What Are Virtual IPs And How to Use Them?

  • Published: 11 Sep 2024
  • Simple explanation of what Virtual IPs are with regards to how they are used, why they are needed, and how to configure them in a simple 1:1 deployment. www.fortinetgu...

Comments • 32

  • @zafer12345 1 year ago +2

    It'd be better with a clear, step-by-step explanation.

  • @heathroberts6477 5 years ago +1

    Subbed, just started w a company using these so your channel will be a nice resource. Thank you

  • @LucPaulin 6 years ago +1

    Hey, thanks Mike. I always had some issues differentiating virtual IP vs virtual server, and now with your explanation, when you said it's like a DNAT, I have a much better understanding. I found that both of those terms (virtual IP and virtual server) are kind of confusing.

  • @jester42100 4 years ago

    Thanks for this. I think it answered a problem I have been experiencing and trying to learn around!

  • @alejandroatriano9138 7 months ago +1

    thanks

  • @greatminds1939 2 years ago

    Hello Mike, thanks a lot for the direct explanation. Please, is the communication bidirectional, or do we need to create an outbound policy to make it bidirectional?

  • @jefflambert7513 3 years ago

    Good info, man I love this channel...thanks !!!

  • @whyomgwhywtf 3 years ago

    I respect your content... but I gotta throw a Roll Tide in the chat for that shirt!
    So far it's been a very good intro series and I am looking forward to finishing it out over the next few days.

    • @FortinetGuru 3 years ago +1

      Imma cut you 😂😂

    • @whyomgwhywtf 3 years ago

      @FortinetGuru 😂 😂 Happy New Year, brother. Hope your 2021 is prosperous and plentiful. Stay safe!

  • @daniellundin8543 10 months ago

    Thx Mike!
    Question:
    What to do when there are several ports on the VIP, but with different ports that are not in a range?
    E.g. 443 and 4394. Outside to VIP with port forward to 443 AND 4394.
    Is it possible to insert something on the "many to many" in the VIP creation?
    A range is OK, e.g. TCP 20-30, but not e.g. 20 AND 30(?)

  • @funtech4501 4 years ago

    Is it possible to configure a public IP range for a group of internal devices and give those devices access to the internet?

  • @lindae6035 3 years ago

    Good one, but where could I get this information on my computer?

  • @RowanKaag 6 years ago

    Nice video Mike; I think I disagree on the policy though. If I'm not mistaken, if you want proper UTM inspection (and therefore must add Deep SSL Inspection) to your policies, it's better to create a Virtual Server address instead of a Virtual IP, as SSL offloading is done by the FortiGate and it is therefore able to inspect traffic as it should.

    • @FortinetGuru 6 years ago

      Thanks for the reply Rowan! Virtual Servers are used for offloading SSL connections at times but are mostly used for load-balancing in order to make multiple backend servers appear as one. At the end of the day you are going to have your server's SSL cert presented by the FortiGate via the policy in order to do SSL Deep Inspection. There are a lot of ways to skin the cat but the one mentioned in the video is indeed factual.

    • @RowanKaag 6 years ago +3

      No problem at all Mike, I love your videos.
      I totally agree with you that Virtual Servers are primarily used for Load Balancing. My comment specifically pointing towards Virtual Servers for SSL Offloading/Termination, and thereby allowing for proper Deep Packet Inspection, comes from a Knowledge Base article that I read months ago and that has stuck with me ever since.
      The following quote from kb.fortinet.com/kb/documentLink.do?externalID=FD40937 states: "Typically the server certificate would be installed on the HTTPS server behind the FortiGate, but in this case it must be installed on the FortiGate for Inbound Deep Inspection to be configured."
      I am aware that this article is scoped for FortiOS 5.2, but to my knowledge this is still true for FortiOS 6.0 today. By using a Virtual IP, the FortiGate - as far as I know - merely forwards IP and/or ports to another IP and/or port without doing anything to layers 5 through 7. This serves as the typical Destination NAT scenario still broadly used today.
      As far as I know, in order to successfully maintain security handles, the FortiGate needs to be able to properly inspect the traffic by performing Deep Packet Inspection in order to gain full visibility into layer 5-7 packets. This way it can perform its restrictions/controls provided by the UTM profiles. In order to do so, I can relate to the KB's statement pointing out that the FortiGate must be the one to serve the TLS connection and therefore the corresponding certificate.
      By using a Virtual IP, the FortiGate does not allow you to specify a certificate whilst the Virtual Server does. As an added bonus, by tweaking the Virtual Server configuration one can gain an A+ rating on ssllabs.com whilst the underlying Web Server may not (possibly for various reasons, such as not having control over an appliance's Virtual Host configuration or its TLS library).

  • @satheesnair6426 1 year ago

    Hi, I am trying to configure an FTP server on a DMZ port in a FortiGate 60E. I can ping the server and the public IP, but since I am using FortiDDNS (ADSL not having a fixed IP) I am not able to access it from public. Can you help?

  • @anonymousjones4016 4 years ago

    Mike...I'm confused. VIP is NAT, just complicated with customization options and features that the more general NAT comes with out of box. Que no? (Right?)

  • @eduardhernandez6846 1 year ago

    What can I do to avoid latency between my virtual IPs?

  • @awalpratamasapey161 3 years ago

    Do you have a manual or articles about VIPs that I can read?

  • @behrad8860 2 years ago

    thanks bro

  • @scoopphase5569 5 years ago

    Excellent video. I was wondering if you could answer a question? I have a server in a private network behind a FortiGate VM. The FortiGate has one WAN interface with two IPSEC tunnels to another private network across the internet. The server has a VIP assigned and needs to be accessible on the tunnels only. The only way I have found to do this is to specify any as the interface, because the same VIP can't be used on multiple interfaces unless it's set to any. When the server goes out the WAN for updates, I want it to NAT to the WAN interface IP, but with any interface specified on the VIP, it NATs to the VIP instead of the WAN port IP. I was looking into central NAT as a possible solution. Is this feasible or is there a simpler solution that I am overlooking?

    • @FortinetGuru 4 years ago

      The VIP is taking precedence over policy. Look at your VIP in the CLI and see if NAT-SOURCE-VIP is enabled or disabled. Change it from what it is and see if it behaves properly.

    • @scoopphase5569 4 years ago

      @FortinetGuru If I am reading the CLI reference right, that will prevent it from using a VIP. I want it to NAT to the VIP out two interfaces but use the interface IP when exiting the third interface.

  • @DonJudd 3 years ago

    Mike, if you have the port forwarded in the Virtual IP, do you need to specify the service in the IPV4 Policy as well?

    • @FortinetGuru 3 years ago

      No, but it is best practice.

    • @DonJudd 3 years ago

      @FortinetGuru Cool, as long as it's not "recommended against". Thank you sir.
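
The exchange above about port forwarding and the policy service, as an added FortiOS CLI example that is not part of the original comments or the video: a port-forwarding VIP and an inbound policy that names the service explicitly. The object names, interface names and addresses (203.0.113.10 from the documentation range, 10.10.10.10 internal) are constructed for illustration.

```fortios
# Constructed example: all names, interfaces and addresses are assumptions.
# VIP: destination NAT from the public address, TCP/443 only, to the internal server.
config firewall vip
    edit "vip-web-443"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.10.10.10"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# Inbound policy: the VIP object is the destination address.
# The VIP already limits translation to TCP/443, so the policy would
# also pass this traffic with service "ALL". Naming HTTPS keeps the
# policy matched to the forwarded port if the VIP is later edited or
# replaced with a 1:1 VIP that forwards every port.
config firewall policy
    edit 0
        set name "inbound-web-443"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-web-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```
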

  • @sportsallday4453 5 years ago

    subscribed

  • @inquiringcat4470 4 years ago

    Is this what "Floating IPN" means? Please forgive my ignorance.

    • @brandonstuckey9042 4 years ago

      www.rdoproject.org/networking/difference-between-floating-ip-and-private-ip/