Support Forum
medusanyc
New Contributor

Need to Open Port 443 to Specific External Address Range

Hi all,

I am new to Fortinet products, in particular the FortiGate 60E running OS 6.0.0 build 0076. My client who has this device is looking to set up Backstop CRM, and they require port 443 be open to their addresses for their program to run properly. This is the info posted on their web questionnaire:

Permit your firewall to allow the following Backstop IP addresses:

US Office Network IP: 38.98.151.64/28
US Production Network IP: 64.27.172.240/28, 216.34.179.0/25
Port: 443

I was told opening to incoming traffic is most important, but if it can be set up to allow traffic both to and from those addresses on port 443 that would be optimal. I tried poking around, but it is not obvious how to accomplish this.

Andrew Bernstein

1 Solution
ede_pfau
Esteemed Contributor III

Hi,

You 'open' a port for external access to an internal server by using a VIP (policy/VIP). Here you can define to have traffic destined to your public address and port 443 translated to some other internal address and the same or a different port.

Create a VIP (values as an example):

name: backstop_access
external addr: <your public IP> or the wildcard '0.0.0.0'
external port: 443
mapped to addr: 192.168.x.y
mapped to port: 443

You will additionally need a policy for this:

src interface: WAN
src address: the public addresses for the backstop servers (add multiple addresses if needed)
dst intf: LAN
dst address: your VIP (!)
service: HTTPS (for port 443)
action: accept

This way, you a) activate the VIP and b) limit external access to those 'trusted' servers. You might feel a bit uncomfortable doing this, as I am. Whatever.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

3 REPLIES
medusanyc

That sounds like what I need, except that we are not connecting to an internal server per se. There is no specific machine that this port needs to be opened to, so I am not sure what to enter for "mapped to addr: 192.168.x.y".

I need all addresses under 192.168.x.y to be open to that port. Is there a way to designate that?

ede_pfau
Esteemed Contributor III

No. You would need one VIP per internal host.

Seems to me the whole concept is flawed.

Mind you, if the internal host establishes a session to the external server, you don't need anything else to allow the reply traffic. No extra policy, no VIP.


Ede

"Kernel panic: Aiee, killing interrupt handler!"