
Administration Guide

Configuring IP mapping in HA mode

Prerequisites:

Follow High Availability to make sure native HA mode works before configuring IP mapping in HA mode.

IP mapping in HA mode must be set up on the following systems:

  1. FortiIsolator configuration
  2. FortiGate configuration
  3. Client system configuration

Single-node setting (one-master only)

FortiIsolator configuration

Use the FortiIsolator CLI to configure port forwarding mappings. Use the following commands:

  1. set fis-ipmap <port_map_to_443> <port_map_to_8887> <external_IP_address>

      set fis-ipmap 12443 12887 172.30.147.207

  2. set fis-ipmap-vip <external IP> <vip_port_map_to_443> <vip_port_map_to_8887>

      set fis-ipmap-vip 172.30.147.207 14443 14887

  3. set fis-ipmap-ha <priority> <external_IP_address> <internal_IP_address:master> <port_map_to_443> <port_map_to_8887>

      set fis-ipmap-ha 19 172.30.147.207 172.30.157.19 12443 12887

FortiGate configuration

Complete the following steps in the FortiGate UI.

  1. Go to Policy & Objects > Virtual IPs.
  2. Create two IPv4 virtual IPs with the following information:
    • IP-Mapping-443: external_IP_address -> FIS_IP (TCP: 12443 > 443)

      e.g. 172.30.147.207 -> 172.30.157.97 (TCP: 12443 > 443)

    • IP-Mapping-8887: external_IP_address -> FIS_IP (TCP: 12887 > 8887)

      e.g. 172.30.147.207 -> 172.30.157.97 (TCP: 12887 > 8887)

      Note

      In this example, we are using:

      • External_IP_address: 172.30.147.207
      • FIS HA Virtual IP: 172.30.157.99
      • FIS_IP: 172.30.157.19

    Settings of IP-Mapping-HA-443:

    Settings of IP-Mapping-HA-8887:

  3. Go to Policy & Objects > IPv4 Policy > Create New.
  4. Create an IPv4 policy that includes the two virtual IPs that you created.

Client system configuration

Complete the following steps on the client system (for example, Windows 10).

  1. In Windows 10, launch CMD as administrator.
  2. Use the following commands to add the FortiGate IP address to the routing table on the client system:
    1. At the command prompt, type route -p ADD <external_IP_address> Mask 255.255.255.255 <FGT_IP_address>.

      For example, route -p ADD <external_IP_address> MASK 255.255.255.255 172.30.157.48

    2. To confirm the setup, type route print.

  3. To verify that it works in a browser, browse to:

    https://<external_IP_address>:<port_map_to_HA_443>/isolator/https://www.fortinet.com

    e.g.:

    https://172.30.147.207:14443/isolator/https://www.fortinet.com

    (It will now redirect to: https://172.30.147.207:12443/isolator/https://www.fortinet.com)

Multiple-nodes setting (one-master-one-slave)

FortiIsolator configuration

Use the FortiIsolator CLI to configure port forwarding mappings. Use the following commands:

Under FIS Master:

  1. set fis-ipmap <port_map_to_443> <port_map_to_8887> <external_IP_address>

    • set fis-ipmap 12443 12887 172.30.147.207

  2. set fis-ipmap-vip <external IP> <vip_port_map_to_443> <vip_port_map_to_8887>

    • set fis-ipmap-vip 172.30.147.207 14443 14887

  3. set fis-ipmap-ha <priority> <external_IP_address> <internal_IP_address:master> <port_map_to_443> <port_map_to_8887>

    • set fis-ipmap-ha 19 172.30.147.207 172.30.157.19 12443 12887

  4. set fis-ipmap-ha <priority> <external_IP_address> <internal_IP_address:slave1> <port_map_to_443> <port_map_to_8887>

    • set fis-ipmap-ha 20 172.30.147.207 172.30.157.20 13443 13887

Under FIS Slave:

  1. set fis-ipmap <port_map_to_443> <port_map_to_8887> <external_IP_address>

    • set fis-ipmap 13443 13887 172.30.147.207

Summary of examples

Master: 172.30.156.19

> set fis-ipmap 12443 12887 172.30.147.207

> set fis-ipmap-vip 172.30.147.207 14443 14887

> set fis-ipmap-ha 19 172.30.147.207 172.30.157.19 12443 12887

> set fis-ipmap-ha 20 172.30.147.207 172.30.157.20 13443 13887

Slave: 172.30.156.20

> set fis-ipmap 13443 13887 172.30.147.207

FortiGate configuration

Follow the FortiGate configuration in Configuring IP mapping in regular mode to create the IPv4 virtual IP mappings for the Slave node under Virtual IPs.

Complete the following steps in the FortiGate UI.

  1. Go to Policy & Objects > Virtual IPs.

  2. Create two IPv4 virtual IPs with the following information:

    • IP-Mapping-HA-443: external_IP_address -> FIS_IP (TCP: 14443 > 443)

      e.g. 172.30.147.207 -> 172.30.157.99 (TCP: 14443 > 443)

    • IP-Mapping-HA-8887: external_IP_address -> FIS_IP (TCP: 14887 > 8887)

      e.g. 172.30.147.207 -> 172.30.157.99 (TCP: 14887 > 8887)

    Note

    The example uses the following:

    External_IP_address: 172.30.147.207

    FIS HA Virtual IP: 172.30.157.99

    FIS_IP_Master: 172.30.157.19

    FIS_IP_Slave: 172.30.157.20

    Settings of second IP-Mapping-HA-443:

    Settings of IP-Mapping-HA-8887:

  3. Go to Policy & Objects > IPv4 Policy > Create New.

  4. Create an IPv4 policy that includes the two additional virtual IPs that you created.

Client system configuration

Complete the following steps on the client system (for example, Windows 10).

  1. In Windows 10, launch CMD as administrator.

  2. Use the following commands to add the FortiGate IP address to the routing table on the client system:

    • At the command prompt, type

      route -p ADD <external_IP_address> MASK 255.255.255.255 <FGT_IP_address>

      For example,

      route -p ADD 172.30.147.207 MASK 255.255.255.255 172.30.157.48

    • To confirm the setup, type route print.

  3. To verify that it works in a browser, browse to:

    https://<external_IP_address>:<port_map_to_HA_443>/isolator/https://www.fortinet.com

    e.g.:

    https://172.30.147.207:14443/isolator/https://www.fortinet.com

    (It will now redirect to the Master node: https://172.30.147.207:12443/isolator/https://www.fortinet.com

    or to the Slave node: https://172.30.147.207:13443/isolator/https://www.fortinet.com)
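
The following is an added example, not part of the Fortinet guide: a small Python check that parses the multi-node `set fis-ipmap*` commands shown above, flags out-of-range or colliding external ports and nodes whose ports have no matching `fis-ipmap-ha` entry, and lists the FortiGate virtual IP rows the plan implies. The names `PLAN`, `parse` and `check`, and the rule that each `fis-ipmap-ha` entry implies a virtual IP pointing at that node's internal address, are assumptions of this example.

```python
import ipaddress

# Constructed input: the multi-node example commands from this page, per node.
PLAN = {
    "master": [
        "set fis-ipmap 12443 12887 172.30.147.207",
        "set fis-ipmap-vip 172.30.147.207 14443 14887",
        "set fis-ipmap-ha 19 172.30.147.207 172.30.157.19 12443 12887",
        "set fis-ipmap-ha 20 172.30.147.207 172.30.157.20 13443 13887",
    ],
    "slave": ["set fis-ipmap 13443 13887 172.30.147.207"],
}

def parse(line):
    """Return (kind, ext_ip, node_ip, p443, p8887) using the page's argument order."""
    _, kind, *a = line.split()
    if kind == "fis-ipmap":
        ext, node, ports = a[2], None, a[0:2]
    elif kind == "fis-ipmap-vip":
        ext, node, ports = a[0], None, a[1:3]
    elif kind == "fis-ipmap-ha":           # a[0] is the priority, unused here
        ext, node, ports = a[1], a[2], a[3:5]
    else:
        raise ValueError(f"unknown command: {line}")
    ipaddress.ip_address(ext)              # ValueError on a malformed address
    return kind, ext, node, int(ports[0]), int(ports[1])

def check(plan, ha_vip):
    """Return (problems, vips): findings plus the FortiGate VIP rows the plan implies."""
    problems, vips, local, announced = [], [], set(), set()
    for role, lines in plan.items():
        for line in lines:
            kind, ext, node, p443, p8887 = parse(line)
            for p in (p443, p8887):
                if not 1 <= p <= 65535:
                    problems.append(f"{role}: port {p} out of range")
            if kind == "fis-ipmap":        # ports this node expects to be reached on
                local.add((p443, p8887))
                continue
            if kind == "fis-ipmap-ha":     # redirect target announced by the master
                announced.add((p443, p8887))
            target = node or ha_vip        # the VIP entry forwards to the HA virtual IP
            vips += [(ext, p443, target, 443), (ext, p8887, target, 8887)]
    for pair in sorted(local - announced):
        problems.append(f"ports {pair} have no fis-ipmap-ha entry")
    for pair in sorted(announced - local):
        problems.append(f"fis-ipmap-ha ports {pair} match no node's fis-ipmap")
    seen = [(ext, port) for ext, port, _, _ in vips]
    for key in sorted(set(k for k in seen if seen.count(k) > 1)):
        problems.append(f"external {key[0]}:{key[1]} is forwarded twice")
    return problems, vips
```

Calling `check(PLAN, "172.30.157.99")` with the HA virtual IP from the note above returns no problems and six virtual IP rows: two for the HA virtual IP and two for each node.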
