Description
This article describes how to configure port forwarding as per the below topology.
Scope
FortiGate.
Solution
From the GUI:
- To create a VIP object, go to Policy and Objects -> Virtual IPs and select 'Create New'.
In the above example, 1.1.1.1 is an external WAN IP and 10.0.0.10 is a mapped internal server IP.
The incoming traffic is on port 80 and is mapped internally to the same port 80.
Using other ports for mapping is also possible.
- To create an IPv4 policy to allow the traffic, go to Policy and Objects -> IPv4 and select 'Create New'.
Above is the IPv4 policy configuration where the WAN interface is port3 and the LAN (Server) connected interface is port4.
A common mistake in firewall policy configuration is to set an IP address object or 'all' as the 'destination', which also refers to IP addresses. The correct action is to set the VIP address.
If NAT is enabled, it is impossible to know the source client IP address details, and clients will know the internal server IP details.
From the CLI:
config firewall vip
edit "Test"
set extip 1.1.1.1
set extintf "port3"
set portforward enable (depends on requirement)
set mappedip 10.0.0.10
set extport 80 (depends on requirement)
set mappedport 80 (depends on requirement)
next
end
edit "Test"
set extip 1.1.1.1
set extintf "port3"
set portforward enable (depends on requirement)
set mappedip 10.0.0.10
set extport 80 (depends on requirement)
set mappedport 80 (depends on requirement)
next
end
config firewall policy
edit 1
set srcintf "port3"
set dstintf "port4"
set srcaddr "all"
set dstaddr "Test"
set action accept
set schedule "always" (depends on the requirement).
set service "ANY" (depends on the requirement).
set nat enable (depends on the requirement).
next
end
edit 1
set srcintf "port3"
set dstintf "port4"
set srcaddr "all"
set dstaddr "Test"
set action accept
set schedule "always" (depends on the requirement).
set service "ANY" (depends on the requirement).
set nat enable (depends on the requirement).
next
end
