Article Id 189989
Description
This article describes how to set up a VIP in the following scenario, where the real server is located on the same side of the FortiGate as the client (both are reached through wan1 over the Internet).

Client ======================= { Internet } ==== wan1 [ FortiGate ]
                                   |                  (VIP <external IP1> on wan1)
Real Server <external IP2> ========

The traffic flow is:

Client to VIP <external IP1> --> FortiGate wan1 { destination NAT to the mapped address <external IP2>; source NAT to the wan1 address when NAT is enabled on the policy } FortiGate wan1 --> Real Server <external IP2>


Solution
To achieve this, the FortiGate allows a firewall policy from and to the same interface (wan1 to wan1) with a VIP as destination, as shown in the example below. This is also called a hairpin policy. Because the real server is reached through the same interface the client comes in on, source NAT must be enabled on this policy: without it the real server would answer the client directly from <external IP2>, while the client is waiting for a reply from <external IP1>, and the session would fail (asymmetric routing). Restrict the policy service to the forwarded port rather than ANY, since the hairpin policy exposes the real server to any source that can reach wan1.

config firewall vip
    edit "VIP"
        set extip <external IP1>
        set extintf "wan1"
        set portforward enable       (depends on requirement)
        set mappedip <external IP2>
        set extport 80               (depends on requirement)
        set mappedport 80            (depends on requirement)
    next
end

config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "VIP"
        set action accept
        set schedule "always"   (depends on requirement)
        set service "HTTP"      (depends on requirement; match the forwarded port rather than ANY)
        set nat enable          (required in this scenario so the real server replies to wan1, not to the client)
    next
end

To verify, sniff on wan1 while the client connects to <external IP1>: the forwarded packets must leave wan1 with destination <external IP2> and the wan1 address as source, and the replies from <external IP2> must come back to wan1.
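The following is an added example, not part of the original article and not a Fortinet tool. It renders the VIP and hairpin policy above from a small set of parameters and checks the two things that make this scenario fail or leak: NAT disabled on the policy (asymmetric reply path) and a 1:1 VIP combined with service ANY (every port of the real server exposed). The addresses, the policy ID and the VIP name are illustrative assumptions.

```python
"""Hairpin VIP config generator and sanity check.

Added example; not part of the original article and not a Fortinet tool.
Assumes the topology in the article: client and real server are both
reached through wan1. Addresses are RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class HairpinVip:
    name: str                 # VIP object name
    extintf: str              # interface the client arrives on
    extip: str                # <external IP1>: address the client connects to
    mappedip: str             # <external IP2>: the real server
    extport: int = 80
    mappedport: int = 80
    portforward: bool = True  # False -> 1:1 NAT, every port of extip is mapped
    service: str = "HTTP"     # policy service
    srcaddr: str = "all"      # policy source
    nat: bool = True          # source NAT on the hairpin policy
    policy_id: int = 1        # assumed policy ID


def validate(vip: HairpinVip) -> list[str]:
    """Return a list of problems; an empty list means the config is sound."""
    problems = []
    for field in ("extip", "mappedip"):
        try:
            ip_address(getattr(vip, field))
        except ValueError:
            problems.append(f"{field} is not an IP address")
    if vip.extip == vip.mappedip:
        problems.append("extip and mappedip must differ")
    if vip.portforward and not all(0 < p < 65536 for p in (vip.extport, vip.mappedport)):
        problems.append("extport and mappedport must be in 1-65535")
    if not vip.nat:
        # Client and real server are both behind extintf. Without source NAT the
        # server answers the client directly from mappedip; the client is waiting
        # for a reply from extip and drops it (asymmetric routing).
        problems.append("nat must be enabled: real server is reached through the same interface as the client")
    if not vip.portforward and vip.service.upper() == "ANY":
        problems.append("1:1 VIP with service ANY exposes every port of the real server")
    return problems


def render(vip: HairpinVip) -> str:
    """Emit the FortiOS CLI for the VIP and the same-interface (hairpin) policy."""
    lines = [
        "config firewall vip",
        f'    edit "{vip.name}"',
        f"        set extip {vip.extip}",
        f'        set extintf "{vip.extintf}"',
    ]
    if vip.portforward:
        lines += [
            "        set portforward enable",
            f"        set mappedip {vip.mappedip}",
            f"        set extport {vip.extport}",
            f"        set mappedport {vip.mappedport}",
        ]
    else:
        lines.append(f"        set mappedip {vip.mappedip}")
    lines += [
        "    next",
        "end",
        "",
        "config firewall policy",
        f"    edit {vip.policy_id}",
        f'        set srcintf "{vip.extintf}"',
        f'        set dstintf "{vip.extintf}"',
        f'        set srcaddr "{vip.srcaddr}"',
        f'        set dstaddr "{vip.name}"',
        "        set action accept",
        '        set schedule "always"',
        f'        set service "{vip.service}"',
        f"        set nat {'enable' if vip.nat else 'disable'}",
        "    next",
        "end",
    ]
    return "\n".join(lines)


# Constructed sample matching the article's topology (documentation addresses).
HAIRPIN = HairpinVip(name="VIP", extintf="wan1", extip="198.51.100.10", mappedip="203.0.113.20")

if __name__ == "__main__":
    problems = validate(HAIRPIN)
    if problems:
        raise SystemExit("\n".join(problems))
    print(render(HAIRPIN))
```

Run it as-is to print the configuration; set nat=False or portforward=False with service="ANY" on HAIRPIN to see the checks reject the configuration before it reaches the FortiGate.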