Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
itcba
New Contributor

Created on ‎05-31-2024 06:55 AM

400 bad request with Virtual Servers

Hi everyone

I'm trying to setup a policy with virtual servers to divide the traffic from subdomain1.domain.com and subdomain2.domain.com to different synology nas.

 

I set up the virtual servers:

 

Screenshot 2024-05-31 at 14.52.49.png

and then setup a policy:

 

Screenshot 2024-05-31 at 15.53.44.png

The problem is that i'm obtaining this error:

 

Screenshot 2024-05-31 at 14.40.13.pngWhat could be wrong? 

Labels:
270
0 Kudos
1 Solution
pminarik
Staff
Staff

Created on ‎05-31-2024 07:56 AM

We would need to see the details of the individual VIP's configurations, but based on the error message, it looks like you're DNAT-ing plaintext HTTP traffic to the realserver's HTTPS port.

 

This could be a simple :80 -> :443 mis-translation, or maybe you're mistakenly doing an SSL half-offload where the client talks HTTPS to the client, but the FGT talks HTTP to the server. (if that's the case, you should switch the VIP to full-offload SSL)

[ corrections always welcome ]

View solution in original post

245
0 Kudos
3 REPLIES 3
ozkanaltas
Valued Contributor II

Created on ‎05-31-2024 07:45 AM Edited on ‎05-31-2024 07:55 AM

Hello @itcba ,

 

When I reviewed your FortiGate configuration, I couldn't see the problem with your configuration.

 

This error page comes from Synology and I did some research about that. I found one YouTube video about how to setup Synology with reverse proxy. Virtual server features work like reverse proxy. Did you make these changes on Synology? 

 

https://www.youtube.com/watch?v=xo3soLHrFOU&ab_channel=DigitalAloha

 

Also, did you define all Synology IPs in the pools as HTTP?

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
251
0 Kudos
pminarik
Staff
Staff

Created on ‎05-31-2024 07:56 AM

We would need to see the details of the individual VIP's configurations, but based on the error message, it looks like you're DNAT-ing plaintext HTTP traffic to the realserver's HTTPS port.

 

This could be a simple :80 -> :443 mis-translation, or maybe you're mistakenly doing an SSL half-offload where the client talks HTTPS to the client, but the FGT talks HTTP to the server. (if that's the case, you should switch the VIP to full-offload SSL)

[ corrections always welcome ]
246
0 Kudos
itcba
New Contributor
In response to pminarik

Created on ‎05-31-2024 10:56 AM

full-offloading SSL seems to have fixed the issue.

Thanks!

198
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.