Configuring internet inbound/DNAT policies
To configure these options, you must have deployed Azure vWAN NVA with the internet edge inbound option selected. See Deploying FortiGate NVAs in a vWAN hub.
In FortiOS 7.4.4 and later versions, you can configure internet inbound policies via the following CLI commands:
| Command | Description |
|---|---|
| execute azure vwan-slb show | Shows all active permanent and temporary inbound rules configured on the associated standard load balancer (SLB). |
| execute azure vwan-slb pull | Pulls the remote SLB policy settings and overwrites the local settings. |
The following shows the inbound policy configuration workflow:
You can configure and push the policy from any FortiGate. The internet inbound SLB policy does not sync across FortiGates. Selecting a single FortiGate to edit the policy is recommended.
To configure the internet inbound policy using the FortiOS CLI on the primary policy configuration NVA node:
set mode active is to be set on the primary policy configuration NVA node.
    config azure vwan-slb
        set mode active
        config permanent-security-rules
            config rules
                edit "rule1"
                    set protocol TCP
                    set source-address-prefix "10.90.25.0/24"
                    set destination-port-ranges "5600-5650, 443, 8080"
                    set applies-on "intinbound-slb-pip"
                next
                edit "rule2"
                    set source-address-prefix "10.80.20.0/24"
                    set destination-port-ranges "9001"
                    set applies-on "intinbound-slb-pip"
                next
            end
        end
    end
In this configuration, source-address-prefix applies as access control and does not NAT.
If you must select a new FortiGate to edit the policy, run the aforementioned commands on the new FortiGate, then run execute azure vwan-slb pull before changing the policy.
To obtain the inbound SLB public IP address name, do one of the following:
- In the FortiOS CLI, run execute azure vwan-slb show.
- In the Azure portal, go to vWAN > Hubs > Network Virtual Appliances > Manage Configurations. Under Settings, select Internet Inbound.
For an end-to-end data path to work, you must couple internet inbound policies with relevant firewall and virtual IP (VIP) address policies.
To verify SLB policies:
- Do one of the following:
  - In the FortiOS CLI, run execute azure vwan-slb show.
  - In the Azure portal, go to vWAN > Hubs > Network Virtual Appliances > Manage Configurations. Under Settings, select Internet Inbound.
- If you do not see the policy change, the local policy may be out of sync with the remote. If so, do the following:
  - Copy the policies configured under config azure vwan-slb.
  - Run execute azure vwan-slb pull to overwrite the local policy configuration.
  - Paste the policies into config azure vwan-slb.
To configure a VIP and policy:
You must configure an inbound SLB policy in conjunction with a VIP rule and a corresponding firewall policy. The following FortiOS sample shows both, mapped to port 9001 (rule2 from the example SLB rules). In this example, 4.255.139.49 is the public IP address attached to the SLB:
    config firewall vip
        edit "VIPwebserver"
            set extip 4.255.139.49
            set mappedip "192.168.1.4"
            set extintf "port1"
            set portforward enable
            set extport 9001
            set mappedport 22
        next
    end
    config firewall policy
        edit 20
            set name "inbounddemo-144"
            set srcintf "port1"
            set dstintf "port2"
            set action accept
            set srcaddr "all"
            set dstaddr "VIPwebserver"
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
You must enable source NAT for this policy. Otherwise, return traffic follows the 0.0.0.0/0 route in the destination VNet. With routing intents enabled for the quad-zero route, this returns to the Azure internal load balancer in the vWAN hub. As this load balancer does not yet have session state for traffic initiated from public addresses, it may send the traffic to any member of the backend pool, which will likely not be the FortiGate where the session originated. SNAT fixes this problem by returning traffic to the correct FortiGate.
To troubleshoot this configuration:
The deployment assigns a system-assigned managed identity (MI) with the correct permissions. MI permissions on Microsoft Entra ID propagation may take a few minutes.
The following procedure is a workaround. You only need to perform this procedure if role assignment on the system-assigned identity does not succeed.
- In the Azure portal, go to the managed resource group and click Show Hidden types to see the deployed NVA.
- Copy the NVA name.
- In the Azure portal, go to Microsoft Entra ID > Enterprise applications > All applications. Select Managed Identities as the filter. Search for your NVA, select it, and copy the object ID.
- In the Azure CLI, run Get-AzRoleAssignment -ObjectId <object ID>.
- Deploying the marketplace listing creates an NVAcontributor-<GUID> definition and assigns it to the managed application object ID. If this is not the case, add a role definition with the following permissions manually by going to Subscriptions > IAM > Add role assignment and creating a custom role with the following allowed actions:
    "actions": [
        "Microsoft.Solutions/applications/read",
        "Microsoft.Network/networkVirtualAppliances/read",
        "Microsoft.Network/networkVirtualAppliances/write",
        "Microsoft.Network/networkVirtualAppliances/inboundSecurityRules/read",
        "Microsoft.Network/networkVirtualAppliances/inboundSecurityRules/write",
        "Microsoft.Resources/subscriptions/resourcegroups/read",
        "Microsoft.Network/publicIPAddresses/read"
    ]
- Create a role assignment by assigning access to Managed Identity. Under Members, select All system-assigned managed identities. Select the deployed resource and assign.
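The workaround above carried out end to end with Azure PowerShell (Az module), as an added example that is not Fortinet's or the deployment's own code: it checks whether the NVA's managed identity already holds an NVAcontributor-<GUID> assignment and, only if not, creates a custom role restricted to the allowed actions listed above and assigns it at subscription scope. The NVA name and subscription ID are placeholders, and the role name "NVAcontributor-manual" is an assumption.

```powershell
# Added example (not from the original page): check the NVA's system-assigned
# managed identity for an NVAcontributor-<GUID> assignment and, only if it is
# missing, create a custom role limited to the actions listed above and assign it.
# <NVA name> and <subscription ID> are placeholders; the role name is assumed.
$nvaName        = "<NVA name>"             # copied from the managed resource group
$subscriptionId = "<subscription ID>"
$scope          = "/subscriptions/$subscriptionId"
$roleName       = "NVAcontributor-manual"  # assumed name for the manually created role

# 1. Resolve the managed identity's object ID (the enterprise application in Entra ID).
$sp = Get-AzADServicePrincipal -DisplayName $nvaName | Select-Object -First 1
if (-not $sp) { throw "No managed identity named '$nvaName' was found in Entra ID." }
$objectId = $sp.Id

# 2. Stop here if the marketplace deployment already assigned NVAcontributor-<GUID>.
$existing = Get-AzRoleAssignment -ObjectId $objectId |
    Where-Object { $_.RoleDefinitionName -like "NVAcontributor-*" }
if ($existing) {
    Write-Output "Role already assigned: $($existing.RoleDefinitionName -join ', ')"
    return
}

# 3. Create the custom role with exactly the page's allowed actions (no wildcards), assignable only here.
$actions = @(
    "Microsoft.Solutions/applications/read",
    "Microsoft.Network/networkVirtualAppliances/read",
    "Microsoft.Network/networkVirtualAppliances/write",
    "Microsoft.Network/networkVirtualAppliances/inboundSecurityRules/read",
    "Microsoft.Network/networkVirtualAppliances/inboundSecurityRules/write",
    "Microsoft.Resources/subscriptions/resourcegroups/read",
    "Microsoft.Network/publicIPAddresses/read"
)
if (-not (Get-AzRoleDefinition -Name $roleName)) {
    $role = Get-AzRoleDefinition -Name "Reader"   # cloned only for its object shape
    $role.Id = $null
    $role.Name = $roleName
    $role.Description = "FortiGate vWAN NVA: manage internet inbound SLB rules"
    $role.IsCustom = $true
    $role.Actions.Clear()
    $actions | ForEach-Object { $role.Actions.Add($_) }
    $role.NotActions.Clear()
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add($scope)
    New-AzRoleDefinition -Role $role | Out-Null
}

# 4. Assign the role to the managed identity at subscription scope and read it back.
New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $roleName -Scope $scope | Out-Null
Get-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $roleName -Scope $scope
```

A newly created role definition can take a short while to propagate; if New-AzRoleAssignment reports that the definition cannot be found, rerun the last two commands after a minute.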