Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,247 questions
Azure User Define Route with Fortigate Firewall (Cannot Access to Virtual Server IP in LAN Network)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 22%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Johnie Steve
0
Reputation points
I would like to ask you some user defined route in azure.
I have the following information with VNET.
VNET network address: 192.168.0.0/16
ExternalWan-subnet: 192.168.200.0/24
InternalLan-subnet: 192.168.90.0/24
ProtectedSubnet: 192.168.100.0/24
The fortigate firewall is deploy in this VNET with Wan interfac in ExternalWan-subnet and Lan interface in InternalLan-subnet. And I create user define route table with below information.
Fortigate Firewall Static Interface
Fortigate Firewall Static Route
Fortigate Firewall Rule
Foritgate firewall virtual server
When I trace route with network watcher, the next hop address show as fortigate firewall "192.168.99.4".
And I have two internal servers (192.168.100.4 and 192.168.100.5) in "protectedsubnet". I installed oracle database on these two server and listening as TCP port 1521. I would like to use my client computer in the same lan network (192.168.100.0/24) to access this two servers from virtual ip. So , I setup virtual server in fortigate firewall with the virtual server ip 192.168.100.240 with two backend servers 192.168.100.4 and 5. if client request tcp port 1521 with the virtual ip 192.168.100.240, it redirects traffic to two backupend server. Here is the problem come in. I cannot access my virtual ip 192.168.100.240. Any routing problem?
I cannot receive any traffic to 192.168.100.240 virtual server ip in fortigate firewall.
{count} votes
-
GitaraniSharma-MSFT 49,001 Reputation points Microsoft Employee2024-06-24T11:24:58.6366667+00:00 Hello @Johnie Steve ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I'm not sure if I understand your setup completely as it involves the 3rd party Fortigate Firewall.
But after doing a bit of research, it looks like the below documents may help:
As per the above doc, traffic accessing the virtual server IP is forwarded in turn to the real servers.
So, could you please clarify your ask here?
- If your ask is that you cannot see any traffic on the Virtual server IP, then it is Fortigate related issue and from the above documents, it looks like it will only forward the traffic to the real servers. I cannot comment on the logging part, so it is better to reach out to the Fortinet support team for more information on same.
- If your ask is that the next hop in the UDR and Network Watcher should show the Virtual server IP, then this is not possible as the virtual IP "192.168.100.240" is not part of Azure and Azure will not know what this IP is, unless and until there is a NIC with the IP "192.168.100.240". Refer: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-up-public-IP-access-of-FortiGate-VM-in/ta-p/196397
Regards,
Gita
-
GitaraniSharma-MSFT 49,001 Reputation points Microsoft Employee
2024-06-25T11:31:43.7566667+00:00 @Johnie Steve , could you please provide an update on this post?
Sign in to comment