Port Forwarding Not Working
Hi all
I am very new to Fortigate. Just set up a FG 60F that needed port forwarding from a cloud service to an internal printer on port 9102.
What I have done so far:
- Set up a VIP with the external IP of the WAN interface and the internal IP of the printer.
- Created a firewall policy with the source being the public IP of the cloud service and the destination the VIP.
Debug logs give these messages:
id=65308 trace_id=9 func=init_ip_session_common line=5995 msg="allocate a new session-0009a61c"
id=65308 trace_id=9 func=get_new_addr line=1205 msg="find DNAT: IP-<printerIP>, port-9102"
id=65308 trace_id=9 func=fw_pre_route_handler line=180 msg="VIP-<printerIP>:9102, outdev-wan1"
id=65308 trace_id=9 func=__ip_session_run_tuple line=3413 msg="DNAT <WAN_INT_IP>:9102-><PrinterIP>:9102"
id=65308 trace_id=9 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-<printerIP> via internal"
id=65308 trace_id=9 func=__iprope_tree_check line=539 msg="gnum-100004, use addr/intf hash, len=3"
id=65308 trace_id=9 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=10 func=print_pkt_detail line=5811 msg="vd-root:0 received a packet(proto=6, <cloud server_public_IP>:57804-><WAN_INT_IP>:9102) tun_id=0.0.0.0 from wan1. flag [
Apologies if I have missed something very basic!
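The `diagnose debug flow` lines quoted above carry everything needed to see why the implicit policy 0 is hit: the real source address and ingress interface from the "received a packet" line, the VIP translation from the "DNAT" line, the egress interface from the route lookup, and the verdict. The following is an added Python example, not code from this thread or from Fortinet, that parses a constructed trace modelled on that output (RFC 5737 placeholder addresses stand in for the redacted ones) and reports the tuple a firewall policy would have to match. The `Allowed by Policy-N` pattern for the accept case is assumed from typical FortiOS output.

```python
import re
from typing import Dict, Optional

# Constructed sample modelled on the post's trace; addresses are documentation-range placeholders.
SAMPLE_TRACE = """\
id=65308 trace_id=10 func=print_pkt_detail line=5811 msg="vd-root:0 received a packet(proto=6, 198.51.100.20:57804->203.0.113.10:9102) tun_id=0.0.0.0 from wan1. flag [S], seq 1, ack 0, win 64240"
id=65308 trace_id=10 func=init_ip_session_common line=5995 msg="allocate a new session-0009a61c"
id=65308 trace_id=10 func=get_new_addr line=1205 msg="find DNAT: IP-192.168.1.50, port-9102"
id=65308 trace_id=10 func=__ip_session_run_tuple line=3413 msg="DNAT 203.0.113.10:9102->192.168.1.50:9102"
id=65308 trace_id=10 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.1.50 via internal"
id=65308 trace_id=10 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)'
    r'.*? from (?P<inif>\w+)\.'
)
DNAT_RE = re.compile(r'DNAT (?P<ext>[\d.]+):(?P<extport>\d+)->(?P<mapped>[\d.]+):(?P<mport>\d+)')
ROUTE_RE = re.compile(r'find a route: .* via (?P<outif>\w+)')
DENY_RE = re.compile(r'Denied by (?P<stage>.+?) \(policy (?P<policy>\d+)\)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')  # assumed accept-line format

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_flow(text: str) -> Dict[str, dict]:
    """Group debug-flow lines by trace_id and extract the fields that decide policy matching."""
    flows: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # not a debug-flow line
        flow = flows.setdefault(m.group("tid"), {"verdict": None, "policy": None})
        msg = m.group("msg")
        if (p := PKT_RE.search(msg)):
            # The pre-NAT tuple: this source address is what the policy's srcaddr must cover.
            flow.update(
                proto=PROTO_NAMES.get(int(p.group("proto")), p.group("proto")),
                src=p.group("src"), sport=int(p.group("sport")),
                dst=p.group("dst"), dport=int(p.group("dport")),
                inif=p.group("inif"),
            )
        elif (d := DNAT_RE.search(msg)):
            # VIP translation applied before the policy lookup.
            flow.update(mapped_ip=d.group("mapped"), mapped_port=int(d.group("mport")))
        elif (r := ROUTE_RE.search(msg)):
            flow["outif"] = r.group("outif")  # egress interface = policy dstintf
        elif (x := DENY_RE.search(msg)):
            flow.update(verdict="deny", policy=int(x.group("policy")), stage=x.group("stage"))
        elif (a := ALLOW_RE.search(msg)):
            flow.update(verdict="allow", policy=int(a.group("policy")))
    return flows


def required_policy(flow: dict) -> Optional[dict]:
    """The tuple a firewall policy must match for this flow; None if the packet line is missing."""
    if "src" not in flow:
        return None
    return {
        "srcintf": flow["inif"],
        "dstintf": flow.get("outif"),
        "srcaddr": flow["src"],  # the real client, never the FortiGate's own WAN address
        "dstaddr": f"VIP {flow['dst']}:{flow['dport']}->{flow.get('mapped_ip')}:{flow.get('mapped_port')}",
        "service": f"{flow['proto']}/{flow['dport']}",
    }


def explain(flow: dict) -> str:
    """One-line triage verdict for a parsed flow."""
    req = required_policy(flow)
    if req is None:
        return "incomplete trace: no 'received a packet' line"
    if flow["verdict"] == "deny" and flow["policy"] == 0:
        return (f"implicit deny: no policy matches {req['srcintf']}->{req['dstintf']} "
                f"srcaddr={req['srcaddr']} dstaddr={req['dstaddr']} service={req['service']}")
    if flow["verdict"] == "deny":
        return f"explicitly denied by policy {flow['policy']} at {flow.get('stage')}"
    if flow["verdict"] == "allow":
        return f"accepted by policy {flow['policy']}"
    return "no verdict line seen"


if __name__ == "__main__":
    for tid, flow in parse_flow(SAMPLE_TRACE).items():
        print(f"trace {tid}: {explain(flow)}")
```

Paste the output of `diagnose debug flow` into `SAMPLE_TRACE` (or read it from a file) and the script names the exact source address, interfaces and service the policy has to cover; if the reported srcaddr is the cloud service's address and the policy still uses something else (such as the WAN interface IP), that mismatch is the cause of "policy 0".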
The source IP of the policy is the real source of the incoming packet, which is generally "any" unless you limit access from one particular location. Not the FGT's interface IP. You need to know the IP the packets are coming from if you want to limit the access over the internet. That's why the FGT can't find the matching policy and gives you "denied by forward policy check (policy 0)".
Also NAT (SNAT) of the policy is optional. If you enable NAT, the device the packets are destined to can't see the real source IP. But in the case of a printer, it wouldn't be a problem and it should work either with or without NAT.
Toshi
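As an added example (not Toshi's or the thread's own configuration), here is the VIP, address object and policy in FortiOS CLI form, assuming the WAN interface is wan1 with IP 203.0.113.10, the printer is 192.168.1.50 behind the internal interface, and the cloud service connects from 198.51.100.20; all addresses are RFC 5737 placeholders and the object names are invented. Lines beginning with `#` are comments. The commented-out `srcaddr` line shows the mistake the reply describes: a policy keyed on the FortiGate's own WAN address never matches the real client and the packet falls through to implicit policy 0.

```fortios
config firewall address
    edit "cloud-print-service"
        # The real client source seen on wan1; this is what srcaddr must cover.
        set subnet 198.51.100.20 255.255.255.255
    next
end

config firewall service custom
    edit "TCP-9102"
        set tcp-portrange 9102
    next
end

config firewall vip
    edit "printer-9102"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.1.50"
        set portforward enable
        set protocol tcp
        set extport 9102
        set mappedport 9102
    next
end

config firewall policy
    # edit 0 allocates the next free policy ID.
    edit 0
        set name "cloud-to-printer"
        set srcintf "wan1"
        set dstintf "internal"
        # Wrong: an object holding the FortiGate's WAN IP as source never matches.
        #   set srcaddr "wan1-interface-ip"
        # Right: the cloud service's address (or "all" if the source is not restricted).
        set srcaddr "cloud-print-service"
        # Destination is the VIP object, not the printer's raw address.
        set dstaddr "printer-9102"
        set action accept
        set schedule "always"
        set service "TCP-9102"
        # NAT is optional for a VIP policy; enabling it hides the client IP from the printer.
        set nat disable
        set logtraffic all
    next
end
```

With `logtraffic all` on the policy, a hit shows up in the forward traffic log under this policy's ID instead of policy 0, which is the quickest confirmation that the source object now matches the cloud service.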
Thanks for replying Toshi_Esumi.
I have got it passing the policy now, but printing is still not working.
Would it work if you forward everything, not port-forwarding?
