Support Forum
Zenhusen
New Contributor

FortiGate virtual IP can't access from outside

I have replaced the current firewall, an old 50E, with a new 60F.
Sadly we could not use the config file from the old one.


1. I have set up virtual IPs for our meters (we have meters that collect info for our building)
2. And then I did a virtual IP group with all the meters
3. Then I set up a firewall policy

The issue I have is that I cannot access the meters when I am on another network (over the internet).

Here is how I have set up the firewall; have I forgotten something? Must say I am not used to working with firewalls at all.

[Attached screenshots: virtualIP-ploicy2.png, virtualIP-ploicy.png, virtualIp-Group.png, virtualIP.png]

15 REPLIES
ede_pfau
SuperUser

IMHO the policy does not allow this traffic.

It needs to allow HTTP (port 80) and your custom service (tcp/10020). Please give it a try.


If unsuccessful, run a 'diag debug flow' to see what happens. Post it here for interpretation.

Ede Kernel panic: Aiee, killing interrupt handler!
funkylicious

Like @ede_pfau mentioned, if in the VIP you are using custom port forwarding, then in the firewall rule I would set the services option to either ALL (since you are using PubPort>PrivPort, 1:1) or those specific ports (PubPort) from the VIP.

"jack of all trades, master of none"
Zenhusen

Changed the service option to ALL and no change, can't access from the internet.

GauravPandya
New Contributor III

In the policy, disable NAT and put the VIP object, e.g. "Elvaco Nr 1", in the destination field. Try to access from the internet.
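The three suggestions above (allow the VIP's public ports in the service field, use the VIP or VIP group as the destination, leave NAT off) written out as one FortiOS CLI configuration. This is an added example, not from the thread or from Fortinet; interface names wan1/internal, the addresses 203.0.113.10 and 192.168.10.21, and the object names are assumed placeholders, 10020 is the custom port @ede_pfau refers to, and the `#` lines are annotations rather than CLI input.

```text
# Assumed: wan1 is the WAN interface, internal the LAN; 203.0.113.10 is the
# FortiGate WAN IP, 192.168.10.21 is one meter. Replace with your own values.
config firewall vip
    edit "Elvaco Nr 1"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.10.21"
        set extport 10020          # public port (PubPort)
        set mappedport 80          # meter's HTTP port (PrivPort)
    next
end
config firewall vipgrp
    edit "Meters-VIP-Group"
        set interface "wan1"
        set member "Elvaco Nr 1"   # add the remaining meter VIPs here
    next
end
# Custom service for the PUBLIC port; the policy is matched on the port the
# client sends to, not on the port the VIP maps it to.
config firewall service custom
    edit "Meter-10020"
        set tcp-portrange 10020
    next
end
config firewall policy
    edit 0
        set name "Internet-to-Meters"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"          # replace with an address object for the remote site if its IP is static
        set dstaddr "Meters-VIP-Group"   # the VIP group, never the meters' private addresses
        set action accept
        set schedule "always"
        set service "HTTP" "Meter-10020"
        set nat disable            # the VIP already does the destination NAT
        set logtraffic all         # so hits and denies are visible in the log and in diag debug flow
    next
end
```

After applying it, check that the policy's hit counter increases when you connect from outside; if it stays at zero, the traffic is not reaching or not matching this policy and the debug flow below will show which policy (if any) it hits instead.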

yderek
Staff

@Zenhusen Try to run the flow debug while you are connecting from outside.


CLI 1:

==================================================

diagnose sniffer packet any "host x.x.x.x && host y.y.y.y && port zzz" 4 0 l

Replace x.x.x.x with your external computer's public IP; y.y.y.y will be your FG WAN IP configured in the VIP; zzz will be the port number of the service.

Attempt to access the VIP from the internet and let the debug run.

To stop this debug, use Ctrl+C.

==================================================

CLI 2:

diagnose debug reset

diagnose debug flow filter saddr <your external source IP from computer trying to access>

diagnose debug flow filter daddr <your VIP external IP configured on FG>

diagnose debug flow show function-name enable

diagnose debug flow trace start 2000

diagnose debug enable

==================================================

Attempt to access the VIP from the internet and let the debug run; try to access from the internet a couple of times.

==================================================

To stop the debug, use:

==================================================

dia de dis 

dia de reset 

==================================================

Upload the CLI 1 and CLI 2 output in this topic afterwards.

Zenhusen

I tried the above but got nothing from the CLI after I did the above.
