Support Forum
beldridge
New Contributor

FQDN VIP to Private server on LAN

We have a FortiGate 200D that is running code 6.0.14.


Is it possible to create an FQDN VIP that maps to a server on the inside, much like a static VIP?


We have a PBX that uses a static VIP; we want to convert that to an FQDN.

Our idea: we have three WAN interfaces, and we want to add each WAN IP to the FQDN and program the phones to use an FQDN with all three static IPs assigned to it instead of the external IP, so that when an interface goes down they connect using the other IPs on the FQDN with little or no loss.

seshuganesh
Staff

Hi Team,


As per your requirement, you need to create three VIPs with all three external interface IP addresses.

If one is not reachable, the phone should have the ability to go to the secondary.
It's better if your phone has the ability to check whether the IP is up or down, like the link monitor in FortiGate.

Accordingly, you can achieve it.

beldridge

Thank you for the reply,


What would be the CLI commands to create an FQDN VIP that points to a private server?


When I created one, the mapped address is the FQDN and the external is 0.0.0.0. Shouldn't the external be the FQDN and the mapped address be the internal? Unless I'm missing something or just not understanding, because the static VIP is set up that way.

seshuganesh

What would be the CLI commands to create an FQDN VIP that points to a private server?

The FQDN should point to the external IP address, not to the private IP, as per your requirement.

It's like there is nothing to do in FortiGate: you need to create three VIPs for the same private IP with different public IPs. From then on it completely depends on DNS resolution and how the phone will identify which public IP it should choose to send the request to.


Debbie_FTNT

Hey beldridge,

To expand a bit on my colleagues' replies:

- You need some kind of DNS setup that resolves the FQDN you want to use to one or more public IPs

-> those public IPs need to be associated with the FortiGate interfaces for the traffic to even reach the FortiGate

-> at that point you could do FQDN VIPs or regular VIPs with the public IPs in question


Do you anticipate the public IPs changing and don't want to use static IPs in the VIP configuration for that reason?

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
pminarik
Staff

Hi beldridge,

The CLI commands to create an FQDN-based VIP look like this:


config firewall vip
    edit "my_test_vip"
        set type fqdn
        set extaddr <fqdn-type-address-object>
        set mapped-addr <fqdn-type-address-object>
        set extintf <external-interface>
        ...
end


CLI documentation reference is available here. (6.2 link; the 6.0 document is unfortunately incorrect)


Note that for FQDN-type VIPs, the mapped destination always has to be an FQDN object, whereas the external address is optional (it can be an FQDN (set extaddr) or an IP (set extip)). In other words, if you only need the external address to be an FQDN, you will still need to set the internal one as an FQDN as well.


Lastly, if you would like to see this in the GUI, the option was added in 6.4.2 (reference).


Addendum: It may be worth pointing out, in case it is not clear, that these FQDNs' sole purpose is to provide dynamic updates to what would otherwise be the static-IP extip and mappedip attributes. The FortiGate periodically queries the DNS server for these FQDNs and uses the resulting IPs to internally update the extip/mappedip attributes of the VIP. That is to say, these FQDNs do not provide any sort of domain-based reverse-proxy functionality, nor any other "magic".

[ corrections always welcome ]
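As an added illustration of the setup discussed in this thread (not from any of the posts above): three FQDN-type VIPs, one per WAN interface, each using a static external IP (set extip) and the mandatory FQDN mapped address, plus one inbound policy. The interface names, the internal FQDN, the WAN IPs and the service are assumptions; the example assumes the FortiGate's DNS resolves pbx.example.internal to the PBX's LAN address, and the public DNS record that lists all three WAN IPs for the phones is configured outside the FortiGate.

```fortios
# Added example, not from the thread. Assumed placeholders: wan1/wan2/wan3 and "internal"
# as interface names, 198.51.100.10 / 203.0.113.10 / 192.0.2.10 as the static WAN IPs,
# pbx.example.internal as an FQDN the FortiGate's DNS resolves to the PBX LAN IP.

# FQDN address object for the PBX: an FQDN-type VIP requires an FQDN mapped address.
config firewall address
    edit "pbx-internal-fqdn"
        set type fqdn
        set fqdn "pbx.example.internal"
    next
end

# One VIP per WAN interface, all mapping to the same PBX.
config firewall vip
    edit "vip-pbx-wan1"
        set type fqdn
        set extip 198.51.100.10
        set extintf "wan1"
        set mapped-addr "pbx-internal-fqdn"
    next
    edit "vip-pbx-wan2"
        set type fqdn
        set extip 203.0.113.10
        set extintf "wan2"
        set mapped-addr "pbx-internal-fqdn"
    next
    edit "vip-pbx-wan3"
        set type fqdn
        set extip 192.0.2.10
        set extintf "wan3"
        set mapped-addr "pbx-internal-fqdn"
    next
end

# Single inbound policy covering all three WAN interfaces and VIPs.
# Service is limited to SIP here; the PBX's RTP port range would need its own service entry.
config firewall policy
    edit 0
        set name "inbound-pbx-sip"
        set srcintf "wan1" "wan2" "wan3"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-pbx-wan1" "vip-pbx-wan2" "vip-pbx-wan3"
        set action accept
        set schedule "always"
        set service "SIP"
    next
end
```

Because the external addresses are static IPs and only the mapped side is an FQDN, the FortiGate's periodic DNS lookups only refresh the internal destination, matching the addendum above.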