Hello
I would like to access a web server in our DMZ from our public IP.
Access via https (port 443) works find but the access via http (port 80) does not work.
Here are some screenshots of my configuration:
If I change the external service port from 80 to for example 81, then I can reach the web server via
Is another service running on port 80? I disabled "Administrative Access" over HTTP for wan 1 under interfaces. From my internal network I can reach the web server via port 443 and 80.
How could I find out what might cause the problem?
Thanks in advance.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
It's definitely possible that the traffic never reaches your Fortigate. It's also possible the traffic matched a pre-existing session that is offloaded into NPx (if equipped).
// check for existing sessions (that are may be offloaded)
diag sys session filter clear
diag sys session filter dst 192.168.0.38
diag sys session filter dport 80
diag sys session list
// clear existing sessions if they exist
NOTE: Ensure to specify the above session filters so that you do not accidentally clear all your sessions :-).
diag sys session clear
You can also double check by capturing the traffic with the bellow CLI command:
diag sniff packet any 'host <WAN1_IP_Address> and port 80' 4
If there are no established sessions and no output is generated by the sniffer/debug, then your Fortigate is not receiving the traffic and you should troubleshoot upstream.
You could try checking the Local-In Policies. System > Config > Features and enable Local In Policy. Then under Policy & Objects, you should see Local In Policy. You can look for port 80 there.
You said you had administrative access turned off on wan1, do you have any other services on?
Thanks, I tried that and I could not find anything that could cause the problem.
Hi Mike,
the best approach would be to perform a flow debug. The output should clearly show if the correct policy/VIP is matched or why the traffic is dropped.
diagnose debug flow filter clear
diagnose debug flow filter addr <WAN1_IP_Address>
diagnose debug flow filter port 80
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 5
// Now attempt to connect to <WAN1_IP_Address>:80 from the internet.
If you wish to share the debug outputs here, also please include the relevant Fortigate configuration snippets. If you don't wish to share such information here, please open a TAC support ticket with the collected details.
That is very interesting.
When I connect to <WAN1_IP_Address>:80 from my network, I get a debug log. However, when I connect to <WAN1_IP_Address>:80 from outside of my network, I do not get any debug log. Does that mean that Fortigate does not receive the request at all?
It's definitely possible that the traffic never reaches your Fortigate. It's also possible the traffic matched a pre-existing session that is offloaded into NPx (if equipped).
// check for existing sessions (that are may be offloaded)
diag sys session filter clear
diag sys session filter dst 192.168.0.38
diag sys session filter dport 80
diag sys session list
// clear existing sessions if they exist
NOTE: Ensure to specify the above session filters so that you do not accidentally clear all your sessions :-).
diag sys session clear
You can also double check by capturing the traffic with the bellow CLI command:
diag sniff packet any 'host <WAN1_IP_Address> and port 80' 4
If there are no established sessions and no output is generated by the sniffer/debug, then your Fortigate is not receiving the traffic and you should troubleshoot upstream.
Thanks a lot! Traffic never reached our Fortigate, and now I could prove it. Thanks again!
Hi,
Change HTTP port in 'Administrative settings' (System > Settings) to any other port than 80; 81, or 8080 whatever.
regards
/ Abel
Hi, that is already done. Thanks!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.