# config firewall vipForward traffic log for the destination 10.5.52.157 and service ping will shortlist all the traffic log of policy 3 in which action of the log shows 'Accept: IP connection error'.
edit "test"
set extip 10.5.52.157
set extintf "any"
set portforward enable
set mappedip "172.31.132.15"
set protocol icmp
next
end
# config firewall policy
edit 3
set name "vip"
set srcintf "wan2"
set dstintf "dmz"
set srcaddr "all"
set dstaddr "test"
set action accept
set schedule "always"
set service "PING"
set logtraffic all
next
end
id=20085 trace_id=11 func=print_pkt_detail line=5588 msg="vd-root:0 received a packet(proto=1, 10.5.63.254:60417->10.5.52.157:2048) from wan2. type=8, code=0, id=60417, seq=1949."Flow filter logs show, DNAT information, policy and route check information.
id=20085 trace_id=11 func=init_ip_session_common line=5754 msg="allocate a new session-000b15d1"
id=20085 trace_id=11 func=fw_pre_route_handler line=181 msg="VIP-172.31.132.15:60417, outdev-wan2"
id=20085 trace_id=11 func=__ip_session_run_tuple line=3409 msg="DNAT 10.5.52.157:8->172.31.132.15:60417"
id=20085 trace_id=11 func=vf_ip_route_input_common line=2598 msg="find a route: flag=04000000 gw-172.31.132.15 via dmz"
id=20085 trace_id=11 func=fw_forward_handler line=781 msg="Allowed by Policy-3:"
get sys arp | grep -n 172.31.132.15
get sys arp | grep -n "x.x.x.x"If mapped server is directly connected network then replace 'x.x.x.x' with server IP and if mapped server is connected via static route then replace 'x.x.x.x' with next hoop gateway IP.
# dia sniffer packet any "host x.x.x.x and arp" 6 0 l
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.