Support Forum
AlexFerenX
New Contributor III

ACME Clarification

Hi!

In ACME certificate support see "It must not have any VIPs, or port forwarding on port 80 (HTTP) or 443 (HTTPS)". Since port-forwarding and Virtual Servers are a feature of VIP object, this text is unclear (to me).

Does the requirement refer to ALL VIPs (ie. config firewall vip), or only those with portforward=enable?

Does the requirement also include VIPs configured with realservers?

Thanks!

arahman
Staff
Staff

Hi, it means the VIP that has port forwarding enabled on ports 80 or 443. A VIP that does not have port forwarding enabled will apply to all ports, so this will also cause an issue.

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/822087/acme-certificate-support

AlexFerenX
New Contributor III

Hi! 
Can anyone at Fortinet answer my two questions?

Thanks!

tpatel

Hello Alex, 

For ACME certificates, port 443 and port 80 are going to be used, so if a VIP is configured for port 443 or 80 then all traffic is going to be DNATed using the VIP, which is going to cause an issue for ACME.
Not for all VIPs, but for a VIP which is created using the FortiGate WAN interface IP address, and it will only be for port 443 and port 80.


Regarding VIP configuration:
We can configure port forwarding, then only traffic for the specific port is DNATed, or if we disable port forwarding then all traffic is DNATed to the internal server, meaning port 443 and port 80 are included too.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-port-forwarding-using-FortiGate-...

In a virtual server, if we configure it for port 443 and 80, only then is it going to DNAT ACME traffic as well.
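Added example (not from the thread, Fortinet, or tpatel): a Python pre-flight check that applies the rule stated above to a `show firewall vip` dump, listing the VIPs on the WAN address that would DNAT port 80 or 443 away from the FortiGate before ACME is enabled. The dump text and the WAN address are constructed sample data, and the parser assumes the plain `set key value` layout of FortiOS `show` output with defaults (such as `portforward disable`) omitted.

```python
import ipaddress
# Constructed `show firewall vip` excerpt (sample data, not from the thread).
SAMPLE_VIP_CONFIG = """\
config firewall vip
    edit "web-all-ports"
        set extip 203.0.113.10
        set mappedip "10.0.0.5"
    next
    edit "web-https-only"
        set extip 203.0.113.10
        set portforward enable
        set extport 443
    next
    edit "rdp-forward"
        set extip 203.0.113.10
        set portforward enable
        set extport 3389
    next
end
"""

def parse_vips(text):
    """Parse the dump into {vip_name: {setting: value}}; omitted defaults stay absent."""
    vips, name = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("edit "):
            name = line[5:].strip('"')
            vips[name] = {}
        elif line.startswith("set ") and name:
            key, _, value = line[4:].partition(" ")
            vips[name][key] = value.strip('"')
    return vips

def in_range(spec, value, parse):
    lo, _, hi = spec.partition("-")  # spec is 'x' or a FortiOS 'x-y' range
    return parse(lo) <= value <= parse(hi or lo)

def blocked_ports(vip, wan_ip):
    """ACME ports (80/443) this VIP would DNAT away from the FortiGate, per the
    thread: no port forwarding -> every port is DNATed; forwarding -> only extport."""
    if "extip" not in vip or not in_range(vip["extip"], ipaddress.ip_address(wan_ip), ipaddress.ip_address):
        return []  # VIP sits on another address, so it does not touch the ACME listener
    ext = vip.get("extport", "0") if vip.get("portforward") == "enable" else "1-65535"
    return [p for p in (80, 443) if in_range(ext, p, int)]

def acme_conflicts(text, wan_ip):
    """Map VIP name -> conflicting ACME ports for every VIP in a `show firewall vip` dump."""
    found = {n: blocked_ports(v, wan_ip) for n, v in parse_vips(text).items()}
    return {n: p for n, p in found.items() if p}
```

Running `acme_conflicts(SAMPLE_VIP_CONFIG, "203.0.113.10")` flags `web-all-ports` for both ports and `web-https-only` for 443 only, while `rdp-forward` is left alone.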

AlexFerenX
New Contributor III

Hi @tpatel !

If I configure a VIP with “extport” set to 443, will FortiGate use port 80 for ACME?

Thanks!

hbac
AlexFerenX
New Contributor III

Hi @hbac @tpatel 

Is the answer to my question that I can force ACME to use port 80 only if I also set “admin-telnet-port 443” and exclude “telnet” from “allowaccess” on the interface being used for ACME, correct?


So, similarly, if my current “management-port” is the default “443”, and “https” is excluded from “allowaccess”, as it normally would be on an external interface, wouldn’t FortiGate use port 80 for ACME by default?

Thanks!
