- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Issue with VIP
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issue with VIP
Hi Everyone,
I have a problem that someone may be able to help me with / point me in the right direction. I come from a Sonicwall background so this may just be terminology that is throwing me :)
I've searched the forum and tried a few things but can't get past my VIP issue, namely that the port 25 VIP that I set up is not sent on to the mail server.
I have set up a VIP, a policy, according to the cookbook, on my 60C (4.0) with an external ip of 0.0.0.0 (it's dynamic / dhcp delivered), internal IP of my mail server (private net), port forwarding on and TCP port 25 specified in the external and map to port fields.
My policy has the source interface as wan1, source address "all", destination interface of internal and destination address my VIP. Schedule is always, service is SMTP and Action is ACCEPT (and no NAT).
Problem is nothing gets through. I can telnet from the firewall (SSH) to the mail server on port 25, but when I try it from an external internet host I see lots of "wan 1 in" records (diag sniffer packet any "tcp and dst port 25" 4) but nothing ever out to the mail server.
The mail server is on the same subnet as the firewall's internal interface, and the firewall is running in NAT mode. I can ping from the mail server to the external internet test host, so connectivity seems to be fine.
Thoughts?
Thanks!
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
and welcome to the forums.
At first glance your setup looks correct.
In the policy, do you really use the VIP object?
What if..you disable port forwarding, does it work then? An additional benefit of this is that you can now ping the server through the VIP (no portless ICMP through port-forwarding VIPs).
Which firmware are you using - main is 4.0, MR is ?, patch ? (or just the build #).
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Beware, you can only remove the port forwarding if no other VIP definitions are using that same external IP (0.0.0.0 in this instance).
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, can it be that your isp is blocking smtp ? Some providers do that, to prevent you run your own mailserver. Test it with a different port, since your setup looks correct.
Ralph
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, and thanks for the welcome :)
The FortiOS version is: v4.0,build5907,120604 (MR2)
Bought off ebay, just waiting for the transfer to come through so that I can register it and get the latest firmware. I did a factory reset of course.
Attached is the firewall policy screenshot of what I have done.
Does the device have some sort of UTM functions that could interfere with port 25?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No problem, I only have the one VIP and policy from wan to internal :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This was working on my sonicwall, so the ISP is definitely not getting in the way (thankfully) :)
Tried some other ports too, like TCP 1352 to make sure, same result.
Thanks for replying :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Some diagnose debug flow will give more insight on what is happening.
Try to run:
diagnose debug reset #Reset debug
diagnose debug enable #Show debug
diagnose debug flow filter addr <IP of mail server or from IP accessing the service> #Filter by IP
diagnose debug flow trace start 20 #Start debug
if needed:
diagnose debug flow filter port 25 #Filter by port
By the way, you have proper routing?
If you still don't find the answer with the debug,you can share it here.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, UTM cannot interfere as you've got none enabled in the policy.
As a quick test, change the VIP to non-port forwarding, open up the service in the policy to ANY (or is it ALL?? ancient fw version), and test with ping. Tighten the screws from there.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ede_pfau wrote:No, UTM cannot interfere as you've got none enabled in the policy.
As a quick test, change the VIP to non-port forwarding, open up the service in the policy to ANY (or is it ALL?? ancient fw version), and test with ping. Tighten the screws from there.
Cool, just wanted to check. Very strange things going on once I remove port forwarding.. Basically a ping from the Internet hosts works at that point! But any other TCP ports (have tried 25, 80, 443, 1352 now) do not work. However I can see the requests hitting the Fortigate in debug mode, it's just not passing them on.
The unit registration should be transferred to me shortly so that I can get the latest Firmware, at least in the 4.x stream, and I'll be purchasing support I think :)
I'll post back here when I have the firmware updated.
Thanks to you (and others) for assistance so far, appreciate the help :)
Related Posts
- FortiNAC not responding to PA connections 77 Views
- Issue with SD-WAN 95 Views
- Possible memory issues with 7.2.8 122 Views
- Resolve FortiGate Connectivity Issue Same As... 60 Views
- Fortigate DNS Database (conditional DNS forwarder)... 82 Views
Labels
-
FortiGate
6,562 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
566 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
336 -
FortiAP
336 -
FortiClient EMS
266 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
107 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
IP address management - IPAM
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
Traffic shaping policy
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Web application firewall profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Schedule
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Web rating
1 -
FortiManager-VM
1 -
Email filter profile
1 -
Multicast routing
1 -
Internet Service Database
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.