
Azure vWAN SD-WAN NGFW Deployment Guide

7.4.0

Completing internet inbound/DNAT policy configuration

To configure a VIP and policy:

You must configure an inbound SLB policy together with a VIP rule and a corresponding firewall policy. The following FortiOS sample configures both for port 9001 (rule2 from the example SLB rules). In this example, 4.255.139.49 is the public IP address attached to the SLB:

config firewall vip
    edit "VIPwebserver"
        set extip 4.255.139.49
        set mappedip "192.168.1.4"
        set extintf "port1"
        set portforward enable
        set extport 9001
        set mappedport 22
    next
end
config firewall policy
    edit 20
        set name "inbounddemo-144"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "VIPwebserver"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

You must enable source NAT for this policy. Otherwise, return traffic follows the 0.0.0.0/0 route in the destination VNet. With routing intent enabled for the quad-zero route, that route returns the traffic to the Azure internal load balancer in the vWAN hub. Because this load balancer holds no session state for traffic initiated from public addresses, it may send the return traffic to any member of the backend pool, which will likely not be the FortiGate that originated the session. SNAT avoids this problem by returning the traffic to the correct FortiGate.
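The following is an added illustration of the return-path problem described above; it is not part of the Fortinet guide. It models two FortiGates behind the Azure public SLB (inbound) and the vWAN hub internal load balancer (the 0.0.0.0/0 next hop under routing intent), with both balancers reduced to a stateless flow hash. The FortiGate names and the client addresses are constructed for the model; the public IP, external port and mapped IP are the ones from the VIP sample above.

```powershell
# Constructed topology for the model (not real deployment values).
$FortiGates  = @('fgt-a', 'fgt-b')
$SlbPublicIp = '4.255.139.49'   # extip from the VIP sample above
$Backend     = '192.168.1.4'    # mappedip from the VIP sample above

function Select-Backend([string] $Tuple) {
    # Stateless stand-in for a load balancer's flow hash. String.GetHashCode is
    # randomised per process in .NET, so hash the bytes by hand instead.
    $hash = 0
    foreach ($b in [System.Text.Encoding]::ASCII.GetBytes($Tuple)) {
        $hash = ($hash * 31 + $b) % 65521
    }
    return $FortiGates[$hash % $FortiGates.Count]
}

function Test-ReturnPath([bool] $SourceNat, [int] $Flows = 200) {
    $broken = 0
    for ($i = 0; $i -lt $Flows; $i++) {
        $client = "203.0.113.$(($i % 250) + 1)"   # constructed public client (TEST-NET-3)
        $sport  = 40000 + $i

        # Inbound: the public SLB picks the FortiGate that DNATs the flow and
        # therefore owns the session state.
        $owner = Select-Backend "${client}:${sport}->${SlbPublicIp}:9001"

        if ($SourceNat) {
            # Policy with 'set nat enable': the backend sees the owner's port2
            # address as the source and replies directly to that FortiGate.
            $arrivesAt = $owner
        } else {
            # Policy without SNAT: the backend replies to the client's public
            # address, which matches 0.0.0.0/0 and is handed to the internal LB.
            # That LB holds no state for this flow, so it hashes afresh.
            $arrivesAt = Select-Backend "${Backend}:22->${client}:${sport}"
        }
        # A reply landing on a FortiGate with no session for it is dropped.
        if ($arrivesAt -ne $owner) { $broken++ }
    }
    return [pscustomobject]@{
        SourceNat      = $SourceNat
        Flows          = $Flows
        BrokenSessions = $broken
    }
}

Test-ReturnPath -SourceNat $false
Test-ReturnPath -SourceNat $true
```

Run the script as-is and compare the BrokenSessions count of the two objects it prints: the SNAT case keeps every reply on the FortiGate that owns the session, while the non-SNAT case scatters replies across the pool because the internal load balancer has nothing but the reply's own tuple to hash on.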

To troubleshoot this configuration:

The deployment assigns a system-assigned managed identity (MI) with the correct permissions. Propagation of the MI's permissions in Microsoft Entra ID may take a few minutes.

Note

The following procedure is a workaround. You only need to perform this procedure if role assignment on the system-assigned identity does not succeed.

  1. On the Azure portal, go to the managed resource group and click Show Hidden types to see the deployed NVA.
  2. Copy the NVA name.
  3. On the Azure portal, go to Microsoft Entra ID > Enterprise applications > All applications. Select Managed Identities as the filter. Search for your NVA, select it, and copy the object ID.
  4. In Azure PowerShell, run Get-AzRoleAssignment -ObjectId <object ID>.
  5. Deploying the marketplace listing creates an NVAcontributor-<GUID> role definition and assigns it to the managed application object ID. If this is not the case, add a role definition with the following permissions manually by going to Subscriptions > IAM > Add role assignment and creating a custom role with the following allowed actions:
    "actions": [
        "Microsoft.Solutions/applications/read",
        "Microsoft.Network/networkVirtualAppliances/read",
        "Microsoft.Network/networkVirtualAppliances/write",
        "Microsoft.Network/networkVirtualAppliances/inboundSecurityRules/read",
        "Microsoft.Network/networkVirtualAppliances/inboundSecurityRules/write",
        "Microsoft.Resources/subscriptions/resourcegroups/read",
        "Microsoft.Network/publicIPAddresses/read"
    ]
  6. Create a role assignment by assigning access to Managed Identity. Under Members, select All system-assigned managed identities. Select the deployed resource and assign.
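The same workaround (steps 3 to 6) carried out from Azure PowerShell, as an added example that is not part of the Fortinet guide. It assumes the Az.Accounts and Az.Resources modules are installed and that Connect-AzAccount has already been run by an account that can manage IAM on the subscription. Get-AzRoleAssignment is the cmdlet named in step 4; Get-AzADServicePrincipal, Get-AzRoleDefinition, New-AzRoleDefinition, New-AzRoleAssignment and Set-AzContext are standard Az cmdlets. The subscription ID and NVA name are placeholders, and the role name NVAcontributor-manual is an assumed name for the manually created role, not the NVAcontributor-<GUID> definition the deployment creates.

```powershell
# Added example, not part of the Fortinet guide. Parameter values are placeholders.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,   # placeholder: subscription holding the vWAN hub
    [Parameter(Mandatory)] [string] $NvaName,          # placeholder: NVA name copied in step 2
    [string] $RoleName = 'NVAcontributor-manual'       # assumed name for the manually created role
)

# Allowed actions from step 5 of the guide.
$RequiredActions = @(
    'Microsoft.Solutions/applications/read',
    'Microsoft.Network/networkVirtualAppliances/read',
    'Microsoft.Network/networkVirtualAppliances/write',
    'Microsoft.Network/networkVirtualAppliances/inboundSecurityRules/read',
    'Microsoft.Network/networkVirtualAppliances/inboundSecurityRules/write',
    'Microsoft.Resources/subscriptions/resourcegroups/read',
    'Microsoft.Network/publicIPAddresses/read'
)
$Scope = "/subscriptions/$SubscriptionId"

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Step 3: a system-assigned identity shows up as an enterprise application whose
# display name is the NVA name; its Id is the object ID the guide asks for.
$sp = Get-AzADServicePrincipal -DisplayName $NvaName
if (-not $sp) {
    throw "No service principal named '$NvaName' was found; check the NVA name and allow time for Entra ID propagation."
}
if ($sp.Count -gt 1) {
    throw "More than one service principal is named '$NvaName'; pick the object ID from the portal instead."
}
$objectId = $sp.Id

# Step 4: list what the identity already holds at subscription scope.
$assignments = Get-AzRoleAssignment -ObjectId $objectId -Scope $Scope
$nvaRole = $assignments | Where-Object { $_.RoleDefinitionName -like 'NVAcontributor*' }
if ($nvaRole) {
    Write-Output "Role assignment already present: $($nvaRole.RoleDefinitionName) at $($nvaRole.Scope)"
    return
}

# Step 5: create the custom role if it does not exist yet, using the built-in
# Reader definition as a template and replacing its actions with the required set.
$role = Get-AzRoleDefinition -Name $RoleName
if (-not $role) {
    $role = Get-AzRoleDefinition -Name 'Reader'
    $role.Id = $null
    $role.IsCustom = $true
    $role.Name = $RoleName
    $role.Description = 'Manual replacement for the NVAcontributor role created by the marketplace deployment'
    $role.Actions.Clear()
    foreach ($action in $RequiredActions) { $role.Actions.Add($action) }
    $role.NotActions.Clear()
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add($Scope)
    $role = New-AzRoleDefinition -Role $role
    Write-Output "Created custom role '$RoleName'"
}

# Step 6: assign the role to the identity at subscription scope. A freshly
# created definition can take a moment to become assignable, so retry briefly.
for ($attempt = 1; $attempt -le 5; $attempt++) {
    try {
        New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $RoleName -Scope $Scope | Out-Null
        Write-Output "Assigned '$RoleName' to object $objectId at $Scope"
        break
    } catch {
        if ($attempt -eq 5) { throw }
        Start-Sleep -Seconds 15
    }
}
```

The script is idempotent: it exits early when an NVAcontributor assignment already exists, reuses the custom role when it is already defined, and only then assigns it. Keeping the custom role limited to the seven actions from step 5 and to subscription scope matches what the marketplace deployment grants, so the workaround does not widen the identity's permissions beyond the intended ones.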
