Fortigate Limitation

I discovered a real annoying limitation to the Fortigate firewalls today.  And although this limitation wont be encountered on a daily basis, I know this is not a unusual setup, and above that I know that Cisco Pix Firewall support this, as I have done this before.

Suppose the the following scenario:

fortilimit

Suppose traffic from the Big Bad Internet is destined to company  BOB’s application server at 170.1.1.1:8081.

On the Fortigate you create a port-nat to the  server’s internal address of 192.168.102.1.

Assume BOB.COM has their DMZ-Internal VRF behind the firewall. And assume for financial/latency reasons, that BOB.COM has a third-party VRF used by clients from the same ISP to route their traffic via MPLS, destined to 170.1.1.1. This makes sense right, and provides these client with optimal routing to 170.1.1.1 and optionally a back-up via their Internet connection, in the event that something goes wrong in the MPLS network.

But this is where you will get stuck. You won’t be able to create a nat on the Fortigate MPLS interface for 197.1.1.1, because a Fortigate ties each NAT to ONLY ONE interface. Really silly considering there are a coule scenarios where this would be needed. Obviously there are some work arounds, like doing a double nat or using a different IP via MPLS, but this is non-optimal.

This was reported to Fortigate as a bug, but their reply implied it is a feature,  and something they will not be correcting.

Advertisements

6 thoughts on “Fortigate Limitation

    1. When you create your Nat instance – You’d Specify the Interface as “Any” that way the Nat can be used from Multiple interfaces; if the Nat was originally created and bound to an Interface and rules applied; the Nat Instance Interface cannot then be changed to “Any” Interface – Unless removes for that Nat temporarily removed – Nat Changed and then Rules re-applied and new Rules added (on Live Device) – with a Fortimanager – the Nat can just be changed to “Any” interface

      1. True – was remedially fixed in a patch – just listing current limitations too – live device vs fortimanager and process :-)

Please leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s