Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Sydney1323
New Contributor II

Created on ‎04-09-2024 12:33 PM Edited on ‎04-09-2024 12:33 PM

Issues with Firewall Policies for RDP Access

Dear Team 

 

Im having issues with RDP Firewall Policies and accessing the Web Gui of Fortigate. This is my WAN to LAN network from the Host Machine to Guest. Im accessing the Firewall from the Host Machine (DMZ network).
I have created a Firewall policy for my Windows RDP Server as follows :

      

 

 

 

  From: WAN(192.168.2.47)   To: LAN(10.10.10.1)
   
   Source: All              Destination: RDP Server Virtual IP
                                         External Network: 0.0.0.0 mapped to 10.10.10.22
                                                                         (Windows Server)                        
                                         External Port: 3389 MappedtoPort: 3389
              SERVICE: RDP
              NAT : ENABLED
              AV: default SSL: deep-inspection

 

 

 

        The Issue with it is once i enable the policy and Remote access to the Server, I loose access to the Firewall at 192.168.2.47 (external Ip). It just wont open. Though in the Windows Server Virtual Machine i can access the firewall at 10.10.10.1

 

Any solutions on the same and what could be the possible reasons for the situation ..... 

 

Regards.....

Labels:
1540
0 Kudos
1 Solution
dbu
Staff
Staff

Created on ‎04-10-2024 12:43 AM Edited on ‎04-10-2024 12:45 AM

Hi @Sydney1323 ,
It should look like this where mapped from is the external public IP. In my case is the WAN interface IP

 

vipp.PNG

 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

1466
7 REPLIES 7
dbhavsar
Staff
Staff

Created on ‎04-09-2024 01:42 PM

Hi @Sydney1323 ,

 

- Because the VIP you created is for any IP [0.0.0.0], can you bind the specific IP to your internal IP. i.e., 1.1.1.1:3389 -> DNAT -> 192.168.1.1:3389

DNB
1516
0 Kudos
Sydney1323
New Contributor II
In response to dbhavsar

Created on ‎04-10-2024 11:44 AM

Hi 

My RDP Server is 10.10.10.22 which is the virtual ip 10.10.10.22 and not 0.0.0.0

 

1382
0 Kudos
kubank1
New Contributor

Created on ‎04-09-2024 11:34 PM Edited on ‎04-17-2024 03:29 AM

It does tunnelling but it is not demanding. 4 CPUs and 8Go RAM will work for 500 users. I strongly suggest not having too many roles because of port issues https://mobdro.bio/ .

1472
dbu
Staff
Staff

Created on ‎04-10-2024 12:43 AM Edited on ‎04-10-2024 12:45 AM

Hi @Sydney1323 ,
It should look like this where mapped from is the external public IP. In my case is the WAN interface IP

 

vipp.PNG

 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
1467
Sydney1323
New Contributor II
In response to dbu

Created on ‎04-10-2024 12:03 PM

Hi 

This worked for me. i missed on the port forwarding part and of mapping port 443. what also has worked for me is adding Addresses rather than a Virtual IP ..

 

Regards ... 

1378
0 Kudos
hbac
Staff
Staff

Created on ‎04-10-2024 06:22 AM

Hi @Sydney1323,

 

Which port are you using for GUI access? You can collect debug flow by following this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

 

Regards, 

1421
0 Kudos
abelio
SuperUser
SuperUser

Created on ‎04-10-2024 06:24 AM

Hi Sydney1323,

Just a off topic comment: besides the technical part related to FTG config,  already answered here in the forum, let me say that to publish RDP services to the whole internet is a really bad bad idea nowadays, in terms of cybersecurity.

RDP is a widely used vector for external threats.
The core of Fortinet products is security, but there's no defense against bad or not recommended deployments.

Your Fortigate provides VPN access, ZTNA, and even SASE to enable secure access to your internal

network resources.
(VPN SSL is really straightforward, you don't need open RDP ports to the whole internet)

regards




/ Abel

regards / Abel
1420
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.