Camilian
New Contributor

FortiWiFi 60E Attacks on Port 80

I have FortiWiFi 60E

 

I had to open port 80 and port 443 to support a web page

I am getting daily attacks on port 80 and need to know the steps to protect it.

 

On my server IIS I am forwarding port 80 -> 443 and it is working fine.

 

The attacks continue to happen on port 80 and FortiWiFi 60E allows incoming IP addresses from other countries.

Is there a way to forward port 80 -> 443 in FortiWiFi?

Is there a policy that I can set to ensure that port 80 does not accept IPs from other countries?

What is everyone doing to stop attacks in port 80?

 

 

orani
Contributor II

There are many ways to stop attacks at some port. But let's focus on what your target is.

 

You said that you want to port forward. Yes this can be done. You have to configure a VIP and then use this VIP in an IPv4 rule. That is the first part.

 

If you want then to allow traffic only from a specific country/countries, you have to configure an address object with type Geography (Geolocation) and then use this object as source at the policy you previously created.

 

Before you do that, make sure that everybody who will access your server on your specified port is from the country/countries you created at the address object/s.

Orestis Nikolaidis

Network Engineer/IT Administrator

Camilian
New Contributor

Orani,

Thank you for the suggestions.

Is there a step-by-step procedure as to what to do on the port forward and specific country solution?

I am new to Fortigate and don't want to make any mistakes.

 

Thank you

orani

Ok.

First let's create the address object. Go to "Policy&Objects"-->"Addresses" and click "Create New" - "Address"

Set a desired name, for the "Type" choose "Geography", choose your desired country (the one you want to allow traffic), "Interface" = any and click "OK".

 

Then you have to create your VIP.

Go to "Policy&Objects"-->"Virtual IPs" and click "Create New" - "Virtual IP"

Set a desired name. At the "Interface" choose your external interface/internet (the source of the traffic). At the External IP Address/Range set your interface's IP address. At the Mapped IP Address/Range set your IIS IP address. Enable the "Port Forwarding" option and set the external and internal ports.

 

Lastly you have to create a rule to allow traffic to go through.

Go to "Policy&Objects"-->"IPv4 Policy" and click "Create New"

Set a desired name, Incoming interface = your external interface/internet, Outgoing interface = the interface where IIS is physically connected to, Source = the address object you created before with the country you want to allow, Destination = your previously created Virtual IP object, Service = All, NAT = enabled, Log all sessions, enable this policy (on) and click OK.

 

And now you must be ready to safely use your server.

Orestis Nikolaidis

Network Engineer/IT Administrator

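The three GUI steps in the reply above, written as FortiOS CLI configuration. This is an added example, not part of the original post or Fortinet's own material. The object names, the country code "US", the interface names wan1 and internal, and the addresses 203.0.113.10 and 192.168.1.10 are placeholders chosen for illustration; port 80 is taken from the question.

```fortios
# Step 1: geography address object for the country to allow (placeholder: US)
config firewall address
    edit "Allowed-Country"
        set type geography
        set country "US"
    next
end

# Step 2: virtual IP with port forwarding, external TCP 80 -> IIS TCP 80
# extip = address of the external interface (placeholder)
# mappedip = internal IIS server address (placeholder)
config firewall vip
    edit "IIS-HTTP-VIP"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.1.10"
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
end

# Step 3: policy that admits only the geography object to the VIP.
# Service ALL and NAT enabled follow the reply; because the destination is
# a port-forwarding VIP, only the forwarded port is reachable through it.
# A narrower predefined service such as "HTTP" can be set instead.
config firewall policy
    edit 0
        set name "Inbound-IIS-Geo"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "Allowed-Country"
        set dstaddr "IIS-HTTP-VIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

With logging set to all on this policy, the forward traffic log shows which source countries actually reach the server, which is the check to make before tightening the country list further.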
Camilian
New Contributor

Orani,

I have a question on "Policy&Objects"-->"Virtual IPs"

Enable the "Port Forwarding" option and set the external and internal ports.

 Protocol = TCP

External Service Port = 80

Map to port = 80

 

Is this correct? Looks like I am not doing a port forwarding because I am using port 80 for external and mapping.

 

 

orani

Yeah, it seems right. In this scenario you just forward traffic on port 80 from the external network to port 80 on your server at the internal network.

 

Another option is to forward/translate port. For example if you set external port 8888 and mapped port 80 you will forward external traffic from 8888 to 80 at your internal server.

 

This has to do with what you want. If your server listens on port 80 then the mapped port should be 80. If you want your external users to hit port 80 then your external port should also be port 80.

Orestis Nikolaidis

Network Engineer/IT Administrator

Camilian
New Contributor

Orani, thank you for your help. I got it working now. I am not using port 80 because it is not secure. I am using port 443 and it is working.
