Cannot open port 443 on Fortigate60E

Adrián_Bárdossy · ‎10-30-2020

Dear all,

We wanna set monitoring of the office WAN IP address 176.74.140.8 to the service 24x7 so I have to fully open the port 443. Those are the steps I set:

[ul][ul]

Created virtual IP

FW-MAIN # show firewall vip 24x7 
config firewall vip
    edit "24x7"
        set uuid c9886ad2-03e9-51eb-091b-8c2431f4ac90
        set extip 176.74.140.8
        set mappedip "172.16.2.1"
        set extintf "wan1"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

Created firewall rule:

FW-MAIN # show firewall policy 8
config firewall policy
    edit 8
        set status disable
        set name "Open HTTPS"
        set uuid 8dbe4ac8-031a-51eb-570c-9678721d149f
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "24x7"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
        set comments "Allow 24x7 monitoring"
        set nat enable
    next
end

[/ul][/ul]

Here is the list of the firewall rules:

Rule number 1:
FW-MAIN # show firewall policy 5
config firewall policy
    edit 5
        set name "Internal"
        set uuid 6a4dd636-ec62-51ea-9f46-29c5c9ce9afb
        set srcintf "internal" "VLAN16-WIFI" "VLAN12-INTERNAL"
        set dstintf "internal" "VLAN16-WIFI" "VLAN12-INTERNAL"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Rule 2:
FW-MAIN # show firewall policy 3
config firewall policy
    edit 3
        set name "Internal to WAN"
        set uuid 948ca2f2-8e7a-51e9-276c-73602409600d
        set srcintf "internal" "VLAN16-WIFI" "VLAN12-INTERNAL"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set dnsfilter-profile "default"
        set nat enable
    next
end
Next rule:
FW-MAIN # show firewall policy 2
config firewall policy
    edit 2
        set name "GUEST-VLAN20-ALLOW"
        set uuid 306efa4a-8c40-51e9-d3dd-f71a581b638d
        set srcintf "GUEST-VLAN20"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
Next to last rule:
FW-MAIN # show firewall policy 8
config firewall policy
    edit 8
        set status disable
        set name "Open HTTPS"
        set uuid 8dbe4ac8-031a-51eb-570c-9678721d149f
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "24x7"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
        set comments "Allow 24x7 monitoring"
        set nat enable
    next
end
Last rule:
FW-MAIN # show firewall policy 3
config firewall policy
    edit 0
        set name "Implicit Deny"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action Deny
        set schedule "always"
        set service "ALL"
        set utm-status enable
    next
end

By following those steps, port 443 is still not opened. Can you help me with solving of this issue please?

Kind regards,

Adrián

Thanks a lot. Hope to hear you soon.

Adrian

emnoc · ‎10-30-2020

1st off I would undo nat enable in that policy. It's not required for a VIP

2nd I would use "diag debug flow". It's the 1st thing you should for tracing flow and the final action

e.g

diag debug reset

diag debug enable

diag debug flow filter addr 176.74.140.8

# to ensure the filter is set

diag debug flow filter

diag debug flow trace start 40

Then generate traffic and monitor the output. Afterward

diag debug reset

diag debug disable

Ken Felix

PCNSE

NSE

StrongSwan

Toshi_Esumi · ‎10-30-2020

I would sniff it first to see if the access goes out to the internal interface. If not, then run flow debugging Ken suggested. If it's going out instead, obviously you need to look at the server side.

By the way, you're putting multiple interfaces into src/dst field in policies. So the order of enter firewall policies in the config really matter. I'm concerned with the policy 3 you named "Implicit Deny" explicitly and where it's positioned among all policies. It's not needed because of the real implicit deny policy.

Yurisk · ‎10-30-2020

I guess 176.74.140.8 is not WAN IP of the Fortigate to which you connect on port 443 to manage the Fortigate GUI as well?

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.

Adrián_Bárdossy · ‎11-03-2020

Hello Yuri,

yes 176.74.140.8 is a public IP accessible from GUI and cli as well.

Kind,

Adrian

Thanks a lot. Hope to hear you soon.

Adrian

Adrián_Bárdossy · ‎11-03-2020

Hey Toshi,

how do you mean to sniff using packet sniffer? Or something else?

Kind,

Adrian

Thanks a lot. Hope to hear you soon.

Adrian

brycemd · ‎11-03-2020

The firewall policy appears to be disabled? At least based on your cli output

Adrián_Bárdossy · ‎11-03-2020

Hello Bryce,

it was disabled because it did not work, when I enabled it the result was the same.

Kind,

Adrian

Thanks a lot. Hope to hear you soon.

Adrian

boneyard · ‎11-06-2020

please do what Ken (emnoc) suggested, it will most likely tell us what is wrong.

Ashik_Sheik · ‎11-07-2020

Hi

Could you please share the high-level architecture, also mention if you have any other firewall in the path. Your conf looks fine.

Yes, diag report also will help to get more details.

Regards,

Ashu