- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortinet VPN/DMZ - local website accessible from o...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortinet VPN/DMZ - local website accessible from outside of network
Hello,
Im unsure how to properly word my question so bare with me.
We're currently running Fortigate as our firewall and vpn to which we connect from outside of our network to work remotely when needed. We're also in process of implementing an employee web panel, which needs to be accessible from outside of our network.
Im new to fortinet and unsure how to properly set it up. We have a public ip that we use for vpn connections, and I'd like to use that ip address to redirect web traffic from specific port to local ip
Example:
local web panel address: 10.1.2.63 (running default on port 8080 (this will be changed at later date - lets use this as example though)
public vpn ip address (not actual, just random for example purposes): 83.0.109.50.
Now, what do i need to do to be able to use 83.0.109.50:8080 outside of my network to access that web panel (83.0.109.50:8080 will point to 10.1.2.63 locally)
Please feel free to ask any questions for information i might've missed.
Many thanks for your assistance!
Labels:
- Labels:
-
FortiClient
-
FortiGate
-
FortiWAN
25 REPLIES 25
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Everstay ,
You can use VIP (dnat) for your request. You can review these links for how to create VIP object on Fortigate.
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it
easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey! Many thanks for your reply. Im getting an error unfortunately
"
- The extip is overlapped with the gateway of static route.
- Object check operator error, -5, discard the setting."
I've gathered its because of the external ip address - i dont have any virtual ips defined - this will be the first one, and the external ip im using is also used for vpn connections - is that a problem?
Created on 03-12-2024 02:22 AM Edited on 03-12-2024 02:23 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Everstay ,
If you use a different than ssl-vpn port for your web server, there will be no problem.
For example, if you use 443 for ssl-vpn. You can use 8080 or 8443 for a web server.
But the interesting thing is this "The extip is overlapped with the gateway of static route.". Which IP address did you try to configure VIP? Your public IP address or your gateway address?
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it
easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Created on 03-12-2024 02:38 AM Edited on 03-12-2024 02:40 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes that was the issue with this error, i've changed it to the actual wan ip now and it saved properly, also applied the firewall policy, but it seems like the port is reporting as closed from outside the network and doesnt allow any incoming traffic. ip is pinging of course as its the primary vpn ip but www doesnt seem to work
Also the VIP is reporting hits, dont know if thats good?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Everstay ,
Could you share your VIP and policy configuration with us?
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it
easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've attached some images from the vip page, firewall policies and wan settings
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Everstay ,
Your configuration seems correct. Could you change interface settings "any" to "wan" in the VIP configuration?
Also, could you try to execute telnet to your web server with this command?
"execute telnet 10.1.2.63 8080" . With this command, we can test connectivity between Fortigate and the web server and web service up or down.
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it
easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have changed the interface to wan. Below are logs from telnet
"ID420 # execute telnet 10.1.2.63 8080
Trying 10.1.2.63...
Failed to connect to specified unit.
ID420 # execute telnet 10.1.2.63
Trying 10.1.2.63...
Failed to connect to specified unit.
ID420 #"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Everstay ,
Apparently, your web server does not listen 8080 port or your FortiGate can not access the web server.
Firstly, you need to check your web server. On this server,
-Service UP/Down
-Service run on 8080 port?
-Is there any firewall or antivirus installed on this server?
After the check, you need to control connectivity between FortiGate and the Web server.
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it
easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Related Posts
- VXLAN, Virtual Switch and MTU 83 Views
- Multiple phase 2 selectors needed for... 184 Views
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 272 Views
- New FortiGate 60F- Assigns me IP... 255 Views
- Connecting Two SIP Trunks with Different... 274 Views
Labels
-
FortiGate
6,533 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.