Hi,
I am trying to set up a Linux server in our DMZ behind a FortiGate. I need to allow connections from the Internet to TCP port 2012 on our public IP address, which will be forwarded (translated) to the Linux server's private IP, TCP port 22.
Here is what I configured. I just need some validation from you guys here.
Address Object:
config firewall service custom
    edit "Linux-TCP-2012"
        set tcp-portrange 2012-2012
    next
end
Virtual IP:
config firewall vip
    edit "DMZ-Linux-P2012-VIP"
        set extip 2.2.2.2
        set extintf "port19"
        set portforward enable
        set mappedip "172.16.24.11"
        set extport 2012
        set mappedport 22
    next
end
Firewall Policy:
config firewall policy
    edit 2
        set srcintf "port19"
        set dstintf "DMZ"
        set srcaddr "all"
        set dstaddr "DMZ-Linux-P2012-VIP"
        set action accept
        set schedule "always"
        set service "Linux-TCP-2012"
        set nat enable
    next
end
The part I am not sure about is: do I use "SSH" for the Service parameter inside the firewall policy, OR use "Linux-TCP-2012" like I did, OR simply use "ALL"?
Thanks,
/S
Your setup is correct as it is, except for a minor detail: you do not have to check "NAT" in the policy. Checking it will "source NAT" incoming traffic to the interface's IP address. You will lose any information about the host accessing your server, for no obvious benefit.
On the other hand, using the VIP will do "destination NAT", i.e. changing the destination address (and/or port).
Service port: the service should match the port used from outside, i.e. your custom port 2012.
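A way to check the two points in this answer mechanically, as an added example that is not from the thread and not Fortinet code: a small Python script that parses the poster's CLI snippet and flags a VIP policy that still has "set nat enable" (source NAT hides the client IP from the server) and a service whose port range does not include the VIP's extport (the service must match the outside port, 2012, not the mapped port 22). The config/end table wrappers, the flat parser and the small table of predefined services (only SSH and ALL) are assumptions of this example; real FortiOS configs nest deeper than this parser handles.

```python
import re

# Constructed sample: the poster's three objects, wrapped in the CLI tables they
# belong to, with the policy still carrying 'set nat enable' (the point of the answer).
SAMPLE_CONFIG = """
config firewall service custom
    edit "Linux-TCP-2012"
        set tcp-portrange 2012-2012
    next
end
config firewall vip
    edit "DMZ-Linux-P2012-VIP"
        set extip 2.2.2.2
        set extintf "port19"
        set portforward enable
        set mappedip "172.16.24.11"
        set extport 2012
        set mappedport 22
    next
end
config firewall policy
    edit 2
        set srcintf "port19"
        set dstintf "DMZ"
        set srcaddr "all"
        set dstaddr "DMZ-Linux-P2012-VIP"
        set action accept
        set schedule "always"
        set service "Linux-TCP-2012"
        set nat enable
    next
end
"""

# Assumed port ranges for the two predefined services the poster asked about.
BUILTIN_SERVICES = {"SSH": [(22, 22)], "ALL": [(1, 65535)]}

def parse_fortios(text):
    """Parse a flat snippet into {table: {entry: {key: [values]}}} (one nesting level only)."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        # Quoted values keep their inner spaces; quotes themselves are dropped.
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)]
        if not tokens:
            continue
        if tokens[0] == "config":
            table = " ".join(tokens[1:])
            tables.setdefault(table, {})
        elif tokens[0] == "edit":
            entry = tokens[1]
            tables[table].setdefault(entry, {})
        elif tokens[0] == "set":
            tables[table][entry][tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            entry = None
        elif tokens[0] == "end":
            table = None
    return tables

def port_ranges(values):
    """Expand tcp-portrange values ('2012-2012', '22', 'dst:src') into (lo, hi) tuples."""
    ranges = []
    for value in values:
        dst = value.split(":")[0]          # FortiOS allows 'dstrange:srcrange'; only dst matters
        lo, _, hi = dst.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def lint_port_forward(cfg):
    """Return findings for every policy whose dstaddr is a port-forwarding VIP."""
    findings = []
    vips = cfg.get("firewall vip", {})
    customs = cfg.get("firewall service custom", {})
    for pol_id, pol in cfg.get("firewall policy", {}).items():
        vip_names = [n for n in pol.get("dstaddr", []) if n in vips]
        if not vip_names:
            continue
        # Point 1: NAT on an inbound VIP policy source-NATs the client to the
        # firewall's DMZ address, so the server's logs never show who connected.
        if pol.get("nat", ["disable"])[0] == "enable":
            findings.append(f"policy {pol_id}: 'set nat enable' hides the client IP "
                            "from the server (source NAT to the DMZ interface address)")
        # Point 2: the service must cover the external port (extport), not mappedport.
        for vip_name in vip_names:
            vip = vips[vip_name]
            if vip.get("portforward", ["disable"])[0] != "enable":
                continue
            extport = int(vip["extport"][0])
            for svc in pol.get("service", []):
                if svc in customs:
                    ranges = port_ranges(customs[svc].get("tcp-portrange", []))
                else:
                    ranges = BUILTIN_SERVICES.get(svc, [])
                if not any(lo <= extport <= hi for lo, hi in ranges):
                    findings.append(f"policy {pol_id}: service {svc} does not cover "
                                    f"external port {extport} of VIP {vip_name}")
    return findings

if __name__ == "__main__":
    for finding in lint_port_forward(parse_fortios(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run as-is it reports only the NAT finding; swapping the policy's service to "SSH" makes the port check fire too, which is the "SSH vs Linux-TCP-2012" question from the original post, since SSH (22) does not cover extport 2012.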
Thanks :) Makes sense.
Copyright 2024 Fortinet, Inc. All Rights Reserved.