Support Forum
Magroll73
New Contributor II

Fortigate VIP AWS Problem

Hi @ all,

I have a FortiGate 7.2.2 in AWS with two VDOMs: one for management (root) and one for traffic.

The traffic VDOM has two interfaces:

  • internal (10.1.1.1)
  • external (10.2.2.2) with an Elastic IP 1.2.3.4

Currently I'm trying to reach an internal instance via SSH. For this I want to use port forwarding on port 222 on the Elastic IP interface 1.2.3.4 (VIP 1.2.3.4 -> 10.1.1.100: TCP 222 -> 22).

I also created an appropriate firewall rule (any / VIP / 222 / allow).

If I try to SSH to 1.2.3.4, I get the following error:


id=65308 trace_id=159 func=print_pkt_detail line=5892 msg="vd-aws-fw:0 received a packet(proto=6, x.x.x.x:52547->10.1.1.100:222) tun_id=0.0.0.0 from port2. flag [S], seq 3936964361, ack 0, win 64240"
id=65308 trace_id=159 func=init_ip_session_common line=6073 msg="allocate a new session-000035cb, tun_id=0.0.0.0"
id=65308 trace_id=159 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-10.2.2.2 via aws-fw"
id=65308 trace_id=159 func=fw_local_in_handler line=536 msg="iprope_in_check() check failed on policy 0, drop" 


Does any of you have a helpful idea?

Always an valid answer: 42
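As an added example (not from the original post or from Fortinet), a small parser for `diagnose debug flow` lines like the ones quoted above: it pulls out the inbound packet, the route-lookup result and the drop verdict per trace_id. The embedded trace is the one posted, with the masked source address replaced by the constructed value 203.0.113.5.

```python
import re

# Constructed sample: the four debug-flow lines from the post (x.x.x.x -> 203.0.113.5).
TRACE = """\
id=65308 trace_id=159 func=print_pkt_detail line=5892 msg="vd-aws-fw:0 received a packet(proto=6, 203.0.113.5:52547->10.1.1.100:222) tun_id=0.0.0.0 from port2. flag [S], seq 3936964361, ack 0, win 64240"
id=65308 trace_id=159 func=init_ip_session_common line=6073 msg="allocate a new session-000035cb, tun_id=0.0.0.0"
id=65308 trace_id=159 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-10.2.2.2 via aws-fw"
id=65308 trace_id=159 func=fw_local_in_handler line=536 msg="iprope_in_check() check failed on policy 0, drop"
"""

LINE_RE = re.compile(r'id=(\d+) trace_id=(\d+) func=(\S+) line=(\d+) msg="(.*)"')
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) tun_id=\S+ from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: flag=(\w+) gw-([\d.]+) via (\S+)')
DROP_RE = re.compile(r'check failed on policy (\d+), drop')


def parse_trace(text):
    """Group debug-flow lines by trace_id, keeping (func, msg) per event."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a debug-flow record
        _, tid, func, _, msg = m.groups()
        traces.setdefault(tid, []).append((func, msg))
    return traces


def analyse(events):
    """Summarise one trace: received packet, route chosen, and why it was dropped."""
    out = {"packet": None, "route": None, "drop": None}
    for func, msg in events:
        if func == "print_pkt_detail" and (m := PKT_RE.search(msg)):
            proto, src, sport, dst, dport, iface = m.groups()
            out["packet"] = {"proto": int(proto), "src": src, "sport": int(sport),
                             "dst": dst, "dport": int(dport), "in_iface": iface}
        elif func == "vf_ip_route_input_common" and (m := ROUTE_RE.search(msg)):
            out["route"] = {"flag": m.group(1), "gw": m.group(2), "via": m.group(3)}
        elif (m := DROP_RE.search(msg)):
            policy = int(m.group(1))
            # Policy id 0 is the FortiOS implicit deny; the func name says which
            # path (forwarding vs local-in) rejected the packet.
            out["drop"] = {"handler": func, "policy": policy,
                           "implicit_deny": policy == 0}
    return out


if __name__ == "__main__":
    for tid, events in parse_trace(TRACE).items():
        print(tid, analyse(events))
```

The drop coming from fw_local_in_handler rather than the forwarding path means the unit treated the packet as addressed to itself, so the route and VIP match are the first things to check, before the policy's service.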
2 REPLIES
distillednetwork
Contributor III

On your firewall policy try setting the service to SSH (TCP 22) instead of 222.

Magroll73
New Contributor II

After doing some testing, I found out that this was caused by a routing misconfig on the Forti.

Always an valid answer: 42