Description
This article describes a precaution to take when configuring a VIP (Virtual IP) that uses the same external IP address as the FortiGate interface, with no port forwarding set.
Example:
External IP: a.b.c.d
[ Internet ] === { FortiGate } === WEB server
VIP --> a.b.c.d to WEB server
no port forwarding set
In this situation, when a client connects to http://a.b.c.d or https://a.b.c.d, the FortiGate forwards all of that traffic to the WEB server, so HTTP or HTTPS administration access to the FortiGate itself on that address becomes impossible.
Solution
The problem is a conflict between the VIP and the FortiGate administrative access ports.
It is resolved in two steps: first change the default TCP administration ports used by the FortiGate, which releases ports 80 and 443, and then configure port forwarding on the VIP so that it no longer claims every port.
For example, the HTTPS administration port could be set to 1443.
1.a - Changing the administration ports from the GUI:
Go to System --> Admin --> Settings and change the HTTP and HTTPS port numbers.
1.b - Changing the administration ports from the CLI:
config system global
    set admin-sport 1443        # HTTPS administration port (was 443)
    set admin-port <new_port>   # HTTP administration port (was 80)
end
2.a - Configuring port forwarding on the VIP from the GUI:
2.b - Configuring port forwarding from the CLI (this example shows port forwarding for the TCP range 80 to 443; the external and mapped port ranges must be the same size):
config firewall vip
    edit "VIP"
        set portforward enable
        set extport 80-443      # ports the VIP answers on a.b.c.d
        set mappedport 80-443   # ports on the WEB server, same range size
    next
end
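As an added example (not Fortinet's code, nor part of the original article), the following Python script parses FortiOS CLI syntax and reports every VIP whose external IP is also a FortiGate interface IP and whose port range covers an administration port that the interface allows. A VIP without port forwarding is treated as matching every TCP port, which is the behaviour the article describes. The two embedded configurations are constructed: the interface name wan1, the IP addresses, the server address and the HTTP administration port 8080 are placeholders, and the "after" configuration applies both steps above.

```python
"""Added example: find FortiGate VIPs that shadow the HTTP/HTTPS admin ports.
Not Fortinet's code; interface names, IPs and port 8080 are constructed."""


def parse_fortios(text):
    """Parse FortiOS CLI syntax (config/edit/set/next/end) into nested dicts.
    Table sections map entry name -> {key: [values]}; scalar sections such as
    'system global' map key -> [values] directly."""
    root = {}
    stack = [root]   # config block currently being filled
    entry = [None]   # 'edit' entry open at each nesting level, if any
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "config":
            parent = entry[-1] if entry[-1] is not None else stack[-1]
            stack.append(parent.setdefault(" ".join(tok[1:]), {}))
            entry.append(None)
        elif tok[0] == "edit":
            entry[-1] = stack[-1].setdefault(tok[1].strip('"'), {})
        elif tok[0] == "set":
            target = entry[-1] if entry[-1] is not None else stack[-1]
            target[tok[1]] = [v.strip('"') for v in tok[2:]]
        elif tok[0] == "next":
            entry[-1] = None
        elif tok[0] == "end":
            stack.pop()
            entry.pop()
    return root


def port_range(spec):
    """'80' -> (80, 80); '80-443' -> (80, 443)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def admin_port_conflicts(cfg):
    """Return (vip, interface, service, port) for each admin service a VIP
    would capture on an interface IP it shares with the FortiGate."""
    glob = cfg.get("system global", {})
    admin = {"http": int(glob.get("admin-port", ["80"])[0]),
             "https": int(glob.get("admin-sport", ["443"])[0])}
    mgmt = {}  # interface IP -> (interface name, allowed admin services)
    for name, intf in cfg.get("system interface", {}).items():
        if "ip" in intf:
            mgmt[intf["ip"][0]] = (name, set(intf.get("allowaccess", [])))
    findings = []
    for vname, vip in cfg.get("firewall vip", {}).items():
        ext = vip.get("extip", [None])[0]
        if ext not in mgmt or vip.get("protocol", ["tcp"])[0] != "tcp":
            continue
        iface, allow = mgmt[ext]
        if vip.get("portforward", ["disable"])[0] == "enable":
            lo, hi = port_range(vip.get("extport", ["0"])[0])
        else:
            lo, hi = 1, 65535  # no port forwarding: the VIP takes every port
        for svc, port in admin.items():
            if svc in allow and lo <= port <= hi:
                findings.append((vname, iface, svc, port))
    return findings


# Constructed configuration matching the article's problem: default admin
# ports and a VIP on the interface IP with no port forwarding.
CONFIG_BEFORE = """\
config system global
    set admin-port 80
    set admin-sport 443
end
config system interface
    edit "wan1"
        set ip 198.51.100.10 255.255.255.0
        set allowaccess ping https http ssh
    next
end
config firewall vip
    edit "VIP"
        set extip 198.51.100.10
        set extintf "wan1"
        set mappedip "10.0.0.20"
    next
end
"""

# Constructed configuration after steps 1 and 2 (8080 is a placeholder).
CONFIG_AFTER = CONFIG_BEFORE.replace("admin-port 80", "admin-port 8080") \
    .replace("admin-sport 443", "admin-sport 1443") \
    .replace('set mappedip "10.0.0.20"',
             'set mappedip "10.0.0.20"\n        set portforward enable\n'
             '        set extport 80-443\n        set mappedport 80-443')

if __name__ == "__main__":
    for label, text in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, admin_port_conflicts(parse_fortios(text)))
```

Running the script lists both admin services as captured for the "before" configuration and nothing for the "after" one; applying only step 2 while leaving admin-sport at 443 still reports the HTTPS port, which is why the ports are changed first.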