Hello,
I'm a new user of FortiGate devices and need your help.
I'm trying to configure external access to the web service and unfortunately I'm not successful.
My configuration:
Web server(Apache) - 10.0.8.88/24 (site is available locally by https)
Interface - 10.0.8.1/24
Virtual IP:
- External IP (my public IP)
- Map to web server (10.0.8.88)
- Port forwarding 8000 > 443
When trying to connect to MyPublicIP:8000 I get the message "This site is unreachable".
From the logs I get the information that it cannot find the right policy, which is incomprehensible to me because I have this one:
Incoming interface (WAN1 (public IP)) > Outgoing interface (10.0.8.1/24).
Please help,
Lukas
Created on 12-21-2022 01:46 PM
Hello
I guess from the debugs you are matching policy zero as default.
I would advise checking the routing for the internal subnet 10.0.8.1/24.
I guess it is internally connected, but can you try the policy route simulator to check the traffic path?
In order to have an understanding of how the FortiGate handles the traffic, please run debug flow and packet sniffer as below:
Once done, attach the outputs to the thread
Thank you, I sent the log in a private message.
Hi,
You are saying "Incoming interface (WAN1 (public IP)) > Outgoing interface (10.0.8.1/24)."
But looking at the screenshot of that firewall policy it says "virtual-wan-link" as the incoming interface. Change that to wan1 and try again.
It is wan1 (SD-WAN zone).
Make sure that in the routing table you have a route for the source through the wan1 interface, since this is the interface from which you expect the traffic. The return traffic will follow the default routing table from "get router info routing-table all", so if this traffic leaves from another interface, it will be dropped.
Also, an idea would be to set "preserve-session-route enable" under each WAN interface in the SD-WAN zone, if not already.
I see a message "The interface-subnet address assigned to this interface is currently in use and will not be detected".
Is there a conflict?
I managed to solve the problem.
Thank you for your help, in particular ethomollari and anikolov. Thanks to them I retraced the entire path along with debugging and observed that there was a lack of communication between the local policy and the DMZ (somehow I didn't think of that, after all it's the first thing to check), and from the outside there was also a lack of an allowed IP in the source. In my case I just had to add the appropriate IP addresses that can connect from the outside.
That's great.
Thanks for sharing the complete solution with our community.
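For readers who land on this thread with the same symptom, here is the shape of the configuration the thread converges on (a port-forwarding VIP, an inbound policy that names the VIP as destination and restricts the external source addresses, and the debug flow / sniffer / routing-table checks the replies ask for). This is an added example written for this page, not configuration posted by Lukas or by Fortinet; the public IP 203.0.113.10, the allowed client range 198.51.100.0/24, the LAN interface name "internal" and the object names are assumptions chosen to match the addresses in the original post.

```fortios
# Added example, not from the thread. Assumed values: public IP 203.0.113.10,
# allowed external clients 198.51.100.0/24, LAN-side interface "internal".
# The web server 10.0.8.88 and the 8000 -> 443 forward are from the original post.

# 1. Restrict who may reach the published service (the missing source
#    restriction was part of the original problem).
config firewall address
    edit "allowed-web-clients"
        set subnet 198.51.100.0 255.255.255.0
    next
end

# 2. Port-forwarding VIP: public 203.0.113.10:8000 -> 10.0.8.88:443.
config firewall vip
    edit "vip-web-8000"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.0.8.88"
        set portforward enable
        set protocol tcp
        set extport 8000
        set mappedport 443
    next
end

# 3. Inbound policy. The destination is the VIP object, not the server address.
#    If wan1 is a member of an SD-WAN zone, srcintf must be the zone name
#    (for example "virtual-wan-link"); a zone member cannot be referenced
#    directly, which is what the "virtual-wan-link" screenshot in the thread shows.
#    Service is left as ALL here; narrowing it to the right port is an
#    assumption to confirm with the debug flow output below.
config firewall policy
    edit 0
        set name "inbound-web-8000"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "allowed-web-clients"
        set dstaddr "vip-web-8000"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 4. Keep the reply on the interface the request arrived on, as suggested
#    in the thread (repeat for each WAN member of the SD-WAN zone).
config system interface
    edit "wan1"
        set preserve-session-route enable
    next
end

# 5. Diagnostics. A debug flow line such as
#    "Denied by forward policy check (policy 0)" means no policy matched,
#    which is the "policy zero" symptom discussed in the replies.
diagnose debug flow filter clear
diagnose debug flow filter addr 10.0.8.88
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
# ... reproduce the connection from an allowed external client ...
diagnose debug disable
diagnose debug flow trace stop

# Confirm the translated packet actually leaves towards the server and that
# the server's reply comes back (verbose 4 shows interface names).
diagnose sniffer packet any 'host 10.0.8.88 and port 443' 4 0 l

# Confirm the return path: the reply to the external client must leave via
# wan1, otherwise it is dropped.
get router info routing-table all
```

The debug flow output names the policy ID that matched; if it prints policy 0, compare the incoming interface, the source address object and the destination (VIP) object against the policy before looking anywhere else.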