CC_Mike
New Contributor II

Access web server in DMZ via port 80

Hello


I would like to access a web server in our DMZ from our public IP.
Access via https (port 443) works fine but the access via http (port 80) does not work.
Here are some screenshots of my configuration:

[Three configuration screenshots were attached to the original post.]

If I change the external service port from 80 to for example 81, then I can reach the web server via

http://....:81.

 

Is another service running on port 80? I disabled "Administrative Access" over HTTP for wan 1 under interfaces. From my internal network I can reach the web server via port 443 and 80.

How could I find out what might cause the problem?

Thanks in advance.

distillednetwork
Contributor III

You could try checking the Local-In Policies.  System > Config > Features and enable Local In Policy.  Then under Policy & Objects, you should see Local In Policy.  You can look for port 80 there.

 

You said you had administrative access turned off on wan1, do you have any other services on?

 

CC_Mike

Thanks, I tried that and I could not find anything that could cause the problem.

bpozdena_FTNT

Hi Mike,

 

the best approach would be to perform a flow debug. The output should clearly show if the correct policy/VIP is matched or why the traffic is dropped.

 

diagnose debug flow filter clear
diagnose debug flow filter addr <WAN1_IP_Address>
diagnose debug flow filter port 80
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 5
// Now attempt to connect to <WAN1_IP_Address>:80 from the internet.

 

If you wish to share the debug outputs here, also please include the relevant Fortigate configuration snippets. If you don't wish to share such information here, please open a TAC support ticket with the collected details.

HTH,
Boris
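As an added example (not from the thread and not a Fortinet tool), here is a small Python parser for the output that the flow trace above produces. It groups lines by trace_id, pulls out the ingress interface, the original destination, any DNAT performed by the VIP and the policy verdict, and then answers the question the thread turns on: did any packet for <WAN1_IP_Address>:80 arrive on wan1 at all? The sample output is constructed: the line layout approximates what FortiOS prints, while the addresses (198.51.100.5 standing in for the WAN1 address, 192.168.0.38 for the DMZ server), session ids and policy numbers are invented.

```python
import re
from collections import OrderedDict

# Constructed sample of "diagnose debug flow" output (format approximated from
# FortiOS; addresses, session ids and policy numbers are invented for this
# example). Trace 1: VIP hit from the internet, allowed. Trace 2: packet from
# the internet denied by policy. Trace 3: the same VIP hit from the LAN side.
SAMPLE_FLOW = """\
2022-11-21 12:00:01 id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 203.0.113.10:51234->198.51.100.5:80) from wan1. flag [S], seq 1000, ack 0, win 64240"
2022-11-21 12:00:01 id=20085 trace_id=1 func=init_ip_session_common line=5801 msg="allocate a new session-00001a2b"
2022-11-21 12:00:01 id=20085 trace_id=1 func=fw_pre_route_handler line=182 msg="VIP-192.168.0.38:80, outdev-wan1"
2022-11-21 12:00:01 id=20085 trace_id=1 func=__ip_session_run_tuple line=3287 msg="DNAT 198.51.100.5:80->192.168.0.38:80"
2022-11-21 12:00:01 id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-192.168.0.38 via dmz"
2022-11-21 12:00:01 id=20085 trace_id=1 func=fw_forward_handler line=743 msg="Allowed by Policy-5:"
2022-11-21 12:00:07 id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 198.51.100.77:4444->198.51.100.5:80) from wan1. flag [S], seq 2000, ack 0, win 64240"
2022-11-21 12:00:07 id=20085 trace_id=2 func=init_ip_session_common line=5801 msg="allocate a new session-00001a2c"
2022-11-21 12:00:07 id=20085 trace_id=2 func=fw_forward_handler line=758 msg="Denied by forward policy check (policy 0)"
2022-11-21 12:00:15 id=20085 trace_id=3 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 192.168.1.20:50000->198.51.100.5:80) from internal. flag [S], seq 3000, ack 0, win 64240"
2022-11-21 12:00:15 id=20085 trace_id=3 func=init_ip_session_common line=5801 msg="allocate a new session-00001a2d"
2022-11-21 12:00:15 id=20085 trace_id=3 func=fw_pre_route_handler line=182 msg="VIP-192.168.0.38:80, outdev-internal"
2022-11-21 12:00:15 id=20085 trace_id=3 func=__ip_session_run_tuple line=3287 msg="DNAT 198.51.100.5:80->192.168.0.38:80"
2022-11-21 12:00:15 id=20085 trace_id=3 func=fw_forward_handler line=743 msg="Allowed by Policy-7:"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)'
                    r'->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<iface>\S+)\.')
DNAT_RE = re.compile(r'DNAT [\d.]+:\d+->(?P<dst>[\d.]+):(?P<dport>\d+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<pol>\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<pol>\d+)\)')


def new_trace():
    return {"iface": None, "src": None, "dst": None, "dport": None,
            "dnat": None, "policy": None, "verdict": "no-decision"}


def parse_flow(text):
    """Group debug-flow lines by trace_id and keep the facts that matter:
    ingress interface, original 5-tuple, DNAT target and the policy verdict."""
    traces = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        t = traces.setdefault(m["tid"], new_trace())
        msg = m["msg"]
        pm = PKT_RE.search(msg)
        if pm:
            t.update(iface=pm["iface"], src=pm["src"], dst=pm["dst"], dport=int(pm["dport"]))
            continue
        dm = DNAT_RE.search(msg)
        if dm:
            t["dnat"] = (dm["dst"], int(dm["dport"]))   # the VIP translated the packet
            continue
        am = ALLOW_RE.search(msg)
        if am:
            t["policy"], t["verdict"] = int(am["pol"]), "allowed"
            continue
        dn = DENY_RE.search(msg)
        if dn:
            t["policy"], t["verdict"] = int(dn["pol"]), "denied"
            continue
        if "drop" in msg.lower() and t["verdict"] == "no-decision":
            t["verdict"] = "dropped"   # other drop reasons (local-in, rpf, ...): read the raw line
    return traces


def classify(traces, wan_ip, dport, ingress="wan1"):
    """Return [(trace_id, verdict)] for packets that arrived on `ingress` for
    wan_ip:dport. An empty list means the FortiGate never saw such a packet
    during the trace window, which is what the thread ends up establishing."""
    out = []
    for tid, t in traces.items():
        if t["dst"] != wan_ip or t["dport"] != dport or t["iface"] != ingress:
            continue
        v = t["verdict"]
        if v == "allowed" and t["dnat"] is None:
            v = "allowed-no-vip"   # a policy matched but nothing was translated: VIP not hit
        out.append((tid, v))
    return out


if __name__ == "__main__":
    traces = parse_flow(SAMPLE_FLOW)
    for tid, verdict in classify(traces, "198.51.100.5", 80):
        t = traces[tid]
        print(f"trace {tid}: {verdict}  from {t['src']} via {t['iface']}  dnat={t['dnat']}  policy={t['policy']}")
    print("port 80 seen from internal:", classify(traces, "198.51.100.5", 80, ingress="internal"))
    print("port 81 seen on wan1:", classify(traces, "198.51.100.5", 81) or "nothing: never arrived")
```

Feed it the real trace output (copied from the CLI session) and filter on the ingress interface: a trace that only shows up with ingress="internal" while the wan1 list stays empty is exactly the symptom Mike reports two posts down, and it points upstream rather than at the VIP or policy.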
CC_Mike

That is very interesting.
When I connect to <WAN1_IP_Address>:80 from my network, I get a debug log. However, when I connect to <WAN1_IP_Address>:80 from outside of my network, I do not get any debug log. Does that mean that Fortigate does not receive the request at all?

bpozdena_FTNT

It's definitely possible that the traffic never reaches your Fortigate.  It's also possible the traffic matched a pre-existing session that is offloaded into NPx (if equipped). 

 

// check for existing sessions (that may be offloaded)
diag sys session filter clear
diag sys session filter dst 192.168.0.38
diag sys session filter dport 80
diag sys session list


// clear existing sessions if they exist
NOTE: Make sure to specify the above session filters so that you do not accidentally clear all your sessions :-).
diag sys session clear

 

You can also double check by capturing the traffic with the below CLI command:

diag sniff packet any 'host <WAN1_IP_Address> and port 80' 4

 

If there are no established sessions and no output is generated by the sniffer/debug, then your Fortigate is not receiving the traffic and you should troubleshoot upstream.  

 

 

HTH,
Boris
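The sniffer shows what arrives at the FortiGate; the complementary check is what the client sees from the outside. As an added example (not part of the thread, and not a Fortinet tool), this Python script probes the WAN address from an external vantage point (a phone on mobile data, a VPS) and classifies each port the way the client experiences it: handshake completed, RST received, or silence. Comparing port 80 with ports that are known to work (443, or the 81 test from the first post) narrows the problem before anything is touched on the firewall. The WAN address and port list are placeholders, not values from the thread.

```python
import socket
import errno


def probe_port(host, port, timeout=3.0):
    """Return 'open' (handshake completed), 'closed' (RST received),
    'filtered' (no answer within timeout), 'unreachable' (no route) or 'error'."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:
        if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        return "error"
    s.close()
    return "open"


def compare_ports(host, ports=(80, 81, 443), timeout=3.0):
    """Probe several ports on the same host so the results can be compared."""
    return {p: probe_port(host, p, timeout) for p in ports}


def interpret(results, port):
    """Turn the per-port results into the next troubleshooting step for `port`."""
    state = results[port]
    others = [s for p, s in results.items() if p != port]
    if state == "open":
        return "reachable"
    if "open" not in others:
        # nothing answers at all: wrong IP, host down, or the probing client is restricted
        return "host-dark"
    if state == "filtered":
        # the SYN vanished while other ports answer; if the FortiGate sniffer is
        # also silent for this port, the drop is upstream of the firewall
        return "silently-dropped"
    if state == "closed":
        # something replied with a RST: a device in the path (or the firewall
        # itself) received the SYN but has no listener or VIP for it
        return "answered-closed"
    return "inconclusive"


if __name__ == "__main__":
    WAN_IP = "198.51.100.5"   # placeholder for <WAN1_IP_Address>
    res = compare_ports(WAN_IP)
    for p, s in res.items():
        print(f"{WAN_IP}:{p} -> {s}")
    print("port 80:", interpret(res, 80))
```

Run it from outside the network only; from the LAN the connection hits the VIP via a different path (as Mike observed, it works from inside), so the result says nothing about the internet-facing side. The "silently-dropped" outcome on port 80 combined with an empty sniffer capture on wan1 is the combination that justifies opening a ticket with the ISP or checking a modem/router in front of the FortiGate.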
CC_Mike

Thanks a lot! Traffic never reached our Fortigate, and now I could prove it. Thanks again!

abelio
Valued Contributor

Hi,

Change the HTTP port in 'Administrative settings' (System > Settings) to any port other than 80: 81, 8080, whatever.

regards / Abel
CC_Mike
New Contributor II

Hi, that is already done. Thanks!
