vorak
New Contributor

Can't view IP DVR from WAN - Fortigate 60C

Hi!

Today I'm facing a problem with a FortiGate 60C in transparent mode placed between a Cisco RV320 router and a Cisco SG200-26 L2 switch. I have an IP DVR connected to the switch and want to view live cameras from outside. Port forwarding is set at the router as well as DDNS.

When I set up the device in our cam viewer software using DDNS, it appears as connected and available, but when I try to view live cameras, video isn't showing at all and I get a "device is offline" error, although the device appears as connected in the device list. If I try to view recorded video or remote config from the DVR, I can do it. It seems that the problem is only when trying to view live.

I've added the used port (8003) as a service under objects at the Policy & Objects config page and I've also set the IPv4 policy from internal to WAN to allow, but still no luck.

If I connect the IP DVR outside the FortiGate but still under the RV320, remote access/view works fine.

Find attached a couple of screenshots with the RV320 and FortiGate configuration.

Hope you can help. Regards.

15 REPLIES
ericli_FTNT
Staff

Hi vorak,

 

I didn't find any attachment here. Can you double check it?

vorak
New Contributor

Sorry, now I've uploaded them :)

Fortinet Policies below:

Cisco open port:

Regards.

ericli_FTNT

vorak wrote:

Sorry, now I've uploaded them :)

 

Fortinet Policies below:

 

Cisco open port:

 

Regards.

Can you view your attachment correctly?

vorak

Yes, I can. Actually, it is not a full screenshot; I cut out just the section of the configuration.

rwpatterson
Valued Contributor III

The 'DVR 1' object needs to be a Virtual IP not an address object. I cannot tell from what's posted what you have there. It should in addition be a port forwarded VIP using whatever you want on the outside to the correct IP port on the inside.

 

Could you give us the definition of that object if it is a Virtual IP object?

 

Lastly, the direction is incorrect. It should be outside-any -> to -> inside-Virtual IP object with the correct service for the inside port.

 

The policy in position two will never get used since policies are encountered from the top down and the first policy is a global any-any so all traffic will use it. IF the second one worked, it would simply allow any INSIDE object out the firewall using the 'DVR 1' service group.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
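
The top-down, first-match behaviour described in the reply above, as an added example that is not part of the original thread: a simplified Python model that flags policies fully covered by an earlier rule. The field names, interface names and the two sample policies are constructed from the thread's description, and overlap is reduced to wildcard or exact-name matching (an assumption; real address and service objects can overlap partially).

```python
# Added example: simplified model of top-down, first-match policy evaluation.
# Policies below are constructed from the thread's description, not exported
# from a real FortiGate configuration.
WILDCARDS = {"any", "all", "ALL"}
FIELDS = ("srcintf", "dstintf", "srcaddr", "dstaddr", "service")

def covers(broad, narrow):
    """True if field value `broad` matches everything `narrow` matches."""
    return broad in WILDCARDS or broad == narrow

def find_shadowed(policies):
    """Return (shadowed_id, shadowing_id) pairs for rules that can never match."""
    shadowed = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if all(covers(earlier[f], later[f]) for f in FIELDS):
                shadowed.append((later["id"], earlier["id"]))
                break  # the first covering rule is the one traffic will hit
    return shadowed

def first_match(policies, flow):
    """Return the id of the first policy matching `flow`, or None (implicit deny)."""
    for p in policies:
        if all(covers(p[f], flow[f]) for f in FIELDS):
            return p["id"]
    return None

# Constructed sample: a global any-any rule above the DVR-specific rule.
ANY_ANY = {"id": 1, "srcintf": "any", "dstintf": "any",
           "srcaddr": "all", "dstaddr": "all", "service": "ALL"}
DVR_RULE = {"id": 2, "srcintf": "internal", "dstintf": "wan",
            "srcaddr": "all", "dstaddr": "all", "service": "DVR 1"}
POLICIES = [ANY_ANY, DVR_RULE]

# Constructed flow: the DVR answering a remote viewer on its service port.
DVR_FLOW = {"srcintf": "internal", "dstintf": "wan",
            "srcaddr": "dvr-host", "dstaddr": "remote-viewer",
            "service": "DVR 1"}

if __name__ == "__main__":
    for shadowed_id, by_id in find_shadowed(POLICIES):
        print(f"policy {shadowed_id} is shadowed by policy {by_id}")
    print("DVR flow is handled by policy", first_match(POLICIES, DVR_FLOW))
```

Placing the specific rule above the broad one removes the shadowing, which is why audits of rule order usually start with a check like this.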

vorak

rwpatterson wrote:

The 'DVR 1' object needs to be a Virtual IP not an address object. I cannot tell from what's posted what you have there. It should in addition be a port forwarded VIP using whatever you want on the outside to the correct IP port on the inside.

 

Could you give us the definition of that object if it is a Virtual IP object?

 

Lastly, the direction is incorrect. It should be outside-any -> to -> inside-Virtual IP object with the correct service for the inside port.

 

The policy in position two will never get used since policies are encountered from the top down and the first policy is a global any-any so all traffic will use it. IF the second one worked, it would simply allow any INSIDE object out the firewall using the 'DVR 1' service group.

It seems I cannot add VIPs because of the Transparent mode, at least I can't see the option.

 

 

I've deleted the second rule as well.

ericli_FTNT

vorak wrote:

rwpatterson wrote:

The 'DVR 1' object needs to be a Virtual IP not an address object. I cannot tell from what's posted what you have there. It should in addition be a port forwarded VIP using whatever you want on the outside to the correct IP port on the inside.

 

Could you give us the definition of that object if it is a Virtual IP object?

 

Lastly, the direction is incorrect. It should be outside-any -> to -> inside-Virtual IP object with the correct service for the inside port.

 

The policy in position two will never get used since policies are encountered from the top down and the first policy is a global any-any so all traffic will use it. IF the second one worked, it would simply allow any INSIDE object out the firewall using the 'DVR 1' service group.

It seems I cannot add VIPs because of the Transparent mode, at least I can't see the option.

 

 

I've deleted the second rule as well.

Right, vorak, you can't configure VIP in a TP firewall because VIP actually is a NAT.

vorak

ericli wrote:

vorak wrote:

rwpatterson wrote:

The 'DVR 1' object needs to be a Virtual IP not an address object. I cannot tell from what's posted what you have there. It should in addition be a port forwarded VIP using whatever you want on the outside to the correct IP port on the inside.

 

Could you give us the definition of that object if it is a Virtual IP object?

 

Lastly, the direction is incorrect. It should be outside-any -> to -> inside-Virtual IP object with the correct service for the inside port.

 

The policy in position two will never get used since policies are encountered from the top down and the first policy is a global any-any so all traffic will use it. IF the second one worked, it would simply allow any INSIDE object out the firewall using the 'DVR 1' service group.

It seems I cannot add VIPs because of the Transparent mode, at least I can't see the option.

 

 

I've deleted the second rule as well.

Right, vorak, you can't configure VIP in a TP firewall because VIP actually is a NAT.

So... am I not going to be able to view my DVR remotely? Unless I change from Transparent Mode to NAT and have the VIPs set up? Is there a solution under my current configuration?

 

I want to keep my network clean from NAT.

rwpatterson
Valued Contributor III

I stand corrected. I missed the transparent piece.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
