Younes
Visitor III
February 24, 2016
Question

SSH ACCESS


Hi all,

I have FortiWeb in reverse proxy mode. HTTP/HTTPS works fine, but I have a problem with SSH (FortiWeb drops SSH traffic), so how can I bypass FortiWeb for LAN access via SSH? For information, I have a FortiGate firewall.

Thanks in advance


    abelio
    SuperUser
    February 24, 2016

    Hi,

    use the CLI:

    config router setting
        set ip-forward enable
    end

    regards

    Younes (Author)
    Visitor III
    February 25, 2016

    Hi Abelio,

    Thank you for the reply.

    So I must use the pserver IP to access my server with SSH, not the vserver IP.

    abelio
    SuperUser
    February 25, 2016

    Younes wrote:

    So I must use the pserver IP to access my server with SSH, not the vserver IP.

    Exactly; the same applies to FTP/SFTP/SCP access.

    regards

    Dieorqui
    New Member
    May 13, 2016

    Hi Abelio,

    I have a FortiWeb in reverse proxy mode. I am configuring a VIP on the FortiGate firewall to forward web traffic to the virtual server, and that works fine, but the other protocols such as RDP, FTP and SSH do not work when a user makes a request to a server in the LAN. I enabled IP forwarding on the FortiWeb but nothing happened. How can I make these protocols bypass the FortiWeb?

    Attached is my topology.

    Thanks,

    Courtney_Schwartz
    Staff
    May 18, 2016

    Hi Dieorqui,

     

    Your topology is like FortiWeb 5.5.3 Administration Guide page 79.

     

    It shows a FortiGate RDP/SSH/FTP port forward to the physical web servers' IP -- not to FortiWeb's vserver IP, which is a proxy that only receives HTTP/HTTPS and will drop everything else. (Abelio is correct.)

     

    That's why your FortiWeb setting should be "set ip-forward disable" -- not enabled. Your router should also port forward RDP/SSH/SFTP to your web servers, not to FortiWeb, which is an extra hop. (FortiWeb cannot scan RDP/SSH, so there is no benefit. It would just increase latency.)

     

    "set ip-forward enable" is not recommended. If you really want to use it, though, try this config + topology.

     

    The docs describe this in more detail:

      • "Why is FortiWeb not forwarding non-HTTP traffic (for example, RDP, FTP) to back-end servers even though set ip-forward is enabled?" on page 784 http://docs.fortinet.com/uploaded/files/3019/FortiWeb_5_5_Patch_3_Administration_Guide_Revision1.pdf
      • "router setting" on page 117 http://docs.fortinet.com/d/fortiweb-5-5-3-cli-1

     

    Regards,

    Courtney
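The topology Courtney describes, as an added configuration example that is not from the original thread nor from Fortinet's documentation: on the FortiGate, one VIP sends HTTPS to the FortiWeb vserver and a separate VIP sends SSH straight to the physical web server, and each VIP gets its own policy; on the FortiWeb, ip-forward stays disabled. All addresses (203.0.113.10 as the public IP, 10.0.0.5 as the FortiWeb vserver, 10.0.0.20 as the physical web server, 198.51.100.0/24 as the admin network), interface names (wan1, dmz) and object names are assumptions for the example, so adjust them to your own topology.

```fortios
# --- FortiGate side (example values, not from the thread) ---
# Address object for the only network allowed to reach SSH on the web server.
# SSH bypasses the WAF entirely, so do not expose it to "all".
config firewall address
    edit "admin-net"
        set subnet 198.51.100.0 255.255.255.0
    next
end

config firewall vip
    # HTTPS goes to the FortiWeb vserver, which proxies and inspects it.
    edit "vip-https-fortiweb"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set mappedip "10.0.0.5"
        set extport 443
        set mappedport 443
    next
    # SSH goes directly to the physical server (pserver), never to the vserver:
    # the FortiWeb vserver only accepts HTTP/HTTPS and drops everything else.
    edit "vip-ssh-webserver"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set mappedip "10.0.0.20"
        set extport 22
        set mappedport 22
    next
end

config firewall policy
    edit 10
        set name "inbound-https-to-fortiweb"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-https-fortiweb"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 11
        set name "inbound-ssh-admin"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "admin-net"
        set dstaddr "vip-ssh-webserver"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end

# --- FortiWeb side ---
# Leave IP forwarding off: the FortiWeb is not in the SSH path at all.
config router setting
    set ip-forward disable
end
```

To check the result from the admin network, `ssh user@203.0.113.10` should reach 10.0.0.20 and the FortiGate session for it should show the mapped destination 10.0.0.20:22 rather than the vserver; an `https://203.0.113.10/` request should still land on the FortiWeb and appear in its attack and traffic logs. Restrict the SSH (and any RDP/SFTP) policy's `srcaddr` in the same way, since nothing in front of the web server inspects those sessions.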