Port forward based on source IP

Author
Gao
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/05/23 13:46:55
  • Status: offline
2020/05/23 14:06:05 (permalink)
0

Port forward based on source IP

For a Fortigate 500E (FortiOS 6.0.9), can I do port forwarding based on source IP?

For example, if client A (IP 1.2.3.4) tries to access our internal FTP server, when it reaches the WAN interface of the Fortigate on port 21, I want it forwarded to FTP server X at internal IP 10.1.1.3 on port 21. All other clients (any IP which is NOT 1.2.3.4) reaching WAN port 21 will be forwarded to a different FTP server Y at IP 10.1.1.4 on port 21.
 
Thanks for help.
 
  
#1

2 Replies

    lobstercreed
    Gold Member
    • Total Posts : 229
    • Scores: 25
    • Reward points: 0
    • Joined: 2018/11/28 14:57:58
    • Location: Sedalia, MO
    • Status: offline
    Re: Port forward based on source IP 2020/05/24 10:00:27 (permalink)
    0
    I'm not sure if this will work as I've never had your use case, but I think you could maybe use the src-filter attribute from CLI to configure the VIP that you want to work from 1.2.3.4. 
     
    I could see a problem potentially that the other object that doesn't have the src-filter would also match on traffic from 1.2.3.4 so it still might not do what you want.  I'd suggest experimenting with that attribute though.
     
    Otherwise you might need to just use a different port and tell the client at 1.2.3.4 to connect on port 21021 for example and then NAT that to your different IP.
    #2
    mbence84
    New Member
    • Total Posts : 4
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/07/11 13:01:08
    • Status: offline
    Re: Port forward based on source IP 2020/05/25 05:56:59 (permalink)
    0
    Good Day,
     
    I think I might be able to assist. So what you do is you create two VIPs, see below. If you are using the same destination IP and port, you are forced to use the source filter option on both entries, not just one. So you create the one VIP with the actual source IP/network and the second VIP with your subnet 0.0.0.0/0 split in two, and add them on there. This should catch all other IPs if not from the first VIP source. Once you have completed the VIPs, go update your security policy so that the specific catch policy is first, with the address entry also that of the same source in the policy with the matching VIP. Then create a follow-up policy for all others with any source to the second VIP. That should do the trick.
     
    config firewall vip
        edit "VIP1"
            set src-filter "10.10.204.0/24"
            set extip 10.10.204.250
            set extintf "port1"
            set portforward enable
            set mappedip "10.10.10.10"
            set extport 3389
            set mappedport 3389
        next
        edit "VIP2"
            set src-filter "0.0.0.0/1" "128.0.0.0/1"
            set extip 10.10.204.250
            set extintf "port1"
            set portforward enable
            set mappedip "10.10.20.10"
            set extport 3389
            set mappedport 3389
        next
    end
    #3
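Added example (not from the thread or from Fortinet): a small Python model of the two-VIP setup described in the reply above, applied to the original poster's FTP scenario. It assumes FortiOS semantics that a VIP with an empty src-filter matches any source, that 0.0.0.0/1 plus 128.0.0.0/1 together stand in for "any", and that firewall policies are evaluated top-down, first match wins; the WAN address 203.0.113.10 and the second client 198.51.100.7 are constructed values.

```python
import ipaddress

# Constructed model of FortiOS VIP + policy matching; not FortiGate code.
# Scenario from the thread: 1.2.3.4 -> server X (10.1.1.3), others -> Y (10.1.1.4).
VIPS = {
    "VIP_FTP_X": {"extip": "203.0.113.10", "extport": 21,
                  "mappedip": "10.1.1.3", "mappedport": 21,
                  "src_filter": ["1.2.3.4/32"]},
    # Both halves of the IPv4 space, as in the reply's VIP2.
    "VIP_FTP_Y": {"extip": "203.0.113.10", "extport": 21,
                  "mappedip": "10.1.1.4", "mappedport": 21,
                  "src_filter": ["0.0.0.0/1", "128.0.0.0/1"]},
}

# Ordered firewall policies: (srcaddr prefixes, VIP used as dstaddr).
# The policy for the specific client must sit above the catch-all.
POLICIES = [
    (["1.2.3.4/32"], "VIP_FTP_X"),
    (["0.0.0.0/0"], "VIP_FTP_Y"),
]

def in_any(ip, prefixes):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def vip_matches(name, src, dst, dport):
    v = VIPS[name]
    # Assumption: an empty src-filter means the VIP accepts any source.
    src_ok = not v["src_filter"] or in_any(src, v["src_filter"])
    return dst == v["extip"] and dport == v["extport"] and src_ok

def resolve(src, dst, dport, policies=POLICIES):
    """Return (mappedip, mappedport) from the first policy whose srcaddr
    and VIP both match the packet, or None when nothing matches."""
    for srcaddrs, vip in policies:
        if in_any(src, srcaddrs) and vip_matches(vip, src, dst, dport):
            v = VIPS[vip]
            return v["mappedip"], v["mappedport"]
    return None

def src_filter_covers_all(name):
    """Check that a catch-all VIP's src-filter prefixes merge to 0.0.0.0/0."""
    nets = [ipaddress.ip_network(p) for p in VIPS[name]["src_filter"]]
    merged = list(ipaddress.collapse_addresses(nets))
    return merged == [ipaddress.ip_network("0.0.0.0/0")]
```

Reversing POLICIES sends 1.2.3.4 to server Y as well, which is the ordering pitfall the reply warns about.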