Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
myrdin
New Contributor

Issue with port forwarding

Hi,

 

i am running latest version of the FortiOS. I had this issue on both a 60D and a 100D.

 

This is the issue:

 

- i want to port forward, for example 3389 public to an internal host. With 3389 everything works. In fact with any STANDARD port it seems to work. So i create a VIP 3389 to 3389, and a firewall rule with the VIP as destination, and service 3389

 

- If i do the same with port translation because 3389 is already used, it does not work. I set the VIP with translation from 3390 to 3389, and a firewall rule to point the the VIP, then service set to 3390. 

 

Debug shows that the i hit the DNAT (i can see the translation happening), but then i hit the default deny policy.

 

I have opened a ticket with Fortinet, and they said i need set the service to ALL and the VIP will take care of filtering the port. This for me is a horrible solution, and i dont understand why with 3389 it works. I have triple checked the custom service 3390 and it is exaclty configured as the 3389 one.

 

Thoughts?

 

thanks

 

7 REPLIES 7
MattM
New Contributor

I'd agree with support on that.  The VIP does the port filtering for you so you don't need to do it again in the firewall rule.  P

 

If it is important to you though you can still do it.  Just remember that you are using two different ports:  3389 and 3390.  You must allow both in the firewall rule and it should work.  I tested this with port 33333 forwarded to 3389.  With just custom service TCP 33333 listed as a service in the firewall rule it doesn't work.  With 33333 and RDP listed as a service I am able to connect.  Of course with All as the service in the firewall rule it also works.

 

Matt

myrdin
New Contributor

now, i might disagree on that. The firewall should see only traffic hitting 3390 not 3389. Then the firewall does the translation to 3389, but that is internal. If i am putting a rule on the ext interface to allow 3390 that should be it i shouldnt allow 3389 as well.

 

From a firewall when i see the firewall table it should be very clear what is allowed and what not, this way i am obliged to double check firewall AND VIPs, which is very confusing. 

 

 

neonbit
Valued Contributor

You shouldn't need an ALL policy. For the firewall policy your service port needs to only be the destination port used in the VIP.

 

For your example that uses the VIP translation from 3390 to 3389, the firewall policy should have the service as 3389, not 3390.

 

I've tested this in the lab using VNC and it works fine. My VNC VIP translates 59001 > 59000. My policy that references the VIP only has port 59000 as the service. I'm able to connect to the VNC server using 59001. There is no requirement for me to add 59001 or ALL to the firewall service.

myrdin
New Contributor

thanks. The ALL suggestion has been made by Fortinet Support when i opened the ticket, but i didnt like the solution. Now it looks like for some reason the logic is that you have to put the destination port, which is rather confusing since i am hitting the firewall with 3390 not 3389. But i guess it is how things work. I found also very confusing as if you want to review the firewall rules, what you see it is not what it really is (i should see port 3390 opened, not 3389).

 

 

emnoc
Esteemed Contributor III

The same here, the  trans-dport is what you want.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
gschmitt
Valued Contributor

myrdin wrote:

I have opened a ticket with Fortinet, and they said i need set the service to ALL and the VIP will take care of filtering the port. This for me is a horrible solution, and i dont understand why with 3389 it works. I have triple checked the custom service 3390 and it is exaclty configured as the 3389 one.

Try setting the service to your custom 3390 Port AND RDP

ede_pfau

No need for all this confusion - NAT is processed before policy matching. So you need to specify the "real" service which you connect to using a non-standard port.

If you look at it from an inside perspective, the firewall policies show the services (destination ports) actually used within the network, no matter what fancy ports are used from outside.

 

Finally, if you look at the reply traffic it makes sense that RDP traffic on port 3389 is called "RDP" and accepted by a policy with service "RDP".

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors