
Fortigate Limitation
March 4, 2009

I discovered a really annoying limitation of the Fortigate firewalls today. Although this limitation won't be encountered on a daily basis, I know this is not an unusual setup, and on top of that I know that the Cisco PIX Firewall supports this, as I have done it before.
Suppose the following scenario:

Suppose traffic from the Big Bad Internet is destined to company BOB’s application server at 170.1.1.1:8081.
On the Fortigate you create a port-nat to the server’s internal address of 192.168.102.1.
Assume BOB.COM has their DMZ-Internal VRF behind the firewall. And assume that for financial/latency reasons BOB.COM also has a third-party VRF, used by clients on the same ISP to route their traffic via MPLS, destined to 170.1.1.1. This makes sense, right? It gives these clients optimal routing to 170.1.1.1 and, optionally, a backup via their Internet connection in the event that something goes wrong in the MPLS network.
But this is where you will get stuck. You won't be able to create a NAT on the Fortigate MPLS interface for 197.1.1.1, because a Fortigate ties each NAT to ONLY ONE interface. Really silly, considering there are a couple of scenarios where this would be needed. Obviously there are some workarounds, like doing a double NAT or using a different IP via MPLS, but this is non-optimal.
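To make the limitation concrete, here is a constructed FortiOS CLI fragment (added here, not from the post or from Fortinet's documentation) showing the Internet-facing port forward from the scenario, the second VIP for the MPLS interface that the post says the firewall will not accept, and the "different IP via MPLS" workaround. Interface names (`wan1`, `mpls1`, `dmz`), VIP and service names, and the alternate MPLS address 10.200.0.1 are assumptions.

```fortios
# Constructed example, not configuration from the post. Interface names,
# object names and 10.200.0.1 are placeholders.

# Custom service for the application port used in the scenario.
config firewall service custom
    edit "TCP-8081"
        set tcp-portrange 8081
    next
end

# VIP 1: the Internet-facing port forward from the post.
# 170.1.1.1:8081 on wan1 -> 192.168.102.1:8081 in the DMZ.
config firewall vip
    edit "bob-app-8081-wan"
        set extip 170.1.1.1
        set extintf "wan1"
        set portforward enable
        set extport 8081
        set mappedip 192.168.102.1
        set mappedport 8081
    next
end

# VIP 2: the same external address bound to the MPLS interface.
# This is the object the post describes as impossible: the external
# address of a VIP is tied to a single interface, so a second VIP for
# 170.1.1.1 on mpls1 is rejected.
config firewall vip
    edit "bob-app-8081-mpls"
        set extip 170.1.1.1
        set extintf "mpls1"
        set portforward enable
        set extport 8081
        set mappedip 192.168.102.1
        set mappedport 8081
    next
end

# Workaround named in the post: advertise a different address to the
# MPLS clients (placeholder 10.200.0.1) and bind that VIP to mpls1.
config firewall vip
    edit "bob-app-8081-mpls-alt"
        set extip 10.200.0.1
        set extintf "mpls1"
        set portforward enable
        set extport 8081
        set mappedip 192.168.102.1
        set mappedport 8081
    next
end

# One policy per ingress interface, each referencing only its own VIP,
# so Internet and MPLS clients are matched, restricted and logged by
# separate rules.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "bob-app-8081-wan"
        set action accept
        set schedule "always"
        set service "TCP-8081"
        set logtraffic all
    next
    edit 0
        set srcintf "mpls1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "bob-app-8081-mpls-alt"
        set action accept
        set schedule "always"
        set service "TCP-8081"
        set logtraffic all
    next
end
```

Whichever workaround is chosen, keep the Internet and MPLS paths on separate policies rather than one broad rule: the MPLS rule can then be narrowed to the partner's source ranges and its logs reviewed independently of Internet traffic. Later FortiOS releases accept `set extintf "any"` on a VIP, which removes the one-interface binding the post complains about; check the release notes for the firmware you run before relying on it.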
This was reported to Fortigate as a bug, but their reply implied it is a feature, and something they will not be correcting.