Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

publish web server

Hi all, my name is Guido. I'm trying to configure a FTG 100A on a network. This network has two private subnets, one used as a DMZ and one internal. There is also a WAN connection over DSL (32 public addresses).
Now I'm trying to publish a web server placed in DMZ1 (192.168.0.a) on a specific public IP address, e.g. 192.168.0.a -> 80.10.10.a.
1) I've added several WAN IP addresses on the wan1 interface.
2) I've created a Virtual IP with static NAT from the specific external IP to the specific internal IP.
3) I've created a policy (without checking the NAT box) with source the specific IP address (80.10.10.a) and destination the Virtual IP I created.
Unfortunately it does not work... please help. Many thanks in advance.
abelio
SuperUser

Hello Guido and welcome,
> I've added several WAN IP addresses on the wan1 interface.
You don't need to do that; define your WAN by choosing one of your public IPs. You can use another IP for your webserver (or the same one if you wish). This article can help you: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=11765&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=21326709&stateId=0%200%2021328487
Also check the webserver's default gateway: does it point to the DMZ IP? Good luck

regards / Abel
Not applicable

Hi Abel, many thanks for your quick reply. I've temporarily resolved it in this way:
1) I've created a VIP - static NAT - source IP: one public IP - dest IP: the IP address of the internal server
2) I've created a policy: source Wan1, all; destination: the Virtual IP that I've created.
It works now, but I know that I've only worked around the problem. In fact I use one public IP for every service (it is not right). In fact the final configuration I want to reach is simple, but I don't know if it is possible with the FGT. I've worked 10 years with Microsoft systems, I am an MCSE, and now... with this appliance I feel like a rookie :)
In a few words: I have 5 servers and 1 blade server (with 5 virtualized servers). Each server hosts several services (web, mail, app, and so on). Each server has a unique IP address (internal and private, 192.168.x.x). Our DSL has 32 IP addresses.
The questions are summarized with these two scenarios:
a) is it possible to NAT ONE public IP address (configured on the WAN1 interface) to many private IPs?
b) even if one server hosts several web sites of different customers, is it possible to reach these web sites using only one public IP?
Example:
a) I have 3 domains registered on my DNS server: domain-1.com, domain-2.com, domain-3.com. The DNS server maps each domain to one and the same public IP (WAN1): 2.10.10.100. The websites of the 3 domains are on different webservers with unique IPs (DMZ1): 192.168.0.200/201/202. Will the FTG be able to catch the request (www.domain-X.com) and redirect it to the right IP?
b) I have 2 domains registered on my DNS server: domain-1.com, domain-2.com. The websites of these two domains are on the same server with IP (DMZ1): 192.168.0.99. The DNS server maps each domain to one and the same public IP (WAN1): 2.10.10.100. Will the FTG be able to catch the request (www.domain-X.com) and redirect it to the server, passing the domain request?
Obviously every network card of the servers is configured with the correct GW.
Many many thanks, Guido
rwpatterson
Valued Contributor III

What you need to do here is, in the VIP configuration section, click the "port forwarding" box. This will allow you to use a single public IP for many different services. (One port-forwarded VIP per service.)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

abelio

> a) is it possible to NAT ONE public IP address (configured on the WAN1 interface) to many private IPs?
Yes, and you could also balance traffic between internal servers hosting the same websites. (If you use exactly the same IP configured on the WAN interface - I don't know why, if you have 30 IP numbers available - you'll have to take care about the firewall administrative ports.)
> b) even if one server hosts several web sites of different customers, is it possible to reach these web sites using only one public IP?
Yes; virtual hosting is a DNS / webserver topic. But your example below is more complex than that:
> Example: a) I have 3 domains registered on my DNS server: domain-1.com, domain-2.com, domain-3.com. The DNS server maps each domain to one and the same public IP (WAN1): 2.10.10.100. The websites of the 3 domains are on different webservers with unique IPs (DMZ1): 192.168.0.200/201/202. Will the FTG be able to catch the request (www.domain-X.com) and redirect it to the right IP?
Hmmm, no; not yet. I guess you're thinking of MS ISA Server at this point. You can define a VIP 2.10.10.100:80 -> 192.168.0.200:80 and host on 192.168.0.200:80 as many virtual domains as you wish. But you cannot also send the same port 80 to another webserver hosting another website; you'll need to use other ports, e.g.: 2.10.10.100:81 -> 192.168.0.201:80
> b) I have 2 domains registered on my DNS server: domain-1.com, domain-2.com. The websites of these two domains are on the same server with IP (DMZ1): 192.168.0.99. The DNS server maps each domain to one and the same public IP (WAN1): 2.10.10.100. Will the FTG be able to catch the request (www.domain-X.com) and redirect it to the server, passing the domain request?
That's the usual virtual hosting; no problem with that. Strictly speaking, the FGT doesn't catch the request www.domainX.com; it merely forwards the packet by IP to the internal webserver; DNS and Apache/IIS do the rest. regards
regards / Abel
Not applicable

Hi all, thanks for your replies, but unfortunately something went wrong. I've tried to follow your suggestion using only one public IP, but I can't reach the services inside the private LAN. In a few words, I've tried this scenario:
a) public address 2.10.10.100
b) one server with IIS and mail server (two IPs configured: 192.168.0.55 / 56)
c) IIS hosts 2 sites and they are published on one IP (192.168.0.55)
d) POP3 and SMTP are published on the same IP, 192.168.0.56
Trying to create 2 VIPs with the same external IP, the FTG gives me a duplicate name error. So I've created 1 VIP, configuring on it a range (192.168.0.55 - 192.168.0.56), called "test". After that I've created 2 policies:
1st: source int: Wan1 - source addr: all - dest int: internal - dest addr: VIP "test" - sched: always - service HTTP - NAT and FIXED PORT deselected
2nd: source int: Wan1 - source addr: all - dest int: internal - dest addr: VIP "test" - sched: always - service multiple (SMTP - POP3) - NAT selected and FIXED PORT deselected
...it does not work. Where is my error? Thanks. Guido
rwpatterson
Valued Contributor III

Once you create an entry without fixed port, no other VIP definitions can terminate on that IP. It's one IP with all ports (one-to-one), or many with one port each (port forward). You cannot mix and match them. Corrected NAT to port forward....

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau
SuperUser

Actually, a VIP always does NAT - it exchanges the destination address of packets. Whether you enable NAT on the policy or not doesn't matter for reaching an internal server from outside. Checking NAT in the policy where you use the VIP would translate the source IP of traffic across the policy as well, which sometimes is desirable and sometimes isn't.
For port forwarding VIPs only (as in 'contrary to non-forwarding VIPs'), you need to check NAT for traffic from the private server to the internet. Otherwise, their private IP wouldn't be routed anywhere. This is different for non-forwarding VIPs.
Define multiple VIPs with the same external and internal IPs BUT check 'Port Forwarding' in each. SMTP is TCP/25, web is TCP/80 etc. Use these port-specific VIPs in one or more policies - if you have one policy per service you can configure your UTM measures specifically.
Please read the VIP chapter in the FortiOS Handbook for your FortiOS version, available for download from http://docs.fortinet.com . This will give you a reference for the options and some examples.
Ede Kernel panic: Aiee, killing interrupt handler!
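The setup the replies above describe (one public IP, one port-forwarding VIP per service, one inbound policy per service, and a NAT-enabled outbound policy for the servers), written out as FortiOS CLI. This is an added example and not a post from the thread nor text from the Fortinet handbook. The addresses are the ones Guido gave (2.10.10.100 public; 192.168.0.55 for the web sites, 192.168.0.56 for mail); the VIP names, the interface names wan1 and dmz1, the policy IDs and the FortiOS 4.x syntax of the FortiGate-100A are assumptions. The last VIP covers Abel's point that a second web server behind the same public IP needs a different external port (2.10.10.100:81 -> 192.168.0.201:80).

```text
# Added example, not from the thread. Names, interfaces (wan1, dmz1),
# policy IDs and FortiOS 4.x syntax are assumptions; addresses are from the thread.

config firewall vip
    # One VIP per service, all sharing the same external IP. Sharing the IP
    # is only possible because every one of them has portforward enabled;
    # a single static (non-forwarding) VIP on 2.10.10.100 would claim all ports.
    edit "vip_web_80"
        set extintf "wan1"
        set extip 2.10.10.100
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedip 192.168.0.55
        set mappedport 80
    next
    edit "vip_smtp_25"
        set extintf "wan1"
        set extip 2.10.10.100
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedip 192.168.0.56
        set mappedport 25
    next
    edit "vip_pop3_110"
        set extintf "wan1"
        set extip 2.10.10.100
        set portforward enable
        set protocol tcp
        set extport 110
        set mappedip 192.168.0.56
        set mappedport 110
    next
    # A second web server behind the same public IP must use another external
    # port; the Host header is not looked at by the firewall, only DNS/IIS use it.
    edit "vip_web2_81"
        set extintf "wan1"
        set extip 2.10.10.100
        set portforward enable
        set protocol tcp
        set extport 81
        set mappedip 192.168.0.201
        set mappedport 80
    next
end

config firewall policy
    # Inbound: destination is the VIP, NAT left off. The VIP already rewrites
    # the destination; NAT here would also rewrite the source and the server
    # logs would show the firewall instead of the real client.
    edit 10
        set srcintf "wan1"
        set dstintf "dmz1"
        set srcaddr "all"
        set dstaddr "vip_web_80" "vip_web2_81"
        set action accept
        set schedule "always"
        set service "HTTP" "TCP_81"
    next
    edit 11
        set srcintf "wan1"
        set dstintf "dmz1"
        set srcaddr "all"
        set dstaddr "vip_smtp_25" "vip_pop3_110"
        set action accept
        set schedule "always"
        set service "SMTP" "POP3"
    next
    # Outbound: servers behind port-forwarding VIPs need a NAT-enabled policy
    # to reach the internet, as ede_pfau notes; their private IP is not routable.
    edit 20
        set srcintf "dmz1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
```

"TCP_81" is an assumed custom service (config firewall service custom, TCP destination port 81) since no predefined service covers that port; "HTTP", "SMTP", "POP3" and "ANY" are predefined in FortiOS 4.x. To check that traffic arrives and is translated, run `diagnose sniffer packet any 'host 2.10.10.100 or host 192.168.0.55' 4` while connecting from outside: the external packet should appear on wan1 and the same flow should reappear on dmz1 with the mapped destination. If only the wan1 side shows up, the VIP or policy is the problem; if the dmz1 side shows the packet but no reply comes back, the server's default gateway is the problem.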
Not applicable

ok, thanks!!
Not applicable

So, if I understand correctly, I can't publish several web sites (that reside on one physical server) with only one public IP address. Is that correct? Thx