Umesh
Contributor

VIP - Optional filter

Hi team,


I am unable to solve the issue below; can you please help me? Let me tell you what I am doing -

 

WAN IP 192.168.99.2

Internal Server IP - 10.1.1.1

Remote user's public IP - 99.99.99.2 which is trying to access my internal server via port 8080

which is mapped on the FortiGate firewall

external IP - 192.168.99.2

Internal IP - 10.1.1.1

with port no - 8080,8081,8082

Please find the snapshots for more clarification -

[Attachments: VIP1.jpg, VIP2.JPG, VIP.JPG]

Anthony_E
Community Manager

Hello Umesh,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Anthony-Fortinet Community Team.
parteeksharma

 

Dear Umesh,

As I could see, the FortiGate WAN IP is a private IP address (192.168.99.2). If the FortiGate has a private IP address range on the WAN interface, most probably the traffic from the internet might not even reach the FortiGate, as private IP addresses are not routable on the internet. To check and confirm whether the FortiGate is receiving traffic or not, kindly use sniffers and debugs to troubleshoot.

Please check the link below to apply sniffers and debugs and troubleshoot:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-VIP-port-forwarding/ta-p/1...



Regards,
Parteek

alif
Staff

Hi @Umesh,

 

Looking at the network topology, I'm guessing that you have set up a lab environment. Please run debugs/sniffer to investigate further.

 

diagnose debug reset
diagnose debug flow filter addr 192.168.99.2
diagnose debug flow filter port <number>
diagnose debug console timestamp enable
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 1000
diagnose debug enable

 

Now initiate traffic and see if traffic arrives on the FortiGate.

Regards,
SFA
gfleming
Staff

Your TCP_8080 service shows that you are defining TCP port 80, not 8080. Please change destination port to 8080.

 

And as others have mentioned please ensure TCP packets are hitting your WAN interface. If this is a lab likely it's working OK. But if this is truly coming from the internet you'll need to ensure there is a downstream device doing DNAT to your private IP.

 

Cheers,
Graham
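
The mismatch pointed out in the reply above (a service object named TCP_8080 that actually defines port 80) can be caught by linting a configuration backup. This is an added example, not part of the original thread: the sample configuration is constructed, and the function names and the TCP_/UDP_<port> naming convention it checks are assumptions.

```python
import re

# Constructed sample: a service object whose name says 8080 but whose range is 80.
SAMPLE_CONFIG = '''\
config firewall service custom
    edit "TCP_8080"
        set tcp-portrange 80
    next
    edit "TCP_8080-8082"
        set tcp-portrange 8080-8082:1024-65535
    next
end
'''

def parse_services(text):
    """Return {name: {'tcp': [(lo, hi), ...], 'udp': [...]}} from the service custom block."""
    services, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config firewall service custom"):
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block and (m := re.match(r'edit "?([^"]+)"?$', line)):
            current = services.setdefault(m.group(1), {"tcp": [], "udp": []})
        elif in_block and current is not None and (m := re.match(r"set (tcp|udp)-portrange (.+)$", line)):
            for item in m.group(2).split():
                dst = item.split(":")[0]  # keep destination range, drop optional ":source-range"
                lo, _, hi = dst.partition("-")
                current[m.group(1)].append((int(lo), int(hi or lo)))
    return services

def name_port_mismatches(services):
    """Flag objects named TCP_<port>/UDP_<port> whose destination ranges do not cover that port."""
    findings = []
    for name, ranges in services.items():
        m = re.match(r"(TCP|UDP)[_-](\d+)", name, re.I)
        if not m:
            continue  # name carries no port hint (assumed convention), nothing to compare
        proto, port = m.group(1).lower(), int(m.group(2))
        if not any(lo <= port <= hi for lo, hi in ranges[proto]):
            findings.append((name, proto, port, ranges[proto]))
    return findings

if __name__ == "__main__":
    for name, proto, port, have in name_port_mismatches(parse_services(SAMPLE_CONFIG)):
        print(f"{name}: name implies {proto}/{port}, configured destination ranges {have}")
```
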
Umesh
Contributor

Hi Graham,

After changing the destination port to 8080, the policy is working fine.

Thank you.
