Hi guys, I'm trying to make a server accessible from WAN, I configured virtual ip and port for the server, and then I created a local in policy to test :
config firewall local-in-policy
edit 1
set intf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set schedule "always"
next
end
but I cannot access the server and related traffic still matches policy 0 :
id=20085 trace_id=114 func=print_pkt_detail line=5822 msg="vd-root:0 received a packet(proto=6, [my ip]:2084->[FW IP]:50022) from port1. flag [S], seq 2666835964, ack 0, win 64240"
id=20085 trace_id=114 func=init_ip_session_common line=5993 msg="allocate a new session-01e45466"
id=20085 trace_id=114 func=vf_ip_route_input_common line=2615 msg="find a route: flag=80000000 gw-[FW IP] via root"
id=20085 trace_id=114 func=fw_local_in_handler line=447 msg="iprope_in_check() check failed on policy 0, drop"
Am I doing it wrong? Please help, thanks!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
It looks like you did not matched any policy and went to the implicit deny at the end " policy 0, drop" .
Here is how policy should look like :
set name "internet to server"
set uuid 6584f36c-d22b-51ed-4090-7207acdf3e83
set srcintf "port1"
set dstintf "port2"
set action accept
set srcaddr "all"
set dstaddr "vipfac" <<<<<<here you specify the VIP
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
VIP object
edit "vipfac"
set uuid 33eef826-d22a-51ed-3e64-395817669040
set extip 10.x.x.x
set mappedip "192.168.100.200"
set extintf "port1"
set portforward enable
set extport 11443
set mappedport 443
Hi @Yesolo ,
You can't use use local-in policy for forward traffic. If you've already created the VIP on your Fortigate, simply specify it as destination object in your regular (forward) firewall policy.
You can find all necessary details with examples in the documentation at: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/510402/static-virtual-ips
Hi @Yesolo,
You need to create a firewall policy not local-in policy. You also need to put the VIP in the destination of the firewall policy. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-port-forwarding-using-FortiGate-...
Regards,
Hi @Yesolo , just to clarify, "local in" policies are used for traffic that has as destination the interface itself, not for traffic that will flow through the fortigate, or if you want to see it differently, traffic that has an incoming and an outgoing interface.
Best regards.
It looks like you did not matched any policy and went to the implicit deny at the end " policy 0, drop" .
Here is how policy should look like :
set name "internet to server"
set uuid 6584f36c-d22b-51ed-4090-7207acdf3e83
set srcintf "port1"
set dstintf "port2"
set action accept
set srcaddr "all"
set dstaddr "vipfac" <<<<<<here you specify the VIP
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
VIP object
edit "vipfac"
set uuid 33eef826-d22a-51ed-3e64-395817669040
set extip 10.x.x.x
set mappedip "192.168.100.200"
set extintf "port1"
set portforward enable
set extport 11443
set mappedport 443
Hi, thanks for the reply and detailed description.
I did Firewall Policy at the beginning, but I just found that the "Destination" I chose was wrong. It should be the "Virtual IP/Server" object instead of "Address" object.
Thank you all for the help!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.