Fortinet: Port Forwarding(Virtual IP) with FortiGate firewall

Captions
In this video we will be configuring a port forwarding rule on a FortiGate firewall. The idea is that it's going to look something like this: we have a remote client that is trying to communicate with an internal web server that resides behind the FortiGate firewall, and we want to access this over the public internet. Take a quick screenshot of the topology that we're going to have, and let's get into the config.

All right, so let's just take a look at the server resource we're trying to access. This is me accessing this server resource internally, but now we want to access it externally, so let's configure it now on the firewall.

We will go to Policy & Objects > Virtual IPs > Create New and configure an HTTP web server virtual IP. We want to bind it to the interface that the traffic will be coming in on, which is wan1 in this case, and we can see that the wan1 IP address is 166.166.1.2. So we're going to put in the IP range here, 166.166.1.2; that's the IP that we want to hit from the outside, and then we're going to map that to 192.168.112.2.

One interesting note here: let's say that we did actually configure some other IP. What if we had more IP addresses that were given to us by our ISP, such as 166.166.1.3 for example? As we can see, that IP is not actually the IP address that's configured on our wan1 interface. That is not going to be a problem. Configuring this IP address and associating it with wan1 is pretty much the exact same thing as configuring this IP address as a primary or secondary IP address on wan1 itself. Just a quick side note there, but let's go back to configuring it as 166.166.1.2, which is the same IP as wan1.

Now, if we didn't add any further configuration at this point, such as this port forwarding option here, what we would be doing is creating a one-to-one NAT between this external IP address and this internal IP. This could absolutely be what we are trying to achieve, but in this case we want to be able to access various external services that the firewall will be hosting. So in this case, and probably most cases, what you're going to want to do is create a port forwarding rule. What I want to do is just have the public facing port be 8080, just for this test, and then we'll map it to port 80, which is the actual port that 192.168.112.2 is listening on with its web server. So port 8080 on this public IP is what we're actually going to type into our browser when we're accessing it from the outside. Let's submit our changes.

Then let's go to Firewall Policy and create a new policy. The direction is going to be incoming from wan1, and our outgoing interface is going to be our internal interface; 192.168.112.2 is the IP we are trying to reach, the end server IP. Let's just name this "VIP HTTP" (again, VIP stands for virtual IP). In this case we are going to specify the source as all, which is any IP address in the world. You could specify this to be a specific source public IP or maybe a geographic range, but in this case we're going to keep it simple and make it all. The destination in this case is going to be the VIP object that we just created, HTTP web server, and as we can see there's the configuration we just specified a moment ago. Let's select the service as ALL. It's no problem to select the service as ALL because, even though we are saying all here, the port defined in the virtual IP, 8080 on the external service port, is going to be the only port that you're going to be allowed to use to match this firewall policy, even though the service is set to ALL.

Now what we'll do is disable NAT. This is so that the end server can actually see the public IP address that's reaching it. You can absolutely enable this, but then that would mean that the server is going to see the IP address of the FortiGate, which in this case is 192.168.112.1. So let's disable that so we see the source public IP, and let's hit OK.

All right, now let's give it a test. Again, we're going to hit 166.166.1.2 on port 8080 and we want that traffic to map to 192.168.112.2 port 80. Let's try it out. There we have it, it works.

Now, a couple of troubleshooting tips. One to start with would be looking at the byte counter: we want to make sure that traffic is actually matching this firewall policy. In this case the firewall policy ID is number 5. We see the byte counter right now is about 10 kilobytes; let's refresh this page and then click the firewall policy. Okay, we saw that value increase, so we can be semi-confident that we're hitting the right policy. If you don't see that byte counter incrementing, it could mean that the implicit deny policy at the very bottom is being hit, which means the traffic is being denied because this policy is not configured correctly. Or, in a larger environment, maybe you have a firewall policy above this one in the direction of wan1 to internal that is getting matched instead, in which case you could just take this policy, drag it to the top, and test again. Just try to do this during a maintenance period so that you don't affect any existing production services.

Another thing we can do, as always, is run a packet capture. If we look at our wan1 interface and filter for port 8080 for simplicity (you can refine the filter further if you'd like, but in this environment it should work out), let's start that and run the test. Okay, there we go, we can see that packet on that interface. We can also do the equivalent by creating a new filter and looking on the internal side if we want the internal perspective, but in this case let's just look at the WAN perspective; we can see bidirectional communication.

And finally, another item: if we have logging on the firewall policy set to All Sessions, save our configuration, and run a couple more tests, we can go back to our FortiGate and go to the Log & Report section. We could filter further for the specifics, but in this case let's see if we find any match. We know the policy we're looking for, which is policy 5. That's all policy 1 traffic there, which is not the correct policy, so let's just filter on policy ID and type in 5. There we go, we do actually see that policy match, and we see information on the right side about what's happening with that traffic. We could further specify a source, destination, and that kind of thing.

All right, that covers things. Stay tuned for the hairpin NAT tutorial as well as the SSL offloading tutorial, which I'll link right in this section once they're available. Aside from that, thanks for joining and we'll see you in the next video.
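The same VIP and firewall policy as FortiOS CLI commands, plus the packet capture and a flow trace for the troubleshooting steps, as an added example that is not from the video. The object names HTTP_Web_Server and VIP_HTTP, the LAN interface name "internal" and policy ID 5 are assumptions taken from how the video describes them.

```text
# Added example (not from the video): the GUI steps above as FortiOS CLI.
# Assumed: VIP name HTTP_Web_Server, policy name VIP_HTTP, LAN interface "internal".
config firewall vip
    edit "HTTP_Web_Server"
        set extintf "wan1"            # interface the traffic arrives on
        set extip 166.166.1.2         # public IP hit from outside (same as wan1's own IP)
        set mappedip "192.168.112.2"  # internal web server
        set portforward enable        # without this it would be a 1:1 NAT of every port
        set extport 8080              # public-facing port typed into the browser
        set mappedport 80             # port the server actually listens on
    next
end

config firewall policy
    edit 5                            # policy ID seen in the byte counter and log filter
        set name "VIP_HTTP"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"             # any source; narrow to a public IP or geo object where possible
        set dstaddr "HTTP_Web_Server" # the VIP object, not the raw server address
        set action accept
        set schedule "always"
        set service "ALL"             # only extport 8080 can match, because the VIP restricts it
        set nat disable               # server sees the real client IP instead of 192.168.112.1
        set logtraffic all            # "All Sessions", so accepted traffic shows in Log & Report
    next
end

# Troubleshooting from the CLI:
# packet capture on wan1 for the public port (verbosity 4 adds interface names)
diagnose sniffer packet wan1 'port 8080' 4
# per-packet policy/NAT trace for one test connection
diagnose debug flow filter port 8080
diagnose debug flow trace start 10
diagnose debug enable
```

With NAT disabled, the server's replies must route back through the FortiGate (its default gateway being 192.168.112.1), otherwise the return traffic never reaches the client even though the policy matched.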
Info
Channel: ToThePoint Fortinet
Views: 19,753
Keywords: Fortinet how to, fortigate how to, virtual ip, virtual server, port forwarding, vip, FortiGate tutorial, fortigate vip, SNAT, DNAT, FortiGate NAT
Id: p8MV3da9D8o
Length: 7min 46sec (466 seconds)
Published: Sat Feb 19 2022