- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- 2 VIP with same external IPs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2 VIP with same external IPs
I have an issue with VIPs on my FortiGate.
I have a single public IP address. I need to configure two different VIPs with this one public IP address, each using different services and pointing to different internal IPs. I created the two VIPs and used them in two different firewall policies. However, the problem I'm facing is that all traffic is going through just one firewall policy (the one with the first VIP created), even though the client-initiated traffic does not match that firewall policy.
Example:
196.209.90.89:80 -> 172.16.0.1:80
196.209.90.89:443 -> 172.16.0.1:443
196.209.90.89:22 -> 192.168.1.1:22
196.209.90.89:25 -> 192.168.1.1:25
Can you help me resolve this issue?"
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @coumbisskante ,
Can you please try mentioning the port mapping as below:
config firewall vip
edit <name>
set extport 22
set mappedport 22
next
end
- try this for port 80, 443 as well in the VIP entry that you have.
DNB
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @coumbisskante.,
Your VIPs don't have port forwarding enabled? It should look like below:
config firewall vip
edit "WebServer_VIP"
set extip 196.209.90.89
set mappedip "172.16.0.1"
set extintf "any"
set portforward enable
set extport 80
set mappedport 80
next
end
Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-port-forwarding-using-FortiGate-...
Regards,
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @coumbisskante ,
Is the port 22 the one you think is not working? If you say yes, can you check your Fortigate SSH port and SSH access on the wan interface?
Also, can you share this command output with us? After entering these commands, you should try to access your service.
diagnose sniffer packet any 'host <Your_WAN_IP> and port 22' 4 a
Second console screen :
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter daddr <Your_WAN_IP>
diagnose debug flow filter dport 22
diagnose debug flow trace start 100
diagnose debug enable
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it
easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ozkanaltas
No, the problem is not SSH only.
Can't send capture of the configuration right now but i will try to explain it well:
VIP CONFIGURATIONS:
- VIP 1
config firewall vip
edit "OTHER_TRAFIC"
set service "FTP" "DNS" "PING"
set extip 196.209.90.89
set extintf "any"
set mappedip "192.168.1.1"
next
end
- VIP 2
config firewall vip
edit "WebServer_VIP"
set service "HTTP" "HTTPS"
set extip 196.209.90.89
set extintf "any"
set mappedip "172.16.0.1"
next
end
FIREWALL POLICY CONFIGURATIONS:
- Firewall Policy 1
config firewall policy
edit 1
set srcintf "WAN"
set dstintf "port1"
set srcaddr "all"
set dstaddr "OTHER_TRAFIC"
set action accept
set schedule "always"
set service "FTP" "DNS" "PING"
set nat disable
next
end
- Firewall Policy 2
config firewall policy
edit 1
set srcintf "WAN"
set dstintf "port1"
set srcaddr "all"
set dstaddr "WebServer_VIP"
set action accept
set schedule "always"
set service "HTTP" "HTTPS"
set nat disable
next
end
After running diagnostics, all HTTP/HTTPS traffic is being redirected to Policy 1, even though these services are not specified in the firewall policy configuration. VIP 1, was the first one to be created.
Created on 04-29-2024 06:46 AM Edited on 04-29-2024 06:47 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @coumbisskante ,
I think the problem is the destination interface in the rule.
Your destination IP address is different in the VIP configuration but you selected the same destination interface in the policy.
Are you sure that you selected the right interface in the policy? if you don't use secondary IPs on the same interface, they need to be different.
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it
easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @ozkanaltas
Yes, I am using the correct interface. I made an error when describing my configurations earlier. The right interface is selected, but I am still experiencing the same problem.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @coumbisskante ,
it's interesting. Can you run debug command and share output wit us? I think this way is easiest way to solve your problem.
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it
easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your 1st firewall policy is matching all the traffic that means your firewall policy has "ALL" as Service (destination port).
You should change it to just the required service, i.e.: HTTPS or SMTP, etc
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @AEK
This is not the problem.
Find below, the configurations i did:
VIP CONFIGURATIONS:
- VIP 1
config firewall vip
edit "OTHER_TRAFIC"
set service "FTP" "DNS" "PING"
set extip 196.209.90.89
set extintf "any"
set mappedip "192.168.1.1"
next
end
- VIP 2
config firewall vip
edit "WebServer_VIP"
set service "HTTP" "HTTPS"
set extip 196.209.90.89
set extintf "any"
set mappedip "172.16.0.1"
next
end
FIREWALL POLICY CONFIGURATIONS:
- Firewall Policy 1
config firewall policy
edit 1
set srcintf "WAN"
set dstintf "port1"
set srcaddr "all"
set dstaddr "OTHER_TRAFIC"
set action accept
set schedule "always"
set service "FTP" "DNS" "PING"
set nat disable
next
end
- Firewall Policy 2
config firewall policy
edit 1
set srcintf "WAN"
set dstintf "port1"
set srcaddr "all"
set dstaddr "WebServer_VIP"
set action accept
set schedule "always"
set service "HTTP" "HTTPS"
set nat disable
next
end
After running diagnostics, all HTTP/HTTPS traffic is being redirected to Policy 1, even though these services are not specified in the firewall policy configuration. VIP 1, was the first one to be created.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @coumbisskante.,
Your VIPs don't have port forwarding enabled? It should look like below:
config firewall vip
edit "WebServer_VIP"
set extip 196.209.90.89
set mappedip "172.16.0.1"
set extintf "any"
set portforward enable
set extport 80
set mappedport 80
next
end
Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-port-forwarding-using-FortiGate-...
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @coumbisskante ,
Can you please try mentioning the port mapping as below:
config firewall vip
edit <name>
set extport 22
set mappedport 22
next
end
- try this for port 80, 443 as well in the VIP entry that you have.
DNB
Related Posts
Labels
-
FortiGate
6,735 -
FortiClient
1,341 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
345 -
FortiAP
344 -
FortiClient EMS
274 -
FortiMail
262 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
107 -
FortiSIEM
92 -
FortiGateCloud
88 -
FortiCloud Products
85 -
IPsec
83 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
68 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
32 -
SD-WAN
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
22 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Logging
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Web rating
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.