Administration Guide

Configuring IP Mapping in HA mode

Prerequisites:

Follow the steps in High Availability to make sure that native HA mode works before you configure IP Mapping in HA mode.

IP Mapping in HA mode requires configuration on these systems:

  1. FortiIsolator configuration
  2. FortiGate configuration
  3. Client system configuration

Single-node setting (one-master only)

FortiIsolator configuration
  1. set fis-ipmap <port_map_to_443> <port_map_to_8887> <external_IP_address>

    • set fis-ipmap 18443 18887 172.30.147.207
  2. set fis-ipmap-vip <external IP> <vip_port_map_to_443> <vip_port_map_to_8887>

    • set fis-ipmap-vip 172.30.147.207 12443 12887
  3. set fis-ipmap-ha <priority> <external_IP_address> <internal_IP_address:master> <port_map_to_443> <port_map_to_8887>

    • set fis-ipmap-ha 18 172.30.147.207 172.30.157.18 18443 18887

FortiGate configuration

Complete the following steps in the FortiGate UI.

  1. Go to Policy & Objects > Virtual IPs.
  2. Create two IPv4 virtual IPs with the following information:
    • IP-Mapping-443: external_IP_address -> FIS_IP (TCP: 12443 > 443)

      e.g. 172.30.147.207 -> 172.30.157.97 (TCP: 12443 > 443)

    • IP-Mapping-8887: external_IP_address -> FIS_IP (TCP: 12887 > 8887)

      e.g. 172.30.147.207 -> 172.30.157.97 (TCP: 12887 > 8887)

      Note

      In this example, we are using:

      • External_IP_address: 172.30.147.207
      • FIS HA Virtual IP: 172.30.157.97
      • FIS_IP: 172.30.157.18

    Settings of IP-Mapping-HA-443:

    Settings of IP-Mapping-HA-8887:

  3. Go to Policy & Objects > IPv4 Policy > Create New.
  4. Create an IPv4 policy that includes the two virtual IPs that you created.

Client system configuration

Complete the following steps on the client system (for example, Windows 10).

  1. In Windows 10, launch CMD as administrator.
  2. Use the following commands to add the FortiGate IP address to the routing table on the client system:
    1. At the command prompt, type route -p ADD <external_IP_address> Mask 255.255.255.255 <FGT_IP_address>.

      For example, route -p ADD <external_IP_address> MASK 255.255.255.255 172.30.157.48

    2. To confirm the setup, type route print.

  3. To verify that it works in a browser, browse to:

    https://<external_IP_address>:<port_map_to_HA_443>/isolator/https://www.fortinet.com

    e.g.:

    https://172.30.147.207:12443/isolator/https://www.fortinet.com

    (It will now redirect to: https://172.30.147.207:18443/isolator/https://www.fortinet.com )

Multiple-nodes setting (one-master-one-Slave)

FortiIsolator configuration

Use the FortiIsolator CLI to configure port forwarding mappings. Use the following commands:

Under FIS Master:

  1. set fis-ipmap <port_map_to_443> <port_map_to_8887> <external_IP_address>

    • set fis-ipmap 18443 18887 172.30.147.207
  2. set fis-ipmap-vip <external IP> <vip_port_map_to_443> <vip_port_map_to_8887>

    • set fis-ipmap-vip 172.30.147.207 12443 12887
  3. set fis-ipmap-ha <priority> <external_IP_address> <internal_IP_address:master> <port_map_to_443> <port_map_to_8887>

    • set fis-ipmap-ha 18 172.30.147.207 172.30.157.18 18443 18887
  4. set fis-ipmap-ha <priority> <external_IP_address> <internal_IP_address:slave1> <port_map_to_443> <port_map_to_8887>

    • set fis-ipmap-ha 19 172.30.147.207 172.30.157.19 19443 19887

Under FIS Slave:

  1. set fis-ipmap <port_map_to_443> <port_map_to_8887> <external_IP_address>

    • set fis-ipmap 19443 19887 172.30.147.207

Summary of examples

Master: 172.30.156.18

> set fis-ipmap 18443 18887 172.30.147.207

> set fis-ipmap-vip 172.30.147.207 12443 12887

> set fis-ipmap-ha 18 172.30.147.207 172.30.157.18 18443 18887

> set fis-ipmap-ha 19 172.30.147.207 172.30.157.19 19443 19887

Slave: 172.30.156.19

> set fis-ipmap 19443 19887 172.30.147.207

FortiGate configuration

Follow the FortiGate configuration in Configuring IP Mapping in regular mode to create the IPv4 Virtual IP mapping for the Slave node under Virtual IPs.

Complete the following steps in the FortiGate UI.

  1. Go to Policy & Objects > Virtual IPs.
  2. Create two IPv4 virtual IPs with the following information:

    • IP-Mapping-HA-443: external_IP_address -> FIS_IP (TCP: 12443 > 443)

      e.g. 172.30.147.207 -> 172.30.157.97 (TCP: 12443 > 443)

    • IP-Mapping-HA-8887: external_IP_address -> FIS_IP (TCP: 12887 > 8887)

      e.g. 172.30.147.207 -> 172.30.157.97 (TCP: 12887 > 8887)

    Note

    The example uses the following:

    External_IP_address: 172.30.147.207

    FIS HA Virtual IP: 172.30.157.97

    FIS_IP_Master: 172.30.157.18

    FIS_IP_Slave: 172.30.157.19

    Settings of IP-Mapping-HA-443:

    Settings of IP-Mapping-HA-8887:

  3. Go to Policy & Objects > IPv4 Policy > Create New.
  4. Create an IPv4 policy that includes the two additional virtual IPs that you created.

Client system configuration

Complete the following steps on the client system (for example, Windows 10).

  1. In Windows 10, launch CMD as administrator.
  2. Use the following commands to add the FortiGate IP address to the routing table on the client system:

    • At the command prompt, type

      route -p ADD <external_IP_address> MASK 255.255.255.255 <FGT_IP_address>

      For example,

      route -p ADD 172.30.147.207 MASK 255.255.255.255 172.30.157.48

    • To confirm the setup, type route print.

  3. To verify that it works in a browser, browse to:

    https://<external_IP_address>:<port_map_to_HA_443>/isolator/https://www.fortinet.com

    e.g.:

    https://172.30.147.207:12443/isolator/https://www.fortinet.com

    It will now redirect to Master node: https://172.30.147.207:18443/isolator/https://www.fortinet.com

    Or, it will redirect to Slave node:

    https://172.30.147.207:19443/isolator/https://www.fortinet.com
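
The FortiIsolator commands on the Master and Slave have to agree with each other before the FortiGate virtual IPs and the redirect in step 3 can work. The following pre-deployment check is an added example, not part of the Fortinet guide: it parses the commands in the argument order shown above and applies consistency rules inferred from this page's examples (assumptions, marked in the comments); `parse` and `check` are hypothetical helper names.

```python
import ipaddress

def parse(lines):
    """Parse 'set fis-ipmap*' lines; argument order is the one shown on this page."""
    cfg = {"ipmap": [], "vip": [], "ha": []}
    for raw in lines:
        tok = raw.lstrip("> ").split()
        if tok[:1] != ["set"] or len(tok) < 2:
            continue
        cmd, a = tok[1], tok[2:]
        if cmd == "fis-ipmap" and len(a) == 3:
            cfg["ipmap"].append((a[2], int(a[0]), int(a[1])))     # (ext, p443, p8887)
        elif cmd == "fis-ipmap-vip" and len(a) == 3:
            cfg["vip"].append((a[0], int(a[1]), int(a[2])))
        elif cmd == "fis-ipmap-ha" and len(a) == 5:
            cfg["ha"].append((a[1], int(a[3]), int(a[4]), a[2]))  # + internal node IP
    return cfg

def check(master, slaves=()):
    """Return a list of findings; an empty list means the mappings are consistent."""
    m, out = parse(master), []
    nodes = m["ipmap"] + [e for s in slaves for e in parse(s)["ipmap"]]
    entries = nodes + m["vip"] + m["ha"]
    for e in entries:
        for ip in (e[0],) + e[3:]:
            try:
                ipaddress.IPv4Address(ip)
            except ValueError:
                out.append(f"invalid IPv4 address: {ip}")
        out += [f"port out of range: {p}" for p in e[1:3] if not 1 <= p <= 65535]
    if len({e[0] for e in entries}) > 1:
        out.append("external IP differs between commands")
    # Assumed rule: VIP and node pairs share one external IP, so no port may repeat.
    ports = [p for e in m["vip"] + m["ha"] for p in e[1:3]]
    out += [f"port reused: {p}" for p in sorted({p for p in ports if ports.count(p) > 1})]
    # Assumed rule: each node's own fis-ipmap pair matches one fis-ipmap-ha entry on the Master.
    ha_pairs = {e[1:3] for e in m["ha"]}
    out += [f"node ports {e[1:3]} have no fis-ipmap-ha entry" for e in nodes if e[1:3] not in ha_pairs]
    out += [f"fis-ipmap-ha ports {p} match no node" for p in sorted(ha_pairs - {e[1:3] for e in nodes})]
    return out

# Commands copied from the "Summary of examples" on this page.
MASTER = ["> set fis-ipmap 18443 18887 172.30.147.207",
          "> set fis-ipmap-vip 172.30.147.207 12443 12887",
          "> set fis-ipmap-ha 18 172.30.147.207 172.30.157.18 18443 18887",
          "> set fis-ipmap-ha 19 172.30.147.207 172.30.157.19 19443 19887"]
SLAVE = ["> set fis-ipmap 19443 19887 172.30.147.207"]
```

`check(MASTER, [SLAVE])` returns an empty list for the commands in the summary; a mistyped port or a Slave whose `fis-ipmap` ports do not match its `fis-ipmap-ha` entry is reported before any traffic is forwarded.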
