Skip to main content
TheChosenOne
TheChosenOne
New Member
October 8, 2018
Question

Firewall rule to access VirtualServer from internal subnets

  • October 8, 2018
  • 1 reply
  • 4943 views

Hi All,

 

I have trouble debugging my FG200E. Maybe someone here can open my eyes... I have a Virtual Server: IP: 192.168.60.100 Virtual Server Port: 443 Round Robin Real Servers: 192.168.60.11:5601, 192.168.60.12:5601

The Subnet 192.168.60.0/24 exists and is bound to a VLAN-Interface (VLAN60) on my Fortigate (192.168.60.1).

 

I wan't to access this Virtual Server from another subnet (192.168.102.0/24) which is on a VLAN-Interface (VLAN102) of my Fortigate (192.168.102.1).

 

I created a rule

from Interface VLAN102 Source 192.168.102.0/24

to Interface VLAN60 Destination VirtualServer 192.168.60.100

Service 443

 

But theFortigate keeps on telling there is no Rule matching. I played around with the rule but it always ends up telling me there is no rule matching. How does the rule have to look like?

 

Thanks a lot!

1 reply

sw2090
SuperUser
sw2090
SuperUser
October 10, 2018

hmmm sounds correct so far (alas you have not posted the exact configuration).

Where does it say no rule matched? This is not possible because there is always but one route that matches any packet - namely policy #1 which blocks everything. So if none of the other policies matched #1 will and you get blocked then.

Did you try a flow trace to debug it on cli?

If your policy did not match you have to find out why. Is the port not corret? Did it start with 443 but then use something else?

Probably remove the service limitation from your policy to see if it matches without...

 

 

TheChosenOne
TheChosenOneAuthor
New Member
October 10, 2018

Hi and thanks for your answer!

 

I played around again but no changes... And of course you are right, there is a policy matching: The default deny rule.

 

Here are some details:

 

 
config system interface
 edit "VLAN60"
 set vdom "root"
 set ip 192.168.60.1 255.255.255.0
 set allowaccess ping
 set role lan
 set snmp-index 23
 set interface "VLAN Trunk"
 set vlanid 60
 next
end
 
 
 
config system interface
 edit "VLAN104"
 set vdom "root"
 set ip 192.168.104.1 255.255.254.0
 set allowaccess ping
 set device-identification enable
 set role lan
 set snmp-index 53
 set interface "VLAN Trunk"
 set vlanid 104
 next
end
 
 
 
config system interface
 edit "VLAN102"
 set vdom "root"
 set ip 192.168.102.1 255.255.255.0
 set allowaccess ping
 set device-identification enable
 set role lan
 set snmp-index 51
 set interface "VLAN Trunk"
 set vlanid 102
 next
end
 
 
 
config firewall vip
 edit "Kibana"
 set uuid 490c11e2-4fb4-51e8-23bd-d2f8d97339b4
 set type server-load-balance
 set extip 192.168.60.100
 set extintf "any"
 set server-type https
 set monitor "Kibana_HealthCheck"
 set ldb-method round-robin
 set extport 443
 config realservers
 edit 1
 set ip 192.168.60.11
 set port 5601
 next
 edit 2
 set ip 192.168.60.12
 set port 5601
 next
 end
 set http-multiplex enable
 set ssl-mode full
 set ssl-certificate "star.mydomain.com"
 next
end
 
 
 
config firewall vip
 edit "anchoreEngine"
 set uuid 78fa9c8e-72fa-51e8-5c63-96f28400ceb6
 set type server-load-balance
 set extip 192.168.60.101
 set extintf "any"
 set server-type https
 set ldb-method round-robin
 set extport 443
 config realservers
 edit 1
 set ip 192.168.60.11
 set port 8228
 next
 end
 set http-multiplex enable
 set ssl-mode full
 set ssl-certificate "star.mydomain.com"
 next
end
 
 
 
config firewall policy
    edit 100
        set name "LAN to Kiba"
        set uuid 4e477c1e-4fb4-51e8-b23a-1dd609fc1c3b
        set srcintf "VLAN102" "VLAN104"
        set dstintf "any"
        set srcaddr "Office: VLAN104 Subnet" "Office: VLAN102 Subnet"
        set dstaddr "anchoreEngine" "Kibana"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
 
 
 
2018-10-10 11:30:47 id=20085 trace_id=4096 func=print_pkt_detail line=5320 msg="vd-root:0 received a packet(proto=6, 192.168.102.12:54318->192.168.60.100:443) from VLAN102. flag , seq 2492908065, ack 0, win 29200"
2018-10-10 11:30:47 id=20085 trace_id=4096 func=init_ip_session_common line=5480 msg="allocate a new session-1747743c"
2018-10-10 11:30:47 id=20085 trace_id=4096 func=fw_pre_route_handler line=182 msg="VIP-192.168.60.11:5601, outdev-unkown"
2018-10-10 11:30:47 id=20085 trace_id=4096 func=__ip_session_run_tuple line=3240 msg="DNAT 192.168.60.100:443->192.168.60.11:5601"
2018-10-10 11:30:47 id=20085 trace_id=4096 func=vf_ip_route_input_common line=2590 msg="find a route: flag=04000000 gw-192.168.60.11 via VLAN60"
2018-10-10 11:30:47 id=20085 trace_id=4096 func=fw_forward_handler line=597 msg="Denied by forward policy check (policy 0)"
 
 
 
Thanks for your Help!
sw2090
SuperUser
sw2090
SuperUser
October 10, 2018
hmm looks good so far.
You packet trace says it got the packet and it got where to go so your interface configs should be correct.
Could you please additionaly post the config of your vlan trunk interface and the address objects?
 
  "Office: VLAN104 Subnet" "Office: VLAN102 Subnet"
  "anchoreEngine" "Kibana"

        
                                                

        

    


            

                                        

            
                        

                                                                                                            
            






        

                    

    
    





    


                                        

                                                        

            
        
    






                                    
Terms & ConditionsAccessibility statement