Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jlim11
Staff
Staff

Created on ‎06-28-2024 01:26 AM Edited on ‎06-28-2024 02:07 AM By Community Manager

Article Id 318322

Troubleshooting Tip: Firewall Policy with specified service for Virtual IP not being matched

Description

This article describes why incoming traffic to the FortiGate does not match the expected firewall policy configured. 

For some setups, Port forwarding may use a different port on the external port which is different from the actual port of the server.

 

Example setup:


[Internal Server]10.149.3.240:443---------------------------[FortiGate]10.47.1.37:55555--------------------------Internet.

 

  • Internal server with TCP port 443 or HTTPS service opened.
  • FortiGate is listening on the public-facing interface for TCP port 55555 to port forward to the actual server.

Virtual IP config.PNG
On the Firewall Policy, the configuration shows that the 'Service' field has been specified to use TCP port 55555 and allow the traffic to the Virtual IP configured.


vip policy c0nfig.PNG

But when trying to access the external IP address using TCP port 55555, it does not match the Firewall Policy as expected.

 

sniffer.PNG

 

debug flow.PNG
 It will show 'Denied by forward policy check(policy 0)' which indicates that it is not matching any firewall policy.
Scope FortiGate.
Solution

To allow the traffic, the service needed on the Firewall Policy should be the port connecting to the server (HTTPS/TCP port 443).

newFortiGate 5555.PNG
In this example, the FortiGate is listening to TCP port 55555 and the actual server is listening to TCP port 443 (or HTTPS).

To understand this behavior on FortiOS:
 

  • The traffic to the FortiGate on external IP using TCP port 55555 will be accepted by the Virtual IP created(DNAT/VIP).
  • And the traffic to the actual server will be accepted by the Firewall Policy with the specified service configured (allowed by Policy-x).

The debug flow will then show it matches the expected policy after changing the service from TCP port 55555 to HTTPS/TCP port 443.


debug flow2.PNG

Related articles:
Technical Tip: Using Virtual IPs to configure port forwarding
Parallel Path Processing
526
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.