Hello,
We have a server (Server A) in our internal network which needs to be reachable over port 443, which is OK, but we also need to forward all the traffic that hits that server over port 3389 to another server (Server B).
We've tried to configure a DNAT rule with port forwarding, but this caused the HTTPS traffic to be lost.
Can someone help me understand why other traffic to Server A is lost when the NAT rule is in place?
Below is a diagram to clarify the traffic flow.
Hi Ydaew
Please share a screenshot of the VIP configured for Server A and Server B traffic on the FGT.
Just to confirm the requirement: you want the traffic hitting the FW for External IP, port 3389 to be forwarded to Server B,
and the traffic hitting the FW for External IP, port 443 to be forwarded to Server A.
Please correct me if I am wrong here.
Thanks
Hi @ntaneja
The diagram might be a bit misleading. The scenario is to configure only one VIP, to forward the traffic that hits Server A's IP address over port 3389 to Server B,
while keeping other traffic destined to Server A as is, without any configured forwarding.
So the VIP should be configured only for the below flow:
Source: Client IP --> Destination port: 3389 --> Destination: Server A IP
Destination NAT for the above flow is as below:
Source: Client IP --> Destination port: 3389 --> Destination NAT IP: Server B IP
This is OK and working perfectly. But when the above rule is configured, we are losing all other traffic to Server A.
As an example, we are losing the below flow:
Source: Client IP --> Destination port: 443 --> Destination: Server A IP
Please let me know if it is still not clear.
Hey Ydaew,
I'm a bit confused by this:
"Source: Client IP --> Destination port: 3389 --> Destination: Server A IP"
and
"Source: Client IP --> Destination port: 3389 --> Destination NAT IP: Server B IP"
That sounds a bit as if you want port 3389 to be forwarded to both Server A and Server B? Other parts of your comments read as if port 3389 should only be forwarded to Server B.
Essentially you need two VIPs:
- one for port 3389 (either just to server B, or set as type load-balancing and forward to both server A and B)
- one for port 443 (forward this to server A only)
-> the VIPs would have to be restricted to these ports externally as well.
You would then need policies for these VIPs to allow the traffic.
In addition, with port 443, make sure the FortiGate admin port and SSL VPN port are different, otherwise this could interfere with the VIP.
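An added example in FortiOS CLI (not from any post in this thread) of the two-VIP arrangement described above, next to the unrestricted VIP that produces the symptom. The IP addresses (Server A 10.0.0.10, Server B 10.0.0.20), the interface names "port1"/"port2" and the object names are placeholders; it assumes the FortiGate sits in the path between the clients and Server A so that a VIP with Server A's address as extip is matched.

```fortios
# Added example, not from the thread. Placeholders: Server A = 10.0.0.10,
# Server B = 10.0.0.20, client-facing "port1", server-facing "port2".
# WRONG: no port restriction, so every packet to 10.0.0.10 (443 included)
# is translated to Server B. This is the "losing all other traffic" symptom.
config firewall vip
    edit "VIP_all_ports_to_B"
        set extip 10.0.0.10
        set extintf "port1"
        set mappedip "10.0.0.20"
        set portforward disable
    next
end
# RIGHT: two VIPs, each limited to its own external port.
config firewall vip
    edit "VIP_3389_to_B"
        set extip 10.0.0.10
        set extintf "port1"
        set mappedip "10.0.0.20"
        set portforward enable
        set protocol tcp
        set extport 3389
        set mappedport 3389
    next
    edit "VIP_443_to_A"
        set extip 10.0.0.10
        set extintf "port1"
        set mappedip "10.0.0.10"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end
# One policy per VIP; the 443 policy is identical except for
# dstaddr "VIP_443_to_A" and service "HTTPS".
config firewall policy
    edit 0
        set name "RDP_to_B"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VIP_3389_to_B"
        set action accept
        set schedule "always"
        set service "RDP"
    next
end
```

After applying, "diag debug flow" on a 443 session should show the packet matching the HTTPS policy with no DNAT to 10.0.0.20.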
Hi Ydaew
Can you configure your 3389 rule and then run the below commands on the FGT for 443 traffic and share the output:
PuTTY 1:
di de reset
di de di
diag debug console timestamp enable
diag debug flow filter clear
diag debug flow filter addr X.X.X.X <<------[Replace X.X.X.X with src IP address]
diag debug flow filter dport 443
diag debug flow trace start 999
Now generate 443 traffic from the source client.
Disable debug using "di de di".
PuTTY 2:
get router info routing-table details <src ip>
get router info routing-table details <dst ip>
get router info routing-table all
Thanks