Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Adrián_Bárdossy
New Contributor

Cannot open port 443 on Fortigate60E

Dear all,

We wanna set monitoring of the office WAN IP address 176.74.140.8 to the service 24x7 so I have to fully open the port 443. Those are the steps I set:

[ul][ul]
  • Created virtual IP
  • FW-MAIN # show firewall vip 24x7 
    config firewall vip
        edit "24x7"
            set uuid c9886ad2-03e9-51eb-091b-8c2431f4ac90
            set extip 176.74.140.8
            set mappedip "172.16.2.1"
            set extintf "wan1"
            set portforward enable
            set extport 443
            set mappedport 443
        next
    end
  • Created firewall rule:
  • FW-MAIN # show firewall policy 8
    config firewall policy
        edit 8
            set status disable
            set name "Open HTTPS"
            set uuid 8dbe4ac8-031a-51eb-570c-9678721d149f
            set srcintf "wan1"
            set dstintf "internal"
            set srcaddr "all"
            set dstaddr "24x7"
            set action accept
            set schedule "always"
            set service "HTTPS"
            set logtraffic all
            set comments "Allow 24x7 monitoring"
            set nat enable
        next
    end
    [/ul][/ul]

     

    Here is the list of the firewall rules:

    Rule number 1:
    FW-MAIN # show firewall policy 5
    config firewall policy
        edit 5
            set name "Internal"
            set uuid 6a4dd636-ec62-51ea-9f46-29c5c9ce9afb
            set srcintf "internal" "VLAN16-WIFI" "VLAN12-INTERNAL"
            set dstintf "internal" "VLAN16-WIFI" "VLAN12-INTERNAL"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
    Rule 2:
    FW-MAIN # show firewall policy 3
    config firewall policy
        edit 3
            set name "Internal to WAN"
            set uuid 948ca2f2-8e7a-51e9-276c-73602409600d
            set srcintf "internal" "VLAN16-WIFI" "VLAN12-INTERNAL"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set dnsfilter-profile "default"
            set nat enable
        next
    end
    Next rule:
    FW-MAIN # show firewall policy 2
    config firewall policy
        edit 2
            set name "GUEST-VLAN20-ALLOW"
            set uuid 306efa4a-8c40-51e9-d3dd-f71a581b638d
            set srcintf "GUEST-VLAN20"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
    Next to last rule:
    FW-MAIN # show firewall policy 8
    config firewall policy
        edit 8
            set status disable
            set name "Open HTTPS"
            set uuid 8dbe4ac8-031a-51eb-570c-9678721d149f
            set srcintf "wan1"
            set dstintf "internal"
            set srcaddr "all"
            set dstaddr "24x7"
            set action accept
            set schedule "always"
            set service "HTTPS"
            set logtraffic all
            set comments "Allow 24x7 monitoring"
            set nat enable
        next
    end
    Last rule:
    FW-MAIN # show firewall policy 3
    config firewall policy
        edit 0
            set name "Implicit Deny"
            set srcintf "any"
            set dstintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action Deny
            set schedule "always"
            set service "ALL"
            set utm-status enable
        next
    end

     

    By following those steps, port 443 is still not opened. Can you help me with solving of this issue please?

     

    Kind regards,

    Adrián

     

  • Thanks a lot. Hope to hear you soon.

    Adrian

    Thanks a lot. Hope to hear you soon. Adrian
    9 REPLIES 9
    emnoc
    Esteemed Contributor III

    1st off I would undo nat enable in that policy. It's not  required for a VIP

     

    2nd I would use "diag debug flow". It's the 1st thing you should for tracing flow and the final action

     

    e.g 

     

     

    diag debug reset 

    diag debug enable 

    diag debug flow filter addr 176.74.140.8

     

    # to ensure the filter is set

                  diag debug flow filter

     

    diag debug flow trace start 40

     

     

    Then generate traffic and monitor the output. Afterward 

     

    diag debug reset

    diag debug disable

     

     

    Ken Felix

     

     

     

    PCNSE 

    NSE 

    StrongSwan  

    PCNSE NSE StrongSwan
    Toshi_Esumi

    I would sniff it first to see if the access goes out to the internal interface. If not, then run flow debugging Ken suggested. If it's going out instead, obviously you need to look at the server side.

     

    By the way, you're putting multiple interfaces into src/dst field in policies. So the order of enter firewall policies in the config really matter. I'm concerned with the policy 3 you named "Implicit Deny" explicitly and where it's positioned among all policies. It's not needed because of the real implicit deny policy.

    Yurisk

    I guess 176.74.140.8 is not WAN IP of the Fortigate to which you connect on port 443 to manage the Fortigate GUI as well?

    Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
    Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
    Adrián_Bárdossy

    Hello Yuri,

     

    yes 176.74.140.8 is a public IP accessible from GUI and cli as well.

     

    Kind,

    Adrian

    Thanks a lot. Hope to hear you soon.

    Adrian

    Thanks a lot. Hope to hear you soon. Adrian
    Adrián_Bárdossy

    Hey Toshi,

     

    how do you mean to sniff using packet sniffer? Or something else?

     

    Kind,

    Adrian

    Thanks a lot. Hope to hear you soon.

    Adrian

    Thanks a lot. Hope to hear you soon. Adrian
    brycemd

    The firewall policy appears to be disabled? At least based on your cli output

    Adrián_Bárdossy

    Hello Bryce, 

     

    it was disabled because it did not work, when I enabled it the result was the same.

     

    Kind,

    Adrian

    Thanks a lot. Hope to hear you soon.

    Adrian

    Thanks a lot. Hope to hear you soon. Adrian
    boneyard

    please do what Ken (emnoc) suggested, it will most likely tell us what is wrong.

    Ashik_Sheik

    Hi

     

    Could you please share the high-level architecture, also mention if you have any other firewall in the path. Your conf looks fine.

     

    Yes, diag report also will help to get more details.

     

    Regards,

    Ashu 

     

    Ashu
    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors