lamk2u
Explorer
May 4, 2023
Solved

SD Wan cannot access Wan2 port 80 & 443


My FortiGate 90D-POE has SD-WAN enabled with links from different ISPs.

The problem is that Wan1 can map ports 80 & 443 to backend server (A) (DMZ interface),

while Wan2 ports 80 & 443 cannot be mapped to backend server (B) (LAN interface),

but if I use 8080 on Wan2, I can successfully map to backend server (B).

Can someone help me? Does the FortiGate only allow inbound traffic to Wan1 on ports 80/443, with Wan2 inbound traffic on ports 80/443 not allowed? I checked that both ISPs are not blocking ports 80 & 443.

 

My SD-WAN setup:

wan1
wan2

SD-WAN Rules:

DMZ (server A) -> Wan1 (server A outbound traffic through Wan1)
LAN (server B) -> Wan2 (server B outbound traffic through Wan2)

Static Routes:

Dest. 0.0.0.0 Gateway 0.0.0.0 Interface SD-WAN

Firewall Policies allowed:

SD-WAN -> DMZ
DMZ -> SD-WAN
LAN -> SD-WAN
SD-WAN -> LAN (server B, port 80/443)

 

Best answer by Christian_89 (reply below)

4 replies

gfleming
Staff
May 4, 2023

It should work. Can you show your VIP configs and FW Policy config?

Christian_89
Contributor III
May 4, 2023

It seems like there may be an issue with the firewall policy for Wan2 on your FortiGate. By default, the FortiGate should not block incoming traffic on any interface unless you have specifically configured a security policy to block it.

You should verify that you have a security policy in place allowing incoming traffic on port 80 and 443 for server B on the WAN2 interface. You can check this by going to Policy & Objects > Policy > IPv4 and verifying that there is a policy that allows incoming traffic from the source of WAN2 and the destination of the IP address of server B on port 80 and 443.

If the policy is in place, you can check the traffic logs to see if the traffic is being blocked by the firewall. To do this, go to Log & Report > Traffic Log and search for traffic from the source of WAN2 and the destination of the IP address of server B on port 80 and 443.

 

Otherwise, can you show the VIP setting and the SD-WAN setting?

lamk2u (Author)
Explorer
May 12, 2023

Hi,

Thank you for your replies. Here are captured pictures of my FortiGate rule settings. Actually, I'm quite new to FortiGate and I don't know how to capture the txt config for you; if this is not enough, please let me know, thank you.

[Attached screenshots: VIP policies, VIPs, Physical Interfaces, SD wan, SD wan rules, Static Rules]

lamk2u (Author)
Explorer
May 12, 2023

Hello,

I just did it. I think I made a stupid typo error in my policy forwarding for wan2 port 80 --> 20.124.26.240; it should be 20.124.25.240. Everything is working fine now. Thank you for everyone's comments and help.
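The root cause here was a one-digit typo in a VIP's mapped address, which a quick config audit catches before it costs a week of debugging. The following is an added example (not code from this thread or from Fortinet): it parses a constructed FortiOS-style excerpt with two wan2 port-forwarding VIPs and one SD-WAN-to-LAN policy, then flags any VIP whose mappedip is not in an assumed inventory of known backends or that no policy references as dstaddr. The VIP names, policy id, the "virtual-wan-link" source interface and the KNOWN_SERVERS inventory are assumptions; the mapped addresses mirror the typo described above.

```python
import re
# Constructed FortiOS-style excerpt (not the poster's real config): two wan2
# port-forwarding VIPs and one policy; the HTTP VIP has the thread's typo (.26 vs .25).
SAMPLE_CONFIG = """
config firewall vip
    edit "wan2-http"
        set extintf "wan2"
        set portforward enable
        set mappedip "20.124.26.240"
        set extport 80
    next
    edit "wan2-https"
        set extintf "wan2"
        set portforward enable
        set mappedip "20.124.25.240"
        set extport 443
    next
end
config firewall policy
    edit 5
        set srcintf "virtual-wan-link"
        set dstintf "lan"
        set dstaddr "wan2-https"
        set action accept
    next
end
"""
# Assumed inventory of backend hosts a VIP is allowed to forward to.
KNOWN_SERVERS = {"20.124.25.240": "server B (LAN)"}

def parse_table(config, table):
    """Return {entry: {key: raw_value}} for one 'config <table> ... end' section."""
    sect = re.search(r"config %s\n(.*?)\nend" % re.escape(table), config, re.S)
    items = re.findall(r'edit "?([^"\n]+)"?\n(.*?)\n\s*next', sect.group(1), re.S)
    return {n: dict(re.findall(r"^\s*set (\S+) (.+?)\s*$", b, re.M)) for n, b in items}

def audit(config, known_servers):
    """Flag VIPs mapped to an unknown host and VIPs that no policy uses as dstaddr."""
    vips = parse_table(config, "firewall vip")
    referenced = set()
    for pol in parse_table(config, "firewall policy").values():
        referenced.update(re.findall(r'"([^"]+)"', pol.get("dstaddr", "")))
    findings = []
    for name, vip in vips.items():
        mapped = vip.get("mappedip", "").strip('"')
        if mapped not in known_servers:
            findings.append((name, "mappedip %s is not a known backend" % mapped))
        if name not in referenced:
            findings.append((name, "no firewall policy references this VIP"))
    return findings
```

Feed it the text of `show firewall vip` and `show firewall policy` from the CLI; on the sample it reports the wan2-http VIP twice (unknown backend, and not referenced by the policy) and nothing for wan2-https.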