jrosado_FTNT
Staff
Article Id 191421
Description
This article describes how to redirect a public service query to a remote location. A query destined to the public IP address (and port) of a FortiGate can be redirected to any other public IP address over the Internet. This way, when a client points to the FortiGate's public IP address, a remote device answers on its behalf.
Scope
In this example, FortiGate A redirects queries destined to its WAN1 IP address to FortiGate B's public IP address.

+------+  WAN1         ******               +------+
| FG_A |  <------   **INTERNET**            | FG_B |
+------+  ------>      ******     ------->  +------+

Solution
1) Configure a VIP mapping the WAN1 interface to the remote site's IP address:
# config firewall vip
    edit "redirectWAN"
        set extip [wan1_ip-address]
        set extintf "wan1"
        set portforward enable
        set mappedip "[remote_public_IP]"
        set extport [service_port]
        set mappedport [service_port]
    next
end

2) Configure an IPv4 policy from WAN1 to WAN1 redirecting traffic over this port using the VIP:
# config firewall policy
    edit [policy_ID]
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "redirectWAN"
        set action accept
        set schedule "always"
        set service "[service]"
        set nat enable
    next
end

3) Configure a policy route to force all traffic meant for that service to return to the Internet:
# config router policy
    edit 1
        set input-device "wan1"
        set src "0.0.0.0/0.0.0.0"
        set dst "[wan1_ip-address]/255.255.255.255"
        set protocol 6
        set start-port [service_port]
        set end-port [service_port]
        set gateway [wan1_DG]
        set output-device "wan1"
    next
end
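
An audit sketch for the configuration built in steps 1 to 3, added here as an example and not part of the original article or of any Fortinet tooling: it parses a FortiOS configuration export and reports accept policies whose source and destination interface are the same and whose VIP maps to an address outside RFC 1918. The function names, the RFC 1918 test used to decide that a mapped address is off-site, and the sample addresses (documentation ranges) are assumptions.

```python
import ipaddress
import shlex

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_fortios(text):
    """Parse flat config/edit/set blocks (no nesting) into {section: {entry: {key: values}}}."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw.strip().lstrip("#")) or [""]  # lstrip drops the CLI prompt
        except ValueError:  # multi-line quoted values such as certificates
            continue
        if tok[0] == "config":
            section = tree.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            entry = None
    return tree

def find_wan_redirects(text):
    """Return accept policies that hairpin an interface through a VIP mapped off-site."""
    tree, offsite, findings = parse_fortios(text), {}, []
    for name, vip in tree.get("firewall vip", {}).items():
        try:  # mappedip may be a range "a-b"; the first address is enough here
            addr = ipaddress.ip_address(vip.get("mappedip", [""])[0].split("-")[0])
        except ValueError:
            continue
        if not any(addr in net for net in RFC1918):
            offsite[name] = str(addr)
    for pid, pol in tree.get("firewall policy", {}).items():
        vips = [v for v in pol.get("dstaddr", []) if v in offsite]
        hairpin = set(pol.get("srcintf", [])) & set(pol.get("dstintf", []))
        if vips and hairpin and pol.get("action") == ["accept"]:
            findings.append({"policy": pid, "vip": vips[0], "mappedip": offsite[vips[0]],
                             "any_source": pol.get("srcaddr") == ["all"],
                             "snat": pol.get("nat") == ["enable"]})
    return findings

# Constructed sample following steps 1 and 2, with documentation addresses.
SAMPLE = "\n".join([
    'config firewall vip', 'edit "redirectWAN"', 'set extip 203.0.113.10', 'set extintf "wan1"',
    'set mappedip "198.51.100.20"', 'next', 'end', 'config firewall policy', 'edit 10',
    'set srcintf "wan1"', 'set dstintf "wan1"', 'set srcaddr "all"', 'set dstaddr "redirectWAN"',
    'set action accept', 'set nat enable', 'next', 'end'])
if __name__ == "__main__":
    print(find_wan_redirects(SAMPLE))
```

A policy reported with `any_source` true accepts the redirect from any Internet host, and with `snat` true the remote site logs FortiGate A's WAN1 address instead of the original client's.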

