This article describes how to troubleshoot a VIP that is configured on FortiGate but whose traffic is being denied by a forward policy check.
Scope
FortiGate.
Solution
Firstly, make sure that the server the VIP is DNATing to is reachable on the mapped port. To do this, perform a ping or telnet test to that server from the FortiGate CLI by using the following commands:
execute ping <server-ip>
execute telnet <server-ip> <port>
Below is an example of a configured VIP, custom service and policy:
VIP configuration:
config firewall vip
    edit "Test"
        set id 0
        set comment ''
        set type static-nat
        set extip 1.1.1.1
        set nat44 enable
        set nat46 disable
        set mappedip "192.168.1.101"
        set extintf "wan1"
        set arp-reply enable
        set nat-source-vip disable
        set portforward enable
        set gratuitous-arp-interval 0
        set ssl-client-rekey-count 0
        set color 0
        set protocol tcp
        set extport 4443
        set mappedport 4443
        set portmapping-type 1-to-1
    next
end
Policy configuration:
config firewall policy
    edit 2
        set name "Virtual-IP"
        set srcintf "wan1"
        set dstintf "internal"
        set action accept
        set srcaddr "all"
        set dstaddr "Test-VIP"
        set schedule "always"
        set service "test-vip-service"
        set ssl-ssh-profile "certificate-inspection"
        set nat disable
    next
end
Custom service configuration:
config firewall service custom
    edit "test-vip-service"
        set uuid 4be63b06-5014-51ef-a95c-da8fe424ff05
        set category "Web Access"
        set tcp-portrange 4443:4443
    next
end
The debug flow output shows that the DNAT is found and a route to the mapped server exists, but none of the configured policies match and the traffic falls through to the implicit deny (policy 0):
2024-08-01 09:11:56 id=65308 trace_id=3 func=get_new_addr line=1228 msg="find DNAT: IP-192.168.1.101, port-4443"
2024-08-01 09:11:56 id=65308 trace_id=3 func=__iprope_check_one_dnat_policy line=5223 msg="matched policy-1, act=accept, vip=1, flag=100, sflag=2000000"
2024-08-01 09:11:56 id=65308 trace_id=3 func=iprope_dnat_check line=5280 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000100"
2024-08-01 09:11:56 id=65308 trace_id=3 func=fw_pre_route_handler line=176 msg="VIP-192.168.1.101:4443, outdev-wan1"
2024-08-01 09:11:56 id=65308 trace_id=3 func=__ip_session_run_tuple line=3498 msg="DNAT 1.1.1.1:4443->192.168.1.101:4443"
2024-08-01 09:11:56 id=65308 trace_id=3 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-192.168.1.101 via internal"
2024-08-01 09:11:56 id=65308 trace_id=3 func=iprope_fwd_check line=789 msg="in-[wan1], out-[internal], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
2024-08-01 09:11:56 id=65308 trace_id=3 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=3"
2024-08-01 09:11:56 id=65308 trace_id=3 func=__iprope_check_one_policy line=2047 msg="checked gnum-100004 policy-3, ret-no-match, act-accept"
2024-08-01 09:11:56 id=65308 trace_id=3 func=__iprope_check_one_policy line=2047 msg="checked gnum-100004 policy-9, ret-no-match, act-accept"
2024-08-01 09:11:56 id=65308 trace_id=3 func=__iprope_check_one_policy line=2047 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2024-08-01 09:11:56 id=65308 trace_id=3 func=__iprope_user_identity_check line=1822 msg="ret-matched"
2024-08-01 09:11:56 id=65308 trace_id=3 func=__iprope_check_one_policy line=2265 msg="policy-0 is matched, act-drop"
2024-08-01 09:11:56 id=65308 trace_id=3 func=iprope_fwd_check line=826 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-08-01 09:11:56 id=65308 trace_id=3 func=iprope_fwd_auth_check line=845 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-08-01 09:11:56 id=65308 trace_id=3 func=fw_forward_handler line=757 msg="Denied by forward policy check (policy 0)"
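When the trace is long, it helps to reduce it to the few facts that decide the case: was a DNAT found, was a route found, which policies were checked and what the final verdict was. The following is an added example (not part of the article and not a Fortinet tool) that parses lines in the format shown above and reports whether the drop is an implicit deny after a successful DNAT, which is exactly the symptom this article covers. The sample trace embedded in the code is a trimmed copy of the article's debug output; the field names (func, msg) are taken from those lines.

```python
import re

# Constructed sample: a trimmed copy of the article's debug flow trace.
SAMPLE_TRACE = """\
2024-08-01 09:11:56 id=65308 trace_id=3 func=get_new_addr line=1228 msg="find DNAT: IP-192.168.1.101, port-4443"
2024-08-01 09:11:56 id=65308 trace_id=3 func=__iprope_check_one_dnat_policy line=5223 msg="matched policy-1, act=accept, vip=1, flag=100, sflag=2000000"
2024-08-01 09:11:56 id=65308 trace_id=3 func=__ip_session_run_tuple line=3498 msg="DNAT 1.1.1.1:4443->192.168.1.101:4443"
2024-08-01 09:11:56 id=65308 trace_id=3 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-192.168.1.101 via internal"
2024-08-01 09:11:56 id=65308 trace_id=3 func=iprope_fwd_check line=789 msg="in-[wan1], out-[internal], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
2024-08-01 09:11:56 id=65308 trace_id=3 func=__iprope_check_one_policy line=2047 msg="checked gnum-100004 policy-3, ret-no-match, act-accept"
2024-08-01 09:11:56 id=65308 trace_id=3 func=__iprope_check_one_policy line=2047 msg="checked gnum-100004 policy-9, ret-no-match, act-accept"
2024-08-01 09:11:56 id=65308 trace_id=3 func=__iprope_check_one_policy line=2047 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2024-08-01 09:11:56 id=65308 trace_id=3 func=__iprope_check_one_policy line=2265 msg="policy-0 is matched, act-drop"
2024-08-01 09:11:56 id=65308 trace_id=3 func=fw_forward_handler line=757 msg="Denied by forward policy check (policy 0)"
"""

# One trace line: we only need the function name and the quoted message.
LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"$')


def parse_trace(text):
    """Return a list of {trace, func, msg} dicts, skipping lines that do not fit the format."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if m:
            entries.append({"trace": int(m["trace"]), "func": m["func"], "msg": m["msg"]})
    return entries


def summarize_trace(text):
    """Reduce a debug flow trace to the facts that matter for a VIP / forward-policy problem."""
    s = {"dnat": None, "route_via": None, "in_out": None,
         "checked_policies": [], "verdict": None, "implicit_deny": False, "hint": None}
    for e in parse_trace(text):
        msg = e["msg"]
        if e["func"] == "__ip_session_run_tuple" and msg.startswith("DNAT "):
            s["dnat"] = msg[len("DNAT "):]                       # e.g. 1.1.1.1:4443->192.168.1.101:4443
        elif e["func"] == "vf_ip_route_input_common":
            m = re.search(r"via (\S+)", msg)
            if m:
                s["route_via"] = m[1]                             # egress interface of the found route
        elif e["func"] == "iprope_fwd_check":
            m = re.search(r"in-\[(\S+)\], out-\[(\S+)\]", msg)
            if m:
                s["in_out"] = (m[1], m[2])                         # interface pair the policy lookup used
        elif e["func"] == "__iprope_check_one_policy" and msg.startswith("checked"):
            m = re.search(r"policy-(\d+), ret-([a-z-]+)", msg)
            if m:
                s["checked_policies"].append((int(m[1]), m[2]))   # (policy id, match result)
        elif e["func"] == "fw_forward_handler":
            s["verdict"] = msg

    # Implicit deny: the final verdict names policy 0 and no numbered policy matched.
    numbered_match = any(pid != 0 and ret == "matched" for pid, ret in s["checked_policies"])
    s["implicit_deny"] = (s["verdict"] or "").endswith("(policy 0)") and not numbered_match
    if s["implicit_deny"] and s["dnat"] and s["in_out"]:
        src_if, dst_if = s["in_out"]
        s["hint"] = (f"DNAT and routing succeeded; no policy from {src_if} to {dst_if} matched: "
                     "check srcintf/dstintf, the VIP object in dstaddr, and the service "
                     "(a tcp-portrange with a source-port part such as 4443:4443 will not match "
                     "ephemeral client source ports)")
    return s


if __name__ == "__main__":
    for key, value in summarize_trace(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Paste a captured trace into `summarize_trace` in place of the sample; a run that returns `implicit_deny: True` together with a populated `dnat` field points at the policy definition rather than at the VIP or routing, which is where the rest of this article looks.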
Make the following change in the custom service:
config firewall service custom
    edit test-vip-service
        set tcp-portrange 4443    <- instead of 4443:4443
    next
end
In the tcp-portrange syntax the value after the colon is the source port range, so 4443:4443 only matches connections whose source port is also 4443. Since a client's source port is ephemeral and not known in advance, it cannot be specified in the configuration: use the destination port alone in the CLI, or disable 'Specify source port' for the service in the GUI.
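To make the destination:source semantics concrete, here is an added example (not from the article or from Fortinet) that parses FortiOS-style tcp-portrange values and tests whether a given connection would match. It reproduces the article's case: a client connecting from an ephemeral port to 4443 fails to match the service defined as 4443:4443 and matches once the source part is dropped. The assumption that an omitted source part means any source port, and the use of 0-65535 to represent "any", are modelling choices of this example.

```python
from typing import List, Tuple

PortRange = Tuple[int, int]
ANY_SOURCE: PortRange = (0, 65535)  # assumption: no source part means any source port


def _parse_range(spec: str) -> PortRange:
    """Parse "4443" -> (4443, 4443) or "1024-65535" -> (1024, 65535)."""
    lo, _, hi = spec.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"invalid port range: {spec!r}")
    return (lo_i, hi_i)


def parse_tcp_portrange(value: str) -> List[Tuple[PortRange, PortRange]]:
    """Parse a tcp-portrange value into a list of (dst_range, src_range).

    Each space-separated entry has the form
        <dst-low>[-<dst-high>][:<src-low>[-<src-high>]]
    so "4443:4443" restricts both the destination and the source port to 4443.
    """
    entries = []
    for token in value.split():
        dst_spec, _, src_spec = token.partition(":")
        dst = _parse_range(dst_spec)
        src = _parse_range(src_spec) if src_spec else ANY_SOURCE
        entries.append((dst, src))
    return entries


def service_matches(value: str, src_port: int, dst_port: int) -> bool:
    """True if a TCP connection src_port -> dst_port matches any entry of the service."""
    for (dlo, dhi), (slo, shi) in parse_tcp_portrange(value):
        if dlo <= dst_port <= dhi and slo <= src_port <= shi:
            return True
    return False


def lint_service(value: str) -> List[str]:
    """Flag entries that restrict the source port; such entries rarely match real clients."""
    warnings = []
    for token, (_, src) in zip(value.split(), parse_tcp_portrange(value)):
        if src != ANY_SOURCE:
            warnings.append(f"entry {token!r} restricts source port to {src[0]}-{src[1]}; "
                            "client source ports are ephemeral")
    return warnings


def demo() -> Tuple[bool, bool]:
    """Constructed client connection: ephemeral source port 51234 to VIP port 4443."""
    before = service_matches("4443:4443", 51234, 4443)  # the article's broken service
    after = service_matches("4443", 51234, 4443)        # the corrected service
    return before, after


if __name__ == "__main__":
    print("4443:4443 matches:", demo()[0])
    print("4443 matches:     ", demo()[1])
    for w in lint_service("4443:4443"):
        print("warning:", w)
```

`lint_service` is the check worth running over exported service definitions: any entry it reports is a candidate for the same implicit-deny symptom shown in the debug output above.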