Support Forum
judit
New Contributor

[Resolved] Access to official URLs in the DMZ over webproxy

Hello guys, we have access from the LAN to the DMZ with private IP addresses over the built-in web proxy. The access is made over the DNS service. The problem is that the domain names are resolved to the official IP addresses, so I cannot access the URLs with the official IP addresses from the LAN. I get the following error from the web proxy: "403 Forbidden: incorrect proxy service was requested". The official IP addresses are NATed over the external interface to the private DMZ IPs. So I think the FortiGate has a routing problem. Has anyone an idea if there is a workaround for this problem? Thanks, Judit
ede_pfau
Esteemed Contributor III

Hi, for this special case FortiOS offers a feature called "DNS translation". It's not well known but comes in handy here IF the FGT is the DNS that is queried from the LAN hosts. If enabled, you can define alternative IP addresses for the FQDNs you configure. This way, LAN hosts will get the private IP address of a DMZ server, WAN clients get the official IP address. You find a description of the parameter 'dnstranslation' in (...wait...) the CLI Guide, chapter "firewall", pg. 93 for v4.00MR2.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
judit
New Contributor

Hello, thanks. I have found another solution. If I set the interface to "any" instead of the external port under Firewall --> Virtual IP, address translation works from all interfaces.
Sesch
New Contributor

Hello Judit, I have the same issue. Did you resolve this issue just by setting the VIP outgoing interface to any? I tried the same solution in a lab, but I still receive the 403 Forbidden error (using the web proxy). Thanks!!
oheigl
Contributor II

Hi Sesch, the FortiGate web proxy can't work with FortiGate virtual IPs, at least when they are in the same VDOM. You could try to move the web proxy into an extra VDOM; then the virtual IPs would work. Kind regards, Oliver
Sesch
New Contributor

Hello Oliver, thanks for your message! I have solved this issue with another VDOM (as you said) and a vdom-link to send proxy traffic from the proxy VDOM to the root VDOM. Do you know if this limitation is documented, or if there is a KB article that mentions this? I searched the KB and documentation without luck. Best regards, Seba
oheigl
Contributor II

Hello Sesch, I didn't find anything in the documentation either, but here is the statement from development which was forwarded to me: "explicit web proxy in FortiGate cannot handle VIP translation, this is by design and can't be changed with configuration. Explicit web proxy doesn't allow destination to local IP, which may create an infinite loop." I hope that helps. If you really need this feature in the same VDOM, I guess you have to make a feature request. Have a nice day, Oliver
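The two points made in this thread, the DNS-translation workaround from the first reply and the "explicit proxy cannot hairpin through a VIP in the same VDOM" limitation from the development statement, can be checked offline with a small script. The following is an added example written for this page, not code from the thread, from Fortinet or from any of the posters. It parses `show firewall vip`-style output, lists the LAN DNS answers that land on a VIP external address (the requests that will come back as 403 through the explicit proxy), rewrites them to the mapped DMZ addresses the way DNS translation would, and renders the matching `config firewall dnstranslation` entries. The VIP names, addresses and FQDNs are constructed for the example; the `src`/`dst`/`netmask` command shape should be checked against the CLI guide for your own FortiOS release.

```python
"""Split-horizon DNS rewriting for DMZ hosts reached through FortiGate VIPs.

Added example; not from the thread and not Fortinet code. LAN clients that
resolve a DMZ name to its VIP external address send the request to the
explicit web proxy, which cannot hairpin through a VIP in its own VDOM, so
the client gets "403 Forbidden". Rewriting the DNS answer to the mapped
(private) address avoids the VIP. All names and addresses are constructed.
"""
import re

# Constructed sample shaped like `show firewall vip` output; hypothetical.
SAMPLE_VIP_CONFIG = """\
config firewall vip
    edit "web-dmz"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.10.20.10"
    next
    edit "mail-dmz"
        set extip 203.0.113.11
        set extintf "any"
        set mappedip "10.10.20.11"
    next
end
"""

# Constructed public DNS answers as a LAN client would receive them.
SAMPLE_ANSWERS = {
    "www.example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.11"],
    "cdn.example.net": ["198.51.100.7"],
}


def parse_vips(text):
    """Return {vip_name: {setting: value}} from `show firewall vip` text.

    Handles `edit "<name>" ... next` blocks and `set <key> <value>` lines;
    values are unquoted because quoting differs between FortiOS releases.
    """
    vips, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "(.+)"$', line)
        if m:
            name = m.group(1)
            vips[name] = {}
            continue
        if line == "next":
            name = None
            continue
        m = re.match(r'^set (\S+) (.+)$', line)
        if m and name is not None:
            vips[name][m.group(1)] = m.group(2).strip('"')
    return vips


def translation_table(vips):
    """Map each VIP external IP to its mapped (DMZ) IP.

    Only single-address VIPs are handled; an address range such as
    "10.0.0.1-10.0.0.5" is skipped rather than guessed at.
    """
    table = {}
    for cfg in vips.values():
        ext, mapped = cfg.get("extip"), cfg.get("mappedip")
        if ext and mapped and "-" not in ext and "-" not in mapped:
            table[ext] = mapped
    return table


def hairpin_answers(answers, table):
    """List (fqdn, ip) pairs whose public answer is a VIP external IP.

    These are the names a LAN client would try to reach through the
    explicit proxy via the VIP, i.e. the 403 case from the thread.
    """
    return [(fqdn, ip) for fqdn, ips in answers.items()
            for ip in ips if ip in table]


def translate_answers(answers, table):
    """Rewrite VIP external IPs to mapped IPs; other records are untouched."""
    return {fqdn: [table.get(ip, ip) for ip in ips]
            for fqdn, ips in answers.items()}


def render_dnstranslation(table):
    """Render equivalent `config firewall dnstranslation` entries.

    Assumed command shape (src = address matched in the DNS reply,
    dst = substituted address, host netmask); verify against the CLI
    guide for your release, as this feature has moved between releases.
    """
    lines = ["config firewall dnstranslation"]
    for i, (ext, mapped) in enumerate(sorted(table.items()), start=1):
        lines += [f"    edit {i}", f"        set src {ext}",
                  f"        set dst {mapped}",
                  "        set netmask 255.255.255.255", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    table = translation_table(parse_vips(SAMPLE_VIP_CONFIG))
    for fqdn, ip in hairpin_answers(SAMPLE_ANSWERS, table):
        print(f"{fqdn} -> {ip} hits a VIP; LAN clients should use {table[ip]}")
    print(render_dnstranslation(table))
```

Feed it the real `show firewall vip` output and the answers your LAN resolver returns; every name it lists is one that will fail through the same-VDOM explicit proxy regardless of whether the VIP's interface is `any`, which is why the thread ends with the separate-VDOM design.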
Sesch
New Contributor

Hello Oliver, it seems that we have to use VDOMs to overcome this limitation. Unfortunately, VIPs with explicit proxy are a very common scenario. I really appreciate your time and effort. Thank you very much! Greetings from Argentina. Seba