Hi all,
i have fortiweb on reverse proxy mode, on HHTP/HHTPS works good but i have problème with SSH (fortiweb drop SSH traffic) so how i can bypass fortiweb for LAN access via SSH, for information i have Fortigate firewall.
Thank's in advance
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
use CLI:
config router setting
set ip-forward enable
end
regards
regards
/ Abel
Hi Abelio,
Thank you for reply.
So i must use Pserver IP to access to my server with SSH not with Vserver IP.
Younes wrote:So i must use Pserver IP to access to my server with SSH not with Vserver IP.
Exactly; same thing for FTP/SFTP/SCP access.
regards
regards
/ Abel
Hi abelio thank you for your repley,
i have another problème:
- may fortiweb is on mode reverse proxy.
- port 3 : connected to the DMZ
- port 2 : conneted to firwall fortigate.
- port 6 : gateway of sevrer on the DMZ
so i created the to Vserver and when i modify the gateway oh the physical to IP of the port 3 i can't reach the server via Vserver so i turned the gateway to @ IP of port 6 ,the server will be reachable Via Vserver.
i didn't understand Why and where is th problème.
Please help.
Younes wrote:- port 3 : connected to the DMZ
- port 2 : conneted to firwall fortigate.
- port 6 : gateway of sevrer on the DMZ
so i created the to Vserver and when i modify the gateway oh the physical to IP of the port 3 i can't reach the server via Vserver so i turned the gateway to @ IP of port 6 ,the server will be reachable Via Vserver.
Younes, sans voir la topologie, je ne suis pas exactement certain que je comprends le problème... mais il semble que port2 de FortiWeb devrait avoir le vserver attaché ... et pas le port6. Comme celui-ci:
Internet --- FortiGate --- port2•FortiWeb•port3 --- web servers
vserver1
route 0.0.0.0/0 via port3
vserver1 (reverse proxy) va accepter le HTTP et après, FortiWeb utilise sa table routing. J'espère que ça aide...
Courtney
Hi Courtney,
thanks for your answer, I can´t find the solution for this problem ..
I have config in the Fortigate two rules :
1. MPLS( SRddres 192.168.0.78) to WAF( with VIP 172.10.15.62---->172.18.15.62 (vserver ) forwarding only port 80 )
2. MPLS( SRddres 192.168.0.78) to LAN (back-end server 172.10.15.62 for rdp,ssh etc..)
the first policy is working good but second rule not working drop the requests for port rdp,ssh etc.. you can to watch how the second rule go to the back-end server but drop the request.
what can I do ?
attach new topology,
thanks,
Hi Abelio,
I have a fortiweb on reverse proxy mode , I´m configuring a VIP in the firewall Fortigate for forward the traffic web to virtual sever and is working good but the others protocols how RDP ,FTP and SSH not working when the user does request to Sever in the LAN . I enable ip forward in the fortiweb but nothing happend .. How I can do that this protocols baypass the fortiweb ?.
Attach my topology ,
Thanks,
Hi Dieorqui,
Your topology is like FortiWeb 5.5.3 Administration Guide page 79.
It shows a FortiGate RDP/SSH/FTP port forward to the physical web servers' IP -- not to FortiWeb's vserver IP, which is a proxy that only receives HTTP/HTTPS and will drop everything else. (Abelio is correct.)
That's why your FortiWeb setting should be "set ip-forward disable" -- not enabled. Your router should also port forward RDP/SSH/SFTP to your web servers, not to FortiWeb, which is an extra hop. (FortiWeb cannot scan RDP/SSH, so there is no benefit. It would just increase latency.)
"set ip-forward enable" is not recommended. If you really want to use it, though, try this config + topology.
In the docs it describes more:
[ul]
Regards,
Courtney
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.