Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
guptar
Staff
Staff

Created on ‎05-08-2007 12:00 AM

Technical Tip: Configure port forwarding using FortiGate VIPs

Article
DescriptionPort forwarding using FortiGate Virtual IPs
Components
  • All FortiGate units
  • FortiOS 5.0, 5.2 and 5.4
Steps or Commands

Add Virtual IPs to enable port forwarding

To forward TCP or UDP ports received by your FortiGate unit external interface to an internal server, you need to follow two steps.

  • Add a Virtual IP enabled with Port Forwarding
  • Add a firewall policy with a virtual IP

This example describes how to configure port forwarding to allow access to an internal Windows Server PC with the Remote access protocol which uses the default port of 3389.

To add a virtual IP that forwards RDP packets

  1. In 5.0, Go to Firewall Objects > Virtual IPs > Virtual IPs.
    In 5.2, Go to Policy & Objects > Objects > Virtual IPs.
    In 5.4, Go to Policy & Objects > Virtual IPs.
  2. Select Create New.
  3. Add a name for the virtual IP.
  4. Select the External Interface. This will typically be the interface that connects your FortiGate unit to the Internet.
  5. Set the External IP Address. You can use:
    • The FortiGate unit public IP.
    • If you have a cable or DSL connection with a dynamic IP, you can use 0.0.0.0.
    • If your ISP provides a block of IPs that route to your FortiGate unit external interface, you can add one of these IPs here.
  6. Set Mapped IP Address to the internal IP address of the Windows Server PC.
  7. Select Port Forwarding.
  8. Set protocol to TCP.
  9. Set External Service Port and Map to Port. For this example, the RDP service uses port 3389. Set both External Service Port and Map to Port to 3389.
  10. Select OK.

Now all that’s left is to define a firewall policy that accepts RDP traffic from the Internet and forwards it to the internal Windows Server PC.

To add a firewall policy with a virtual IP

  1. In 5.0, Go to Policy > Policy > Policy.
    In 5.2, Go to Policy & Objects > Policy > IPv4.
    In 5.4, Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. Set Source Interface to your WAN/Internet interface.
  4. Set Source Address to all.
  5. Set Destination Interface to internal.
  6. Set Destination Address to the name of the virtual IP.
  7. Usually, the remainder of the options in this firewall policy do not need to be changed. For example, Service can remain ANY, because the virtual IP only forwards packets using port 3389.
  8. Select OK.

164073
0 Kudos
Contributors

Contact Us