Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiIsolator 2.3.1 Administration Guide
    2.3.1
    2.4.5
    2.4.4
    2.4.3
    2.4.2
    2.4.1
    2.4.0
    2.3.4
    2.3.1
    2.3.0
    2.2.0
    2.1.2
    2.1.1
    2.1.0
    2.0.1
    2.0.0
    1.2.2
    1.2.1
    1.2.0
    1.1.0

    Configuring IP Mapping in HA mode

    Configuring IP Mapping in HA mode

    Prerequisites:

    Please follow High Availability to make sure native HA mode works in prior to configure in IP Mapping in HA mode.

    Configuring IP Mapping in HA mode needs to set up in these systems:

    1. FortiIsolator configuration
    2. FortiGate configuration
    3. Client system configuration

    Single-node setting (one-master only)

    FortiIsolator configuration

    1. set fis-ipmap <port_map_to_443> <port_map_to_8887> <external_IP_address>

      • set fis-ipmap 18443 18887 172.30.147.207

    2. set fis-ipmap-vip <external IP> <vip_port_map_to_443> <vip_port_map_to_8887>

      • set fis-ipmap-vip 172.30.147.207 12443 12887

    3. set fis-ipmap-ha <priority> <external_IP_address> <internal_IP_address:master> <port_map_to_443> <port_map_to_8887>

      • set fis-ipmap-ha 18 172.30.147.207 172.30.157.18 18443 18887

    FortiGate configuration

    Complete the following steps in the FortiGate UI.

    1. Go to Policy & Objects > Virtual IPs.
    2. Create two IPv4 virtual IPs with the following information:

      • IP-Mapping-443: external_IP_address -> FIS_IP (TCP: 12443 > 443)

        e.g. 172.30.147.207 -> 172.30.157.97 (TCP: 12443 > 443)

      • IP-Mapping-8887: external_IP_address -> FIS_IP (TCP: 12887 > 8887)

        e.g. 172.30.147.207 -> 172.30.157.97 (TCP: 128887 > 8887)

        Note

        In this example, we are using:

        • External_IP_address: 172.30.147.207
        • FIS HA Virtual IP: 172.30.157.97
        • FIS_IP: 172.30.157.18

      Settings of IP-Mapping-HA-443:

      Settings of IP-Mapping-HA-8887:

    3. Go to Policy & Objects > IPv4 Policy > Create New.
    4. Create an IPv4 policy that includes the two virtual IPs that you created.

    Client system configuration

    Complete the following steps on the client system (for example, Windows 10).

    1. In Windows 10, launch CMD as administrator.
    2. Use the following commands to add the FortiGate IP address to the routing table on the client system:
      1. At the command prompt, type route -p ADD <external_IP_address> Mask 255.255.255.255 <FGT_IP_address>.

        For example, route –p ADD <external_IP_address> MASK 255.255.255.255 172.30.157.48

      2. To confirm the setup, type route print.

    3. To verify that it works in a browser, browse to:

      https://<external_IP_address>:<port_map_to_HA_443>/isolator/https://www.fortinet.com

      e.g.:

      https://172.30.147.207:12443/isolator/https://www.fortinet.com

      (It will now redirect to: https://172.30.147.207:18443/isolator/https://www.fortinet.com )

    Multiple-nodes setting (one-master-one-Slave)

    FortiIsolator configuration

    Use the FortiIsolator CLI to configure port forwarding mappings. Use the following commands:

    Under FIS Master:

    1. set fis-ipmap <port_map_to_443> <port_map_to_8887> <external_IP_address>

      • set fis-ipmap 18443 18887 172.30.147.207

    2. set fis-ipmap-vip <external IP> <vip_port_map_to_443> <vip_port_map_to_8887>

      • set fis-ipmap-vip 172.30.147.207 12443 12887

    3. set fis-ipmap-ha <priority> <external_IP_address> <internal_IP_address:master> <port_map_to_443> <port_map_to_8887>

      • set fis-ipmap-ha 18 172.30.147.207 172.30.157.18 18443 18887

    4. set fis-ipmap-ha <priority> <external_IP_address> <internal_IP_address:slave1> <port_map_to_443> <port_map_to_8887>

      • set fis-ipmap-ha 19 172.30.147.207 172.30.157.19 19443 19887

    5. Under FIS slave

      set fis-ipmap <port_map_to_443> <port_map_to_8887> <external_IP_address>

      • set fis-ipmap 19443 19887 172.30.147.207

    Summary of examples

    Master: 172.30.156.18

    > set fis-ipmap 18443 18887 172.30.147.207

    > set fis-ipmap-vip 172.30.147.207 12443 12887

    > set fis-ipmap-ha 18 172.30.147.207 172.30.157.18 18443 18887

    > set fis-ipmap-ha 19 172.30.147.207 172.30.157.19 19443 19887

    Slave: 172.30.156.19

    > set fis-ipmap 19443 19887 172.30.147.207

    FortiGate configuration

    Follow the FortiGate configuration in Configuring IP Mapping in regular mode to create IPv4 Virtual IP mapping for Slave node under Virtual IPs.

    Complete the following steps in the FortiGate UI.

    1. Go to Policy & Objects > Virtual IPs.

    2. Create two IPv4 virtual IPs with the following information:

      • IP-Mapping-HA-443: external_IP_address -> FIS_IP (TCP: 12443 > 443)

        e.g. 172.30.147.207 -> 172.30.157.97 (TCP: 12443 > 443)

      • IP-Mapping-HA-8887: external_IP_address -> FIS_IP (TCP: 12887 > 8887)

        e.g. 172.30.147.207 -> 172.30.157.97 (TCP: 12887 > 8887)

      Note

      The example uses the following:

      External_IP_address: 172.30.147.207

      FIS HA Virtual IP: 172.30.157.97

      FIS_IP_Master: 172.30.157.18

      FIS_IP_Slave: 172.30.157.19

      Settings of IP-Mapping-HA-443:

      Settings of IP-Mapping-HA-8887:

    3. Go to Policy & Objects > IPv4 Policy > Create New.

    4. Create an IPv4 policy that includes the two more virtual IPs that you created.

    Client system configuration

    Complete the following steps on the client system (for example, Windows 10).

    1. In Windows 10, launch CMD as administrator.

    2. Use the following commands to add the FortiGate IP address to the routing table on the client system:

      • At the command prompt, type

        route –p ADD <external_IP_address> Mask 255.255.255.255 <FGT_IP_address>

        For example,

        route –p ADD 172.30.147.207 MASK 255.255.255.255 172.30.157.48

      • To confirm the setup, type route print.

    3. To verify that it works in a browser, browse to:

      https://<external_IP_address>:<port_map_to_HA_443>/isolator/https://www.fortinet.com

      e.g.:

      https://172.30.147.207:12443/isolator/https://www.fortinet.com

      It will now redirect to Master node: https://172.30.147.207:18443/isolator/https://www.fortinet.com

      Or, it will redirect to Slave node:

      https://172.30.147.207:19443/isolator/https://www.fortinet.com

    Previous
    Next

    Configuring IP Mapping in HA mode

    Configuring IP Mapping in HA mode

    Prerequisites:

    Please follow High Availability to make sure native HA mode works in prior to configure in IP Mapping in HA mode.

    Configuring IP Mapping in HA mode needs to set up in these systems:

    1. FortiIsolator configuration
    2. FortiGate configuration
    3. Client system configuration

    Single-node setting (one-master only)

    FortiIsolator configuration

    1. set fis-ipmap <port_map_to_443> <port_map_to_8887> <external_IP_address>

      • set fis-ipmap 18443 18887 172.30.147.207

    2. set fis-ipmap-vip <external IP> <vip_port_map_to_443> <vip_port_map_to_8887>

      • set fis-ipmap-vip 172.30.147.207 12443 12887

    3. set fis-ipmap-ha <priority> <external_IP_address> <internal_IP_address:master> <port_map_to_443> <port_map_to_8887>

      • set fis-ipmap-ha 18 172.30.147.207 172.30.157.18 18443 18887

    FortiGate configuration

    Complete the following steps in the FortiGate UI.

    1. Go to Policy & Objects > Virtual IPs.
    2. Create two IPv4 virtual IPs with the following information:

      • IP-Mapping-443: external_IP_address -> FIS_IP (TCP: 12443 > 443)

        e.g. 172.30.147.207 -> 172.30.157.97 (TCP: 12443 > 443)

      • IP-Mapping-8887: external_IP_address -> FIS_IP (TCP: 12887 > 8887)

        e.g. 172.30.147.207 -> 172.30.157.97 (TCP: 128887 > 8887)

        Note

        In this example, we are using:

        • External_IP_address: 172.30.147.207
        • FIS HA Virtual IP: 172.30.157.97
        • FIS_IP: 172.30.157.18

      Settings of IP-Mapping-HA-443:

      Settings of IP-Mapping-HA-8887:

    3. Go to Policy & Objects > IPv4 Policy > Create New.
    4. Create an IPv4 policy that includes the two virtual IPs that you created.

    Client system configuration

    Complete the following steps on the client system (for example, Windows 10).

    1. In Windows 10, launch CMD as administrator.
    2. Use the following commands to add the FortiGate IP address to the routing table on the client system:
      1. At the command prompt, type route -p ADD <external_IP_address> Mask 255.255.255.255 <FGT_IP_address>.

        For example, route –p ADD <external_IP_address> MASK 255.255.255.255 172.30.157.48

      2. To confirm the setup, type route print.

    3. To verify that it works in a browser, browse to:

      https://<external_IP_address>:<port_map_to_HA_443>/isolator/https://www.fortinet.com

      e.g.:

      https://172.30.147.207:12443/isolator/https://www.fortinet.com

      (It will now redirect to: https://172.30.147.207:18443/isolator/https://www.fortinet.com )

    Multiple-nodes setting (one-master-one-Slave)

    FortiIsolator configuration

    Use the FortiIsolator CLI to configure port forwarding mappings. Use the following commands:

    Under FIS Master:

    1. set fis-ipmap <port_map_to_443> <port_map_to_8887> <external_IP_address>

      • set fis-ipmap 18443 18887 172.30.147.207

    2. set fis-ipmap-vip <external IP> <vip_port_map_to_443> <vip_port_map_to_8887>

      • set fis-ipmap-vip 172.30.147.207 12443 12887

    3. set fis-ipmap-ha <priority> <external_IP_address> <internal_IP_address:master> <port_map_to_443> <port_map_to_8887>

      • set fis-ipmap-ha 18 172.30.147.207 172.30.157.18 18443 18887

    4. set fis-ipmap-ha <priority> <external_IP_address> <internal_IP_address:slave1> <port_map_to_443> <port_map_to_8887>

      • set fis-ipmap-ha 19 172.30.147.207 172.30.157.19 19443 19887

    5. Under FIS slave

      set fis-ipmap <port_map_to_443> <port_map_to_8887> <external_IP_address>

      • set fis-ipmap 19443 19887 172.30.147.207

    Summary of examples

    Master: 172.30.156.18

    > set fis-ipmap 18443 18887 172.30.147.207

    > set fis-ipmap-vip 172.30.147.207 12443 12887

    > set fis-ipmap-ha 18 172.30.147.207 172.30.157.18 18443 18887

    > set fis-ipmap-ha 19 172.30.147.207 172.30.157.19 19443 19887

    Slave: 172.30.156.19

    > set fis-ipmap 19443 19887 172.30.147.207

    FortiGate configuration

    Follow the FortiGate configuration in Configuring IP Mapping in regular mode to create IPv4 Virtual IP mapping for Slave node under Virtual IPs.

    Complete the following steps in the FortiGate UI.

    1. Go to Policy & Objects > Virtual IPs.

    2. Create two IPv4 virtual IPs with the following information:

      • IP-Mapping-HA-443: external_IP_address -> FIS_IP (TCP: 12443 > 443)

        e.g. 172.30.147.207 -> 172.30.157.97 (TCP: 12443 > 443)

      • IP-Mapping-HA-8887: external_IP_address -> FIS_IP (TCP: 12887 > 8887)

        e.g. 172.30.147.207 -> 172.30.157.97 (TCP: 12887 > 8887)

      Note

      The example uses the following:

      External_IP_address: 172.30.147.207

      FIS HA Virtual IP: 172.30.157.97

      FIS_IP_Master: 172.30.157.18

      FIS_IP_Slave: 172.30.157.19

      Settings of IP-Mapping-HA-443:

      Settings of IP-Mapping-HA-8887:

    3. Go to Policy & Objects > IPv4 Policy > Create New.

    4. Create an IPv4 policy that includes the two more virtual IPs that you created.

    Client system configuration

    Complete the following steps on the client system (for example, Windows 10).

    1. In Windows 10, launch CMD as administrator.

    2. Use the following commands to add the FortiGate IP address to the routing table on the client system:

      • At the command prompt, type

        route –p ADD <external_IP_address> Mask 255.255.255.255 <FGT_IP_address>

        For example,

        route –p ADD 172.30.147.207 MASK 255.255.255.255 172.30.157.48

      • To confirm the setup, type route print.

    3. To verify that it works in a browser, browse to:

      https://<external_IP_address>:<port_map_to_HA_443>/isolator/https://www.fortinet.com

      e.g.:

      https://172.30.147.207:12443/isolator/https://www.fortinet.com

      It will now redirect to Master node: https://172.30.147.207:18443/isolator/https://www.fortinet.com

      Or, it will redirect to Slave node:

      https://172.30.147.207:19443/isolator/https://www.fortinet.com

    Previous
    Next