live89
Contributor

PBR to virtual server

Hello experts,

I have a question regarding configuring PBR and mapping the destination IP to virtual server load balance.

Yesterday we configured a Virtual Server to load balance traffic to two proxy servers, and then configured a PBR that says that whoever wants to surf the internet should go to the Virtual Server IP address.

Source: clients lan

Destination: 0.0.0.0/0

Outgoing Interface: Proxy's gateway interface

Gateway address: virtual server IP address

And that didn't work.

We thought it might be because the FortiGate is searching for the virtual server IP address behind that interface without looking into the virtual server configuration, so we configured the virtual server IP address as a secondary IP address on the relevant interface. We also tried configuring it as a VIP. We also tried configuring it as proxy-ARP. None of those helped to solve the problem.

In diagnose debug we saw that when the client tried to surf the internet, the PBR mapped the traffic to the relevant interface, but then the policy denied it because the destination IP address was not the virtual server IP address.

id=20085 trace_id=13743 func=print_pkt_detail line=5348 msg="vd-root received a packet(proto=1, 10.30.255.250:4->8.8.8.8:2048) from 664. type=8, code=0, id=4, seq=49676."
id=20085 trace_id=13743 func=init_ip_session_common line=5507 msg="allocate a new session-be0cdbaf"
id=20085 trace_id=13743 func=vf_ip_route_input_common line=2565 msg="Match policy routing: to 172.19.1.18 via ifindex-45"
id=20085 trace_id=13743 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-172.19.1.18 via root"
id=20085 trace_id=13743 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"

172.19.1.18 (virtual server IP address)

10.30.255.250 (client IP address)

ifindex-45 (proxy GW interface)

It looks like PBR cannot map traffic to a virtual server. Is that correct?

Please advise

Thanks