How to Configure Port Forwarding on Fortigate Firewall

Video Statistics and Information

Captions
Hi guys, this is IgoroTech. Today I will show you how to configure port forwarding on FortiGate firewall, also known as destination NAT or DNAT. Port forwarding sets up public services on your network, such as web servers, FTP servers, email servers or other specialized internet applications. When users send this type of request to your network via the Internet, the FortiGate firewall will forward these requests to the appropriate computer or device. Thank you. Let's begin.

We have two methods. The first method is using the default port number. The second method is using a different port number; this is applicable if you have multiple servers for which you want to open the same port number, or if you don't want to use the default port number for security purposes. In the previous video I also showed you how to configure this Dynamic DNS, which we can also use later after we configure the port forwarding.

I'll show you first the first method, which is using the default port number. Go to Policy and Objects, Virtual IPs. First we will create a virtual IP, then later on I will also show you how to create a virtual IP group. Click on Create New. Give a name based on your preference. For this demo we will configure port forwarding for my server using RDP, or Remote Desktop Protocol, so we will give a name of server RDP for our reference. Comments is optional. You can change the icon color if you prefer.

For the interface we have a few options. If you have a fixed public IP address, then you can choose any on the interface, then input your public IP address. You can also use the range if you have multiple fixed public IP addresses; like in my case, I'm holding the IP address of 1.100.1.2 until 1.100.1.5. But what if you are using a dynamic WAN IP address? Well, we will choose the WAN interface; in my case it's WAN1. I usually use this method, especially if the customer has a dynamic IP address. Now for the external IP address range, we will change to 0.0.0.0. This means any IP address received by the WAN interface. Again, this method is very useful if you have a dynamic IP address. Even though your IP address constantly changes, it doesn't matter, since we input 0.0.0.0, and since we configured the Dynamic DNS we can always use the domain regardless of what IP address the WAN interface received.

For the IPv4 address, enter the server or device IP address; in my case it is the server IP address 192.168.1.1. We can open a CLI console and test to ping the device if it's reachable, which we can. You can also enable the optional filters if you want to specify the source IP address and services. Since I want to access from anywhere using any IP address, I will leave this option disabled.

Enable the port forwarding. This is where we specify the port. For the protocol you can choose either TCP, UDP, SCTP and ICMP. Since RDP listens on TCP 3389 and also UDP port 3389, we can choose either TCP or UDP. For the external service port, again 3389 is the default RDP port; however, we can change to a different port if we prefer. In some cases, if you have multiple servers or devices for which you want to open the same port, then we need to use a different external service port. I will show you the method later on. For now we will use the default port, which is 3389. Now for the IPv4 port, this cannot be changed unless you modified the port from the server or device settings. We will use the default RDP port for this demo. Click OK to apply the changes.

You can now see the newly created virtual IP: the name, the interface, which is the internet-facing interface or the WAN, mapped from any IP through port 3389 to the internal server IP address 192.168.1.1 through port 3389. Hit count is still zero and references zero as well, since we haven't yet created any policy using this virtual IP.

Let's now create a firewall policy for this virtual IP. Go to Firewall Policy, click Create New. Let's give a name of WAN to server for our reference. Incoming interface would be the internet-facing interface, or the WAN. Outgoing interface will be the LAN or internal; this is where the server is connected. For the source we will choose all, which means the internet or any public IP address can access the server. For the destination, choose the virtual IP we just created. Schedule to always; this is if you want the server to be available anytime. For the service we can choose all, or we can specify the service; in my case it's RDP, so I can choose RDP. Action should be accept. NAT should be disabled since this is incoming traffic. You can enable the security profiles based on your preference. For the log allowed traffic, we can choose all sessions for troubleshooting purposes. Comments is optional. Make sure the policy is enabled, then click OK to apply the changes. You can now see the newly created firewall policy.

Now let's open the remote desktop. Again, we're going to use the Dynamic DNS which we configured in the previous video, followed by a colon. If we go back to the virtual IP configuration, we can see that the external service port is 3389. We will add the port number on the remote desktop. The sequence would be the public IP address or the Dynamic DNS, followed by a colon, followed by the port number. Let's now try to connect. Success. I'm going to enter my server's username and password. You can see that the port forwarding we configured was successful. You can also see that we are currently using the Dynamic DNS.

Let's go back to the FortiGate. Notice the hit count is zero. Now we're going to refresh the page. You can see that we now have a hit count; this is because we accessed the server. We can also check on the firewall policy. Notice the hit count is also zero. Refresh the page. You can see that we now have traffic running on this policy.

But what if you have multiple servers or devices and you want to open the same port, or maybe for security reasons you don't want to use the default port? This would be our second method. For this demo we are going to create a new virtual IP. We will also configure RDP port 3389 for my laptop, assuming it's a server. Again, we cannot configure the same port for a different device with a single public IP address, but we have some alternatives. We can simply clone and modify this current virtual IP. We will give a name of server 2, assuming it's also for a server. Change the color if you prefer. Everything would be the same except for the IPv4 address and external server port. For the IPv4 address, enter the local IP address of the other server or device, and for the external server port you can change to a different port you prefer, but do not use the registered ports as you might encounter some issues. I will use port 53389 for this demo. We don't need to change the IPv4 port. Click OK to apply the changes. You can see that we now have two virtual IPs with the same port.

We can simply add this virtual IP on the firewall policy we configured earlier, but for better management it's better to put it in one group. Click on Virtual IP Groups, Create New. We will give a name of server group for our reference. Change the color if you prefer. For the interface, remember that we selected the WAN interface when we created the virtual IP, so we need to select that interface as well, or else we don't have the option to choose the virtual IPs we created. We have linked the two virtual IPs to WAN1, so we must choose that interface. If we check on member, we now have the two virtual IPs. We're going to add both virtual IPs. Click OK to save the changes. We now have a virtual IP group.

Now we will use this virtual IP group to configure a firewall policy. Go to Firewall Policy. We will just modify the firewall policy we created earlier. We will only change the destination address to the server virtual IP group we created. You can also see the members from here, which are the server and server 2. Click on it to add. Now we need to remove the server RDP because it's already a member of this group. For the service, if you configured different services and you have added them to the virtual IP group, then you need to change the service to all. But in my case, although I have two virtual IPs, both are using RDP port 3389, so we can still use RDP; however, we can also set it to all if we prefer. The rest would be the same. Click OK to apply the changes. You can now see the destination as the server group.

Now let's test access to both of the servers. Let's open a remote desktop again. This is the first server we configured, which is using the default RDP port. Let's try to connect. Success. Now let's open another remote desktop for us to test the other server. Again, we can use the Dynamic DNS followed by a colon followed by the port, which in my case is 53389. Let's now try to connect. I will log in using my account. Success. We have successfully configured different devices with the same port number, and they can be accessed simultaneously. Notice the external service port at the top of the page: left is the default port and the right is the modified port.

Well, I hope by now you know how to configure port forwarding or DNAT on FortiGate firewall. That's all for today's demonstration, and I really hope you like this video. If you are new to my channel, please don't forget to like, share, subscribe and click on the notification bell for more amazing tutorials. Thank you and see you on the next video.
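The two virtual IPs, the virtual IP group and the firewall policy from the walkthrough, written as FortiOS CLI configuration. This is an added example and is not taken from the video: the interface names `wan1` and `internal` are assumptions, and the second server's address is a placeholder because the captions do not give it.

```fortios
# Added example: CLI form of the objects built in the GUI walkthrough.
# Assumed: interface names "wan1" and "internal". Placeholder: second server IP.
config firewall vip
    edit "server RDP"
        set extintf "wan1"
        set extip 0.0.0.0
        set mappedip "192.168.1.1"
        # Optional filter (left disabled in the video): set src-filter <allowed-source-range>
        set portforward enable
        set protocol tcp
        set extport 3389
        set mappedport 3389
    next
    edit "server 2"
        set extintf "wan1"
        set extip 0.0.0.0
        set mappedip "<second-server-ip>"
        set portforward enable
        set protocol tcp
        set extport 53389
        set mappedport 3389
    next
end
config firewall vipgrp
    edit "server group"
        set interface "wan1"
        set member "server RDP" "server 2"
    next
end
config firewall policy
    edit 0
        set name "WAN to server"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "server group"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
        set nat disable
    next
end
```

Both virtual IPs map to internal port 3389, which is why the policy can keep the single service RDP even though the second one is reached on external port 53389.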
Info
Channel: IgoroTech Official
Views: 11,712
Keywords: How to Configure Port Forwarding on Fortigate Firewall - google.com, How to Configure Port Forwarding on Fortigate Firewall - youtube.com, port forwarding, virtual ip, fortigate, fortinet, configurate port forwarding, port forwarding configuration, dnat, dnat policy, nat policy, fortigate poilcy, fortigate virtual ip, fortios, version 7, how to configure, tutorial, guide, basic configuration, fortigate tutorials, fortigate training, fortigate for beginners, fortinet firewall, beginner
Id: HmHU-zQ2D2E
Length: 11min 34sec (694 seconds)
Published: Mon Apr 10 2023