FortiGate
gfranceschi
Staff
Article Id 195702
Description
When NAT is not enabled on the firewall policy, the FortiGate applies the destination NAT of the VIP and keeps the sender's source IP, provided the traffic enters and leaves the FortiGate on different interfaces. If the traffic is received and sent on the same interface (a hairpin through the VIP), the FortiGate replaces the source with the IP address of that interface after applying the destination NAT, even though source NAT is not enabled on the policy. The protected host therefore sees the FortiGate interface address rather than the real client address, which matters for server-side logging and for any source-based access control on that host.

When NAT is enabled on the policy (source NAT together with the destination NAT of the VIP), the FortiGate uses the IP address of the egress interface as the source of the traffic sent to the host protected by the destination NAT, whether or not the ingress and egress interfaces differ.

Solution
(Diagram gfranceschi_FD40820_FD40820-1.bmp: lab topology with the three VDOMs; the red and green pings referenced below are drawn on it.)

To understand the sniffer trace:
  • Vlan134 and vlanp2 are based on physical interface port2.
  • Vlan1 and vlan2 are based on physical interface port1.

Configuration

Three VDOMs (SOURCE, FGTVIP and ENDVIP) simulate the network. The VIPs and the two policies below are defined in the FGTVIP VDOM.
FGT-VM (vdom) # edit FGTVIP
current vf=FGTVIP:2
FGT-VM (FGTVIP) # sh firewall policy
config firewall policy
    edit 1
        set srcintf "VLAN1"
        set dstintf "VLAN2"
        set srcaddr "ADD_10.254.37.34/32" "ADD_10.254.37.42/32"
        set dstaddr "VIP_10.254.39.4"
        set action accept
        set schedule "always"
        set service "ALL"
     next
    edit 2
        set srcintf "VLAN1"
        set dstintf "VLAN1"
        set srcaddr "ADD_10.254.37.34/32" "ADD_10.254.37.42/32"
        set dstaddr "VIP_10.254.39.2"
        set action accept
        set schedule "always"
    next
end

 FGT-VM (FGTVIP) # show firewall vip
config firewall vip
    edit "VIP_10.254.39.2"
        set extip 10.254.39.2
        set extintf "any"
        set color 1
        set mappedip 10.254.37.64
    next
    edit "VIP_10.254.39.4"
        set extip 10.254.39.4
        set extintf "any"
        set color 1
        set mappedip 10.254.2.64
    next
end

"ADD_10.254.37.34/32" and "ADD_10.254.37.42/32" are firewall address objects (one /32 host address each).

Source IP used by the FortiGate once the VIP is applied

NAT is disabled on both firewall policies (set nat enable is not present in policies 1 and 2 above).

From the loopback interface 10.254.37.34 in the SOURCE VDOM, ping VIP 10.254.39.2 in the FGTVIP VDOM; the VIP maps to loopback 10.254.37.64, which is also in the SOURCE VDOM, so the traffic enters and leaves the FGTVIP VDOM on the same interface, VLAN1 (red ping on the diagram).
FGT-VM (FGTVIP) # di sniffer packet any icmp 4
interfaces=[any]
filters=[icmp]
42.437130 VLAN134 out 10.254.37.34 -> 10.254.39.2: icmp: echo request
42.437134 port2 out 10.254.37.34 -> 10.254.39.2: icmp: echo request
42.437166 VLAN1 in 10.254.37.34 -> 10.254.39.2: icmp: echo request
42.437194 VLAN1 out 10.254.32.17 -> 10.254.37.64: icmp: echo request
42.437196 port1 out 10.254.32.17 -> 10.254.37.64: icmp: echo request
42.437218 VLAN134 in 10.254.32.17 -> 10.254.37.64: icmp: echo request
42.437248 VLAN134 out 10.254.37.64 -> 10.254.32.17: icmp: echo reply
42.437250 port2 out 10.254.37.64 -> 10.254.32.17: icmp: echo reply
42.437273 VLAN1 in 10.254.37.64 -> 10.254.32.17: icmp: echo reply
42.437281 VLAN1 out 10.254.39.2 -> 10.254.37.34: icmp: echo reply
42.437284 port1 out 10.254.39.2 -> 10.254.37.34: icmp: echo reply
42.437307 VLAN134 in 10.254.39.2 -> 10.254.37.34: icmp: echo reply

Note that 10.254.32.17 is the IP address of the FGT interface VLAN1. Although NAT is disabled on policy 2, the echo request leaves VLAN1 with the VLAN1 address as source because it entered on that same interface; the reply from 10.254.37.64 is consequently addressed to 10.254.32.17, and the FortiGate reverses both translations before returning it to 10.254.37.34.

From the loopback interface 10.254.37.34 in the SOURCE VDOM, ping VIP 10.254.39.4 in the FGTVIP VDOM, which maps to loopback 10.254.2.64 in the ENDVIP VDOM; here the traffic enters on VLAN1 and leaves on VLAN2 (green ping on the diagram).
50.763972 VLAN134 out 10.254.37.34 -> 10.254.39.4: icmp: echo request
50.763976 port2 out 10.254.37.34 -> 10.254.39.4: icmp: echo request
50.764014 VLAN1 in 10.254.37.34 -> 10.254.39.4: icmp: echo request
50.776906 VLAN2 out 10.254.37.34 -> 10.254.2.64: icmp: echo request
50.776909 port1 out 10.254.37.34 -> 10.254.2.64: icmp: echo request
50.776940 Vlanp2 in 10.254.37.34 -> 10.254.2.64: icmp: echo request
50.776969 Vlanp2 out 10.254.2.64 -> 10.254.37.34: icmp: echo reply
50.776972 port2 out 10.254.2.64 -> 10.254.37.34: icmp: echo reply
50.776997 VLAN2 in 10.254.2.64 -> 10.254.37.34: icmp: echo reply
50.777005 VLAN1 out 10.254.39.4 -> 10.254.37.34: icmp: echo reply
50.777008 port1 out 10.254.39.4 -> 10.254.37.34: icmp: echo reply
50.777030 VLAN134 in 10.254.39.4 -> 10.254.37.34: icmp: echo reply

Note that the echo request reaches 10.254.2.64 with 10.254.37.34, the loopback address of the SOURCE VDOM, still as its source: with NAT disabled and different ingress and egress interfaces, only the destination is translated and the protected host sees the real client address.

Enable NAT on both firewall policies, then execute the same ping commands. (The policy IDs used in this CLI session, 51 and 57, do not match the IDs 1 and 2 in the listing above; they are the same two policies, captured in a different session.)

FGT-VM (FGTVIP) # con firewall policy 
FGT-VM (policy) # edit 51
FGT-VM (51) # set nat enable
FGT-VM (51) # next
FGT-VM (policy) # edit 57
FGT-VM (57) # set nat enable
FGT-VM (57) # end

FGT-VM (FGTVIP) # di sniffer packet any icmp 4
interfaces=[any]
filters=[icmp]
4.978583 VLAN134 out 10.254.37.34 -> 10.254.39.2: icmp: echo request
4.978588 port2 out 10.254.37.34 -> 10.254.39.2: icmp: echo request
4.978671 VLAN1 in 10.254.37.34 -> 10.254.39.2: icmp: echo request
4.988020 VLAN1 out 10.254.32.17 -> 10.254.37.64: icmp: echo request
4.988023 port1 out 10.254.32.17 -> 10.254.37.64: icmp: echo request
4.988054 VLAN134 in 10.254.32.17 -> 10.254.37.64: icmp: echo request
4.988088 VLAN134 out 10.254.37.64 -> 10.254.32.17: icmp: echo reply
4.988091 port2 out 10.254.37.64 -> 10.254.32.17: icmp: echo reply
4.988114 VLAN1 in 10.254.37.64 -> 10.254.32.17: icmp: echo reply
4.988124 VLAN1 out 10.254.39.2 -> 10.254.37.34: icmp: echo reply
4.988126 port1 out 10.254.39.2 -> 10.254.37.34: icmp: echo reply
4.988148 VLAN134 in 10.254.39.2 -> 10.254.37.34: icmp: echo reply

11.187116 VLAN134 out 10.254.37.34 -> 10.254.39.4: icmp: echo request
11.187121 port2 out 10.254.37.34 -> 10.254.39.4: icmp: echo request
11.187158 VLAN1 in 10.254.37.34 -> 10.254.39.4: icmp: echo request
11.197249 VLAN2 out 10.0.113.145 -> 10.254.2.64: icmp: echo request
11.197253 port1 out 10.0.113.145 -> 10.254.2.64: icmp: echo request
11.197286 Vlanp2 in 10.0.113.145 -> 10.254.2.64: icmp: echo request
11.197324 Vlanp2 out 10.254.2.64 -> 10.0.113.145: icmp: echo reply
11.197327 port2 out 10.254.2.64 -> 10.0.113.145: icmp: echo reply
11.197347 VLAN2 in 10.254.2.64 -> 10.0.113.145: icmp: echo reply
11.197357 VLAN1 out 10.254.39.4 -> 10.254.37.34: icmp: echo reply
11.197359 port1 out 10.254.39.4 -> 10.254.37.34: icmp: echo reply
11.197380 VLAN134 in 10.254.39.4 -> 10.254.37.34: icmp: echo reply

With NAT enabled, the source of the green ping becomes 10.0.113.145, the address of the egress interface VLAN2, so the host 10.254.2.64 no longer sees the client address. The red hairpin ping is unchanged: its source was already the VLAN1 address 10.254.32.17 without NAT, because ingress and egress interface are the same.
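As an added example (not part of this article), the following Python script applies the rule above mechanically to sniffer output: it parses "diagnose sniffer packet any icmp 4" lines, drops the duplicate physical-port lines, and for every echo request that enters a logical interface addressed to a VIP finds the egress copy addressed to the mapped IP and reports whether the source was preserved, replaced by the ingress interface address (hairpin), or replaced by the egress interface address (SNAT). The trace lines are the ones shown on this page; the VLAN1 address 10.254.32.17 is stated above, while the VLAN2 address 10.0.113.145 is an assumption inferred from the NAT-enabled trace.

```python
"""Added example, not from the KB article: classify what a FortiGate did to the
source address of VIP traffic, from 'diagnose sniffer packet any icmp 4' lines."""
import re
from dataclasses import dataclass

# Verbosity-4 line: "<ts> <intf> <in|out> <src> -> <dst>: icmp: echo <request|reply>"
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)

# VIPs as configured in the FGTVIP VDOM: extip -> mappedip
VIPS = {"10.254.39.2": "10.254.37.64", "10.254.39.4": "10.254.2.64"}
# Interface addresses: VLAN1 is stated in the article; VLAN2 is an ASSUMPTION
# inferred from the NAT-enabled trace (10.0.113.145 appears as egress source).
INTERFACE_IPS = {"VLAN1": "10.254.32.17", "VLAN2": "10.0.113.145"}

PRESERVED = "source preserved"
HAIRPIN = "hairpin: source replaced by the shared ingress/egress interface IP"
SNAT = "SNAT: source replaced by the egress interface IP"
UNKNOWN = "source rewritten to an address that is not a known interface IP"

# Echo-request legs copied from the article, NAT disabled on both policies.
TRACE_NAT_DISABLED = """\
42.437130 VLAN134 out 10.254.37.34 -> 10.254.39.2: icmp: echo request
42.437134 port2 out 10.254.37.34 -> 10.254.39.2: icmp: echo request
42.437166 VLAN1 in 10.254.37.34 -> 10.254.39.2: icmp: echo request
42.437194 VLAN1 out 10.254.32.17 -> 10.254.37.64: icmp: echo request
42.437196 port1 out 10.254.32.17 -> 10.254.37.64: icmp: echo request
42.437218 VLAN134 in 10.254.32.17 -> 10.254.37.64: icmp: echo request
50.763972 VLAN134 out 10.254.37.34 -> 10.254.39.4: icmp: echo request
50.764014 VLAN1 in 10.254.37.34 -> 10.254.39.4: icmp: echo request
50.776906 VLAN2 out 10.254.37.34 -> 10.254.2.64: icmp: echo request
50.776940 Vlanp2 in 10.254.37.34 -> 10.254.2.64: icmp: echo request
"""
# The green ping again after 'set nat enable' (copied from the article).
TRACE_NAT_ENABLED = """\
11.187116 VLAN134 out 10.254.37.34 -> 10.254.39.4: icmp: echo request
11.187158 VLAN1 in 10.254.37.34 -> 10.254.39.4: icmp: echo request
11.197249 VLAN2 out 10.0.113.145 -> 10.254.2.64: icmp: echo request
11.197286 Vlanp2 in 10.0.113.145 -> 10.254.2.64: icmp: echo request
"""


@dataclass
class Hop:
    ts: float
    intf: str
    direction: str
    src: str
    dst: str
    kind: str


def parse_sniffer(text):
    """Return the Hop records found in sniffer output; other lines are ignored."""
    hops = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            hops.append(Hop(float(d["ts"]), d["intf"], d["dir"], d["src"], d["dst"], d["kind"]))
    return hops


def classify_vip_translations(hops, vips=VIPS, intf_ips=INTERFACE_IPS, window=1.0):
    """For each echo request entering a logical interface with a VIP extip as
    destination, find its egress copy (destination = mappedip, within `window`
    seconds) and report what happened to the source address."""
    # port1/port2 lines duplicate the VLAN lines on the same physical port; drop them.
    logical = [h for h in hops if not h.intf.lower().startswith("port")]
    results = []
    for i, ingress in enumerate(logical):
        if ingress.kind != "request" or ingress.direction != "in" or ingress.dst not in vips:
            continue
        mapped = vips[ingress.dst]
        egress = next((h for h in logical[i + 1:]
                       if h.kind == "request" and h.direction == "out"
                       and h.dst == mapped and h.ts - ingress.ts <= window), None)
        if egress is None:
            continue  # request was dropped or never left the VDOM
        if egress.src == ingress.src:
            verdict = PRESERVED
        elif egress.src == intf_ips.get(egress.intf):
            verdict = HAIRPIN if egress.intf == ingress.intf else SNAT
        else:
            verdict = UNKNOWN
        results.append({"vip": ingress.dst, "ingress": ingress.intf, "egress": egress.intf,
                        "original_src": ingress.src, "translated_src": egress.src,
                        "verdict": verdict})
    return results


if __name__ == "__main__":
    for label, trace in (("NAT disabled", TRACE_NAT_DISABLED), ("NAT enabled", TRACE_NAT_ENABLED)):
        for r in classify_vip_translations(parse_sniffer(trace)):
            print(f"{label}: VIP {r['vip']} {r['ingress']}->{r['egress']} "
                  f"src {r['original_src']} -> {r['translated_src']}: {r['verdict']}")
```

Run it against a real capture by pasting the sniffer output into the two string constants, or by reading a file into parse_sniffer; extend INTERFACE_IPS with the addresses of every interface the VIP policies use, otherwise a rewritten source is reported as UNKNOWN rather than as hairpin or SNAT.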