Ronald_Diaz
New Contributor

Port Forwarding

Hi, First of all I just wanted to say "Thank you" for all the nice videos that you've shared; it helps a lot on my part. I've seen the video on how to do port forwarding on the Fortigate 100D, which by coincidence is the same unit as mine. I've followed all the steps in the video but the port on 7882-7999 is still closed. At first I mapped my CCTV server and turned off the Windows firewall and Avast anti-virus. Second, I tried to configure my IP camera to port 7882 but still no luck. I can connect to my IP camera and view it in a web browser. I also tried to key in this command on the Fortigate CLI: "diagnose sniffer packet any 'port 7882'", but nothing happens; only when I do a telnet can I see activity on the Fortigate CLI screen, but on the other hand the result of my telnet is still the same. Any help would be appreciated a lot. Thank you.
emnoc
Esteemed Contributor III

You're following the right track, but I would suggest you use the diag debug flow option. If your camera is really using port 7882 and diag sniffer shows nothing, then maybe you have the wrong port defined. I would use diag debug flow, e.g.

diag debug reset
diag debug en
diag debug flow filter addr x.x.x.x
diag debug flow show console enable
diag debug flow trace start 100

And then monitor for the port and traffic and what interfaces. Afterwards, ensure that you disable the diag and reset it. Also, you can post the configuration of the VIP if you want us to review it. FWIW: Ensure that the fwpolicy for the VIP has no NAT enabled.

PCNSE NSE StrongSwan
ede_pfau
SuperUser

In the sniffer command, I'd use 'tcp and port 7882', that is, specify the protocol as well. If you don't see ANY traffic traces using sniffer then the traffic is not reaching the FGT at all. I recommend using sniffer as a first-aid tool to see if any intended traffic is reaching the FGT at all. If so, use the debug flow command to see where the firewall drops it. But without input - no output.
Ede Kernel panic: Aiee, killing interrupt handler!
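
The triage order suggested in the two replies above (sniffer first, then debug flow to see where the packet is dropped), as an added example that is not part of any post in this thread: a small Python summarizer for saved `diag debug flow` console output. The sample lines are constructed, their layout is an assumption modelled on typical FortiOS flow-trace messages, and the public addresses and the name `summarize_flow` are hypothetical.

```python
import re
from collections import OrderedDict

# Constructed sample of `diag debug flow` console output (not from the thread).
# The line layout is an assumption; 198.51.100.x / 203.0.113.x are documentation addresses.
SAMPLE = '''\
id=20085 trace_id=1 func=print_pkt_detail line=5501 msg="vd-root received a packet(proto=6, 198.51.100.7:51514->203.0.113.10:7882) from wan1. flag [S], seq 1, ack 0, win 8192"
id=20085 trace_id=1 func=init_ip_session_common line=5666 msg="allocate a new session-0001a2b3"
id=20085 trace_id=1 func=fw_pre_route_handler line=182 msg="VIP-192.168.4.204:7882, outdev-wan1"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3286 msg="DNAT 203.0.113.10:7882->192.168.4.204:7882"
id=20085 trace_id=1 func=fw_forward_handler line=771 msg="Allowed by Policy-5:"
id=20085 trace_id=2 func=print_pkt_detail line=5501 msg="vd-root received a packet(proto=6, 198.51.100.7:51520->203.0.113.10:8080) from wan1. flag [S], seq 1, ack 0, win 8192"
id=20085 trace_id=2 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
'''

LINE = re.compile(r'trace_id=(\d+) .*?msg="(.*)"\s*$')
PKT = re.compile(r'received a packet\(proto=(\d+), (\S+?)->(\S+?)\) from (\S+?)\.')

def summarize_flow(text):
    """Return {trace_id: info} with arrival tuple, DNAT target and verdict."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # skip prompts and anything that is not a trace line
        tid, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(
            tid, {"dst": None, "in_if": None, "dnat": None, "verdict": "unknown"})
        p = PKT.search(msg)
        if p:                                   # packet reached the firewall
            t["dst"], t["in_if"] = p.group(3), p.group(4)
        elif msg.startswith("DNAT "):           # a VIP matched and rewrote the destination
            t["dnat"] = msg.split("->", 1)[1]
        elif msg.startswith("Allowed by Policy-"):
            t["verdict"] = "allowed"
        elif "drop" in msg.lower() or msg.startswith("Denied by"):
            t["verdict"] = "dropped: " + msg
    return traces

if __name__ == "__main__":
    for tid, info in summarize_flow(SAMPLE).items():
        print(tid, info)
```

A trace with no DNAT entry means no VIP matched the destination port, so the packet was handled as traffic to the firewall itself; an empty result means nothing arrived, which is the sniffer case described above.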
Ronald_Diaz
New Contributor

Hi Emnoc, Please find
Ronald_Diaz
New Contributor

Here's my VIPs
Ronald_Diaz
New Contributor

Here is my IP cam configuration.
emnoc
Esteemed Contributor III

Curious, what does "second http port" mean? Are other listeners available on this cam? Does any other traffic hit the other VIPs' port(s)? Did you do what I and Ede suggested earlier? If traffic doesn't hit the FortiGate, then nothing will get to the VIP.

PCNSE NSE StrongSwan
Ronald_Diaz
New Contributor

Yes. I tried the commands that you've advised me but still.. On the IP cam there is no other port assigned, only the 7882 which I configured. By the way, my IP camera brand and model is TRENDnet TV-IP501P.
netmin
Contributor II

I was wondering ... why the udp ports (?) - but I eventually found it. OK, following items that you can check:
- on a local PC you can access the camera via port 7882 (http://192.168.4.204:7882)
- the defined gateway 192.168.4.252 is also used by other PCs (so ... not the fortigate mgmt address only)
- the ip address of the camera 192.168.4.204 is not within the DHCP range of the fortigate interface so that another PC may have received it as well
- the udp port used in the linked example should not be needed (?)
- try disabling UPNP on the trendnet camera, other users appear to have issues with its functionality
- normally a VIP from the external address to the single port 7882 should do
- alternatively, try creating a VIP using the camera default port 80
Edit:typo
Dave_Hall
Honored Contributor

The TV-IP501P Internet Camera User Manual doesn't give much info on what ports are used -- it's implied that port 80 is the default port with an optional secondary HTTP port. So setting up a port forward should be straightforward -- however, I would set it up a bit differently, along the lines of the following....

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
