Today's lab consisted of testing a theory from my @Fortinet NSE4 and NSE5: To connect FortiGates to FortiManager and FortiAnazyler from across the WAN using a VIP.

#THREAD

#HaitianNetworkEngineer
#BlackTechTwitter
#TechTwitter
#FutureCCIE
#NSE5
#Fortinet
Mapping a specific IP address to another specific IP address is usually called Destination NAT (DNAT). FortiOS calls this a Virtual IP address (VIP). DNAT, or VIP, is are used to map an external IP address to an IP address or address range.
The mapping can include all TCP/UDP ports or, if port forwarding is enabled, it only refers to the specific configured ports.
VIPs are typically used to NAT external or public IP addresses to internal or private IP addresses.
So how can VIP help me with this lab? I wanted to test if I can connect FGT's that cross over the WAN and connect to FMG and FAZ that sits behind a FGT inside of adding it via that inside (LAN) address and traverse through the IPSec tunnel.
Why? Well what if the tunnel goes down, then along with other resources my end users at Site A cant reach because the tunnel is down, my FortiGate at that site can't be managed by FortiManager and FortiAnayzler.
So the first step in this process is to configure a VIP on my FGT that FMG and FAZ(FAZ is not in this lab) sits in front of. The VIP is configured as follows:
FMG-VIP: Map 3.1.6.2 (WAN interface) to FMG (10.3.1.100).
But i wanted to make this VIP more specific because in a production enviornment I can be using more VIPs for other services, so I drilled down what Ports (both TCP and UDP) FMG will use.
I confirmed from my studies that FMG uses the following to manage a FortiGate:

TCP 541 == Remote Management of Fortigate
TCP 8888 == FortiGuard Antispam and webfiltering rating lookup from Forticlient or FortiGate
TCP 8890 == FortiGuard AV and IPS update request from FortiGate
After configuring this, next I had to configure my firewall policy for my VIP to work properly. but even before that to effectively organize and manage my policy in the future,
I created address objects and groups that had the remote fortigates WAN addresses so that I may set those as my "Source Addresses" in my policy.
Heres why, the policy for my VIP will be allowing connections from outside (WAN) to inside (LAN). With opening up my network to the "wild" I had to make sure I make this policy as "SPECIFIC" as possible to not open up the network to threats.
So after configuring the Address Objects needed, I created my firewall policy:
From WAN-->LAN
Source: Remote Fortigate (Address Group)
Destination: FMG-VIP (Destination NAT)
Service: FMG ports (TCP and UDP specific ports)
NAT: Enabled
Now why am I enabling NAT? This is for the VIP to work as expected (WAN 3.1.6.2 to 10.3.1.100)
So when that traffic hits the WAN interface and destined for FMG, the source will be NAT'ed to the LAN interface so that FMG doesn't have to have a route to the FortiGates that are in the wild.
To add, I took a packet capture to confirm the ports that are allowed for the VIP is working properly.
As you can see, I added Lab-FortiGate-4 to FortiManager and did this capture.
The FortiGate in front of FMG (Lab-FortiGate-3) is doing NAT and passing those ports as the source is the LAN interface of the FortiGate
Source: 4.1.6.2
Destination: 3.1.6.2 - FortiManager VIP/ WAN IP
Source NAT'ed: 10.3.1.254
Destination NAT'ed: 10.3.1.100 - FortiManager
This was fun, more to come
"Stay in the gym" - JM / CS

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Haitian Network Engineer 🇭🇹

Haitian Network Engineer 🇭🇹 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(