New Contributor III
March 15, 2005
Question

Port range forwarding

When creating VIPs, using Port Forwarding (not Static NAT), it's not possible to enter a range of ports - each has to be entered separately. If there is an application that uses a range of say 25 ports (i.e., 2101-2125), each of them would have to be entered separately. That's a lot of work and clutter, where a quick fix would allow for entering ranges. Thanks, PRL

    15 replies

    New Contributor III
    March 15, 2005
    You should use the Firewall policies to allow multiple ports through on an interface. I'd only use VIP to NAT incoming traffic to an internal device which would normally use a public IP.
    UkWizard
    New Member
    March 15, 2005
    I think it's a good idea personally, be nice to say these ports ... either in a range or a list (like a comma separated one). Problem with using static NAT each time Dean is, not many customers have that many external IP addresses and don't always want a dedicated external IP allocated to them.
    New Contributor III
    April 4, 2005
    I would agree with this. There are $40 firewalls (as well as comparable firewalls from competitors) that can do this much more easily than FortiOS 2.80. I'd love to have the ability to register ranges of port addresses when creating VIPs. Thanks. David
    kevanbrown
    New Member
    April 19, 2005
    The lack of this feature is causing me a major headache. I want to use Vonage and have only a single public IP address off of the WAN1 interface. Vonage requires UDP 5060-5061, 53, 69, and 10000-20000. The first three are manageable as individual port forwarding virtual IPs. However, the third range of 10,001 ports is actually impossible to accomplish in the current FortiOS (2.80 MR9) as the upper limit (according to the max value matrix) is 500 virtual IPs (although I saw 1024 as the upper limit in the FortiGate-60 administration guide; conflicting documentation).
    New Contributor III
    April 19, 2005
    I agree, there should be an option to allow for this in the VIP configuration. Currently, there are two options, one for a static port forwarding and the other giving the ability to forward an outside port to a different inside port. It would do Fortinet well to make an option between these two they currently offer. Perhaps they could call it port range forwarding. The only issue I see is the possibility of overlapping external ports for forwarding internally, but when that happens, there are other issues. Any way you look at it, this needs to be taken care of.
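The two concerns raised in the posts above (how many single-port VIPs a port list consumes, and overlapping external ports) can be checked before any configuration is typed. This is an added example, not part of any post in this thread and not Fortinet code; the function names and the second rule are hypothetical, and the 500 limit is the figure quoted above.

```python
# Added example; names are hypothetical, not FortiOS identifiers.
VIP_LIMIT = 500  # limit quoted in the thread for FortiOS 2.80 MR9

def parse_ports(spec):
    """Parse '5060-5061,53' into sorted inclusive (low, high) tuples."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        low, high = int(low), int(high or low)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((low, high))
    return sorted(ranges)

def entries_needed(ranges):
    """Count one-port VIP entries, merging overlaps so no port counts twice."""
    total, covered_to = 0, 0
    for low, high in sorted(ranges):
        start = max(low, covered_to + 1)
        if high >= start:
            total += high - start + 1
            covered_to = high
    return total

def external_conflicts(rules):
    """rules: (name, protocol, port_spec). Return overlaps between rules."""
    found = []
    expanded = [(n, p, parse_ports(s)) for n, p, s in rules]
    for i, (name_a, proto_a, ranges_a) in enumerate(expanded):
        for name_b, proto_b, ranges_b in expanded[i + 1:]:
            for a_low, a_high in ranges_a:
                for b_low, b_high in ranges_b:
                    low, high = max(a_low, b_low), min(a_high, b_high)
                    if proto_a == proto_b and low <= high:
                        found.append((name_a, name_b, low, high))
    return found

# Constructed sample: the Vonage list from the thread plus a made-up rule.
RULES = [
    ("vonage", "udp", "5060-5061,53,69,10000-20000"),
    ("other-app", "udp", "19990-20010"),
]

if __name__ == "__main__":
    needed = entries_needed(parse_ports(RULES[0][2]))
    print(f"vonage needs {needed} single-port VIPs (limit {VIP_LIMIT})")
    for a, b, low, high in external_conflicts(RULES):
        print(f"conflict: {a} and {b} both claim udp {low}-{high}")
```

The same count is also the number of externally reachable ports, so it doubles as a quick measure of how much of the single public IP the forwarding plan exposes.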
    New Contributor III
    April 29, 2005
    Have run into this exact kind of problem with a couple of my customers, and another one just today. Still stuck w/ doing a static NAT and drilling down the accept policy in the firewall to accommodate only the port range that the customer wants. Right now the customer has a good argument which I have no way around that is why can a Firebox 2 manufactured more than 5 years ago be able to perform this exact functionality with ease, while a Fortinet box that is on top of today's technology fumbling over such a trivial task. Right now I believe I can get by w/ eating up an External IP cause my customer has 8 useables. But still, it's a tough thing to make the customer realize, much less configure. I have yet to run into a customer which needs this functionality and does not have the external IP address to burn up. But if we do run into one, they only have one choice, and that's to go with a different firewall solution. I hope Fortinet puts this feature in which I recall being requested even in v2.36, much less 2.80... If your customer needs to do a port range to multiple internal servers, better hope they have quite a large IP address pool on their external network assigned to them by their ISP...
    New Contributor III
    December 5, 2005
    I have the same problem, had to eat an extra IP. This was a simple task in the old DFL-700. Why can't this be fixed?
    New Contributor III
    April 29, 2005
    [Deleted by Admins]
    New Contributor III
    July 28, 2005
    I'm assuming Vonage is no longer an issue as MR10 seems to support port forwarding ranges - can anyone confirm Vonage/Other SIP phones work from behind a FG 2.8 MR10 unit? Thanks, TJ
    kevanbrown
    New Member
    July 29, 2005
    Vonage is now working for me through my FortiGate-60 which is running MR10. But exactly where have you seen that the MR10 FortiOS supports port range forwarding? I just tried both through the web UI and the console to use every syntax I've seen them use for ranges in other places and any I could imagine; none worked. The extport and mappedport fields accept only a single integer value; not a range.
    New Contributor III
    July 29, 2005
    When you define a new service it seems you can define port ranges. So for Vonage I am assuming you could simply define your ports and port ranges, bundle them into a service group and use that in your policy/rule... TJ