Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Everstay
New Contributor II

Created on ‎03-24-2024 11:40 PM Edited on ‎03-24-2024 11:47 PM

SSL for HTTPS

Hi all,

 

I'm having some issues with port forwarding. I'm running fortinet v7.0.5. I have a Windows Server running Tomcat 8.5 which is running my website. I've succesfully managed to import my SSL certificates into tomcat (on my windows server, going into https://localhost:8443/ i can see the certificate (shows as error, because the domain doesnt match, but all of the information about the CA etc is there, so its working okay). But when i go through https://domain.com:8443/ i get Unable to connect - An error occurred during a connection to domain.com. If i go to https://domain.com (without the port) i get The connection has timed out - An error occurred during a connection to

 

 

Now i have a public ip on my fortinet wan, which is used mostly just for ssl-vpn to remote into my workspace when im at home.

 

I've added 2 VIP's one for port 80 and one for port 8443(https) - port 8443 seems to get hits, but cant load, and port 8443 reports as closed when using tools to check for open ports.

 

I've attached some screenshots of my vip's and firewall policies (im guessing the issue might be within the firewall rules, as im a complete newbie at this).

 

I've attached 2 screenshots - 1 of the vip settings, and other of the firewall rule. I would greatly appreciate if someone more experienced could point be to the right direction, i've fought this for 3 days without any luck.

 

If you require any more information, please do say and i will provide them!

 

Many thanks!

 

screenshots:vips2.png

firewall.pngvip.png

2368
0 Kudos
1 Solution
pminarik
Staff
Staff
In response to Everstay

Created on ‎03-25-2024 04:17 AM Edited on ‎03-25-2024 04:19 AM

Look at this single flow (which repeats throughout the capture):

 

2024-03-25 08:23:57.044783 wan in PUBLIC_IP.114.53929 -> PUBLIC_IP.110.8443: syn 800780839
2024-03-25 08:23:57.044848 vlan99 out 10.1.99.30.53929 -> 10.1.2.63.8443: syn 800780839
2024-03-25 08:23:57.044853 lan out 10.1.99.30.53929 -> 10.1.2.63.8443: syn 800780839
2024-03-25 08:23:57.045227 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53929: rst 0 ack 800780840
2024-03-25 08:23:57.045249 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53929: rst 0 ack 800780840

 

Or in short:

-> SYN

<- RST

 

This is very much an explicit rejection of the attempt to communicate by 10.1.2.63 (or whoever else may be acting on its behalf, such as another firewall, on the path, on the server, etc.).

 

From the FortiGate's point of view, the important thing to notice is that the SYN packet goes through, i.e. the packet/session was allowed to pass.

[ corrections always welcome ]

View solution in original post

2286
0 Kudos
8 REPLIES 8
pminarik
Staff
Staff

Created on ‎03-25-2024 01:11 AM Edited on ‎03-25-2024 01:13 AM

At a glance the setup looks OK. Here's a list of semi-random points that may be worth checking:

  • Does "domain.com" resolve to the WAN interface IP, exclusively? (not resolving to two IPs, or giving multiple results rotated in round-robin fashion)
  • Is the mapped-ip 10.1.2.63 actually reachable via the "lan" interface? (is "lan" in the same subnet? Or does it at least have a route towards the IP via another router?)
  • You wrote "localhost:8443". Is the server configured correctly? A) is it listening on its ethernet interface connected to the 10.1.2.63/xx subnet? B) Is the local firewall (if any is enabled) on the server allowing incoming traffic to TCP/8443?
  • Is the server application configured with any source-ip restrictions for incoming connections? (less likely to be relevant with SNAT enabled in the FGT firewall policy, but it may become more relevant later)

If all else fails, start with basics and make a packet capture and check the packet flow:

diag sniffer packet any "port 8443" 4 0 a

(CTRL+C when done)

[ corrections always welcome ]
2348
0 Kudos
Everstay
New Contributor II
In response to pminarik

Created on ‎03-25-2024 01:31 AM

Hi and thanks for your pointers.

  • The domain.com is our main website hosted via a hosting providers, we've  created a subdomain for our main domain. Said subdomain has an A record pointing to the public fortinet WAN ip address which i failed to mention; so to answer your question, i guess yes it does
  • The mapped address is reachable, there's no issue with this. I can easily access the website using my subdomain, but without the https port (i can only access it using port 80 or port 8080 (which is default non ssl for tomcat)
  • Im 90% certain server-wise everything is correct. Is there any commands i can run on the windows server that would tell me if there is something blocking it from reaching the outside world using the ssl  port?
  • I dont think so, we never had anything similar done on our network, so if it hasn't came by default, its not there.

 

Here's a glance at the sniffer command. I've changed most parts of the public ip to PUBLIC_IP leaving .114 and .110 which is the ends of that WAN ip address. Is there something you see that i dont?

 

Many thanks!

2340
0 Kudos
pminarik
Staff
Staff
In response to Everstay

Created on ‎03-25-2024 02:21 AM

Looks like the sniffer output wasn't attached, can you retry?

[ corrections always welcome ]
2326
0 Kudos
Everstay
New Contributor II
In response to pminarik

Created on ‎03-25-2024 02:25 AM Edited on ‎03-25-2024 02:48 AM

Sorry! Here it is (10.1.99.30 is fortinets ip that i access web ui with)

Spoiler
ID420 # diag sniffer packet any "port 8443" 4 0 a
interfaces=[any]
filters=[port 8443]
2024-03-25 08:23:56.524975 wan in PUBLIC_IP.114.53929 -> PUBLIC_IP.110.8443: syn 800780839
2024-03-25 08:23:56.525208 vlan99 out 10.1.99.30.53929 -> 10.1.2.63.8443: syn 800780839
2024-03-25 08:23:56.525222 lan out 10.1.99.30.53929 -> 10.1.2.63.8443: syn 800780839
2024-03-25 08:23:56.525887 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53929: rst 0 ack 800780840
2024-03-25 08:23:56.525935 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53929: rst 0 ack 800780840
2024-03-25 08:23:56.779074 wan in PUBLIC_IP.114.53930 -> PUBLIC_IP.110.8443: syn 3868203969
2024-03-25 08:23:56.779178 vlan99 out 10.1.99.30.53930 -> 10.1.2.63.8443: syn 3868203969
2024-03-25 08:23:56.779184 lan out 10.1.99.30.53930 -> 10.1.2.63.8443: syn 3868203969
2024-03-25 08:23:56.779844 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53930: rst 0 ack 3868203970
2024-03-25 08:23:56.779873 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53930: rst 0 ack 3868203970
2024-03-25 08:23:57.044783 wan in PUBLIC_IP.114.53929 -> PUBLIC_IP.110.8443: syn 800780839
2024-03-25 08:23:57.044848 vlan99 out 10.1.99.30.53929 -> 10.1.2.63.8443: syn 800780839
2024-03-25 08:23:57.044853 lan out 10.1.99.30.53929 -> 10.1.2.63.8443: syn 800780839
2024-03-25 08:23:57.045227 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53929: rst 0 ack 800780840
2024-03-25 08:23:57.045249 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53929: rst 0 ack 800780840
2024-03-25 08:23:57.296572 wan in PUBLIC_IP.114.53930 -> PUBLIC_IP.110.8443: syn 3868203969
2024-03-25 08:23:57.296625 vlan99 out 10.1.99.30.53930 -> 10.1.2.63.8443: syn 3868203969
2024-03-25 08:23:57.296630 lan out 10.1.99.30.53930 -> 10.1.2.63.8443: syn 3868203969
2024-03-25 08:23:57.297177 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53930: rst 0 ack 3868203970
2024-03-25 08:23:57.297202 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53930: rst 0 ack 3868203970
2024-03-25 08:23:57.562318 wan in PUBLIC_IP.114.53929 -> PUBLIC_IP.110.8443: syn 800780839
2024-03-25 08:23:57.562436 vlan99 out 10.1.99.30.53929 -> 10.1.2.63.8443: syn 800780839
2024-03-25 08:23:57.562442 lan out 10.1.99.30.53929 -> 10.1.2.63.8443: syn 800780839
2024-03-25 08:23:57.563006 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53929: rst 0 ack 800780840
2024-03-25 08:23:57.563033 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53929: rst 0 ack 800780840
2024-03-25 08:23:57.811778 wan in PUBLIC_IP.114.53930 -> PUBLIC_IP.110.8443: syn 3868203969
2024-03-25 08:23:57.811851 vlan99 out 10.1.99.30.53930 -> 10.1.2.63.8443: syn 3868203969
2024-03-25 08:23:57.811856 lan out 10.1.99.30.53930 -> 10.1.2.63.8443: syn 3868203969
2024-03-25 08:23:57.812474 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53930: rst 0 ack 3868203970
2024-03-25 08:23:57.812501 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53930: rst 0 ack 3868203970
2024-03-25 08:23:58.078690 wan in PUBLIC_IP.114.53929 -> PUBLIC_IP.110.8443: syn 800780839
2024-03-25 08:23:58.078741 vlan99 out 10.1.99.30.53929 -> 10.1.2.63.8443: syn 800780839
2024-03-25 08:23:58.078746 lan out 10.1.99.30.53929 -> 10.1.2.63.8443: syn 800780839
2024-03-25 08:23:58.079336 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53929: rst 0 ack 800780840
2024-03-25 08:23:58.079357 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53929: rst 0 ack 800780840
2024-03-25 08:23:58.330470 wan in PUBLIC_IP.114.53930 -> PUBLIC_IP.110.8443: syn 3868203969
2024-03-25 08:23:58.330516 vlan99 out 10.1.99.30.53930 -> 10.1.2.63.8443: syn 3868203969
2024-03-25 08:23:58.330521 lan out 10.1.99.30.53930 -> 10.1.2.63.8443: syn 3868203969
2024-03-25 08:23:58.331066 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53930: rst 0 ack 3868203970
2024-03-25 08:23:58.331091 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53930: rst 0 ack 3868203970
2024-03-25 08:23:58.595017 wan in PUBLIC_IP.114.53929 -> PUBLIC_IP.110.8443: syn 800780839
2024-03-25 08:23:58.595131 vlan99 out 10.1.99.30.53929 -> 10.1.2.63.8443: syn 800780839
2024-03-25 08:23:58.595136 lan out 10.1.99.30.53929 -> 10.1.2.63.8443: syn 800780839
2024-03-25 08:23:58.595807 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53929: rst 0 ack 800780840
2024-03-25 08:23:58.595833 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53929: rst 0 ack 800780840
2024-03-25 08:23:58.648388 wan in PUBLIC_IP.114.53932 -> PUBLIC_IP.110.8443: syn 154603566
2024-03-25 08:23:58.648444 vlan99 out 10.1.99.30.53932 -> 10.1.2.63.8443: syn 154603566
2024-03-25 08:23:58.648449 lan out 10.1.99.30.53932 -> 10.1.2.63.8443: syn 154603566
2024-03-25 08:23:58.648973 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53932: rst 0 ack 154603567
2024-03-25 08:23:58.648995 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53932: rst 0 ack 154603567
2024-03-25 08:23:58.850293 wan in PUBLIC_IP.114.53930 -> PUBLIC_IP.110.8443: syn 3868203969
2024-03-25 08:23:58.850341 vlan99 out 10.1.99.30.53930 -> 10.1.2.63.8443: syn 3868203969
2024-03-25 08:23:58.850346 lan out 10.1.99.30.53930 -> 10.1.2.63.8443: syn 3868203969
2024-03-25 08:23:58.850915 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53930: rst 0 ack 3868203970
2024-03-25 08:23:58.850940 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53930: rst 0 ack 3868203970
2024-03-25 08:23:59.157790 wan in PUBLIC_IP.114.53932 -> PUBLIC_IP.110.8443: syn 154603566
2024-03-25 08:23:59.157853 vlan99 out 10.1.99.30.53932 -> 10.1.2.63.8443: syn 154603566
2024-03-25 08:23:59.157858 lan out 10.1.99.30.53932 -> 10.1.2.63.8443: syn 154603566
2024-03-25 08:23:59.158458 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53932: rst 0 ack 154603567
2024-03-25 08:23:59.158483 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53932: rst 0 ack 154603567
2024-03-25 08:23:59.689252 wan in PUBLIC_IP.114.53932 -> PUBLIC_IP.110.8443: syn 154603566
2024-03-25 08:23:59.689362 vlan99 out 10.1.99.30.53932 -> 10.1.2.63.8443: syn 154603566
2024-03-25 08:23:59.689367 lan out 10.1.99.30.53932 -> 10.1.2.63.8443: syn 154603566
2024-03-25 08:23:59.690041 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53932: rst 0 ack 154603567
2024-03-25 08:23:59.690067 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53932: rst 0 ack 154603567
2024-03-25 08:23:59.924807 wan in PUBLIC_IP.114.53936 -> PUBLIC_IP.110.8443: syn 2808865711
2024-03-25 08:23:59.924897 vlan99 out 10.1.99.30.53936 -> 10.1.2.63.8443: syn 2808865711
2024-03-25 08:23:59.924902 lan out 10.1.99.30.53936 -> 10.1.2.63.8443: syn 2808865711
2024-03-25 08:23:59.925532 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53936: rst 0 ack 2808865712
2024-03-25 08:23:59.925561 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53936: rst 0 ack 2808865712
2024-03-25 08:24:00.218368 wan in PUBLIC_IP.114.53932 -> PUBLIC_IP.110.8443: syn 154603566
2024-03-25 08:24:00.218469 vlan99 out 10.1.99.30.53932 -> 10.1.2.63.8443: syn 154603566
2024-03-25 08:24:00.218476 lan out 10.1.99.30.53932 -> 10.1.2.63.8443: syn 154603566
2024-03-25 08:24:00.219096 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53932: rst 0 ack 154603567
2024-03-25 08:24:00.219126 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53932: rst 0 ack 154603567
2024-03-25 08:24:00.443486 wan in PUBLIC_IP.114.53936 -> PUBLIC_IP.110.8443: syn 2808865711
2024-03-25 08:24:00.443550 vlan99 out 10.1.99.30.53936 -> 10.1.2.63.8443: syn 2808865711
2024-03-25 08:24:00.443555 lan out 10.1.99.30.53936 -> 10.1.2.63.8443: syn 2808865711
2024-03-25 08:24:00.444111 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53936: rst 0 ack 2808865712
2024-03-25 08:24:00.444138 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53936: rst 0 ack 2808865712
2024-03-25 08:24:00.728945 wan in PUBLIC_IP.114.53932 -> PUBLIC_IP.110.8443: syn 154603566
2024-03-25 08:24:00.729065 vlan99 out 10.1.99.30.53932 -> 10.1.2.63.8443: syn 154603566
2024-03-25 08:24:00.729072 lan out 10.1.99.30.53932 -> 10.1.2.63.8443: syn 154603566
2024-03-25 08:24:00.729762 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53932: rst 0 ack 154603567
2024-03-25 08:24:00.729792 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53932: rst 0 ack 154603567
2024-03-25 08:24:00.962171 wan in PUBLIC_IP.114.53936 -> PUBLIC_IP.110.8443: syn 2808865711
2024-03-25 08:24:00.962229 vlan99 out 10.1.99.30.53936 -> 10.1.2.63.8443: syn 2808865711
2024-03-25 08:24:00.962234 lan out 10.1.99.30.53936 -> 10.1.2.63.8443: syn 2808865711
2024-03-25 08:24:00.962914 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53936: rst 0 ack 2808865712
2024-03-25 08:24:00.962942 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53936: rst 0 ack 2808865712
2024-03-25 08:24:01.485487 wan in PUBLIC_IP.114.53936 -> PUBLIC_IP.110.8443: syn 2808865711
2024-03-25 08:24:01.485598 vlan99 out 10.1.99.30.53936 -> 10.1.2.63.8443: syn 2808865711
2024-03-25 08:24:01.485603 lan out 10.1.99.30.53936 -> 10.1.2.63.8443: syn 2808865711
2024-03-25 08:24:01.486256 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53936: rst 0 ack 2808865712
2024-03-25 08:24:01.486285 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53936: rst 0 ack 2808865712
2024-03-25 08:24:02.003018 wan in PUBLIC_IP.114.53936 -> PUBLIC_IP.110.8443: syn 2808865711
2024-03-25 08:24:02.003096 vlan99 out 10.1.99.30.53936 -> 10.1.2.63.8443: syn 2808865711
2024-03-25 08:24:02.003101 lan out 10.1.99.30.53936 -> 10.1.2.63.8443: syn 2808865711
2024-03-25 08:24:02.003805 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53936: rst 0 ack 2808865712
2024-03-25 08:24:02.003832 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53936: rst 0 ack 2808865712
2024-03-25 08:24:05.755612 wan in PUBLIC_IP.114.53941 -> PUBLIC_IP.110.8443: syn 1209223164
2024-03-25 08:24:05.755718 vlan99 out 10.1.99.30.53941 -> 10.1.2.63.8443: syn 1209223164
2024-03-25 08:24:05.755723 lan out 10.1.99.30.53941 -> 10.1.2.63.8443: syn 1209223164
2024-03-25 08:24:05.756258 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53941: rst 0 ack 1209223165
2024-03-25 08:24:05.756283 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53941: rst 0 ack 1209223165
2024-03-25 08:24:05.756741 wan in PUBLIC_IP.114.53942 -> PUBLIC_IP.110.8443: syn 952748999
2024-03-25 08:24:05.756792 vlan99 out 10.1.99.30.53942 -> 10.1.2.63.8443: syn 952748999
2024-03-25 08:24:05.756797 lan out 10.1.99.30.53942 -> 10.1.2.63.8443: syn 952748999
2024-03-25 08:24:05.757247 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53942: rst 0 ack 952749000
2024-03-25 08:24:05.757273 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53942: rst 0 ack 952749000
2024-03-25 08:24:06.010889 wan in PUBLIC_IP.114.53943 -> PUBLIC_IP.110.8443: syn 2818390585
2024-03-25 08:24:06.010942 vlan99 out 10.1.99.30.53943 -> 10.1.2.63.8443: syn 2818390585
2024-03-25 08:24:06.010948 lan out 10.1.99.30.53943 -> 10.1.2.63.8443: syn 2818390585
2024-03-25 08:24:06.011614 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53943: rst 0 ack 2818390586
2024-03-25 08:24:06.011637 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53943: rst 0 ack 2818390586
2024-03-25 08:24:06.275441 wan in PUBLIC_IP.114.53941 -> PUBLIC_IP.110.8443: syn 1209223164
2024-03-25 08:24:06.275448 wan in PUBLIC_IP.114.53942 -> PUBLIC_IP.110.8443: syn 952748999
2024-03-25 08:24:06.275494 vlan99 out 10.1.99.30.53941 -> 10.1.2.63.8443: syn 1209223164
2024-03-25 08:24:06.275495 vlan99 out 10.1.99.30.53942 -> 10.1.2.63.8443: syn 952748999
2024-03-25 08:24:06.275499 lan out 10.1.99.30.53941 -> 10.1.2.63.8443: syn 1209223164
2024-03-25 08:24:06.275500 lan out 10.1.99.30.53942 -> 10.1.2.63.8443: syn 952748999
2024-03-25 08:24:06.276194 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53941: rst 0 ack 1209223165
2024-03-25 08:24:06.276196 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53942: rst 0 ack 952749000
2024-03-25 08:24:06.276215 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53941: rst 0 ack 1209223165
2024-03-25 08:24:06.276219 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53942: rst 0 ack 952749000
2024-03-25 08:24:06.522602 wan in PUBLIC_IP.114.53943 -> PUBLIC_IP.110.8443: syn 2818390585
2024-03-25 08:24:06.522650 vlan99 out 10.1.99.30.53943 -> 10.1.2.63.8443: syn 2818390585
2024-03-25 08:24:06.522655 lan out 10.1.99.30.53943 -> 10.1.2.63.8443: syn 2818390585
2024-03-25 08:24:06.523297 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53943: rst 0 ack 2818390586
2024-03-25 08:24:06.523318 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53943: rst 0 ack 2818390586
2024-03-25 08:24:06.798774 wan in PUBLIC_IP.114.53941 -> PUBLIC_IP.110.8443: syn 1209223164
2024-03-25 08:24:06.798780 wan in PUBLIC_IP.114.53942 -> PUBLIC_IP.110.8443: syn 952748999
2024-03-25 08:24:06.798889 vlan99 out 10.1.99.30.53941 -> 10.1.2.63.8443: syn 1209223164
2024-03-25 08:24:06.798890 vlan99 out 10.1.99.30.53942 -> 10.1.2.63.8443: syn 952748999
2024-03-25 08:24:06.798894 lan out 10.1.99.30.53941 -> 10.1.2.63.8443: syn 1209223164
2024-03-25 08:24:06.798895 lan out 10.1.99.30.53942 -> 10.1.2.63.8443: syn 952748999
2024-03-25 08:24:06.799615 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53941: rst 0 ack 1209223165
2024-03-25 08:24:06.799618 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53942: rst 0 ack 952749000
2024-03-25 08:24:06.799641 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53941: rst 0 ack 1209223165
2024-03-25 08:24:06.799643 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53942: rst 0 ack 952749000
2024-03-25 08:24:07.040136 wan in PUBLIC_IP.114.53943 -> PUBLIC_IP.110.8443: syn 2818390585
2024-03-25 08:24:07.040192 vlan99 out 10.1.99.30.53943 -> 10.1.2.63.8443: syn 2818390585
2024-03-25 08:24:07.040197 lan out 10.1.99.30.53943 -> 10.1.2.63.8443: syn 2818390585
2024-03-25 08:24:07.040871 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53943: rst 0 ack 2818390586
2024-03-25 08:24:07.040892 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53943: rst 0 ack 2818390586
2024-03-25 08:24:07.324408 wan in PUBLIC_IP.114.53941 -> PUBLIC_IP.110.8443: syn 1209223164
2024-03-25 08:24:07.324416 wan in PUBLIC_IP.114.53942 -> PUBLIC_IP.110.8443: syn 952748999
2024-03-25 08:24:07.324460 vlan99 out 10.1.99.30.53941 -> 10.1.2.63.8443: syn 1209223164
2024-03-25 08:24:07.324461 vlan99 out 10.1.99.30.53942 -> 10.1.2.63.8443: syn 952748999
2024-03-25 08:24:07.324465 lan out 10.1.99.30.53941 -> 10.1.2.63.8443: syn 1209223164
2024-03-25 08:24:07.324466 lan out 10.1.99.30.53942 -> 10.1.2.63.8443: syn 952748999
2024-03-25 08:24:07.325096 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53941: rst 0 ack 1209223165
2024-03-25 08:24:07.325097 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53942: rst 0 ack 952749000
2024-03-25 08:24:07.325118 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53941: rst 0 ack 1209223165
2024-03-25 08:24:07.325120 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53942: rst 0 ack 952749000
2024-03-25 08:24:07.556505 wan in PUBLIC_IP.114.53943 -> PUBLIC_IP.110.8443: syn 2818390585
2024-03-25 08:24:07.556616 vlan99 out 10.1.99.30.53943 -> 10.1.2.63.8443: syn 2818390585
2024-03-25 08:24:07.556621 lan out 10.1.99.30.53943 -> 10.1.2.63.8443: syn 2818390585
2024-03-25 08:24:07.557155 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53943: rst 0 ack 2818390586
2024-03-25 08:24:07.557179 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53943: rst 0 ack 2818390586
2024-03-25 08:24:07.844267 wan in PUBLIC_IP.114.53941 -> PUBLIC_IP.110.8443: syn 1209223164
2024-03-25 08:24:07.844333 wan in PUBLIC_IP.114.53942 -> PUBLIC_IP.110.8443: syn 952748999
2024-03-25 08:24:07.844367 vlan99 out 10.1.99.30.53941 -> 10.1.2.63.8443: syn 1209223164
2024-03-25 08:24:07.844372 lan out 10.1.99.30.53941 -> 10.1.2.63.8443: syn 1209223164
2024-03-25 08:24:07.844380 vlan99 out 10.1.99.30.53942 -> 10.1.2.63.8443: syn 952748999
2024-03-25 08:24:07.844386 lan out 10.1.99.30.53942 -> 10.1.2.63.8443: syn 952748999
2024-03-25 08:24:07.845065 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53941: rst 0 ack 1209223165
2024-03-25 08:24:07.845065 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53942: rst 0 ack 952749000
2024-03-25 08:24:07.845090 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53941: rst 0 ack 1209223165
2024-03-25 08:24:07.845091 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53942: rst 0 ack 952749000
2024-03-25 08:24:08.074011 wan in PUBLIC_IP.114.53943 -> PUBLIC_IP.110.8443: syn 2818390585
2024-03-25 08:24:08.074063 vlan99 out 10.1.99.30.53943 -> 10.1.2.63.8443: syn 2818390585
2024-03-25 08:24:08.074068 lan out 10.1.99.30.53943 -> 10.1.2.63.8443: syn 2818390585
2024-03-25 08:24:08.074753 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53943: rst 0 ack 2818390586
2024-03-25 08:24:08.074775 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53943: rst 0 ack 2818390586

Im also attaching a screenshot of interfaces in use

interfaces.png

 

edit: Might be of some use: i found that if i run the sniffer test against ports 80, 8080 and 8443 the results are all the same. Keep in mind port 80 and 8080 (non-ssl) work fine and display the page normally; port 8443 gives unable to connect error. So to my understanding, if all results within the sniffer for port 80 8080 and 8443 are the same, this shouldnt be fortinet blocking something, correct? Can this be due to network policies and firewall on the windows server itself?

2324
0 Kudos
pminarik
Staff
Staff
In response to Everstay

Created on ‎03-25-2024 04:17 AM Edited on ‎03-25-2024 04:19 AM

Look at this single flow (which repeats throughout the capture):

 

2024-03-25 08:23:57.044783 wan in PUBLIC_IP.114.53929 -> PUBLIC_IP.110.8443: syn 800780839
2024-03-25 08:23:57.044848 vlan99 out 10.1.99.30.53929 -> 10.1.2.63.8443: syn 800780839
2024-03-25 08:23:57.044853 lan out 10.1.99.30.53929 -> 10.1.2.63.8443: syn 800780839
2024-03-25 08:23:57.045227 vlan99 in 10.1.2.63.8443 -> 10.1.99.30.53929: rst 0 ack 800780840
2024-03-25 08:23:57.045249 wan out PUBLIC_IP.110.8443 -> PUBLIC_IP.114.53929: rst 0 ack 800780840

 

Or in short:

-> SYN

<- RST

 

This is very much an explicit rejection of the attempt to communicate by 10.1.2.63 (or whoever else may be acting on its behalf, such as another firewall, on the path, on the server, etc.).

 

From the FortiGate's point of view, the important thing to notice is that the SYN packet goes through, i.e. the packet/session was allowed to pass.

[ corrections always welcome ]
2287
0 Kudos
Everstay
New Contributor II
In response to pminarik

Created on ‎03-25-2024 04:31 AM

Okay, so in my understanding FortiGate allows the connection to go through but then it gets rejected by its next hop, some other instance like the windows server where the packet is destined to go?(for example www -> fortigate(allowed) -> windows server(rejected)

2280
0 Kudos
pminarik
Staff
Staff
In response to Everstay

Created on ‎03-25-2024 05:39 AM

Correct. Something behind the FortiGate is rejecting the connection. It may or may not be the destination server itself, depending on what else is on the path in-between, if anything.

[ corrections always welcome ]
2264
0 Kudos
Everstay
New Contributor II
In response to pminarik

Created on ‎03-25-2024 05:57 AM Edited on ‎03-25-2024 05:57 AM

Yes, you are correct. The destination server (windows server) needed inbound/outbound rules added for those ports. Everything is working smoothly now.  Many thanks for your assistance in this matter!

2258
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.