Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nbctcp
New Contributor III

Fortigate Reverse Proxy not working when gateway deleted

SW INFO: FortiGate 6.2.3 KVM eval license

 

PROBLEMS:

When WWW1 and WWW2 have a gateway IP, I can access both of them from the WAN.

But when I delete the gateway, I can't access them anymore from the WAN.

My friend said that on FortiWeb, a WWW server without a gateway is no problem.

 

QUESTIONS:

1. Is FortiGate not a 100% reverse proxy?

2. What is wrong with my config?

3. Do you think a WWW server without a gateway is possible?

tq 

 

CONFIGS:

config system global
    set admin-sport 8443
    set admin-ssh-port 8022
    set alias "FortiGate-VM64-KVM"
    set gui-ipv6 enable
    set hostname "FGT1"
    set timezone 53
end
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.1.11 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
    next
    edit "port2"
        set vdom "root"
        set type physical
    next
    edit "port3"
        set vdom "root"
        set ip 10.0.3.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set type physical
    next
    edit "port4"
        set vdom "root"
        set type physical
    next
end
config router static
    edit 1
        set gateway 10.0.1.2
        set device "port1"
    next
end
config firewall address
    edit "WWW-VIP"
        set type iprange
        set associated-interface "port3"
        set start-ip 10.0.1.11
        set end-ip 10.0.1.12
    next
end
config firewall vip
    edit "www.ngtrain.com"
        set type server-load-balance
        set extip 10.0.1.11
        set extintf "port1"
        set server-type http
        set monitor "1"
        set ldb-method least-session
        set extport 8000
        config realservers
            edit 1
                set ip 10.0.3.11
                set port 80
            next
            edit 2
                set ip 10.0.3.12
                set port 80
            next
        end
    next
end
config firewall policy
    edit 1
        set name "DMZtoWAN"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "www.ngtrain.com"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "www.ngtrain.com"
        set action accept
        set schedule "always"
        set service "HTTP"
        set inspection-mode proxy
    next
end

http://goo.gl/lhQjmU
http://nbctcp.wordpress.com
rdumitrescu
New Contributor III

You have to apply source NAT using the outgoing interface for the policy from port1 to port3; otherwise the real server cannot reply.

nbctcp
New Contributor III

At last, WORKING after I modified it a bit. I don't know whether my method is correct or not; I am following this: https://kb.fortinet.com/k....do?externalId=FD31893

 

config system global
    set admin-sport 8443
    set admin-ssh-port 8022
    set alias "FortiGate-VM64-KVM"
    set gui-ipv6 enable
    set hostname "FGT1"
    set timezone 53
end
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.1.11 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
    next
    edit "port2"
        set vdom "root"
        set type physical
    next
    edit "port3"
        set vdom "root"
        set ip 10.0.3.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set type physical
    next
    edit "port4"
        set vdom "root"
        set type physical
    next
end
config router static
    edit 1
        set gateway 10.0.1.2
        set device "port1"
    next
end
config firewall address
    edit "WWW-VIP"
        set type iprange
        set associated-interface "port3"
        set start-ip 10.0.1.11
        set end-ip 10.0.1.12
    next
end
config firewall vip
    edit "www.ngtrain.com"
        set type server-load-balance
        set extip 10.0.1.11
        set extintf "port1"
        set server-type http
        set nat-source-vip enable
        set srcintf-filter "port3"
        set ldb-method least-session
        set extport 8000
        config realservers
            edit 1
                set ip 10.0.3.11
                set port 80
            next
            edit 2
                set ip 10.0.3.12
                set port 80
            next
        end
    next
end
config firewall policy
    edit 1
        set name "DMZtoWAN"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set nat enable
    next
    edit 2
        set name "www.ngtrain.com"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "www.ngtrain.com"
        set action accept
        set schedule "always"
        set service "HTTP"
        set inspection-mode proxy
        set logtraffic disable
        set nat enable
    next
end

http://goo.gl/lhQjmU
http://nbctcp.wordpress.com
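Added example, not code from the thread or from Fortinet: a small Python checker that parses FortiOS CLI text in the flattened form the posts above use and flags any policy that forwards traffic to a VIP without `set nat enable`, the condition rdumitrescu's reply points at. The sample config is constructed (a shortened version of the first post's), and the parser assumes no value token is itself a CLI keyword.

```python
import shlex

# Constructed sample in the flattened form the thread's configs appear in: one
# server-load-balance VIP and two policies; policy 2 (WAN -> DMZ, to the VIP) has
# no "set nat enable", which is what rdumitrescu's reply points at.
SAMPLE_CONFIG = (
    'config firewall vip edit "www.ngtrain.com" set type server-load-balance set extip 10.0.1.11 '
    'set extintf "port1" set extport 8000 config realservers edit 1 set ip 10.0.3.11 set port 80 '
    'next end next end config firewall policy edit 1 set name "DMZtoWAN" set srcintf "port3" '
    'set dstintf "port1" set srcaddr "all" set dstaddr "all" set nat enable next edit 2 '
    'set name "www.ngtrain.com" set srcintf "port1" set dstintf "port3" set srcaddr "all" '
    'set dstaddr "www.ngtrain.com" set action accept next end'
)
KEYWORDS = {"config", "edit", "set", "unset", "next", "end"}

def parse_fortios(text: str) -> dict:
    """Parse flattened FortiOS CLI into nested dicts: "config a b" / "edit x" become
    dicts, "set k v..." becomes k -> [v, ...]. Assumes no value is itself a keyword."""
    tokens = shlex.split(text)
    stack = [("", {})]  # (name within parent, dict being filled); stack[0] is the root
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("config", "set", "unset"):
            j = i + 1
            while j < len(tokens) and tokens[j] not in KEYWORDS:
                j += 1  # table names and values run until the next CLI keyword
            words = tokens[i + 1:j]
            if tok == "config":
                stack.append((" ".join(words), {}))
            elif tok == "set":
                stack[-1][1][words[0]] = words[1:]
            else:
                stack[-1][1].pop(words[0], None)
            i = j
        elif tok == "edit":
            stack.append((tokens[i + 1], {}))
            i += 2
        else:  # "next" closes an edit entry, "end" closes a config table
            name, table = stack.pop()
            stack[-1][1][name] = table
            i += 1
    return stack[0][1]

def policies_missing_snat(cfg: dict) -> list:
    """Names of policies whose dstaddr is a VIP but that lack "set nat enable": without
    SNAT a real server with no default gateway cannot route its reply back via the FortiGate."""
    vips = set(cfg.get("firewall vip", {}))
    return [pol.get("name", [pid])[0] for pid, pol in cfg.get("firewall policy", {}).items()
            if set(pol.get("dstaddr", [])) & vips and pol.get("nat") != ["enable"]]
```

Running `policies_missing_snat(parse_fortios(SAMPLE_CONFIG))` reports the "www.ngtrain.com" policy; adding `set nat enable` to it, as in the working config above, clears the finding.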