Jonathan_Body_FTNT
Article Id 194960

Purpose

On the FortiGate unit, a VIP can be created for port translation only: both the External IP and Mapped IP use the same value, which is that of an internal server.
 
In the example that follows, external TCP port 443 is mapped to TCP port 22.
 
For more information about VIP, please see the Administration Guide at http://docs.fortinet.com/fgt.html

 


Scope
FortiGate VDOM and NAT mode.
Diagram

--external vip 172.31.224.197   (ext tcp port 443)
                    ||
                   port1
                    ||
               [ FORTIGATE ]
                    ||
                   port2
                    ||
--mapped ip 172.31.224.197   (mapped tcp port 22)
                    ||
              Internal Server
 


Expectations, Requirements

A server on port2 of the FortiGate unit uses IP 172.31.224.197 and listens on TCP port 22.

A VIP is created with this same IP as both External IP (port1) and Mapped IP (port2), for port translation only: requests arriving on TCP port 443 are translated to TCP port 22.


Configuration

FortiOS firmware version 5.0.x:
 
show firewall vip
config firewall vip
    edit "vip-test"
        set arp-reply disable
        set extip 172.31.224.197
        set extintf "port1"
        set portforward enable
        set mappedip 172.31.224.197
        set extport 443
        set mappedport 22
    next
end

config firewall policy
    edit 3
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-test"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
 
 
FortiOS firmware version 4.0 MR3:

In config firewall policy, the line
set service "ALL"
must be replaced by
set service "ANY"

Firmware versions prior to 4.0 MR3:

In config firewall policy, in addition to the change above,
set srcaddr "all"
must also be replaced by
set srcaddr "any"
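The following script is an added example and not Fortinet code. It reads a "show firewall vip" / "show firewall policy" snippet in the CLI layout above and checks the points this article makes: a port-translation-only VIP (extip equal to mappedip) must have portforward enabled, different external and mapped ports, and arp-reply disabled (the setting the troubleshooting section below ties to the iprope_in_check drop); the policy that references the VIP must use the "match everything" keywords of the firmware in use. The firmware labels "5.0", "4.0MR3" and "pre-4.0MR3" are constructed for this example, and the parser handles only the single-level config/edit/set layout the snippet uses.

```python
"""Lint a FortiOS VIP and its policy for the port-translation-only case.

Added example, not Fortinet's code. Only the flat 'config / edit / set /
next / end' layout used in the article is parsed (no nested config blocks).
"""
import shlex

# Constructed sample: the article's VIP and policy as printed by 'show'.
SAMPLE_CONFIG = """\
config firewall vip
    edit "vip-test"
        set arp-reply disable
        set extip 172.31.224.197
        set extintf "port1"
        set portforward enable
        set mappedip 172.31.224.197
        set extport 443
        set mappedport 22
    next
end
config firewall policy
    edit 3
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-test"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
"""

# Constructed firmware labels -> (service keyword, srcaddr keyword) per the article
EXPECTED_KEYWORDS = {
    "5.0": ("ALL", "all"),
    "4.0MR3": ("ANY", "all"),
    "pre-4.0MR3": ("ANY", "any"),
}


def parse_fortios(text):
    """Return {table: {entry: {key: value}}} from CLI-style config text."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = shlex.split(line)  # drops the quotes FortiOS prints around names
        if words[0] == "config":
            table = " ".join(words[1:])
            tables.setdefault(table, {})
        elif words[0] == "edit":
            entry = words[1]
            tables[table][entry] = {}
        elif words[0] == "set":
            # a setting with several values (e.g. two srcaddr objects) becomes a list
            tables[table][entry][words[1]] = words[2] if len(words) == 3 else words[2:]
        elif words[0] == "next":
            entry = None
        elif words[0] == "end":
            table = None
    return tables


def check_loopback_vip(tables, vip_name):
    """Problems with a VIP whose external and mapped IP are the same address."""
    vip = tables.get("firewall vip", {}).get(vip_name)
    if vip is None:
        return [f"VIP {vip_name} not found"]
    problems = []
    if vip.get("extip") == vip.get("mappedip"):
        if vip.get("arp-reply") != "disable":
            problems.append("extip equals mappedip but arp-reply is not disabled")
        if vip.get("portforward") != "enable":
            problems.append("extip equals mappedip without portforward; nothing is translated")
        if vip.get("extport") == vip.get("mappedport"):
            problems.append("extport equals mappedport; no port translation takes place")
    return problems


def check_policy(tables, vip_name, firmware="5.0"):
    """Problems with the policy (or policies) that use the VIP as destination."""
    service_kw, srcaddr_kw = EXPECTED_KEYWORDS[firmware]
    policies = [(pid, p) for pid, p in tables.get("firewall policy", {}).items()
                if vip_name in ([p.get("dstaddr")] if isinstance(p.get("dstaddr"), str)
                                else p.get("dstaddr", []))]
    if not policies:
        return [f"no policy uses {vip_name} as dstaddr"]
    problems = []
    for pid, p in policies:
        if p.get("action") != "accept":
            problems.append(f"policy {pid}: action is not accept")
        if p.get("service") != service_kw:
            problems.append(f'policy {pid}: service should be "{service_kw}" on {firmware}')
        if p.get("srcaddr") != srcaddr_kw:
            problems.append(f'policy {pid}: srcaddr should be "{srcaddr_kw}" on {firmware}')
    return problems


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print(check_loopback_vip(cfg, "vip-test"))      # [] for the article's VIP
    print(check_policy(cfg, "vip-test", "4.0MR3"))  # flags service "ALL" on that release
```

Paste the output of "show firewall vip" and "show firewall policy" into SAMPLE_CONFIG (or read it from a file) and pick the firmware label that matches the unit; an empty list from both checks means the snippet matches what this article describes.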
 
 


Verification

n/a
 


Troubleshooting

1) In case of issues, use the "debug flow" command to check whether the traffic is matched by the firewall policy and translated by the VIP. A working session looks like this:
 
id=20085 trace_id=22 msg="vd-root received a packet(proto=6, 192.168.183.120:1189->172.31.224.197:443) from port1."
id=20085 trace_id=22 msg="allocate a new session-000000d9"
id=20085 trace_id=22 msg="find SNAT: IP-172.31.224.197(from IPPOOL), port-22"
id=20085 trace_id=22 msg="VIP-172.31.224.197:22, outdev-port1"
id=20085 trace_id=22 msg="DNAT 172.31.224.197:443->172.31.224.197:22"
 
2) If you see the message below in your debug flow trace:

id=20085 trace_id=22 msg="iprope_in_check() check failed, drop"

make sure the following parameter is configured on the VIP:

config firewall vip
    edit "vip-test"
        set arp-reply disable
    next
end
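As an added example (not Fortinet code), the script below reads debug flow output, groups the lines by trace_id and reports, for each session aimed at the VIP's external port, whether the expected DNAT was applied or whether it hit the iprope_in_check drop from step 2. The sample trace is the article's own output for trace_id 22 plus a constructed second session (trace_id 23) that ends in the drop message; the message formats are assumed to be exactly those shown on this page.

```python
"""Summarise FortiOS 'debug flow' output per trace_id.

Added example, not Fortinet's code. It only understands the three message
shapes shown in the article: 'received a packet(...)', 'DNAT a:p->b:q' and a
message ending in 'drop'.
"""
import re

# Constructed sample: the article's trace for trace_id 22, plus a second
# session (trace_id 23) that is dropped by iprope_in_check.
SAMPLE_TRACE = """\
id=20085 trace_id=22 msg="vd-root received a packet(proto=6, 192.168.183.120:1189->172.31.224.197:443) from port1."
id=20085 trace_id=22 msg="allocate a new session-000000d9"
id=20085 trace_id=22 msg="find SNAT: IP-172.31.224.197(from IPPOOL), port-22"
id=20085 trace_id=22 msg="VIP-172.31.224.197:22, outdev-port1"
id=20085 trace_id=22 msg="DNAT 172.31.224.197:443->172.31.224.197:22"
id=20085 trace_id=23 msg="vd-root received a packet(proto=6, 192.168.183.121:40000->172.31.224.197:443) from port1."
id=20085 trace_id=23 msg="iprope_in_check() check failed, drop"
"""

LINE_RE = re.compile(r'id=(\d+) trace_id=(\d+) msg="(.*)"$')
RECV_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
DNAT_RE = re.compile(r'DNAT ([\d.]+):(\d+)->([\d.]+):(\d+)')


def parse_trace(text):
    """Group message strings by trace_id, preserving their order."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompt echoes, blank lines, anything not a trace record
        traces.setdefault(m.group(2), []).append(m.group(3))
    return traces


def summarize(msgs):
    """Reduce one trace to the fields a troubleshooter looks at first."""
    s = {"src": None, "dst": None, "ingress": None, "dnat": None, "dropped": None}
    for msg in msgs:
        r = RECV_RE.search(msg)
        if r:
            s["src"] = f"{r.group(2)}:{r.group(3)}"
            s["dst"] = f"{r.group(4)}:{r.group(5)}"
            s["ingress"] = r.group(6)
        d = DNAT_RE.search(msg)
        if d:
            s["dnat"] = (f"{d.group(1)}:{d.group(2)}", f"{d.group(3)}:{d.group(4)}")
        if msg.endswith("drop"):
            s["dropped"] = msg
    return s


def check_vip_trace(text, extip, extport, mappedip, mappedport):
    """Return {trace_id: verdict} for sessions addressed to extip:extport."""
    verdicts = {}
    for tid, msgs in parse_trace(text).items():
        s = summarize(msgs)
        if s["dst"] != f"{extip}:{extport}":
            continue  # traffic for something other than this VIP
        if s["dropped"] and "iprope_in_check" in s["dropped"]:
            verdicts[tid] = "dropped by iprope_in_check: verify 'set arp-reply disable' on the VIP"
        elif s["dropped"]:
            verdicts[tid] = s["dropped"]
        elif s["dnat"] == (f"{extip}:{extport}", f"{mappedip}:{mappedport}"):
            verdicts[tid] = "ok"
        else:
            verdicts[tid] = f"no DNAT to {mappedip}:{mappedport}; VIP or policy not matched"
    return verdicts


if __name__ == "__main__":
    for tid, verdict in check_vip_trace(SAMPLE_TRACE, "172.31.224.197", 443,
                                        "172.31.224.197", 22).items():
        print(tid, verdict)
```

Replace SAMPLE_TRACE with the captured debug flow output and pass the VIP's extip, extport, mappedip and mappedport; a verdict of "ok" corresponds to the trace in step 1, and the iprope_in_check verdict points at the parameter in step 2.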

 
