Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
itcba
New Contributor

400 bad request with Virtual Servers

Hi everyone

I'm trying to setup a policy with virtual servers to divide the traffic from subdomain1.domain.com and subdomain2.domain.com to different synology nas.

 

I set up the virtual servers:

 

Screenshot 2024-05-31 at 14.52.49.png

and then setup a policy:

 

Screenshot 2024-05-31 at 15.53.44.png

The problem is that i'm obtaining this error:

 

Screenshot 2024-05-31 at 14.40.13.pngWhat could be wrong? 

1 Solution
pminarik
Staff
Staff

We would need to see the details of the individual VIP's configurations, but based on the error message, it looks like you're DNAT-ing plaintext HTTP traffic to the realserver's HTTPS port.

 

This could be a simple :80 -> :443 mis-translation, or maybe you're mistakenly doing an SSL half-offload where the client talks HTTPS to the client, but the FGT talks HTTP to the server. (if that's the case, you should switch the VIP to full-offload SSL)

[ corrections always welcome ]

View solution in original post

3 REPLIES 3
ozkanaltas
Valued Contributor III

Hello @itcba ,

 

When I reviewed your FortiGate configuration, I couldn't see the problem with your configuration.

 

This error page comes from Synology and I did some research about that. I found one YouTube video about how to setup Synology with reverse proxy. Virtual server features work like reverse proxy. Did you make these changes on Synology? 

 

https://www.youtube.com/watch?v=xo3soLHrFOU&ab_channel=DigitalAloha

 

Also, did you define all Synology IPs in the pools as HTTP?

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
pminarik
Staff
Staff

We would need to see the details of the individual VIP's configurations, but based on the error message, it looks like you're DNAT-ing plaintext HTTP traffic to the realserver's HTTPS port.

 

This could be a simple :80 -> :443 mis-translation, or maybe you're mistakenly doing an SSL half-offload where the client talks HTTPS to the client, but the FGT talks HTTP to the server. (if that's the case, you should switch the VIP to full-offload SSL)

[ corrections always welcome ]
itcba
New Contributor

full-offloading SSL seems to have fixed the issue.

Thanks!

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors