Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Problem with VIP / Port Forwarding
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem with VIP / Port Forwarding
What am I missing here ? My traffic is hitting my WAN address, but is not hitting the LAN. First of all, this is on an old 90D that I am playing with, so it's on it's highest release of 6.0.18
I am trying to hit a server inside my network from the outside. My ISP router is outside the Firewall, and has all ports Port Forwarded. I can see the traffic hit my Firewall
Spirit-FW # diag sniffer pack any "port 22" 4 0 a |
But it won't hit my inside LAN. I have a fully open Any Src / Any Dst / All services rule in place
I have a Virtual IP for 192.168.1.17 --> 10.10.5.100 (TCP: 22 --> 22)
Doing a Packet Capture too confirms the traffic to the WAN, but never his the LAN Interface
I'm sure that this is something stupidly simple that I am overlooking :(
Thanks in advance
Cormac Champion
Cormac Champion
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The policy should have the VIP object as destination, and LAN interface as destination interface.
AEK
AEK
Created on 10-21-2024 08:36 AM Edited on 10-21-2024 09:41 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I actually created two rules, one for source specific IP to the VIP object, and then a secondary rule from Any to Any over interfaces WAN1 to LAN. By messing about with things, I'm gradually getting hits.
Cormac Champion
Cormac Champion
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Please refer to this article and make sure your configuration is correct :- How to configure VIP access where specifi... - Fortinet Community
Created on 10-21-2024 08:52 AM Edited on 10-21-2024 09:44 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This example if for a specific destination. What about when a specific port is required ? Suppose I want to route all traffic for HTTPS connections
As I see it, there are two options
Option 1 - Tick the Optional Filters and add HTTPS to Services, and in Port Forwarding, add 443
OR
Option 2 - Leave Optional Unticked, tick Port Forwarding, and add 443 as both External Service Port and the Map to Port
Or is there another way that I have missed ?
Also, regarding filtering for a specific source, is there any way to filter for a specific source DynDNS name FQDN rather than an IP ? If I wanted to allow a specific source only to reach a specific server internally, but if the source IP could change periodically ???
Cormac Champion
Cormac Champion
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VIPs should only really be used for external access I've never used them for internal facing port forwarding. If you're trying to get internal to internal that's segregated via vlan then you just need a simple policy and route setup correctly from destination to destination. Throwing a VIP into the equation makes this a bit more complicated then it needs to be https://tutuapp.uno/ .
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are you saying Internal to Internal ? Even the Diag Sniffer shows it arrives from a public IP on the WAN1 interface. Or am I missing something ?
Cormac Champion
Cormac Champion
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
You can try to run the debug commands with public IP address of your test machine as that will give you clear idea on what is missing on the configuration part.
# diagnose debug reset
# diagnose debug flow filter addr x.x.x.x [public IP address of your test machine]
# diagnose debug flow show function-name enable
# diagnose debug console timestamp enable
# diagnose debug flow trace start 999
# diagnose debug enable
--- try to generate the traffic from test machine to external IP address of VIP ---
# diagnose debug disable ---- to stop the debug
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi also attach your configuration related to vip to make sure the policies are correct and the vip is configured correctly
Created on 10-23-2024 02:02 PM Edited on 10-23-2024 02:08 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi again,
While I have got VIP from any IP working OK, I just cannot get VIP with a specific SOURCE working. The source connects to a Public ISP IP which port forwards All Ports to the WAN1 Ip address of 192.168.1.17. The VIP Points this IP at 10.10.5.111. I am trying to connect on Port 9000
Here is the config
[code]
config firewall vip
edit "Spirit-Portainer"
set uuid 75bbf530-8fc8-51ef-df2a-8a35661cf4f2
set src-filter "193.147.205.221"
set service "TCP-9000"
set extip 192.168.1.17
set extintf "wan1"
set portforward enable
set mappedip "10.10.5.111"
set mappedport 9000
next
end
[/code]
and then
[code]
config firewall policy
edit 17
set name "Spirit-Portainer"
set uuid 73b5e1e0-8fca-51ef-d361-71437267bdf5
set srcintf "wan1"
set dstintf "Mgmt"
set srcaddr "championc"
set dstaddr "Spirit-Portainer"
set action accept
set schedule "always"
set service "TCP-9000"
set logtraffic all
set fsso disable
set comments "Specific Source to port 9000"
next
end
[/code]
and
[code]
config firewall address
edit "championc"
set uuid c3dad6c2-8fd3-51ef-7151-8db0818b9447
set associated-interface "wan1"
set subnet 193.147.205.221 255.255.255.255
next
end
[/code]
Cormac Champion
Cormac Champion
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Ask - Use Fortigate - Web... 41 Views
- SSH not answering through VIP 266 Views
- Fortiswitch Port Update Problem 138 Views
- Fortinac-F Multiple Host Problem 236 Views
- Output traffic with default route BGP 757 Views
Labels
-
FortiGate
8,522 -
FortiClient
1,724 -
5.2
801 -
FortiManager
716 -
5.4
639 -
FortiAnalyzer
548 -
FortiSwitch
463 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
310 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
225 -
FortiWeb
201 -
5.0
196 -
IPsec
191 -
FortiNAC
181 -
FortiGuard
136 -
6.4
128 -
SD-WAN
112 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
85 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
74 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
54 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
48 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
41 -
DNS
41 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
34 -
Authentication
33 -
SSO
31 -
Interface
31 -
NAT
31 -
RADIUS
30 -
FortiConnect
28 -
FortiLink
27 -
FortiWAN
26 -
Web profile
26 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
FortiPAM
22 -
Virtual IP
22 -
SSL SSH inspection
21 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
Intrusion prevention
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1665 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.