Support Forum
Younes
New Contributor

SSH ACCESS

Hi all,

I have FortiWeb in reverse proxy mode. HTTP/HTTPS works fine, but I have a problem with SSH (FortiWeb drops the SSH traffic). How can I bypass FortiWeb for LAN access via SSH? For information, I have a FortiGate firewall.

 

Thanks in advance

abelio
Valued Contributor

Hi,

use CLI:

 

config router setting

   set ip-forward enable

end

 

regards / Abel
Younes
New Contributor

Hi Abelio,

Thank you for reply.

So I must use the Pserver IP to access my server with SSH, not the Vserver IP.

 

abelio
Valued Contributor

Younes wrote:

So I must use the Pserver IP to access my server with SSH, not the Vserver IP.

Exactly; same thing for FTP/SFTP/SCP access.

 

regards / Abel
Younes
New Contributor

Hi abelio, thank you for your reply,

 

I have another problem:

- my FortiWeb is in reverse proxy mode.

- port 3: connected to the DMZ

- port 2: connected to the FortiGate firewall.

- port 6: gateway of the server on the DMZ

So I created the two Vservers, and when I change the gateway of the physical server to the IP of port 3 I can't reach the server via the Vserver; when I set the gateway to the IP of port 6, the server is reachable via the Vserver.

 

I don't understand why, or where the problem is.

Please help. 

Courtney_Schwartz

Younes wrote:

- port 3: connected to the DMZ

- port 2: connected to the FortiGate firewall.

- port 6: gateway of the server on the DMZ

So I created the two Vservers, and when I change the gateway of the physical server to the IP of port 3 I can't reach the server via the Vserver; when I set the gateway to the IP of port 6, the server is reachable via the Vserver.

 

Younes, without seeing the topology I'm not entirely sure I understand the problem... but it seems that port2 of the FortiWeb should have the vserver attached... and not port6. Like this:

 

Internet --- FortiGate --- port2•FortiWeb•port3 --- web servers

                           vserver1

 

                           route 0.0.0.0/0 via port3

vserver1 (reverse proxy) will accept the HTTP, and after that FortiWeb uses its routing table. I hope that helps...

 

Courtney

Dieorqui

Hi Courtney,

 

thanks for your answer. I can't find the solution for this problem.

 

I have configured two rules in the FortiGate:

 

1. MPLS (source address 192.168.0.78) to WAF (with VIP 172.10.15.62 ----> 172.18.15.62 (vserver), forwarding only port 80)

 

2. MPLS (source address 192.168.0.78) to LAN (back-end server 172.10.15.62 for RDP, SSH, etc.)

 

The first policy is working well, but the second rule is not working: it drops the requests for RDP, SSH, etc. You can watch how the second rule goes to the back-end server but drops the request.

 

what can I do ?

 

New topology attached,

 

 

thanks,


Dieorqui
New Contributor

 

Hi Abelio,

 

I have a FortiWeb in reverse proxy mode. I'm configuring a VIP in the FortiGate firewall to forward web traffic to the virtual server, and it is working well, but the other protocols such as RDP, FTP and SSH are not working when the user makes a request to a server in the LAN. I enabled IP forwarding in the FortiWeb but nothing happened. How can I make these protocols bypass the FortiWeb?

 

My topology is attached,

 

Thanks,

 

Courtney_Schwartz

Hi Dieorqui,

 

Your topology is like FortiWeb 5.5.3 Administration Guide page 79.

 

It shows a FortiGate RDP/SSH/FTP port forward to the physical web servers' IP -- not to FortiWeb's vserver IP, which is a proxy that only receives HTTP/HTTPS and will drop everything else. (Abelio is correct.)

 

That's why your FortiWeb setting should be "set ip-forward disable" -- not enabled. Your router should also port forward RDP/SSH/SFTP to your web servers, not to FortiWeb, which is an extra hop. (FortiWeb cannot scan RDP/SSH, so there is no benefit. It would just increase latency.)

 

"set ip-forward enable" is not recommended. If you really want to use it, though, try this config + topology.

 

The docs describe it in more detail:

• "Why is FortiWeb not forwarding non-HTTP traffic (for example, RDP, FTP) to back-end servers even though set ip-forward is enabled?" on page 784 http://docs.fortinet.com/uploaded/files/3019/FortiWeb_5_5_Patch_3_Administration_Guide_Revision1.pdf
• "router setting" on page 117 http://docs.fortinet.com/d/fortiweb-5-5-3-cli-1

     

Regards,

Courtney
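The split Courtney describes (HTTP to the FortiWeb vserver, SSH straight to the back-end server so FortiWeb never sees it), written out as FortiGate CLI. This is an added example, not configuration from the thread or from Fortinet; the interface names wan1/dmz, the VIP and policy names and the back-end server address 192.0.2.10 are assumptions, while 172.10.15.62, 172.18.15.62 and 192.168.0.78 are taken from the thread. The same pattern applies to RDP and FTP, and FortiWeb itself keeps "set ip-forward disable" as recommended above.

```text
config firewall vip
    # Web traffic: port-forward to the FortiWeb vserver (reverse proxy)
    edit "vip-http-to-fortiweb"
        set extip 172.10.15.62
        set extintf "wan1"            # assumption: interface facing MPLS
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedip "172.18.15.62"   # FortiWeb vserver from the thread
        set mappedport 80
    next
    # SSH: port-forward directly to the real server; FortiWeb is not in the path
    edit "vip-ssh-to-server"
        set extip 172.10.15.62
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 22
        set mappedip "192.0.2.10"     # placeholder: back-end server IP
        set mappedport 22
    next
end
config firewall address
    edit "mpls-admin"                 # limit admin access to the MPLS source
        set subnet 192.168.0.78 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "mpls-to-fortiweb-http"
        set srcintf "wan1"
        set dstintf "dmz"             # assumption: interface toward FortiWeb port2
        set srcaddr "mpls-admin"
        set dstaddr "vip-http-to-fortiweb"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
    edit 0
        set name "mpls-to-server-ssh"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "mpls-admin"
        set dstaddr "vip-ssh-to-server"
        set action accept
        set schedule "always"
        set service "SSH"
    next
end
```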
