Dear all,
We wanna set monitoring of the office WAN IP address 176.74.140.8 to the service 24x7 so I have to fully open the port 443. Those are the steps I set:
[ul][ul]FW-MAIN # show firewall vip 24x7
config firewall vip
edit "24x7"
set uuid c9886ad2-03e9-51eb-091b-8c2431f4ac90
set extip 176.74.140.8
set mappedip "172.16.2.1"
set extintf "wan1"
set portforward enable
set extport 443
set mappedport 443
next
end
FW-MAIN # show firewall policy 8[/ul][/ul]
config firewall policy
edit 8
set status disable
set name "Open HTTPS"
set uuid 8dbe4ac8-031a-51eb-570c-9678721d149f
set srcintf "wan1"
set dstintf "internal"
set srcaddr "all"
set dstaddr "24x7"
set action accept
set schedule "always"
set service "HTTPS"
set logtraffic all
set comments "Allow 24x7 monitoring"
set nat enable
next
end
Here is the list of the firewall rules:
Rule number 1:
FW-MAIN # show firewall policy 5
config firewall policy
edit 5
set name "Internal"
set uuid 6a4dd636-ec62-51ea-9f46-29c5c9ce9afb
set srcintf "internal" "VLAN16-WIFI" "VLAN12-INTERNAL"
set dstintf "internal" "VLAN16-WIFI" "VLAN12-INTERNAL"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
Rule 2:
FW-MAIN # show firewall policy 3
config firewall policy
edit 3
set name "Internal to WAN"
set uuid 948ca2f2-8e7a-51e9-276c-73602409600d
set srcintf "internal" "VLAN16-WIFI" "VLAN12-INTERNAL"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set dnsfilter-profile "default"
set nat enable
next
end
Next rule:
FW-MAIN # show firewall policy 2
config firewall policy
edit 2
set name "GUEST-VLAN20-ALLOW"
set uuid 306efa4a-8c40-51e9-d3dd-f71a581b638d
set srcintf "GUEST-VLAN20"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
Next to last rule:
FW-MAIN # show firewall policy 8
config firewall policy
edit 8
set status disable
set name "Open HTTPS"
set uuid 8dbe4ac8-031a-51eb-570c-9678721d149f
set srcintf "wan1"
set dstintf "internal"
set srcaddr "all"
set dstaddr "24x7"
set action accept
set schedule "always"
set service "HTTPS"
set logtraffic all
set comments "Allow 24x7 monitoring"
set nat enable
next
end
Last rule:
FW-MAIN # show firewall policy 3
config firewall policy
edit 0
set name "Implicit Deny"
set srcintf "any"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action Deny
set schedule "always"
set service "ALL"
set utm-status enable
next
end
By following those steps, port 443 is still not opened. Can you help me with solving of this issue please?
Kind regards,
Adrián
Thanks a lot. Hope to hear you soon.
Adrian
1st off I would undo nat enable in that policy. It's not required for a VIP
2nd I would use "diag debug flow". It's the 1st thing you should for tracing flow and the final action
e.g
diag debug reset
diag debug enable
diag debug flow filter addr 176.74.140.8
# to ensure the filter is set
diag debug flow filter
diag debug flow trace start 40
Then generate traffic and monitor the output. Afterward
diag debug reset
diag debug disable
Ken Felix
PCNSE
NSE
StrongSwan
I would sniff it first to see if the access goes out to the internal interface. If not, then run flow debugging Ken suggested. If it's going out instead, obviously you need to look at the server side.
By the way, you're putting multiple interfaces into src/dst field in policies. So the order of enter firewall policies in the config really matter. I'm concerned with the policy 3 you named "Implicit Deny" explicitly and where it's positioned among all policies. It's not needed because of the real implicit deny policy.
I guess 176.74.140.8 is not WAN IP of the Fortigate to which you connect on port 443 to manage the Fortigate GUI as well?
Hello Yuri,
yes 176.74.140.8 is a public IP accessible from GUI and cli as well.
Kind,
Adrian
Thanks a lot. Hope to hear you soon.
Adrian
Hey Toshi,
how do you mean to sniff using packet sniffer? Or something else?
Kind,
Adrian
Thanks a lot. Hope to hear you soon.
Adrian
The firewall policy appears to be disabled? At least based on your cli output
Hello Bryce,
it was disabled because it did not work, when I enabled it the result was the same.
Kind,
Adrian
Thanks a lot. Hope to hear you soon.
Adrian
please do what Ken (emnoc) suggested, it will most likely tell us what is wrong.
Hi
Could you please share the high-level architecture, also mention if you have any other firewall in the path. Your conf looks fine.
Yes, diag report also will help to get more details.
Regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1738 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.