Dear all,
A quick question. FortiGate E series.
I have utilized the HTTPS Virtual Server/SSL Protecting Server option with the full encryption option on a server in our DMZ.
This particular web server needs to be accessible by a select group of internet based IP ranges and the internal network.
I have done this:
IP on WAN interface range -> HTTPS Virtual server on 443 with cert (Full mode) -> Internal server on DMZ network listening on 443
I have then created a firewall rule which references the "From" as the WAN zone with the Internet based IP ranges as the "Source Address", "To" as the DMZ zone referencing the virtual server object as the "Destination".
This is working.
I then decided to utilise the same approach (Allowing the FortiGate to decrypt/inspect the HTTPS traffic) with the traffic sourced from the internal network.
To do this I changed the internal DNS such that the web hostname now resolves to the external WAN interface virtual server IP address, and then I had to add the internal network range to the above firewall rule.
This also works; however, I am confused about how the firewall is allowing this, as the traffic did not come from the WAN zone as the source: it came from the internal interface?
Hi TTFN
I guess you are probably using hairpin NAT without knowing it: outgoing traffic is NATted and then DNATted before reaching the internal server, and your listening interface is "any".
That would explain your case.
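The following FortiOS CLI fragment is an added illustration of the setup the question describes and the explanation the reply gives; it is not configuration taken from either post. Interface names (wan1, internal, dmz), the public and DMZ addresses, and every object name are assumed placeholders. It shows the point the reply makes: a virtual server whose external interface is "any" matches the public IP on every ingress interface, so internal clients that resolve the hostname to the WAN IP are also DNATted to the real server; the fragment gives the internal network its own policy instead of adding its range to the WAN policy, so that each policy's source interface and source addresses stay consistent with each other.

```fortios
# Virtual server (SSL offload in full mode) for the DMZ web server.
# extintf "any" is what lets traffic entering on the internal interface
# hit the public IP as well as traffic entering on wan1 (assumed names).
config firewall vip
    edit "web-vs"
        set type server-load-balance
        set server-type https
        set extip 203.0.113.10
        set extintf "any"
        set extport 443
        set ssl-mode full
        set ssl-certificate "web-cert"
        config realservers
            edit 1
                set ip 10.10.10.20
                set port 443
            next
        end
    next
end

# Address objects: the permitted Internet ranges and the internal LAN (assumed values).
config firewall address
    edit "partner-range-1"
        set subnet 198.51.100.0 255.255.255.0
    next
    edit "internal-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
end

config firewall policy
    # Internet -> DMZ: only the listed ranges may reach the virtual server.
    edit 10
        set name "inet-to-web-vs"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "partner-range-1"
        set dstaddr "web-vs"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
    # Internal -> DMZ via the same virtual server (hairpin): the client sends to
    # the public IP, the VIP DNATs it to 10.10.10.20, and the FortiGate still
    # decrypts and re-encrypts in full mode. Keeping this as a separate policy
    # avoids listing an internal range under a WAN-facing source interface.
    edit 11
        set name "lan-to-web-vs"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "internal-lan"
        set dstaddr "web-vs"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
end
```

To confirm which path an internal client is taking, capture on the FortiGate while a client connects, for example with `diagnose sniffer packet any "host 203.0.113.10 and port 443" 4`: the client's SYN arrives on the internal interface addressed to the public IP, and the corresponding session to the real server leaves on the DMZ interface, which is the hairpin the reply describes. If the two policies above are in place and the internal range is removed from the WAN policy, a failure of the internal path points at the VIP's external interface not being "any" or at the internal DNS still returning the DMZ address.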