Configuring internet inbound/DNAT policies without FortiManager
In FortiOS 7.4.4 and later versions, you can configure internet inbound policies via the following CLI commands:
| Command | Description |
|---|---|
| `execute azure vwan-slb show` | Shows all active permanent and temporary inbound rules configured on the associated standard load balancer (SLB). The following shows example output for this command: |
| `execute azure vwan-slb pull` | Pulls remote SLB policy settings and overwrites the local settings. |
The following shows the inbound policy configuration workflow:
You can configure and push the policy from any FortiGate. The internet inbound SLB policy does not sync across FortiGates. Selecting a single FortiGate to edit the policy is recommended.
You can add an existing Public IP of standard SKU to the Azure vWAN SLB. See Adding additional public IP addresses.
To configure the internet inbound policy using the FortiOS CLI on the primary policy configuration NVA node (`set mode active` must be set on the primary policy configuration NVA node):

```
config azure vwan-slb
    set mode active
    config permanent-security-rules
        config rules
            edit "rule1"
                set protocol TCP
                set source-address-prefix "10.90.25.0/24"
                set destination-port-ranges "5600-5650, 443, 8080"
                set applies-on "intinbound-slb-pip"
            next
            edit "rule2"
                set source-address-prefix "10.80.20.0/24"
                set destination-port-ranges "9001"
                set applies-on "intinbound-slb-pip"
            next
        end
    end
end
```
In this configuration, `source-address-prefix` applies as access control and does not NAT.
If you must select a new FortiGate to edit the policy, run the aforementioned commands on the new FortiGate, then run `execute azure vwan-slb pull` before changing the policy.
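The following is an added example, not code from this page or from Fortinet: it parses the `config azure vwan-slb` permanent-security-rules block above and reports which rules admit a given source IP, protocol and destination port, so the access-control effect of `source-address-prefix` and `destination-port-ranges` can be reviewed offline before the policy is pushed. The parser functions are hypothetical, the sample text is constructed from this page's CLI example, and the code assumes (the page does not say) that a rule without `set protocol` matches any protocol.

```python
import ipaddress
import re
# Constructed sample: the CLI block from this page, as a reviewer would copy it.
SAMPLE_CONFIG = """
config azure vwan-slb
    set mode active
    config permanent-security-rules
        config rules
            edit "rule1"
                set protocol TCP
                set source-address-prefix "10.90.25.0/24"
                set destination-port-ranges "5600-5650, 443, 8080"
                set applies-on "intinbound-slb-pip"
            next
            edit "rule2"
                set source-address-prefix "10.80.20.0/24"
                set destination-port-ranges "9001"
                set applies-on "intinbound-slb-pip"
            next
        end
    end
end
"""
def parse_rules(text):
    """Hypothetical parser: map each edit/next block to its 'set' attributes."""
    rules = {}
    for name, body in re.findall(r'edit "([^"]+)"(.*?)\bnext\b', text, re.S):
        rules[name] = dict(re.findall(r'^\s*set (\S+) "?(.*?)"?\s*$', body, re.M))
    return rules
def parse_port_ranges(spec):
    """'5600-5650, 443, 8080' -> [(5600, 5650), (443, 443), (8080, 8080)]."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges
def matching_rules(rules, src_ip, dst_port, protocol="TCP"):
    """Names of rules that admit a flow; the source prefix is access control only,
    nothing here translates addresses. Assumption: no 'set protocol' means any protocol."""
    ip = ipaddress.ip_address(src_ip)
    hits = []
    for name, attrs in rules.items():
        if attrs.get("protocol", protocol).upper() != protocol.upper():
            continue
        if ip not in ipaddress.ip_network(attrs["source-address-prefix"], strict=False):
            continue
        if any(lo <= dst_port <= hi for lo, hi in parse_port_ranges(attrs["destination-port-ranges"])):
            hits.append(name)
    return hits
```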
To obtain the inbound SLB public IP address name, do one of the following:

- In the FortiOS CLI, run `execute azure vwan-slb show`. The following shows example output for this command:
- In the Azure portal, go to vWAN > Hubs > Network Virtual Appliances > Manage Configurations. Under Settings, select Internet Inbound.

For an end-to-end data path to work, you must couple internet inbound policies with relevant firewall and virtual IP (VIP) address policies.
To verify SLB policies:

- Do one of the following:
  - In the FortiOS CLI, run `execute azure vwan-slb show`. The following shows example output for this command:
  - In the Azure portal, go to vWAN > Hubs > Network Virtual Appliances > Manage Configurations. Under Settings, select Internet Inbound.
- If you do not see the policy change, the local policy may be out of sync with the remote. If so, do the following:
  - Copy the policies configured under `config azure vwan-slb`.
  - Run `execute azure vwan-slb pull` to overwrite the local policy configuration.
  - Paste the policies into `config azure vwan-slb`.