Configuring IP mapping in HA mode
Prerequisites:
Follow High Availability and confirm that native HA mode works before configuring IP mapping in HA mode.
Configuring IP mapping in HA mode requires setup on these systems:
- FortiIsolator configuration
- FortiGate configuration
- Client system configuration
Single-node setting (one-master only)
FortiIsolator configuration
Use FortiIsolator CLI to configure port forwarding mappings. Use the following commands:
- set fis-ipmap <port_map_to_443> <port_map_to_8887> <external_IP_address>
  set fis-ipmap 12443 12887 172.30.147.207
- set fis-ipmap-vip <external IP> <vip_port_map_to_443> <vip_port_map_to_8887>
  set fis-ipmap-vip 172.30.147.207 14443 14887
- set fis-ipmap-ha <priority> <external_IP_address> <internal_IP_address:master> <port_map_to_443> <port_map_to_8887>
  set fis-ipmap-ha 19 172.30.147.207 172.30.157.19 12443 12887
FortiGate configuration
Complete the following steps in the FortiGate UI.
- Go to Policy & Objects > Virtual IPs.
- Create two IPv4 virtual IPs with the following information:
- IP-Mapping-443: external_IP_address -> FIS_IP (TCP: 12443 > 443)
e.g. 172.30.147.207 -> 172.30.157.97 (TCP: 12443 > 443)
- IP-Mapping-8887: external_IP_address -> FIS_IP (TCP: 12887 > 8887)
e.g. 172.30.147.207 -> 172.30.157.97 (TCP: 12887 > 8887)
In this example, we are using:
- External_IP_address: 172.30.147.207
- FIS HA Virtual IP: 172.30.157.99
- FIS_IP: 172.30.157.19
[Figure: settings of IP-Mapping-HA-443]
[Figure: settings of IP-Mapping-HA-8887]
- Go to Policy & Objects > IPv4 Policy > Create New.
- Create an IPv4 policy that includes the two virtual IPs that you created.
Client system configuration
Complete the following steps on the client system (for example, Windows 10).
- In Windows 10, launch CMD as administrator.
- Use the following commands to add the FortiGate IP address to the routing table on the client system:
- At the command prompt, type
route -p ADD <external_IP_address> MASK 255.255.255.255 <FGT_IP_address>
For example,
route -p ADD <external_IP_address> MASK 255.255.255.255 172.30.157.48
- To confirm the setup, type
route print
- To verify that it works in a browser, browse to:
https://<external_IP_address>:<port_map_to_HA_443>/isolator/https://www.fortinet.com
e.g.:
https://172.30.147.207:14443/isolator/https://www.fortinet.com
(It will now redirect to: https://172.30.147.207:12443/isolator/https://www.fortinet.com)
Multiple-nodes setting (one-master-one-slave)
FortiIsolator configuration
Use the FortiIsolator CLI to configure port forwarding mappings. Use the following commands:
Under FIS Master:
- set fis-ipmap <port_map_to_443> <port_map_to_8887> <external_IP_address>
  set fis-ipmap 12443 12887 172.30.147.207
- set fis-ipmap-vip <external IP> <vip_port_map_to_443> <vip_port_map_to_8887>
  set fis-ipmap-vip 172.30.147.207 14443 14887
- set fis-ipmap-ha <priority> <external_IP_address> <internal_IP_address:master> <port_map_to_443> <port_map_to_8887>
  set fis-ipmap-ha 19 172.30.147.207 172.30.157.19 12443 12887
- set fis-ipmap-ha <priority> <external_IP_address> <internal_IP_address:slave1> <port_map_to_443> <port_map_to_8887>
  set fis-ipmap-ha 20 172.30.147.207 172.30.157.20 13443 13887
Under FIS slave:
- set fis-ipmap <port_map_to_443> <port_map_to_8887> <external_IP_address>
  set fis-ipmap 13443 13887 172.30.147.207
Summary of examples
Master: 172.30.156.19
> set fis-ipmap 12443 12887 172.30.147.207
> set fis-ipmap-vip 172.30.147.207 14443 14887
> set fis-ipmap-ha 19 172.30.147.207 172.30.157.19 12443 12887
> set fis-ipmap-ha 20 172.30.147.207 172.30.157.20 13443 13887
Slave: 172.30.156.20
> set fis-ipmap 13443 13887 172.30.147.207
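A consistency check for the mappings summarized above, as an added example (not Fortinet code). The argument order comes from the syntax lines on this page; the function names, the `nodes` layout, and the two rules checked (each HA entry matches that node's own fis-ipmap, and no external port is shared between the VIP and a node) are assumptions inferred from the page's examples.

```python
import ipaddress

# Argument order per command, as given by the syntax lines on this page.
FIELDS = {
    "fis-ipmap": ("p443", "p8887", "ext_ip"),
    "fis-ipmap-vip": ("ext_ip", "p443", "p8887"),
    "fis-ipmap-ha": ("priority", "ext_ip", "node_ip", "p443", "p8887"),
}
# Sample input: the commands from the "Summary of examples" on this page.
MASTER = ["set fis-ipmap 12443 12887 172.30.147.207",
          "set fis-ipmap-vip 172.30.147.207 14443 14887",
          "set fis-ipmap-ha 19 172.30.147.207 172.30.157.19 12443 12887",
          "set fis-ipmap-ha 20 172.30.147.207 172.30.157.20 13443 13887"]
SLAVE = ["set fis-ipmap 13443 13887 172.30.147.207"]

def parse(line):
    """Return (command, fields) for one 'set fis-ipmap*' line; ValueError if malformed."""
    tok = line.strip().lstrip("> ").split()
    if len(tok) < 2 or tok[0] != "set" or tok[1] not in FIELDS:
        raise ValueError(f"not an ipmap command: {line!r}")
    names = FIELDS[tok[1]]
    if len(tok) - 2 != len(names):
        raise ValueError(f"{tok[1]} takes {len(names)} arguments: {line!r}")
    rec = dict(zip(names, tok[2:]))
    for key in ("p443", "p8887"):
        rec[key] = int(rec[key])
        if not 1 <= rec[key] <= 65535:
            raise ValueError(f"port {rec[key]} out of range: {line!r}")
    for key in ("ext_ip", "node_ip"):
        if key in rec:
            ipaddress.ip_address(rec[key])  # ValueError on a bad address
    return tok[1], rec

def check(master_lines, nodes):
    """nodes maps each node's internal IP to the lines set on that node (assumed layout)."""
    problems, owner_of = [], {}
    for cmd, rec in map(parse, master_lines):
        if cmd == "fis-ipmap":
            continue
        owner = rec.get("node_ip", "vip")
        if cmd == "fis-ipmap-ha":
            want = (rec["p443"], rec["p8887"], rec["ext_ip"])
            local = [r for c, r in map(parse, nodes.get(owner, [])) if c == "fis-ipmap"]
            if all((r["p443"], r["p8887"], r["ext_ip"]) != want for r in local):
                problems.append(f"HA entry for {owner} does not match that node's fis-ipmap")
        for port in (rec["p443"], rec["p8887"]):
            if owner_of.setdefault(port, owner) != owner:
                problems.append(f"external port {port} claimed by {owner_of[port]} and {owner}")
    return problems

if __name__ == "__main__":
    print(check(MASTER, {"172.30.157.19": MASTER, "172.30.157.20": SLAVE}) or "consistent")
```

Running the same check before creating the FortiGate virtual IPs catches a mistyped or reused port before it becomes an exposed or dead forwarding rule.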
FortiGate configuration
Follow the FortiGate configuration in Configuring IP mapping in regular mode to create IPv4 Virtual IP mapping for Slave node under Virtual IPs.
Complete the following steps in the FortiGate UI.
- Go to Policy & Objects > Virtual IPs.
- Create two IPv4 virtual IPs with the following information:
- IP-Mapping-HA-443: external_IP_address -> FIS_IP (TCP: 14443 > 443)
e.g. 172.30.147.207 -> 172.30.157.99 (TCP: 14443 > 443)
- IP-Mapping-HA-8887: external_IP_address -> FIS_IP (TCP: 14887 > 8887)
e.g. 172.30.147.207 -> 172.30.157.99 (TCP: 14887 > 8887)
The example uses the following:
- External_IP_address: 172.30.147.207
- FIS HA Virtual IP: 172.30.157.99
- FIS_IP_Master: 172.30.157.19
- FIS_IP_Slave: 172.30.157.20
[Figure: settings of second IP-Mapping-HA-443]
[Figure: settings of IP-Mapping-HA-8887]
- Go to Policy & Objects > IPv4 Policy > Create New.
- Create an IPv4 policy that includes the two additional virtual IPs that you created.
Client system configuration
Complete the following steps on the client system (for example, Windows 10).
- In Windows 10, launch CMD as administrator.
- Use the following commands to add the FortiGate IP address to the routing table on the client system:
- At the command prompt, type
route -p ADD <external_IP_address> MASK 255.255.255.255 <FGT_IP_address>
For example,
route -p ADD 172.30.147.207 MASK 255.255.255.255 172.30.157.48
- To confirm the setup, type
route print
- To verify that it works in a browser, browse to:
https://<external_IP_address>:<port_map_to_HA_443>/isolator/https://www.fortinet.com
e.g.:
https://172.30.147.207:14443/isolator/https://www.fortinet.com
(It will now redirect to the Master node:
https://172.30.147.207:12443/isolator/https://www.fortinet.com
or to the Slave node:
https://172.30.147.207:13443/isolator/https://www.fortinet.com)