FortiGate
ppatel
Description

This article describes how to configure a FortiGate to securely grant access from the Internet to an internal application running on a private IP address.

Diagram: (network diagram image in the original article)


Use case:

1) Access to a corporate application is required from the Internet.

2) A third party or customer needs to be granted access to an internal application.

Scope

Solution

To configure a FortiGate to grant access to the internal application:

From the Internet, DNAT (Destination NAT) is required: the FortiGate translates the public IP address (and, where the real port is hidden from outsiders, the public port) that external clients connect to into the real internal IP address and real port of the application.

 

Two things are required to configure this solution: a user account and a VIP.

This example assumes that a user account (local, RADIUS, LDAP, etc.) has already been created, which the FortiGate can use to authenticate the user.

 

Configure VIP:

Go to Policy & Objects -> Virtual IPs and select 'Create New'.

Fill in the appropriate parameters (see example below).

(Screenshot of the VIP object configuration in the original article.)

 

Configure a Firewall Policy that permits traffic from the Internet to the VIP object, and add the users or group that this policy allows.

Go to Policy & Objects -> Firewall Policy and select 'Create New'.

Fill in the appropriate parameters (see example below).

(Screenshot of the firewall policy configuration in the original article.)

 

Because the application is running on a non-standard port (TCP 5201 in this case), the following modification is necessary under 'user setting'. Without it, firewall authentication is not triggered on this port, so the policy will NOT match and the traffic is denied by the implicit policy (drop).

# config user setting
# config auth-ports
        edit 1
            set port 5201     <----- This is the mapped-to port in the VIP object.
        next
    end
end
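The GUI steps above can also be entered at the FortiOS CLI. The following is an added example, not taken from the original article: it assumes a WAN interface "wan1", a LAN interface "internal", the public IP 203.0.113.10, an internal server 10.10.10.50 listening on TCP 5201, an existing local user "app-user", and object names chosen here (adjust all of these to your environment).

```fortios
# Added example (not from the original article): CLI equivalent of the GUI steps.
# Assumed values: WAN interface wan1, LAN interface internal, public IP 203.0.113.10,
# internal server 10.10.10.50 on TCP 5201, existing local user "app-user", group "App_Users".
config firewall vip
    edit "VIP_Internal_App"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set protocol tcp
        set extport 5201
        set mappedip "10.10.10.50"
        set mappedport 5201
    next
end
config firewall service custom
    edit "TCP_5201"
        set tcp-portrange 5201
    next
end
config user group
    edit "App_Users"
        set member "app-user"
    next
end
config firewall policy
    edit 0
        set name "Internet_to_Internal_App"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP_Internal_App"
        set groups "App_Users"
        set action accept
        set schedule "always"
        set service "TCP_5201"
        set logtraffic all
    next
end
# Firewall authentication is only triggered on the ports listed under auth-ports,
# so the mapped-to port must be added here or the policy above will never match.
config user setting
    config auth-ports
        edit 1
            set type http
            set port 5201
        next
    end
end
```

Restricting srcaddr to the third party's known source addresses instead of "all" further reduces exposure of the published port.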
