CactuseSecurity / firewall-orchestrator

Network Security data repository for automation, reporting and compliance of firewall rules
https://fwo.cactus.de
Apache License 2.0

fortinet importer NAT - destination nat with vip obj #1418

Closed tpurschke closed 2 years ago

tpurschke commented 2 years ago

Indicator for destination NAT rules: "match-vip": 1

Example rule with a DNAT object that is not defined in the currently fetched objects (the snippet below is an excerpt of the rule, not a complete JSON document):

     {
        "obj seq": 27,
        "vpn_dst_node": null,
        "vpn_src_node": null,
        "policyid": 5233,
        "srcintf": [
          "any"
        ],
        "dstintf": [
          "it_10.0.29.129-27_zras"
        ],
        "srcaddr": [
          "all"
        ],
        "dstaddr": [
          "DNAT_10.0.29.134--10.0.29.135"
        ],
        "match-vip": 1,

On VIP objects, quoted from https://fndn.fortinet.net/index.php?/forums/topic/2709-fmg-central-dnat-policy-apis-are-providing-only-policy-name/&tab=comments#comment-10458:


The DNAT table only keeps the VIP name and seq (for install order); the config is still in the VIP table, so you need to query the VIP table for the config details.

Request:

{ "client": "gui forward:22886", "id": "72ec839e-e1c4-4485-b41b-5cfb95a9e5bd", "keep_session_idle": 1, "method": "get", "params": [{ "expand datasrc": [], "loadsub": 1, "object template": 0, "option": ["scope member", "get flags", "get meta", "extra info"], "sub fetch": 1, "target start": 2, "url": "pm\/config\/adom\/root\/pkg\/default\/central\/dnat\/d1"}], "session": 17482}

Chkperm Response:

{ "id": "72ec839e-e1c4-4485-b41b-5cfb95a9e5bd", "result": [{ "status": { "code": 0, "message": "OK"}, "url": "pm\/config\/adom\/root\/pkg\/default\/central\/dnat\/d1"}], "session": 17482}

Response:

{ "id": "72ec839e-e1c4-4485-b41b-5cfb95a9e5bd", "result": [{ "data": { "_created timestamp": 1626816831, "_last-modified-by": "admin", "_modified timestamp": 1626816831, "name": ["d1"], "obj seq": 1, "obj ver": 1}, "status": { "code": 0, "message": "OK"}, "url": "pm\/config\/adom\/root\/pkg\/default\/central\/dnat\/d1"}]}

Request:

{ "client": "gui forward:22890", "id": "73b53fe2-2b27-4053-92f3-3441ed4202f5", "keep_session_idle": 1, "method": "get", "params": [{ "object template": 0, "option": ["get used", "get flags", "get devobj mapping", "get meta", "loadsub", "extra info"], "target start": 2, "url": "pm\/config\/adom\/root\/obj\/firewall\/vip\/d1"}], "session": 17482}

Chkperm Response:

{ "id": "73b53fe2-2b27-4053-92f3-3441ed4202f5", "result": [{ "status": { "code": 0, "message": "OK"}, "url": "pm\/config\/adom\/root\/obj\/firewall\/vip\/d1"}], "session": 17482}

Response:

{ "id": "73b53fe2-2b27-4053-92f3-3441ed4202f5", "result": [{ "data": { "_created timestamp": 1626816830, "_if_no_default": 0, "_last-modified-by": "admin", "_modified timestamp": 1626817775, "add-nat46-route": 1, "arp-reply": 1, "color": 0, "comment": null, "dns-mapping-ttl": 0, "dynamic_mapping": null, "extaddr": [], "extintf": ["any"], "extip": ["0.0.0.1"], "extport": "0", "gratuitous-arp-interval": 0, "http-cookie-age": 60, "http-cookie-domain": null, "http-cookie-domain-from-host": 0, "http-cookie-generation": 0, "http-cookie-path": null, "http-cookie-share": 1, "http-ip-header": 0, "http-ip-header-name": null, "http-multiplex": 0, "http-redirect": 0, "https-cookie-secure": 0, "id": 0, "ipv6-mappedip": "::", "ipv6-mappedport": "0", "ldb-method": 0, "mapped-addr": [], "mappedip": ["0.0.0.2"], "mappedport": "0", "max-embryonic-connections": 1000, "monitor": [], "name": "d1", "nat-source-vip": 0, "nat44": 1, "nat46": 0, "obj flags": 1, "obj seq": 2, "obj ver": 2, "outlook-web-access": 0, "persistence": 1, "portforward": 0, "portmapping-type": 0, "protocol": 1, "realservers": null, "server-type": 0, "service": [], "src-filter": [], "srcintf-filter": [], "ssl-algorithm": 0, "ssl-certificate": [], "ssl-cipher-suites": null, "ssl-client-fallback": 1, "ssl-client-rekey-count": 0, "ssl-client-renegotiation": 14, "ssl-client-session-state-max": 1000, "ssl-client-session-state-timeout": 30, "ssl-client-session-state-type": 3, "ssl-dh-bits": 3, "ssl-hpkp": 0, "ssl-hpkp-age": 5184000, "ssl-hpkp-backup": [], "ssl-hpkp-include-subdomains": 0, "ssl-hpkp-primary": [], "ssl-hpkp-report-uri": null, "ssl-hsts": 0, "ssl-hsts-age": 5184000, "ssl-hsts-include-subdomains": 0, "ssl-http-location-conversion": 0, "ssl-http-match-host": 1, "ssl-max-version": 0, "ssl-min-version": 0, "ssl-mode": 1, "ssl-pfs": 0, "ssl-send-empty-frags": 1, "ssl-server-algorithm": 6, "ssl-server-cipher-suites": null, "ssl-server-max-version": 16, "ssl-server-min-version": 16, "ssl-server-session-state-max": 
100, "ssl-server-session-state-timeout": 60, "ssl-server-session-state-type": 3, "status": 1, "type": 0, "uuid": "2cb79eb8-e9a2-51eb-2052-997983ed7636", "weblogic-server": 0, "websphere-server": 0}, "status": { "code": 0, "message": "OK"}, "url": "pm\/config\/adom\/root\/obj\/firewall\/vip\/d1"}]}
tpurschke commented 2 years ago

fixing in #1461
fixing in #1466