Port 8080

Report Inappropriate Content · ‎07-23-2009

HI, we host a webcam. A Canon GC-10. It sits on port 8080 internal to our network. I have setup virtual ip for the camera, NAT no port forwarding and set up a firewall policy to forward port 8080 traffic to the VIP camera. But nothing. Is there some kind of Fortinet admin service that grabs 8080? Any ideas?

g3rman · ‎07-23-2009

Hi David, welcome to the forums. Here is what the config should look like: Firewall -> Virtual IP Name: Camera IP: External/1.2.3.4 (public IP) Map to IP: 192.168.1.100 (private IP) Custom Service Firewall -> Service -> Custom -> Create New Name: TCP-8080 Protocol: TCP Source Low: 1 Source High: 65535 Destination Low: 8080 Destination High: 8080 Then there should be a rule Firewall -> Policy Source Interface: External Source Address: all Destination Interface: internal Destination Address: Camera Service: TCP-8080 The NAT checkbox on the firewall rule should not be enabled.

A Real World Fortinet Guide Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com

Report Inappropriate Content · ‎07-23-2009

Hi g3rman, I set this exactly as you say but it is still not working. What other info can I gather?

g3rman · ‎07-24-2009

Run this command from the CLI: diag sniffer packet internal ' host 192.168.1.100' -Notice they are single quotes -Substitute your internal interface name and the physical IP of your webcam Then try to access the camera from the outside and see if you see any traffic coming inbound on the command line. If not you can try diag sniffer packet wan1 ' host 1.2.3.4' to see if packets on port 8080 are even getting to your firewall. Also, is the VIP the same as your external firewall IP address or a different IP?

A Real World Fortinet Guide Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com

Report Inappropriate Content · ‎07-24-2009

Thank you g3rman! IP VIP and external: 10.0.x.x VIP 12.157.xx.xx external firewall address Ok I am seeing this constantly in the log: 6.796679 125.90.xx.xx.49164 -> 10.0.xx.xx.21: fin 3387191081 ack 3865568601 6.796728 125.90.xx.xx.49369 -> 10.0.xx.xx.21: syn 3386482840 6.797701 10.0.xx.xx.21 -> 125.90.xx.xx.49164: psh 3865568601 ack 3387191082 6.800826 10.0.xx.xx.21 -> 125.90.xx.xx.49164: fin 3865568615 ack 3387191082 6.819566 10.0.xx.xx.21 -> 125.90.xx.xx.49369: syn 3871957392 ack 3386482841 6.983824 125.90.xx.xx.49164 -> 10.0.xx.xx.21: rst 3387191082 6.986954 125.90.xx.xx.49164 -> 10.0.xx.xx.21: rst 3387191082 7.005702 125.90.xx.xx.49369 -> 10.0.xx.xx.21: ack 3871957393 7.017453 10.0.xx.xx.21 -> 125.90.xx.xx.49369: psh 3871957393 ack 3386482841 7.203951 125.90.xx.xx.49369 -> 10.0.xx.xx.21: ack 3871957437 7.203970 125.90.xx.xx.49369 -> 10.0.xx.xx.21: psh 3386482841 ack 3871957437 7.204479 10.0.xx.xx.21 -> 125.90.xx.xx.49369: ack 3386482861 7.205723 10.0.xx.xx.21 -> 125.90.xx.xx.49369: psh 3871957437 ack 3386482861 7.455444 125.90.xx.xx.49369 -> 10.0.xx.xx.21: psh 3386482861 ack 3871957473 7.461078 10.0.xx.xx.21 -> 125.90.xx.xx.49369: psh 3871957473 ack 3386482868 7.647326 125.90.xx.xx.49369 -> 10.0.xx.xx.21: fin 3386482868 ack 3871957504 7.647507 125.90.xx.xx.49586 -> 10.0.xx.xx.21: syn 3381131554 7.647972 10.0.xx.xx.21 -> 125.90.xx.xx.49586: syn 3861402502 ack 3381131555 7.648347 10.0.xx.xx.21 -> 125.90.xx.xx.49369: psh 3871957504 ack 3386482869 7.652470 10.0.xx.xx.21 -> 125.90.xx.xx.49369: fin 3871957518 ack 3386482869 7.834503 125.90.xx.xx.49586 -> 10.0.xx.xx.21: ack 3861402503 7.834527 125.90.xx.xx.49369 -> 10.0.xx.xx.21: rst 3386482869 7.838467 125.90.xx.xx.49369 -> 10.0.xx.xx.21: rst 3386482869

Report Inappropriate Content · ‎07-24-2009

Wait, I opened it up entirely to see if that fixes it. I didn' t. Now I closed it to just the custom service and I don' t see any traffic. Trying the 2nd command in your port.

Report Inappropriate Content · ‎07-24-2009

OK, here are the real results from the first command: 186.997632 arp who-has 10.0.xx.xx tell 10.0.xx.xx 308.920020 arp who-has 10.0.xx.xx tell 10.0.xx.xx 308.920307 arp reply 10.0.xx.xx is-at 0:0:85:22:bf:e7 308.920326 24.25.xx.xx.32794 -> 10.0.xx.xx.8080: syn 1283307571 308.920804 10.0.xx.xx.8080 -> 24.25.xx.xx.32794: rst 0 ack 1283307572 309.427874 24.25.xx.xx.32794 -> 10.0.xx.xx.8080: syn 1283307571 309.428277 10.0.xx.xx.8080 -> 24.25.xx.xx.32794: rst 0 ack 1283307572 309.933225 24.25.xx.xx.32794 -> 10.0.xx.xx.8080: syn 1283307571 309.933745 10.0.xx.xx.8080 -> 24.25.xx.xx.32794: rst 0 ack 1283307572 313.915739 arp who-has 10.0.12.1 tell 10.0.xx.xx 313.915750 arp reply 10.0.12.1 is-at 0:9:f:c6:9a:b3 331.719104 24.25.xx.xx.32786 -> 10.0.xx.xx.8080: syn 1909296192 331.719586 10.0.xx.xx.8080 -> 24.25.xx.xx.32786: rst 0 ack 1909296193 332.287388 24.25.xx.xx.32786 -> 10.0.xx.xx.8080: syn 1909296192 332.287770 10.0.xx.xx.8080 -> 24.25.xx.xx.32786: rst 0 ack 1909296193 333.077197 24.25.xx.xx.32786 -> 10.0.xx.xx.8080: syn 1909296192 24.25.xx.xx is me hitting the address from the outside. 10.0.xx.xx VIP address

g3rman · ‎07-24-2009

This one is easy. Essentially what is happening is that you are hitting the camera and the camera is refusing the connection on port 8080. This is not a firewall issue but related to your camera config.

A Real World Fortinet Guide Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com

Report Inappropriate Content · ‎07-24-2009

right you are g3rman. I did a pwer on/off of the camera and it started working. I think your fix suggestion last night of opening source ports for all TCP ports fixed it, but the camera was hung up at that point and was not working. All is well. THank you Thank you g3rman