Port Forwarding Fortigate 7.0


Sofía Goldthwait

Aug 3, 2024, 5:43:54 PM8/3/24
to cokonfhidcell

This topic shows how to use virtual IPs to configure port forwarding on a FortiGate unit. This example has one public external IP address. We map TCP ports 8080, 8081, and 8082 to different internal WebServers' TCP port 80. This allows remote connections to communicate with a server behind the firewall.

I am not going to lie to you. Port forwarding on V7 is pretty much the same as V6, and if I remember rightly that was the same as V5, but the internet is a hungry beast crying out for content. We need to feed the beast lest we feel its wrath.

Now in the next section, we want 'NAT' on as we are NATing this traffic, but you can leave the rest as the default. Here you can also apply some of the advanced features of the FortiGate such as AV and IPS. I am not going to cover that in this guide.

that will show you some useful information about what traffic has passed on that rule. If you have tried to test it and this has a hit count of zero, the chances are the firewall configuration is incorrect.

First off, I'm sure I've done something wrong, fully willing to admit it. I very recently upgraded to a Fortigate 60C from a 60B (Boss gave it to me for training purposes) and I had no issues with port forwarding on the older unit. Worked like a charm.

I'm trying to do a port forward for a game server on my internal network. I've configured the server as a reserved DHCP so it will always have the same IP. I've created a Virtual IP for the port that needs to be forwarded (picture), then created a VIP Group and put the VIP into it. Then, I've created an IPv4 policy to forward traffic from my WAN port to the VIP Group, allowing all services, enabling the NAT and logging traffic (picture). To clarify, the 'Outside_Telus' address group looks like this: (picture)

As far as I know, that's all that is needed to get a port forward to work. When I do a specific NMap scan of the port, it says 'open|filtered', but the game server is not available in the games browser. I've tried to force the game to connect to the server directly, but so far no luck.

Ok, so I've verified that if I open a port using this method for TCP, no issues at all. Opened up a port for an FTP server on TCP port 9400, no issues at all. NMap reports it as open, as do a few other port checker sites.


You're right Eric, I need to do a VIP for every port I want forwarded. If I use our external IP and don't check port forwarding, it assumes that I want everything going to one location, and this precludes using that external IP for anything else.

How is it possible to set up port forwarding? I have already spent days on this and am starting to believe that it is not possible with static IP => Router => Fortigate => devices, as I have tried all the examples from the Fortigate cookbook and a number of Google results.

Not sure what you mean by not many ethernet ISPs in the UK. All incoming connections have to terminate at some form of router, be that fibre, coax or ethernet - the termination depends on the ISP and your paid-for service: broadband, dedicated line, MPLS etc.

If your Netgear DM200 is not in modem-only mode you are double NATing and would need to also open ports on the Netgear DM200. Personally, if you want something else to deal with the routing and firewall, including NAT, your Netgear DM200 should be configured to modem-only mode.

I also have a TP-Link V600, but it failed with that too. Unfortunately there is a lack of examples showing how to configure a Fortigate behind a router (only useless stuff like "get an ISP that terminates with ethernet" LOL).

If this is a home setup, don't get too deep into this; it will be a nightmare to manage. If this is a business, get something more suitable to fulfil your needs and not a consumer router or residential broadband.

This Fortigate is used to manage network & traffic for servers hosted in the house. In addition to those there are like 20 other machines, but they are all hosted through Hetzner, Azure, Vultr (VPS), etc.

I just bought and put a Fortigate 60e in place with the most current firmware (6.2.2, build 1010GA). I am getting stuck trying to get a port forward solution working for external access to a Plex server inside the Fortigate, which is only leading me to bang my head against the desk. I have been doing plenty of Google searching and looking at the Fortinet cookbooks online, which are great resources, but I am wondering if anyone is willing to assist with breaking it down in layman's terms on how to set up the port forwarding.

And while you do that, you notice why you might need port forwarding. SSL-VPN or IPsec VPN towards your FGT will send traffic to your WAN address as well - which will be forwarded completely to your internal server if you don't port-forward.

Correct me if I'm wrong, but I remember reading somewhere that by filtering out unneeded packets at the VIP level (or IPv4 Access Control List) rather than relying solely on the IPv4 Policy's service filter, the switch controller's packet filter saves the FortiGate from wasting unnecessary CPU cycles filtering them out during policy inspection.

Hello everyone,

My first post on the forum and I am pretty new to networking.

I have a scenario where we have Meraki MX64 which already has IPSEC client VPN configured on it.

We bought a Fortigate 60E and now we want to configure SSL VPN port forwarding from the Meraki to this Fortigate appliance.

We only have one public IP address and it's on the Meraki.

At the moment this is what I have done.

Created a different VLAN on the Meraki for Meraki port 2, as I was not able to assign it the same IP address as I have assigned to the LAN ports of the Fortigate.

Connected WAN1 of the Fortigate to Meraki port 2 and assigned it an IP address from the new VLAN.

Connected LAN1 of the Fortigate to the local switch and assigned it an IP address from the local subnet.

I can ping the Fortigate WAN1 interface from the Meraki.

Customized the SSL port on the Fortigate to 4443 and created a port forward rule on the Meraki to WAN1 of the Fortigate on 4443.

It does not work. Is there anything I am missing here?

Are there any other settings or configurations I need to do to make it work?

Any help and assistance will be highly appreciated, and I am looking forward to hearing from the experts.

Thanks a lot.

Requirements were: a public IP address with a hostname in DNS, and that's OK.
An ACME interface without VIPs or port forwarding on 80 and 443, which is why I chose my second WAN link, where there is nothing of that kind.

This should not happen under normal circumstances. Probably you are trying to access your website using a name which has not been configured on your website, or your DNS record is not pointing to the right server.

I have a problem that I need help with. I am using a Fortigate 30e firewall and a log server on a virtual machine with ELK stack and Logstash installed. The goal is to send logs from the Fortigate 30e to the log server's Logstash, and from there to Elasticsearch and then visualize them in Kibana.

I have configured the port 5144/udp and the log server's IP (Logstash's IP) from the Fortigate management panel. On the Ubuntu side, traffic has been allowed through the firewall. The port has been checked and is free to use.

The problem is that no logs are coming through to the log server or appearing in the log files /var/log/logstash-plain.log or /var/log/syslog. I have connected the WAN network from the internet cable > to the firewall > from the firewall to the switch > from the switch to a laptop that contains VMware and the log server virtual machine.

This seems like a network issue. If Logstash is listening on the correct port and IP and you still do not get any logs, you need to check whether everything is OK in the network; there is not much else to do on the Logstash side.

You will need to enable port forwarding via the network editor (I think that's what it's called) otherwise the NAT translation will not forward the incoming packets to the VM. NAT allows many devices to share the same egress IP and so the port forwarding rule helps the NAT determine which inside host should receive the traffic.

1- Set Source Interface to WAN1.
2- Set Source Address to all.
3- Set Destination Interface to internal.
4- Set Destination Address to the name of the virtual IP.
Usually, the remainder of the options in this firewall policy do not need to be changed. For example, Service can remain ANY, because the virtual IP only forwards packets using port 5555.
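Putting the four policy steps above together with the virtual IPs described in the opening paragraph (TCP 8080, 8081 and 8082 on one external address, each mapped to TCP port 80 on a different internal web server), here is the same configuration expressed in FortiOS CLI. This is an added example, not text from the original post or from Fortinet's cookbook; the object names, the external address 203.0.113.10, the internal addresses 10.10.10.11 to 10.10.10.13 and the interface names wan1 and internal are constructed assumptions, and the lines beginning with # are explanatory comments to be left out when pasting into the CLI.

```fortios
# Three virtual IPs on one external address (203.0.113.10 is a constructed example).
# Each VIP forwards exactly one external TCP port to port 80 on one internal server,
# so the external address stays free for other VIPs and for the FortiGate's own services.
config firewall vip
    edit "vip-web1-8080"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.10.10.11"
        set portforward enable
        set protocol tcp
        set extport 8080
        set mappedport 80
    next
    edit "vip-web2-8081"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.10.10.12"
        set portforward enable
        set protocol tcp
        set extport 8081
        set mappedport 80
    next
    edit "vip-web3-8082"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.10.10.13"
        set portforward enable
        set protocol tcp
        set extport 8082
        set mappedport 80
    next
end

# Group the three VIPs so a single policy can reference all of them as its destination.
config firewall vipgrp
    edit "vipgrp-web"
        set interface "wan1"
        set member "vip-web1-8080" "vip-web2-8081" "vip-web3-8082"
    next
end

# The firewall policy from steps 1-4: wan1 -> internal, any source, destination = the VIP group.
# "edit 0" creates a new policy with the next free ID. Service stays ALL because each VIP
# already limits the forwarded traffic to its single external port; NAT is enabled as in the guide,
# and logging is turned on so the policy's hit count can be checked when testing.
config firewall policy
    edit 0
        set name "wan1-to-web-vips"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vipgrp-web"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Each VIP carries its own external port, which is the point made later in the thread: one VIP per forwarded port, rather than a VIP without port forwarding, which would claim the whole external address for a single internal host.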

If you are doing it from the GUI, there is an option under port forwarding either for external service port or map to port you can choose a start and end port range 21-25. As for the CLI you can also do a range. What version of the OS are you using, or what errors are you getting while you are trying to do the port range?

Thank you for visiting my blog, as it relates to your question have you tried what I have suggested in the post?
I am only forwarding one IP there, but you can easily add more than one. The question I have is: are you forwarding both ports to the same internal IP? If so, just do:

I have configured port forwarding for one of our applications hosted in our datacentre and it is working fine. My issue is that after enabling port forwarding the customers are unable to get management access, such as SSH or telnet, from their static IP address.

I have created another virtual IP rule with external service port 22 and mapped port 22. Other details are the same as the previous rule. Also, I have created a new policy allowing SSH access to the virtual IP for the static IP addresses.
