This shows a virtual server 'test_VS' configured after central NAT was enabled.
Firewall Policy.
The virtual server does not need to be referenced anywhere.
However, a firewall policy is still required. Under central NAT the policy is matched against the destination after DNAT, so it must allow both real servers as the destination address and the port they are listening on as the service; the virtual server itself is not used as the policy destination.
Example below.

Debugging.
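The following FortiOS CLI configuration is an added example, not the configuration from the original note or its screenshot. It assumes central NAT is enabled, that the virtual server's external address is 10.0.0.10 on port1, and that the two real servers are 192.168.1.2 and 192.168.1.3 on port2, both listening on TCP port 80. Only 192.168.1.2 appears in the note; the other addresses, interface names and object names are assumptions. Lines starting with # are explanatory comments.

```text
# Central NAT must already be enabled (assumed, as in the note).
config system settings
    set central-nat enable
end

# The virtual server. Under central NAT the VIP applies the DNAT on its own,
# so it is never referenced from a firewall policy.
config firewall vip
    edit "test_VS"
        set type server-load-balance
        set extip 10.0.0.10
        set extintf "port1"
        set server-type tcp
        set extport 80
        set ldb-method round-robin
        config realservers
            edit 1
                set ip 192.168.1.2
                set port 80
            next
            edit 2
                set ip 192.168.1.3
                set port 80
            next
        end
    next
end

# Address objects for the real (post-DNAT) destinations.
config firewall address
    edit "real_srv_1"
        set subnet 192.168.1.2 255.255.255.255
    next
    edit "real_srv_2"
        set subnet 192.168.1.3 255.255.255.255
    next
end

# The policy is matched after DNAT: destination is the real server,
# service is the port the real servers listen on (HTTP = TCP/80).
# There is no "set nat enable" here; SNAT, if needed, lives in
# central-snat-map, not in the policy.
config firewall policy
    edit 10
        set name "to_test_VS_realservers"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "real_srv_1" "real_srv_2"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end
```

Because this policy is what actually controls access to the real servers, restrict srcaddr to the client ranges that should reach the service rather than leaving it at "all", and keep the service limited to the real server port; a broader service here exposes the real servers beyond what the virtual server publishes.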
The debug flow filters can be used to check that the traffic is hitting the correct policy and that it is being DNAT-ed correctly to the real server address.
# diagnose debug flow filter clear
# diagnose debug flow filter saddr x.x.x.x
# diagnose debug flow trace start 1000
# diagnose debug console timestamp enable
# diagnose debug enable
The debug flow output will clearly show the policy the traffic matches (first packet of the session only).
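A complete debug session, added here as an example rather than taken from the original note, that also filters on the virtual server's external address and clears the debug state afterwards. It assumes the test client is 10.0.0.5 and the virtual server's external address is 10.0.0.10 on TCP port 80; both are assumptions, and the daddr filter uses the pre-DNAT address because the filter is applied to the packet as it is received. Lines starting with # are explanatory comments.

```text
# Start: drop any filter left over from an earlier session, then match
# only the test client and the virtual server, so the trace stays readable.
diagnose debug flow filter clear
diagnose debug flow filter saddr 10.0.0.5
diagnose debug flow filter daddr 10.0.0.10
diagnose debug flow filter dport 80
diagnose debug console timestamp enable
diagnose debug flow trace start 1000
diagnose debug enable

# Now open ONE new TCP connection from 10.0.0.5 to 10.0.0.10:80.
# The policy match and the DNAT to the real server are only printed for
# the first packet; later packets of the same session just match the
# existing session entry.

# Stop: always undo the trace and the debug state, especially on a
# production unit, since the debug output costs CPU on every matching packet.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

If nothing is printed, check the filter before suspecting the policy: a filter on the post-DNAT real server address will not match the inbound packet, and a stale filter from an earlier session will silently exclude the traffic.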
The debug will also show the destination address changing to the real server that is active; in the example that is 192.168.1.2.

Related Articles
Technical Note: Configuration changes regarding Central NAT and Virtual IPs in FortiOS 5.4
Copyright 2024 Fortinet, Inc. All Rights Reserved.