Hi,
I have a VLAN configured which is only allowed to use HTTP/HTTPS and DNS for internet. There is a webserver on the LAN that they need to contact, which is also reachable from the outside. When they try to connect to this website they get the outside address from the DNS, and in the firewall we get a "not allowed". I created a security policy, but no effect.
The web server is available with a VIP from outside to LAN, port 80 and 443, interface set to any.
Any idea how to solve this?
Lan is 10.0.0.0/24
Vlan 192.168.5.0/24
try to go to www.mydomain.nl
on the LAN this is 10.0.0.2
on the outside this is 200.200.200.20 (example)
DNS on the vlan gets 200.200.200.20 and in the logging we see deny policy violation implicit deny
Fortigate 51E with 5.4.0; tonight I am updating it to the latest IOS.
Do you have a VLAN to internal policy to allow that traffic? It might be doing some hair-pinning and wanting the policy to allow it even though the outside policy is there.
Mike Pruett
Hi Mike,
Thank you for the quick reply.
Yes there is a policy for VLAN to Lan (nat disabled)
How do I hair-pin this?
Regards,
Jan
Try enabling NAT
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
You could try using a VIP for the external address that forwards to the internal address. I have had to do this before in environments set up the way yours is.
Mike Pruett
Setting to NAT made no difference.
I was already using a VIP from external to LAN.
Problem is that the VLAN needs to go to the LAN but is getting the external IP.
Yes, I can ping from VLAN to LAN.
The VLAN is using the Fortigate DNS, which is set to the provider's DNS servers.
I already found that this was the problem, but I do not know how to solve this.
I tried to create a DNS Database and pointed the VLAN to this server and created an A record for the internal server, but I still got the external IP address?
I cannot find how to set up the DNS Database in the Fortigate, which I think is the solution.
I am now using the internal DNS servers and this solved the problem.
Thanks to all of you helping me out.
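For reference, here is what a split-DNS setup on the FortiGate itself looks like, the approach Jan tried before falling back to internal DNS servers. This is an added example, not configuration from anyone in the thread; the domain and addresses are the ones given above, the VLAN interface name "vlan5" is assumed, and the exact CLI keywords are my assumption for FortiOS of that era, so check them against the CLI reference for your build.

```text
# Added example (not from the thread): answer www.mydomain.nl with the LAN address
# for VLAN clients, so they never resolve the public VIP address 200.200.200.20.
# "vlan5" is an assumed interface name; 10.0.0.2 and mydomain.nl come from the thread.
config system dns-database
    edit "mydomain-internal"
        set status enable
        set domain "mydomain.nl"
        set type master
        # shadow view: answer only the hosts defined here, forward everything else upstream
        set view shadow
        set ttl 86400
        config dns-entry
            edit 1
                set type A
                set hostname "www"
                set ip 10.0.0.2
            next
        end
    next
end

# The zone is only served if the DNS service is enabled on the VLAN interface;
# recursive mode resolves all other names via the configured upstream (provider) servers.
config system dns-server
    edit "vlan5"
        set mode recursive
    next
end
```

The VLAN clients must then use the FortiGate's VLAN interface address as their DNS server; a quick check is an nslookup of www.mydomain.nl from a VLAN host, which should return 10.0.0.2, after which the traffic matches the VLAN-to-LAN policy instead of hitting the implicit deny.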