Fortigate — How to allow internal users access to VIP (Public IP address)
Description

====================
Users need to reach an external service that is hosted internally and published to the internet through a VIP (Virtual IP).

Issue

====================
Users can reach the service by its internal IP address, but cannot reach its external (public) IP address while they are in the office on the internal network.

Cases

====================
Case 1: Users and the service are on the same FortiGate port (port1).

Solution (Case 1):
Firewall VIP
When configuring the VIP, the external interface must be set to "any" so that the VIP also matches traffic arriving on the internal port, not only on the WAN.
config firewall vip
    edit "Server1"
        set extip 67.2.22.22
        set extintf "any"    # "any" is a requirement: with "WAN" here the hairpin traffic from port1 never matches the VIP
        set mappedip 172.18.10.1
    next
end

Firewall Policy
1. Allow WAN to port1 (internet users) and port1 to port1 (internal users reaching the public address).
config firewall policy
    edit 4
        # Internet users reaching the published service
        set srcintf "WAN"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Server1"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 3
        # Internal users on port1 reaching the same service through its public address (hairpin)
        set srcintf "port1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Server1"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

Note: This is my case. I completed the configuration above, but users still couldn't access the external service via the VIP.
After reviewing my network topology: all internal routing is done on the core switch, so the FG doesn't know what subnets we have internally. I needed to add a policy route on the FG to tell it that when a packet comes in on port1 and needs to reach another subnet, it should forward the packet out port1 for routing. That's all; everything works like a charm.
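The policy route described in the note above, written out as an added example (it is not configuration from the original post). It assumes the FortiOS "config router policy" syntax, that all internal subnets fall inside 172.18.0.0/16, and a core-switch address of 172.18.10.254 on the port1 segment; the page gives neither the summary range nor the core switch address, so both are placeholders to adjust.

```fortios
config router policy
    edit 1
        # Match packets entering on port1 ...
        set input-device "port1"
        # ... from an internal source (assumed summary range, adjust to your addressing)
        set src "172.18.0.0/255.255.0.0"
        # ... bound for another internal subnet the FortiGate has no route for
        set dst "172.18.0.0/255.255.0.0"
        # Placeholder: the core switch's IP on the port1 segment (not given on the page)
        set gateway 172.18.10.254
        # Send the packet back out port1 so the core switch routes it
        set output-device "port1"
    next
end
```

A static route for the same internal summary pointing at the core switch (config router static) achieves the same result and is easier to audit, since it shows up in the routing table; the policy route is kept here because it is what the note describes. Either way, confirm the route with "get router info routing-table all" before concluding the VIP itself is at fault.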

Case 2: Users and the services are on different FortiGate ports (users on port1, a second server on port3).

Solution (Case 2):
Firewall VIP
When configuring the VIPs, the external interface must be set to "any" on each of them. The second VIP must have its own name (Server2), because the policies below reference it.
config firewall vip
    edit "Server1"
        set extip 67.2.22.22
        set extintf "any"    # "any" is a requirement for the hairpin traffic to match
        set mappedip 172.18.10.1
    next
    edit "Server2"
        set extip 67.2.22.23
        set extintf "any"    # "any" is a requirement for the hairpin traffic to match
        set mappedip 172.18.50.1
    next
end

Firewall Policy
1. Allow "WAN to port1", "WAN to port3", "port1 to port1" and "port1 to port3".
config firewall policy
    edit 4
        # Internet users reaching Server1 on port1
        set srcintf "WAN"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Server1"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 3
        # Internal users on port1 reaching Server1 through its public address (hairpin)
        set srcintf "port1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Server1"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 5
        # Internet users reaching Server2 on port3
        set srcintf "WAN"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Server2"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 6
        # Internal users on port1 reaching Server2 on port3 through its public address
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Server2"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
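To confirm that a hairpin connection actually hits the VIP and the intended policy in either case, the flow trace below is an added example (not from the original post) of the FortiOS "diagnose debug flow" commands. It assumes FortiOS 6.x or later for the "show iprope enable" option; on older releases the equivalent is "show function-name enable". The filter address is the public VIP address from the page, 67.2.22.22.

```fortios
# Trace only packets to or from the public VIP address
diagnose debug flow filter addr 67.2.22.22
# Include the policy lookup (iprope) in the trace output
diagnose debug flow show iprope enable
# Capture the next 10 matching packets
diagnose debug flow trace start 10
diagnose debug enable

# ... reproduce the access from an internal client on port1 now ...

# Stop the trace and clear the filter so it does not affect later sessions
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

In the trace, check three things: the packet arrives on the internal port (port1) rather than on WAN; a DNAT line shows 67.2.22.22 translated to the mapped IP (172.18.10.1 for Server1); and the allowing policy id is the port1-to-port1 (or port1-to-port3) policy, not the WAN policy. If the trace shows a route lookup failure for the client's subnet instead, the missing internal route from the Case 1 note is the cause. The page's policies use srcaddr "all" and service "ANY" for brevity; once the hairpin works, narrowing srcaddr to the internal user subnets and service to the published ports is the usual hardening step, since these policies accept traffic toward servers from the whole internal side.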

Reference Fortigate KB:
