- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Issue with port forwarding
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issue with port forwarding
Hi,
i am running latest version of the FortiOS. I had this issue on both a 60D and a 100D.
This is the issue:
- i want to port forward, for example 3389 public to an internal host. With 3389 everything works. In fact with any STANDARD port it seems to work. So i create a VIP 3389 to 3389, and a firewall rule with the VIP as destination, and service 3389
- If i do the same with port translation because 3389 is already used, it does not work. I set the VIP with translation from 3390 to 3389, and a firewall rule to point the the VIP, then service set to 3390.
Debug shows that the i hit the DNAT (i can see the translation happening), but then i hit the default deny policy.
I have opened a ticket with Fortinet, and they said i need set the service to ALL and the VIP will take care of filtering the port. This for me is a horrible solution, and i dont understand why with 3389 it works. I have triple checked the custom service 3390 and it is exaclty configured as the 3389 one.
Thoughts?
thanks
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd agree with support on that. The VIP does the port filtering for you so you don't need to do it again in the firewall rule. P
If it is important to you though you can still do it. Just remember that you are using two different ports: 3389 and 3390. You must allow both in the firewall rule and it should work. I tested this with port 33333 forwarded to 3389. With just custom service TCP 33333 listed as a service in the firewall rule it doesn't work. With 33333 and RDP listed as a service I am able to connect. Of course with All as the service in the firewall rule it also works.
Matt
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
now, i might disagree on that. The firewall should see only traffic hitting 3390 not 3389. Then the firewall does the translation to 3389, but that is internal. If i am putting a rule on the ext interface to allow 3390 that should be it i shouldnt allow 3389 as well.
From a firewall when i see the firewall table it should be very clear what is allowed and what not, this way i am obliged to double check firewall AND VIPs, which is very confusing.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You shouldn't need an ALL policy. For the firewall policy your service port needs to only be the destination port used in the VIP.
For your example that uses the VIP translation from 3390 to 3389, the firewall policy should have the service as 3389, not 3390.
I've tested this in the lab using VNC and it works fine. My VNC VIP translates 59001 > 59000. My policy that references the VIP only has port 59000 as the service. I'm able to connect to the VNC server using 59001. There is no requirement for me to add 59001 or ALL to the firewall service.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks. The ALL suggestion has been made by Fortinet Support when i opened the ticket, but i didnt like the solution. Now it looks like for some reason the logic is that you have to put the destination port, which is rather confusing since i am hitting the firewall with 3390 not 3389. But i guess it is how things work. I found also very confusing as if you want to review the firewall rules, what you see it is not what it really is (i should see port 3390 opened, not 3389).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The same here, the trans-dport is what you want.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
myrdin wrote:Try setting the service to your custom 3390 Port AND RDPI have opened a ticket with Fortinet, and they said i need set the service to ALL and the VIP will take care of filtering the port. This for me is a horrible solution, and i dont understand why with 3389 it works. I have triple checked the custom service 3390 and it is exaclty configured as the 3389 one.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No need for all this confusion - NAT is processed before policy matching. So you need to specify the "real" service which you connect to using a non-standard port.
If you look at it from an inside perspective, the firewall policies show the services (destination ports) actually used within the network, no matter what fancy ports are used from outside.
Finally, if you look at the reply traffic it makes sense that RDP traffic on port 3389 is called "RDP" and accepted by a policy with service "RDP".
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Related Posts
- VIP Port Forwarding Settings for Mapping... 116 Views
- Port forward fail 198 Views
- Fortinet external AD Connector and retrieving... 150 Views
- fortigate ipsec s2s VPN with starlink... 744 Views
- Split Session sync / heartbeat 133 Views
Labels
-
FortiGate
6,765 -
FortiClient
1,345 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
347 -
FortiAP
346 -
FortiClient EMS
274 -
FortiMail
263 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
87 -
FortiCloud Products
85 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
69 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
33 -
SD-WAN
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiAuthenticator
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
FortiMonitor
14 -
BGP
14 -
DNS
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
FortiSOAR
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.