lamk2u
New Contributor II

SD Wan cannot access Wan2 port 80 & 443

My FortiGate 90D-POE has an SD-WAN setup with two different ISPs.

The problem is that Wan1 can map ports 80 & 443 to backend server A (DMZ interface),

while Wan2 ports 80 & 443 cannot be mapped to backend server B (LAN interface),

but if I use port 8080 on Wan2, I can successfully map it to backend server B.

Can someone help me? Does the FortiGate only allow inbound traffic to Wan1 on ports 80/443, and not inbound traffic to Wan2 on ports 80/443? I checked that neither ISP blocks ports 80 & 443.

My SD-WAN setup:

wan1
wan2

SD-WAN rules:

DMZ (server A) -> Wan1 (server A outbound traffic through Wan1)
LAN (server B) -> Wan2 (server B outbound traffic through Wan2)

Static routes:

Dest. 0.0.0.0 Gateway 0.0.0.0 Interface SD-WAN

Firewall policies allowed:

SD-WAN -> DMZ
DMZ -> SD-WAN
LAN -> SD-WAN
SD-WAN -> LAN (server B, port 80/443)

4 Replies
gfleming
Staff

It should work. Can you show your VIP configs and FW Policy config?

Cheers,
Graham
Christian_89
Contributor III

It seems like there may be an issue with the firewall policy for Wan2 on your FortiGate. By default, the FortiGate should not block incoming traffic on any interface unless you have specifically configured a security policy to block it.

You should verify that you have a security policy in place allowing incoming traffic on port 80 and 443 for server B on the WAN2 interface. You can check this by going to Policy & Objects > Policy > IPv4 and verifying that there is a policy that allows incoming traffic from the source of WAN2 and the destination of the IP address of server B on port 80 and 443.

If the policy is in place, you can check the traffic logs to see if the traffic is being blocked by the firewall. To do this, go to Log & Report > Traffic Log and search for traffic from the source of WAN2 and the destination of the IP address of server B on port 80 and 443.


Otherwise, can you show the VIP setting and the SD-WAN setting?

lamk2u
New Contributor II

Hi,

Thank you for your replies. Here are captured pictures of my FortiGate rule settings. Actually, I'm quite new to FortiGate and don't know how to capture the text config for you; if this is not enough, please let me know. Thank you.

[Screenshots attached: VIP policies, VIPs, Physical Interfaces, SD WAN, SD WAN rules, Static Rules]

lamk2u
New Contributor II

Hello,

I just did it. I think I made a stupid typo in my port forwarding policy for wan2 port 80 --> 20.124.26.240; it should be 20.124.25.240. Everything is working fine now. Thank you for everyone's comments and help.
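Both the verification Christian_89 describes (a policy whose source is WAN2, whose destination is server B and whose service covers 80 and 443) and the actual fix (a one-digit typo in the VIP's mapped IP, which the GUI accepts without complaint because it is still a valid address) are things a script can check before any traffic is tested. The following is an added example and not code from this thread or from Fortinet: it parses a FortiOS CLI fragment, such as the output of `show system interface`, `show firewall vip` and `show firewall policy`, and reports a VIP whose mapped IP lies outside the subnet behind the policy's dstintf, a policy whose srcintf does not include the VIP's extintf, a service set that does not cover the VIP's external port (the 8080 case from the question), and a VIP that no accept policy references. The interface names, addresses and object names in the embedded sample are assumptions, and the built-in service table covers only HTTP and HTTPS.

```python
import ipaddress
import re

# Assumed subset of FortiOS built-in service objects -> (proto, port).
BUILTIN_SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443)}

# Constructed sample config; the port-80 VIP's mapped IP has a typo (.26.240 for .25.240).
SAMPLE_CONFIG = """
config system interface
    edit "lan"
        set ip 192.168.25.1 255.255.255.0
    next
end
config firewall vip
    edit "wan2-serverB-80"
        set extintf "wan2"
        set extip 203.0.113.10
        set portforward enable
        set mappedip "192.168.26.240"
        set extport 80
    next
    edit "wan2-serverB-443"
        set extintf "wan2"
        set extip 203.0.113.10
        set portforward enable
        set mappedip "192.168.25.240"
        set extport 443
    next
end
config firewall policy
    edit 10
        set srcintf "wan2"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "wan2-serverB-80" "wan2-serverB-443"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end
"""
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted value or bare word


def parse_fortios(text: str) -> dict:
    """config/edit/set/next/end -> {table: {entry: {key: [values]}}}; nested sub-tables skipped."""
    tables, stack, entry = {}, [], None
    for raw in text.splitlines():
        toks = [m.group(1) if m.group(1) is not None else m.group(2)
                for m in _TOKEN.finditer(raw)]
        if not toks:
            continue
        cmd, args = toks[0], toks[1:]
        if cmd == "config":
            stack.append(" ".join(args))
            tables.setdefault(stack[0], {})
        elif cmd == "end" and stack:
            stack.pop()
            entry = entry if stack else None
        elif len(stack) != 1:
            continue                       # inside a nested sub-table
        elif cmd == "edit" and args:
            entry = tables[stack[0]].setdefault(args[0], {})
        elif cmd == "next":
            entry = None
        elif cmd == "set" and args and entry is not None:
            entry[args[0]] = args[1:]
    return tables


def check_vip_policies(config_text: str) -> list:
    tables = parse_fortios(config_text)
    nets = {n: ipaddress.ip_network("/".join(a["ip"]), strict=False)  # "set ip addr mask"
            for n, a in tables.get("system interface", {}).items() if len(a.get("ip", [])) == 2}
    vips, findings, used = tables.get("firewall vip", {}), [], set()
    for pid, pol in tables.get("firewall policy", {}).items():
        if pol.get("action", ["deny"])[0] != "accept":
            continue
        srcintf, services = pol.get("srcintf", []), pol.get("service", [])
        behind = [i for i in pol.get("dstintf", []) if i in nets]  # dstintf with a known subnet
        for name, vip in ((n, vips[n]) for n in pol.get("dstaddr", []) if n in vips):
            used.add(name)
            extintf = vip.get("extintf", ["any"])[0]
            if "any" not in (extintf, *srcintf) and extintf not in srcintf:
                findings.append(f"policy {pid}: srcintf {srcintf} lacks extintf "
                                f"{extintf!r} of VIP {name}")
            mapped = ipaddress.ip_address(vip["mappedip"][0].split("-")[0])  # first of an a-b range
            if behind and not any(mapped in nets[i] for i in behind):
                findings.append(f"policy {pid}: VIP {name} mapped IP {mapped} is outside "
                                f"every dstintf subnet {[str(nets[i]) for i in behind]}")
            port = int(vip.get("extport", ["0"])[0].split("-")[0])
            if vip.get("portforward", [""])[0] == "enable" and "ALL" not in services \
                    and ("tcp", port) not in map(BUILTIN_SERVICES.get, services):
                findings.append(f"policy {pid}: service {services} does not cover "
                                f"tcp/{port} of VIP {name}")
    findings += [f"VIP {n}: no accept policy references it (implicit deny)"
                 for n in vips if n not in used]
    return findings
```

Paste the real output of the three show commands in place of the sample (or read it from a file) and call check_vip_policies on it; the typo from this thread, a mapped IP in the wrong /24, is reported against the policy that uses the VIP. Services created under config firewall service custom are not resolved, so add them to BUILTIN_SERVICES before trusting a port finding, and interfaces without a static `set ip` (DHCP or PPPoE WANs) are simply skipped by the subnet check.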
