Hello forum members. My first post. Recently we purchased a FortiGate 1000D and replaced TMG 2010 successfully. I found a lot of similar discussions, but none of them describe my issue.
Now I can't create one rule (can't figure out how to) which I can create easily on Kerio Control or TMG itself.
What I need is to forward the SMTP port to the Exchange Server itself (10.22.10.59), bypassing my AntiSpamServer (10.22.10.80), when the connection comes from a specific IP address (let's say 2.3.4.5).
In other words, I need a VIP rule like the one below:
my.wan.ip.addr --> 10.22.10.80 (TCP: 25 --> 25) | (this is ok)
my.wan.ip.addr --> 10.22.10.59 (TCP: 25 --> 25) srcip 2.3.4.5 | this is not ok
Please note that I have a forwarding rule for the SMTP service and it works well. All requests to that service are forwarded to 10.22.10.80. This is ok. Now how do I exempt a WAN IP by forwarding its SMTP queries directly to my Exchange Server (10.22.10.59)?
With port forwarding, you can only have one SourceIP/port (socket) definition. You will have to find another mechanism to accomplish what you are trying to do. Try using 0.0.0.0 port 25 for the other.
Bob - self-proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
I may be mistaken given Bob's post above, but I would have thought you could easily accomplish this. You simply need two different VIP objects and two different firewall rules. You already have half of it with the VIP that has 10.22.10.80 as the mapped IP, and your firewall rule that allows all traffic from the Internet to that destination. Your second VIP would need to be defined with a mapped IP of 10.22.10.59 (still port 25). Now you just need a firewall rule above your other firewall rule that looks for traffic from 8.8.8.8 and maps to the second VIP. Traffic sourced from other IPs won't match that and should fall to the next rule that has been working for you.
Let me know if this works, as it will be an interesting revelation to me if it doesn't. - Daniel
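The two-VIP, two-policy layout Daniel describes, written out as FortiOS CLI. This is an added example, not configuration from the thread: the WAN IP 203.0.113.10, the interface names wan1/internal, the object names and the policy IDs are placeholders, and the `src-filter` line on the direct VIP is an extra restriction the thread does not mention, so that the VIP itself only applies to the trusted relay and Bob's overlapping-socket concern does not arise.

```text
config firewall address
    edit "Trusted-SMTP-Relay"
        set subnet 2.3.4.5 255.255.255.255
    next
end
config firewall vip
    edit "VIP-SMTP-AntiSpam"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set extport 25
        set mappedip "10.22.10.80"
        set mappedport 25
    next
    edit "VIP-SMTP-Exchange-Direct"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set extport 25
        set mappedip "10.22.10.59"
        set mappedport 25
        # beyond the thread: this VIP is only valid for the trusted relay
        set src-filter "2.3.4.5"
    next
end
config firewall policy
    # most specific policy first: the trusted relay goes straight to Exchange
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "Trusted-SMTP-Relay"
        set dstaddr "VIP-SMTP-Exchange-Direct"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
    # catch-all: every other sender still lands on the anti-spam gateway
    edit 11
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP-SMTP-AntiSpam"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
    # policies are matched top-down, so the narrow one must sit above the catch-all
    move 10 before 11
end
```

Because the direct path skips the anti-spam server, the single-host `srcaddr` (and `src-filter`) is the only control keeping it closed; log both policies and check the traffic log to confirm that only 2.3.4.5 ever hits policy 10.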
Copyright 2024 Fortinet, Inc. All Rights Reserved.