FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jrosado_FTNT
Staff
Staff
Article Id 191590
Description
This article shows how the use of a hairpin can allow an application on a server to browse a webpage hosted within itself.

In this example the FortiGate sends server’s queries to its own assigned public IP address, from Internal to Internal interface.

Solution
1. Configure a VIP mapping WAN interface to the remote site's IP address.
config firewall vip
    edit "PublicServer"
        set extip [public_ip-address]
        set extintf "wan1"
        set portforward enable
        set mappedip "[server_ip-address]"
        set extport [service_port]
        set mappedport [service_port]
    next
end

 2. Configure an IPv4 policy from Internal to WAN redirecting traffic over this port using the VIP.
config firewall policy
    edit [policy_ID]
        set srcintf "Internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "PublicServer"
        set action accept
        set schedule "always"
        set service "[service]"
        set nat enable
    next
end

 3. Configure a policy route to force all traffic meant for that service back to the server.
config router policy
    edit 1
        set input-device "Internal"
        set src "[server_ip-address]/255.255.255.255"
        set dst "[server_ip-address]/255.255.255.255"
        set protocol 6
        set start-port [service_port]
        set end-port [service_port]
        set gateway [wan1_DG]
        set output-device "Internal"
    next
end

Contributors