VIP on port 80

Question by techevo (New Member), March 29, 2016
1 reply, 7866 views

I'm trying to create a VIP on FortiOS 5.4 from wan to internal on port 80 and it doesn't work.

I changed the FortiGate management port for HTTP to 8181.

If I use port 85 it does work but nothing on port 80. Also, for some strange reason, I don't see anything with the packet sniffer on port 80.

Is there some other setting to disable (maybe the FortiGate uses port 80 for something else?)?

Let me know!

    1 reply

    emnoc
    New Member
    March 29, 2016

    What happens if you telnet to the port locally?

    e.g.

    execute telnet 127.0.0.1 80

    We are assuming your local access on port 8181 is working?

    I would check first by using diag debug flow and review any local-in policies. If these exhibit nothing you might find a clue from diag debug app httpd

     

    techevo (Author)
    New Member
    March 29, 2016

    What happens if you telnet to the port locally?

    # execute telnet 127.0.0.1 80
    Trying 127.0.0.1...
    Failed to connect to specified unit.

    We are assuming your local access on port 8181 is working?

    Yes, access to HTTP via 8181 is working fine from the Internet. Strange thing is diag debug flow filter port 80 doesn't give me anything!! If I change the VIP to port 84 and change the flow filter to port 84 I see the packet hitting the firewall. Also there is no port 80 anywhere in local-in policies. It does work if the traffic is coming from inside the firewall (from the LAN using the WAN IP) but not if coming from a remote machine on the Internet.

    And before you ask, there are no IP restrictions on administrators, the slider is off. I tried diag debug app http (I assume that's what you meant but I'm not sure what integer to use for debugging - tried 1 and 99 but it did not give me anything). I can replicate this behaviour on a 60D with FortiOS 5.4 (the one I'm testing on is a 100D). Is it a bug in 5.4? Can you replicate it on your end?

    emnoc
    New Member
    March 30, 2016

    If packets are not hitting tcp/80 on a diag debug flow or sniffer, then something upstream is blocking the packets. diag debug flow and sniffer will only work if the packets make it to the firewall.
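An added example, not from the thread or from Fortinet: it applies emnoc's reasoning from an outside vantage point by probing the VIP port next to a port known to work and classifying what comes back. A "refused" answer proves the packet reached a host; silence until timeout is the upstream-filter signature the thread describes. The demo() fixture uses loopback ports so it runs offline; host and port values for a real check are whatever you pass in.

```python
import socket

# Outcome labels for one TCP connect attempt. A "refused" result (RST) proves the
# SYN reached a host that answered; "timeout" (silence) is the signature of an
# upstream filter, which is what the thread concludes for tcp/80.
OPEN, REFUSED, TIMEOUT, UNREACHABLE = "open", "refused", "timeout", "unreachable"


def probe_port(host, port, timeout=3.0):
    """Attempt one TCP connect to host:port and classify the outcome."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        return REFUSED
    except socket.timeout:
        return TIMEOUT
    except OSError:  # EHOSTUNREACH, ENETUNREACH and similar
        return UNREACHABLE
    finally:
        s.close()


def compare_ports(host, ports, timeout=3.0):
    """Probe several ports on one host so the VIP port can be read side by side
    with a port known to work (80 versus 85 in the thread). Run this from a
    host outside the ISP path, not from the LAN, or the upstream hop is skipped."""
    return {p: probe_port(host, p, timeout) for p in ports}


def demo():
    """Offline demonstration on loopback (constructed fixture, not a FortiGate):
    one listening ephemeral port gives OPEN, one just-freed port gives REFUSED."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here now, so the kernel answers with RST
    try:
        results = compare_ports("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        srv.close()
    return results, open_port, closed_port
```

If a real run shows the working port as "refused" or "open" while the VIP port stays "timeout", the FortiGate never saw the SYN and the block sits upstream, which is exactly what an empty diag debug flow for that port indicates.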