Policy Object "Service" setting for Virtual IP Port forwarding... | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB
Fuse
- Fuse Fortinet User Community

Mark Thread UnreadFlat Reading Mode ❐

Hot!Policy Object "Service" setting for Virtual IP Port forwarding...

Author Post Essentials Only Full Version
tplau New Member Total Posts : 2 Scores: 0 Reward points: 0 Joined: 2020/11/24 23:48:24 Status: offline 2020/11/25 00:08:51 (permalink) 5.6 0 Policy Object "Service" setting for Virtual IP Port forwarding... Hi all, I encountered the following situation and would like to understand more the mechanism behind. I am setting up Virtual IP port forwarding and IPv4 policy object, such that I can ssh to private machine from public IP, for example, public_ip:22099 -> private_pc099:22 When checking the tutorial in setting up the IPv4 policy object, the guideline tells us to set the "Service" to ALL (or ANY), as the port forwarding rule in Virtual IP object will only forward the port 22099 to 22. While I can achieve the ssh purpose successfully for setting ALL for service, as an experiment, I created explicitly the port 22099 as a new Service object, then assign the 22099 service in the IPv4 Policy object's Service attribute. Then I cannot SSH to public_ip:22099 -> private_pc099:22. But if I set SSH as the service in IPv4 Policy object, the SSH connection can be made successfully. So if the above situation is expected, may I understand more the mechanism behind, for example, why I need to set the service to SSH (22) instead of Service_22099? Thanks a lot for any comments. Regards, Patrick #1 2 Replies Related Threads
ede_pfau Expert Member Total Posts : 6411 Scores: 551 Reward points: 0 Joined: 2004/03/09 01:20:18 Location: Heidelberg, Germany Status: offline Re: Policy Object "Service" setting for Virtual IP Port forwarding... 2020/11/25 04:24:13 (permalink) 0 hi, and welcome to the forums. The explanation is quite simple: a VIP does DNAT. NAT is done before matching the policy. So the service field in the policy needs to match the translated port. There is a document about this, "Life of a packet" IIRC, which explains the flow of data and operations. Ede " Kernel panic: Aiee, killing interrupt handler!" #2
tplau New Member Total Posts : 2 Scores: 0 Reward points: 0 Joined: 2020/11/24 23:48:24 Status: offline Re: Policy Object "Service" setting for Virtual IP Port forwarding... 2020/11/25 19:29:33 (permalink) 0 ede_pfau hi, and welcome to the forums. The explanation is quite simple: a VIP does DNAT. NAT is done before matching the policy. So the service field in the policy needs to match the translated port. There is a document about this, "Life of a packet" IIRC, which explains the flow of data and operations. Thanks a lot for the explanation :) #3

Jump to:

© 2021 APG vNext Commercial Version 5.5