Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Issue with VIP
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issue with VIP
Hi Everyone,
I have a problem that someone may be able to help me with / point me in the right direction. I come from a Sonicwall background so this may just be terminology that is throwing me :)
I've searched the forum and tried a few things but can't get past my VIP issue, namely that the port 25 VIP that I set up is not sent on to the mail server.
I have set up a VIP, a policy, according to the cookbook, on my 60C (4.0) with an external ip of 0.0.0.0 (it's dynamic / dhcp delivered), internal IP of my mail server (private net), port forwarding on and TCP port 25 specified in the external and map to port fields.
My policy has the source interface as wan1, source address "all", destination interface of internal and destination address my VIP. Schedule is always, service is SMTP and Action is ACCEPT (and no NAT).
Problem is nothing gets through. I can telnet from the firewall (SSH) to the mail server on port 25, but when I try it from an external internet host I see lots of "wan 1 in" records (diag sniffer packet any "tcp and dst port 25" 4) but nothing ever out to the mail server.
The mail server is on the same subnet as the firewall's internal interface, and the firewall is running in NAT mode. I can ping from the mail server to the external internet test host, so connectivity seems to be fine.
Thoughts?
Thanks!
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
and welcome to the forums.
At first glance your setup looks correct.
In the policy, do you really use the VIP object?
What if..you disable port forwarding, does it work then? An additional benefit of this is that you can now ping the server through the VIP (no portless ICMP through port-forwarding VIPs).
Which firmware are you using - main is 4.0, MR is ?, patch ? (or just the build #).
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Beware, you can only remove the port forwarding if no other VIP definitions are using that same external IP (0.0.0.0 in this instance).
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, can it be that your isp is blocking smtp ? Some providers do that, to prevent you run your own mailserver. Test it with a different port, since your setup looks correct.
Ralph
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, and thanks for the welcome :)
The FortiOS version is: v4.0,build5907,120604 (MR2)
Bought off ebay, just waiting for the transfer to come through so that I can register it and get the latest firmware. I did a factory reset of course.
Attached is the firewall policy screenshot of what I have done.
Does the device have some sort of UTM functions that could interfere with port 25?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No problem, I only have the one VIP and policy from wan to internal :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This was working on my sonicwall, so the ISP is definitely not getting in the way (thankfully) :)
Tried some other ports too, like TCP 1352 to make sure, same result.
Thanks for replying :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Some diagnose debug flow will give more insight on what is happening.
Try to run:
diagnose debug reset #Reset debug
diagnose debug enable #Show debug
diagnose debug flow filter addr <IP of mail server or from IP accessing the service> #Filter by IP
diagnose debug flow trace start 20 #Start debug
if needed:
diagnose debug flow filter port 25 #Filter by port
By the way, you have proper routing?
If you still don't find the answer with the debug,you can share it here.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, UTM cannot interfere as you've got none enabled in the policy.
As a quick test, change the VIP to non-port forwarding, open up the service in the policy to ANY (or is it ALL?? ancient fw version), and test with ping. Tighten the screws from there.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ede_pfau wrote:No, UTM cannot interfere as you've got none enabled in the policy.
As a quick test, change the VIP to non-port forwarding, open up the service in the policy to ANY (or is it ALL?? ancient fw version), and test with ping. Tighten the screws from there.
Cool, just wanted to check. Very strange things going on once I remove port forwarding.. Basically a ping from the Internet hosts works at that point! But any other TCP ports (have tried 25, 80, 443, 1352 now) do not work. However I can see the requests hitting the Fortigate in debug mode, it's just not passing them on.
The unit registration should be transferred to me shortly so that I can get the latest Firmware, at least in the 4.x stream, and I'll be purchasing support I think :)
I'll post back here when I have the firmware updated.
Thanks to you (and others) for assistance so far, appreciate the help :)
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,697 -
FortiClient
1,763 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
432 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
209 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiGate-VM
13 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1712 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.