Hello,
I have an internal IIS server with one site configured with the following address (for example): https://toto.test.fr
The server IP is for example: 10.0.10.1
The public IP address is for example: 1.1.1.1
I created the following virtual IP:
name: test
external ip: 1.1.1.1
internal ip: 10.0.10.1
Port forwarding TCP: 443 to 443
Then I created my policy enabling all from external to access test on service HTTPS.
It's working, but I would like to know how to enable ping to toto.test.fr, because currently it's not working.
I tried to add a new virtual IP by selecting port forwarding ICMP and added ICMP+Ping to my policy, but it doesn't work.
Regards,
hi,
and welcome to the forums.
As ICMP / ping does not use ports, a port-forwarding VIP will not forward it. Make the VIP non-portforwarding, and limit the incoming services in the policy.
Hi,
Thank you. The public IP address used in my VIP "test" is already used by another VIP forwarding port 88 to another server. I suppose that I can't use your solution, correct?
Regards,
Do you have only one IP? If so, you can allow ping on your WAN interface...
________________________________________________________
--- NSE 4 ---
________________________________________________________
That is correct. Unfortunately it is one or the other (port forwarding multiples or only non-port forwarding).
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Yep, either use multiple port-forwarding VIPs on the same public address, or several public addresses for multiple non-portforwarding VIPs to different internal servers. You cannot combine one pf-VIP with one non-pf-VIP on the same public address.
Pinging the interface will tell you about the state of the firewall or WAN line, not about the internal server.
Thanks everyone!