Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 6.4.13 Administration Guide
    6.4.13
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Dynamic SNAT

    Dynamic SNAT

    Dynamic SNAT maps the private IP addresses to the first available public address from a pool of addresses. In the FortiGate firewall, this can be done by using IP pools. IP pools is a mechanism that allows sessions leaving the FortiGate firewall to use NAT. An IP pool defines a single IP address or a range of IP addresses to be used as the source address for the duration of the session. These assigned addresses are used instead of the IP address assigned to that FortiGate interface.

    IP pool types

    FortiGate uses four types of IPv4 IP pools. This topic focuses on some of the differences between them.

    Overload

    This type of IP pool is similar to static SNAT mode. We need to define an external IP range that contains one or more IP addresses. When there is only one IP address it is almost the same as static SNAT, the outgoing interface address is used. When it contains multiple IP addresses, it is equivalent to an extended mode of static SNAT.

    For instance, if we define an overload type IP pool with two external IP addresses (172.16.200.1—172.16.200.2), since there are 60,416 available port numbers per IP, this IP pool can handle 60,416*2 internal IP addresses to the same service, where a service is defined by a specific protocol, destination IP address, and destination port.

    The mapped IP address can be calculated from the source IP address. The index number of the address in the pool is the remainder of the source IP address, in decimal, divided by the number addresses in the pool.

    Tooltip

    To calculate the decimal value of the source IP address, either use an online calculator, or use the following equation:

    a.b.c.d = a * (256)3 + b * (256)2 + c * (256) + d

    For example:

    192.168.0.1 = 192 * (256)3 + 168 * (256)2 + 0 * (256) + 1 = 3232235521

    If there is one IP pool, where:

    • P1 = the first address in the IP pool
    • R1 = the number of IP addresses in the IP pool
    • X = the source IP address as a decimal number
    • Y = the mapped IP address

    Then the equation to determine the mapped address is:

    Y = P1 + X mod R1

    For example:

    IP pool

    Source IP address

    172.26.73.20 to 172.26.73.90

    192.168.1.200
    1. Convert the source IP address to a decimal number:

      192 * (256)3 + 168 * (256)2 + 1 * (256) + 200 = 3232235976

    2. Determine the number of IP addresses in the pool:

      172.26.73.90 - 172.26.73.20 = 71

    3. Find the remainder of the source IP address divided by the number of addresses in the pool:

      3232235976 mod 71 = 26

    4. Add the remainder to the first IP address in the pool:

      172.26.73.20 + 26 = 172.26.73.46

      So, the mapped IP address is 172.26.73.46.

    If there are multiple IP pools, the calculation is similar to when there is only one pool.

    If there are two IP pools, where:

    • P1 = the first address in the first IP pool
    • P2 = the first address in the second IP pool
    • R1 = the number of IP addresses in the first IP pool
    • R2 = the number of IP addresses in the second IP pool
    • X = the source IP address as a decimal number
    • Y = the mapped IP address

    Then the equations to determine the mapped address are:

    If X mod (R1 + R2) >= R1, then Y = P2 + X mod R2

    If X mod (R1 + R2) < R1, then Y = P1 + X mod R1

    For example:

    IP pools

    Source IP address

    pool01: 172.26.73.20 to 172.26.73.90

    192.168.1.200

    pool02: 172.26.75.50 to 172.26.75.150
    1. Convert the source IP address to a decimal number:

      192 * (256)3 + 168 * (256)2 + 1 * (256) + 200 = 3232235976

    2. Determine the total number of IP addresses in the pools:

      (172.26.73.90 - 172.26.73.20) + (172.26.75.50 - 172.26.75.150) = 71 + 101 = 172

    3. Find the remainder of the source IP address divided by the number of addresses in the pools:

      3232235976 mod 172 = 108

    4. The remainder is greater than the number of addresses in pool01, so the address is selected from pool02 and the remainder is recalculated based only on pool02:

      3232235976 mod 101 = 40

    5. Add the new remainder to the first IP address in pool02:

      172.26.75.50 + 40 = 172.26.75.90

      So, the mapped IP address is 172.26.75.90.

    One-to-one

    This type of IP pool means that the internal IP address and the external (translated) IP address match one-to-one. The port address translation (PAT) is disabled when using this type of IP pool. For example, if we define a one-to-one type IP pool with two external IP addresses (172.16.200.1 - 172.16.200.2), this IP pool only can handle two internal IP addresses.

    Fixed port range

    For the overload and one-to-one IP pool types, we do not need to define the internal IP range. For the fixed port range type of IP pool, we can define both internal IP range and external IP range. Since each external IP address and the number of available port numbers is a specific number, if the number of internal IP addresses is also determined, we can calculate the port range for each address translation combination. So we call this type fixed port range. This type of IP pool is a type of port address translation (PAT).

    For instance, if we define one external IP address (172.16.200.1) and ten internal IP addresses (10.1.100.1-10.1.100.10), we have translation IP+Port combination like following table:

    Port block allocation

    This type of IP pool is also a type of port address translation (PAT). It gives users a more flexible way to control the way external IPs and ports are allocated. Users need to define Block Size/Block Per User and external IP range. Block Size means how many ports each Block contains. Block per User means how many blocks each user (internal IP) can use.

    The following is a simple example:

    • External IP Range: 172.16.200.1—172.16.200.1
    • Block Size: 128
    • Block Per User: 8

    Result:

    • Total-PBAs: 472 (60416/128)
    • Maximum ports can be used per User (Internal IP Address): 1024 (128*8)
    • How many Internal IP can be handled: 59 (60416/1024 or 472/8)

    Sample configuration

    To configure overload IP pool in the GUI:
    1. In Policy & Objects > IP Pools, click Create New.
    2. Select IPv4 Pool and then select Overload.

    To configure overload IP pool in the CLI:
    config firewall ippool
    edit "Overload-ippool"
        set startip 172.16.200.1
        set endip 172.16.200.1
    next
end
    To configure one-to-one IP pool using the GUI:
    1. In Policy & Objects > IP Pools, click Create New.
    2. Select IPv4 Pool and then select One-to-One.

    To configure one-to-one IP pool in the CLI:
    config firewall ippool
    edit "One-to-One-ippool"
        set type one-to-one
        set startip 172.16.200.1
        set endip 172.16.200.2
    next
end
    To configure fixed port range IP pool in the GUI:
    1. In Policy & Objects > IP Pools, click Create New.
    2. Select IPv4 Pool and then select Fixed Port Range.

    To configure fixed port range IP pool in the CLI:
    config firewall ippool
    edit "FPR-ippool"
        set type fixed-port-range
        set startip 172.16.200.1
        set endip 172.16.200.1
        set source-startip 10.1.100.1
        set source-endip 10.1.100.10
   next
end
    To configure port block allocation IP pool in the GUI:
    1. In Policy & Objects > IP Pools, click Create New.
    2. Select IPv4 Pool and then select Port Block Allocation.

    To configure port block allocation IP pool in the CLI:
    config firewall ippool
    edit PBA-ippool
        set type port-block-allocation
        set startip 172.16.200.1
        set endip 172.16.200.1
        set block-size 128
        set num-blocks-per-user 8
    next
end

    IP pools and blackhole route configuration

    In FortiOS 6.4.8 and below, all IP addresses used as IP pools and VIPs are considered local IP addresses if responding to ARP requests on these external IP addresses is enabled (set arp-reply enable, by default). In this case, the FortiGate is considered a destination for those IP addresses and can receive reply traffic at the application layer successfully.

    In FortiOS 6.4.9 and above, all IP addresses used as IP pools and VIPs are no longer considered local IP addresses if responding to ARP requests on these external IP addresses is enabled (set arp-reply enable, by default). In this case, the FortiGate is not considered a destination for those IP addresses and cannot receive reply traffic at the application layer without special handling.

    • This behavior affects FortiOS features in the application layer that use an IP pool as its source IP pool including SSL VPN web mode, explicit web proxy, and the Phase 1 local gateway of an interface mode IPsec VPN.

    • The FortiGate will not receive reply traffic at the application layer and the corresponding the FortiOS feature will not work as desired.

    • Configuring an IP pool as the source NAT IP address in a regular firewall policy works as before.

    For explicit proxy setups, one set of these steps is sufficient to avoid the issue:

    • Delete the blackhole route and ensure another route is defined that matches traffic for the IP pool reply traffic, or

    • Keep the blackhole route and if the IP pool consists of a single IP address, configure this IP address as a secondary IP address on an outgoing FortiGate interface. In this case, the secondary IP address is considered a local address, which allows the FortiGate to be considered a destination that can receive IP pool reply traffic.

    For SSL VPN web mode setups, the following steps are sufficient to avoid the issue:

    • Configure the first IP address in the IP pool as a secondary IP address on the outgoing FortiGate interface defined in the SSL VPN web mode firewall policy. In this case, the secondary IP address is considered a local address, which allows the FortiGate to be considered a destination that can receive IP pool reply traffic.

    Note

    For a given VDOM, if different SSL VPN web mode destinations need to go out from different interfaces, then each destination would need to have a different IP pool specified in the corresponding firewall policy.

    For interface mode IPsec VPN setups with local gateway configured, the following steps are sufficient to avoid the issue:

    • Keep the interface mode IPsec VPN Phase 1 local gateway configured as the IP pool and if the IP pool consists of a single IP address, configure this IP address as a secondary IP address on an outgoing FortiGate interface. In this case, the secondary IP address is considered a local address which allows the FortiGate to be considered a destination that can receive IP pool reply traffic.

    Explicit proxy configuration example

    In this explicit proxy configuration example, an IP pool with a single IP address is configured with set arp-reply enable configured by default along with a blackhole route that matches the reply traffic destined to the IP pool.

    config firewall ippool
    edit “ippool1”
        set startip 1.1.1.1
        set endip 1.1.1.1
    next
end
config router static
    edit 1
        set dst 1.1.1.0 255.255.255.0
        set blackhole enable
    next
end

    Suppose the explicit web proxy on the FortiGate has already been enabled and configured using steps described in Explicit web proxy. In the corresponding proxy policy, configure the IP pool ippool1 as the source IP address.

    config firewall proxy-policy
    edit 1
        set name "allow_traffic"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set poolname "ippool1"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
    next
end

    Because the blackhole route matches the reply traffic to the IP pool and drops it, then reply traffic cannot reach the explicit web proxy on the FortiGate.

    To resolve the issue caused by the blackhole route configuration, you can consider configuring one of the following settings:

    • Delete the blackhole route and ensure another route is defined that matches traffic for the IP pool reply traffic.

      In the example below, a default route for outgoing interface port1 is defined which matches the IP pool reply traffic.

      config router static
    delete 1
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device port1
    next
end

    • Keep the blackhole route and if the IP pool consists of a single IP address as in this example, configure this IP address as a secondary IP address on an outgoing FortiGate interface.

      In the example below, the outgoing interface port1 has a secondary IP of 1.1.1.1/24 defined on it.

      config system interface
    edit DMZ
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 1.1.1.1 255.255.255.0
            next
        end
    next
end

    SSL VPN web mode configuration example

    In this SSL VPN web mode configuration example, an IP pool with a single IP address is configured with set arp-reply enable configured by default along with a blackhole route that matches the reply traffic destined to the IP pool.

    config firewall ippool
    edit “ippool1”
        set startip 1.1.1.1
        set endip 1.1.1.1
    next
end
config router static
    edit 1
        set dst 1.1.1.0 255.255.255.0
        set blackhole enable
    next
end

    Suppose SSL VPN web mode has already been configured on the FortiGate using steps described in SSL VPN web mode for remote user. In the corresponding SSL VPN web mode firewall policy, configure the IP pool ippool1 as the source IP address and dynamic SNAT pool.

    config firewall policy
    edit 1
        set name "SSL_Web_SFTP"
        set srcintf "ssl.root"
        set dstintf "DMZ"
        set action accept
        set srcaddr "all"
        set dstaddr "SFTP_SERVER"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set fixedport enable
        set ippool enable
        set poolname "SSL_Web_SFTP"
        set groups "SSL_VPN_WEB_SFTP"
    next
end

    Because the blackhole route matches the reply traffic to the IP pool and drops it, then reply traffic from the secure FTP server connected to the FortiGate DMZ interface cannot reach the FortiGate SSL VPN web portal.

    To resolve the issue caused by the blackhole route configuration, configure the following settings:

    • Keep the blackhole route. If the IP pool consists of a single IP address as in this example, configure this IP address as a secondary IP address on the outgoing FortiGate interface defined in the SSL VPN web mode firewall policy.

      Note

      For a given VDOM, if different SSL VPN web mode destinations need to go out from different interfaces, then each destination would need to have a different IP pool specified in the corresponding firewall policy.

      In the example below, the DMZ interface is the outgoing interface used to reach the secure FTP server that requires a secondary IP of 1.1.1.1/24 to be defined on it.

      config system interface
    edit DMZ
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 1.1.1.1 255.255.255.0
            next
        end
    next
end

    Interface mode IPsec VPN with local gateway configuration example

    In this interface mode IPsec VPN with local gateway configuration example, an IP pool with a single IP address is configured with set arp-reply enable configured by default and this IP pool is specified with the local gateway setting.

    config firewall ippool
    edit “ippool2”
        set startip 1.2.3.4
        set endip 1.2.3.4
    next
end
config vpn ipsec phase1-interface
    edit “VPN1”
        ...
        set local-gw 1.2.3.4
        ...
    next
end

    Since the local gateway is configured with the IP address that matches an IP pool, this IP address is not considered local. Then, the IPsec VPN Phase 1 negotiation will fail and the IPsec tunnel will not come up as expected.

    To resolve the issue caused by the IP pool not being considered a local address for the interface mode IPsec VPN local gateway setting, configure the following settings:

    • Keep the interface mode IPsec VPN Phase 1 local gateway configured as the IP pool and if the IP pool consists of a single IP address, configure this IP address as a secondary IP address on the outgoing FortiGate interface used with the interface mode IPsec VPN tunnel. In this case, the secondary IP address is considered a local address, which allows the FortiGate to be considered a destination that can receive IP pool reply traffic.

    In the example below, the outgoing interface port2 is the physical interface used for the interface mode IPsec VPN tunnel. Therefore, define a secondary IP of 1.2.3.4/24 on this interface to ensure that IPsec Phase 1 negotiation succeeds and allows the IPsec tunnel to come up.

    config system interface
    edit port2
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 1.2.3.4 255.255.255.0
            next
        end
    next
end
    Previous
    Next

    Dynamic SNAT

    Dynamic SNAT

    Dynamic SNAT maps the private IP addresses to the first available public address from a pool of addresses. In the FortiGate firewall, this can be done by using IP pools. IP pools is a mechanism that allows sessions leaving the FortiGate firewall to use NAT. An IP pool defines a single IP address or a range of IP addresses to be used as the source address for the duration of the session. These assigned addresses are used instead of the IP address assigned to that FortiGate interface.

    IP pool types

    FortiGate uses four types of IPv4 IP pools. This topic focuses on some of the differences between them.

    Overload

    This type of IP pool is similar to static SNAT mode. We need to define an external IP range that contains one or more IP addresses. When there is only one IP address it is almost the same as static SNAT, the outgoing interface address is used. When it contains multiple IP addresses, it is equivalent to an extended mode of static SNAT.

    For instance, if we define an overload type IP pool with two external IP addresses (172.16.200.1—172.16.200.2), since there are 60,416 available port numbers per IP, this IP pool can handle 60,416*2 internal IP addresses to the same service, where a service is defined by a specific protocol, destination IP address, and destination port.

    The mapped IP address can be calculated from the source IP address. The index number of the address in the pool is the remainder of the source IP address, in decimal, divided by the number addresses in the pool.

    Tooltip

    To calculate the decimal value of the source IP address, either use an online calculator, or use the following equation:

    a.b.c.d = a * (256)3 + b * (256)2 + c * (256) + d

    For example:

    192.168.0.1 = 192 * (256)3 + 168 * (256)2 + 0 * (256) + 1 = 3232235521

    If there is one IP pool, where:

    • P1 = the first address in the IP pool
    • R1 = the number of IP addresses in the IP pool
    • X = the source IP address as a decimal number
    • Y = the mapped IP address

    Then the equation to determine the mapped address is:

    Y = P1 + X mod R1

    For example:

    IP pool

    Source IP address

    172.26.73.20 to 172.26.73.90

    192.168.1.200
    1. Convert the source IP address to a decimal number:

      192 * (256)3 + 168 * (256)2 + 1 * (256) + 200 = 3232235976

    2. Determine the number of IP addresses in the pool:

      172.26.73.90 - 172.26.73.20 = 71

    3. Find the remainder of the source IP address divided by the number of addresses in the pool:

      3232235976 mod 71 = 26

    4. Add the remainder to the first IP address in the pool:

      172.26.73.20 + 26 = 172.26.73.46

      So, the mapped IP address is 172.26.73.46.

    If there are multiple IP pools, the calculation is similar to when there is only one pool.

    If there are two IP pools, where:

    • P1 = the first address in the first IP pool
    • P2 = the first address in the second IP pool
    • R1 = the number of IP addresses in the first IP pool
    • R2 = the number of IP addresses in the second IP pool
    • X = the source IP address as a decimal number
    • Y = the mapped IP address

    Then the equations to determine the mapped address are:

    If X mod (R1 + R2) >= R1, then Y = P2 + X mod R2

    If X mod (R1 + R2) < R1, then Y = P1 + X mod R1

    For example:

    IP pools

    Source IP address

    pool01: 172.26.73.20 to 172.26.73.90

    192.168.1.200

    pool02: 172.26.75.50 to 172.26.75.150
    1. Convert the source IP address to a decimal number:

      192 * (256)3 + 168 * (256)2 + 1 * (256) + 200 = 3232235976

    2. Determine the total number of IP addresses in the pools:

      (172.26.73.90 - 172.26.73.20) + (172.26.75.50 - 172.26.75.150) = 71 + 101 = 172

    3. Find the remainder of the source IP address divided by the number of addresses in the pools:

      3232235976 mod 172 = 108

    4. The remainder is greater than the number of addresses in pool01, so the address is selected from pool02 and the remainder is recalculated based only on pool02:

      3232235976 mod 101 = 40

    5. Add the new remainder to the first IP address in pool02:

      172.26.75.50 + 40 = 172.26.75.90

      So, the mapped IP address is 172.26.75.90.

    One-to-one

    This type of IP pool means that the internal IP address and the external (translated) IP address match one-to-one. The port address translation (PAT) is disabled when using this type of IP pool. For example, if we define a one-to-one type IP pool with two external IP addresses (172.16.200.1 - 172.16.200.2), this IP pool only can handle two internal IP addresses.

    Fixed port range

    For the overload and one-to-one IP pool types, we do not need to define the internal IP range. For the fixed port range type of IP pool, we can define both internal IP range and external IP range. Since each external IP address and the number of available port numbers is a specific number, if the number of internal IP addresses is also determined, we can calculate the port range for each address translation combination. So we call this type fixed port range. This type of IP pool is a type of port address translation (PAT).

    For instance, if we define one external IP address (172.16.200.1) and ten internal IP addresses (10.1.100.1-10.1.100.10), we have translation IP+Port combination like following table:

    Port block allocation

    This type of IP pool is also a type of port address translation (PAT). It gives users a more flexible way to control the way external IPs and ports are allocated. Users need to define Block Size/Block Per User and external IP range. Block Size means how many ports each Block contains. Block per User means how many blocks each user (internal IP) can use.

    The following is a simple example:

    • External IP Range: 172.16.200.1—172.16.200.1
    • Block Size: 128
    • Block Per User: 8

    Result:

    • Total-PBAs: 472 (60416/128)
    • Maximum ports can be used per User (Internal IP Address): 1024 (128*8)
    • How many Internal IP can be handled: 59 (60416/1024 or 472/8)

    Sample configuration

    To configure overload IP pool in the GUI:
    1. In Policy & Objects > IP Pools, click Create New.
    2. Select IPv4 Pool and then select Overload.

    To configure overload IP pool in the CLI:
    config firewall ippool
    edit "Overload-ippool"
        set startip 172.16.200.1
        set endip 172.16.200.1
    next
end
    To configure one-to-one IP pool using the GUI:
    1. In Policy & Objects > IP Pools, click Create New.
    2. Select IPv4 Pool and then select One-to-One.

    To configure one-to-one IP pool in the CLI:
    config firewall ippool
    edit "One-to-One-ippool"
        set type one-to-one
        set startip 172.16.200.1
        set endip 172.16.200.2
    next
end
    To configure fixed port range IP pool in the GUI:
    1. In Policy & Objects > IP Pools, click Create New.
    2. Select IPv4 Pool and then select Fixed Port Range.

    To configure fixed port range IP pool in the CLI:
    config firewall ippool
    edit "FPR-ippool"
        set type fixed-port-range
        set startip 172.16.200.1
        set endip 172.16.200.1
        set source-startip 10.1.100.1
        set source-endip 10.1.100.10
   next
end
    To configure port block allocation IP pool in the GUI:
    1. In Policy & Objects > IP Pools, click Create New.
    2. Select IPv4 Pool and then select Port Block Allocation.

    To configure port block allocation IP pool in the CLI:
    config firewall ippool
    edit PBA-ippool
        set type port-block-allocation
        set startip 172.16.200.1
        set endip 172.16.200.1
        set block-size 128
        set num-blocks-per-user 8
    next
end

    IP pools and blackhole route configuration

    In FortiOS 6.4.8 and below, all IP addresses used as IP pools and VIPs are considered local IP addresses if responding to ARP requests on these external IP addresses is enabled (set arp-reply enable, by default). In this case, the FortiGate is considered a destination for those IP addresses and can receive reply traffic at the application layer successfully.

    In FortiOS 6.4.9 and above, all IP addresses used as IP pools and VIPs are no longer considered local IP addresses if responding to ARP requests on these external IP addresses is enabled (set arp-reply enable, by default). In this case, the FortiGate is not considered a destination for those IP addresses and cannot receive reply traffic at the application layer without special handling.

    • This behavior affects FortiOS features in the application layer that use an IP pool as its source IP pool including SSL VPN web mode, explicit web proxy, and the Phase 1 local gateway of an interface mode IPsec VPN.

    • The FortiGate will not receive reply traffic at the application layer and the corresponding the FortiOS feature will not work as desired.

    • Configuring an IP pool as the source NAT IP address in a regular firewall policy works as before.

    For explicit proxy setups, one set of these steps is sufficient to avoid the issue:

    • Delete the blackhole route and ensure another route is defined that matches traffic for the IP pool reply traffic, or

    • Keep the blackhole route and if the IP pool consists of a single IP address, configure this IP address as a secondary IP address on an outgoing FortiGate interface. In this case, the secondary IP address is considered a local address, which allows the FortiGate to be considered a destination that can receive IP pool reply traffic.

    For SSL VPN web mode setups, the following steps are sufficient to avoid the issue:

    • Configure the first IP address in the IP pool as a secondary IP address on the outgoing FortiGate interface defined in the SSL VPN web mode firewall policy. In this case, the secondary IP address is considered a local address, which allows the FortiGate to be considered a destination that can receive IP pool reply traffic.

    Note

    For a given VDOM, if different SSL VPN web mode destinations need to go out from different interfaces, then each destination would need to have a different IP pool specified in the corresponding firewall policy.

    For interface mode IPsec VPN setups with local gateway configured, the following steps are sufficient to avoid the issue:

    • Keep the interface mode IPsec VPN Phase 1 local gateway configured as the IP pool and if the IP pool consists of a single IP address, configure this IP address as a secondary IP address on an outgoing FortiGate interface. In this case, the secondary IP address is considered a local address which allows the FortiGate to be considered a destination that can receive IP pool reply traffic.

    Explicit proxy configuration example

    In this explicit proxy configuration example, an IP pool with a single IP address is configured with set arp-reply enable configured by default along with a blackhole route that matches the reply traffic destined to the IP pool.

    config firewall ippool
    edit “ippool1”
        set startip 1.1.1.1
        set endip 1.1.1.1
    next
end
config router static
    edit 1
        set dst 1.1.1.0 255.255.255.0
        set blackhole enable
    next
end

    Suppose the explicit web proxy on the FortiGate has already been enabled and configured using steps described in Explicit web proxy. In the corresponding proxy policy, configure the IP pool ippool1 as the source IP address.

    config firewall proxy-policy
    edit 1
        set name "allow_traffic"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set poolname "ippool1"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
    next
end

    Because the blackhole route matches the reply traffic to the IP pool and drops it, then reply traffic cannot reach the explicit web proxy on the FortiGate.

    To resolve the issue caused by the blackhole route configuration, you can consider configuring one of the following settings:

    • Delete the blackhole route and ensure another route is defined that matches traffic for the IP pool reply traffic.

      In the example below, a default route for outgoing interface port1 is defined which matches the IP pool reply traffic.

      config router static
    delete 1
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device port1
    next
end

    • Keep the blackhole route and if the IP pool consists of a single IP address as in this example, configure this IP address as a secondary IP address on an outgoing FortiGate interface.

      In the example below, the outgoing interface port1 has a secondary IP of 1.1.1.1/24 defined on it.

      config system interface
    edit DMZ
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 1.1.1.1 255.255.255.0
            next
        end
    next
end

    SSL VPN web mode configuration example

    In this SSL VPN web mode configuration example, an IP pool with a single IP address is configured with set arp-reply enable configured by default along with a blackhole route that matches the reply traffic destined to the IP pool.

    config firewall ippool
    edit “ippool1”
        set startip 1.1.1.1
        set endip 1.1.1.1
    next
end
config router static
    edit 1
        set dst 1.1.1.0 255.255.255.0
        set blackhole enable
    next
end

    Suppose SSL VPN web mode has already been configured on the FortiGate using steps described in SSL VPN web mode for remote user. In the corresponding SSL VPN web mode firewall policy, configure the IP pool ippool1 as the source IP address and dynamic SNAT pool.

    config firewall policy
    edit 1
        set name "SSL_Web_SFTP"
        set srcintf "ssl.root"
        set dstintf "DMZ"
        set action accept
        set srcaddr "all"
        set dstaddr "SFTP_SERVER"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set fixedport enable
        set ippool enable
        set poolname "SSL_Web_SFTP"
        set groups "SSL_VPN_WEB_SFTP"
    next
end

    Because the blackhole route matches the reply traffic to the IP pool and drops it, then reply traffic from the secure FTP server connected to the FortiGate DMZ interface cannot reach the FortiGate SSL VPN web portal.

    To resolve the issue caused by the blackhole route configuration, configure the following settings:

    • Keep the blackhole route. If the IP pool consists of a single IP address as in this example, configure this IP address as a secondary IP address on the outgoing FortiGate interface defined in the SSL VPN web mode firewall policy.

      Note

      For a given VDOM, if different SSL VPN web mode destinations need to go out from different interfaces, then each destination would need to have a different IP pool specified in the corresponding firewall policy.

      In the example below, the DMZ interface is the outgoing interface used to reach the secure FTP server that requires a secondary IP of 1.1.1.1/24 to be defined on it.

      config system interface
    edit DMZ
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 1.1.1.1 255.255.255.0
            next
        end
    next
end

    Interface mode IPsec VPN with local gateway configuration example

    In this interface mode IPsec VPN with local gateway configuration example, an IP pool with a single IP address is configured with set arp-reply enable configured by default and this IP pool is specified with the local gateway setting.

    config firewall ippool
    edit “ippool2”
        set startip 1.2.3.4
        set endip 1.2.3.4
    next
end
config vpn ipsec phase1-interface
    edit “VPN1”
        ...
        set local-gw 1.2.3.4
        ...
    next
end

    Since the local gateway is configured with the IP address that matches an IP pool, this IP address is not considered local. Then, the IPsec VPN Phase 1 negotiation will fail and the IPsec tunnel will not come up as expected.

    To resolve the issue caused by the IP pool not being considered a local address for the interface mode IPsec VPN local gateway setting, configure the following settings:

    • Keep the interface mode IPsec VPN Phase 1 local gateway configured as the IP pool and if the IP pool consists of a single IP address, configure this IP address as a secondary IP address on the outgoing FortiGate interface used with the interface mode IPsec VPN tunnel. In this case, the secondary IP address is considered a local address, which allows the FortiGate to be considered a destination that can receive IP pool reply traffic.

    In the example below, the outgoing interface port2 is the physical interface used for the interface mode IPsec VPN tunnel. Therefore, define a secondary IP of 1.2.3.4/24 on this interface to ensure that IPsec Phase 1 negotiation succeeds and allows the IPsec tunnel to come up.

    config system interface
    edit port2
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 1.2.3.4 255.255.255.0
            next
        end
    next
end
    Previous
    Next