Port forwarding


This example illustrates how to use virtual IPs to configure port forwarding on a FortiGate unit. In this example, TCP ports 80 (HTTP), 21 (FTP), and 22 (SSH) are opened, allowing remote connections to communicate with a server behind the firewall.

1. Creating three virtual IPs

Go to Policy & Objects > Objects > Virtual IPs > Create New > Virtual IP.

Enable Port Forwarding and add a virtual IP for TCP port 80. Label this VIP webserver-80.

Create a second virtual IP for TCP port 22. Label this VIP webserver-ssh.

Create a third virtual IP for TCP port 21. Label this VIP webserver-ftp.

2. Adding virtual IPs to a VIP group

Go to Policy & Objects > Objects > Virtual IPs > Create New > Virtual IP Group.

Create a VIP group. Under Members, include all three virtual IPs previously created.

3. Creating a security policy

Go to Policy & Objects > Policy > IPv4 and create a security policy allowing access to a server behind the firewall.

Set Incoming Interface to your Internet-facing interface, Outgoing Interface to the interface connected to the server, and Destination Address to the VIP group. Set Service to allow HTTP, FTP, and SSH traffic.

Use the appropriate Security Profiles to protect the servers.

4. Results

To ensure that TCP port 80 is open, connect to the web server on the other side of the firewall.

To ensure that TCP port 22 is open, connect to the SSH server on the other side of the firewall.

To ensure that TCP port 21 is open, use an FTP client to connect to the FTP server on the other side of the firewall.

For further reading, check out Virtual IPs in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

While this example maps port 80 to port 80, any valid External Service port can be mapped to any listening port on the destination computer.
  • manik .s

    Hi, I have one doubt about the port forwarding. I have 2 ISPs and I want to allow 30 ports with the two ISPs for my VoIP process. The two ISPs are in load-balance mode. Kindly revert to me if there is any easy way to forward all the 30 ports to my two ISPs.

    Thanks,

    Manicaraj S

  • Miroslav Vuković

    Hi, how do I forward a protocol other than TCP or UDP, for example if I want to forward GRE (protocol 47) or ESP (protocol 50) to an internal VPN server?

    Thanks
    mIRO

    • Kerrie Newton

      Hello Miro,

      On the policy that uses the Virtual IP to forward traffic to the internal VPN server you will have to select the services GRE and ESP instead of ALL.

      Regards,
      Kerrie

      • Miroslav Vuković

        Thanks for the reply, Kerrie. So, in the virtual IP settings I just need to set the External and Mapped IP address and not use the Port Forward option?
        But I’m a little bit confused now. In this tutorial, on the virtual IP setting there is a Port Forward option checked and ports are selected, then again in the policy there is a service type selected which corresponds to these ports. Do I need to select ports in the Virtual IP Port Forwarding options at all, or is it enough to set the allowed services on the policy?

        Thanks

        • Kerrie Newton

          In Step 1 of the above recipe you unset Port Forwarding, then in Step 3 you will select the services.
          Note that the VIP will now allow all ports; however, the policy controls what services are allowed.

          • Miroslav Vuković

            OK, thanks for clarification 😉
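Kerrie's advice in CLI form, as an added example that is not part of the thread: a VIP with Port Forwarding left disabled is a static one-to-one mapping, so every port and IP protocol is translated to the internal host, and the policy's Service field is the only thing that limits exposure to GRE and ESP. Interface names and addresses are assumed placeholders.

```fortios
# Static (one-to-one) VIP: Port Forwarding disabled, so every port and IP
# protocol reaching 203.0.113.11 is translated to the internal VPN server.
config firewall vip
    edit "vpn-server"
        set extip 203.0.113.11
        set extintf "wan1"
        set portforward disable
        set mappedip "192.168.1.20"
    next
end
# The policy is the only thing narrowing exposure: the predefined services
# GRE (IP protocol 47) and ESP (IP protocol 50), never ALL. An IPsec peer
# also needs IKE (UDP 500/4500); add the predefined "IKE" service if so.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vpn-server"
        set action accept
        set schedule "always"
        set service "GRE" "ESP"
        set nat disable
    next
end
```

Because the static VIP itself allows everything, review this policy's Service field whenever it is edited: widening it to ALL silently exposes every listening port on the VPN server.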

  • jbada

    Hi, I have a FortiGate 40C.
    Currently I have made all the configurations, but when I connect to the server by SSH it only stays up for 1 minute or less and then the connection unexpectedly closes.

    This is by nat, in the local network ssh works fine.

    Sorry for bad english.

    Regards.

  • Roberto Varela

    How can I create a Virtual IP in FortiGate 90D 5.4.3?

    • Victoria Martin

      Hi Roberto,

      In FortiOS 5.4, the path was changed to Policy & Objects > Virtual IPs.

  • DC

    Hi everyone,
    I’m having some trouble configuring one port used by one app on several PDAs. The issue is, the PDA app only works on 3G/4G; if I point the external address to my public IP, it only works on Wi-Fi.
    Do I have to create two virtual IPs instead?

    Thanks

  • Kerrie Newton

    Hello Arman,

    Yes, using two Public IPs would allow you to port forward 443 for each IP to a different LAN address.

    Kerrie

    • Arman Kadoian

      Hello Kerrie,

      Thank you for confirming that issue for me. Would you please answer the other questions, please?

      Specially with the internal mail server 🙂

      2. I have read that the public IP used for the incoming mail must also be used for outbound mail: (The SMTP server, when initiating traffic towards the Internet, must use the same source IP address).
      http://kb.fortinet.com/kb/viewContent.do?externalId=FD31240

      Then what should I do? use policy routes or ip pool? How should I configure it?

      • Kerrie Newton

        Hello Arman,

        To have outgoing mail traffic use the same IP address you can create an IP pool and select that on the outgoing mail Policy.
        For further assistance with creating IP Pools and troubleshooting your mail issue I would suggest contacting Fortinet Support.

        How to work with Fortinet Support
        http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

        Regards,
        Kerrie

  • Arman Kadoian

    Hi everybody,
    I would like your help in configuring Fortigate 100D.

    My initial configuration was like this.
    I put one public IP address (I have more IP addresses) on my FortiGate 100D wan1. Created VIPs with port forwarding.

    Server-1: running Exchange Server 2013 with virtual directories (HTTPS), so I will need ports 25 and 443 to be used on it. The email works, as does OWA, when accessed externally.
    Server-2: will be running a web server, so port 80 and port 443 will also be used.
    But when I tried to create a VIP for 443 again it FAILED; it said I had already created one, which is for the mail server.

    So I thought, since I have another WAN port, wan2, I can use the other public IP for wan2. So my current configuration is like this:

    Wan1 will be used only for incoming mail traffic (ports 24 and 443)
    Wan2 will be used only for incoming web traffic (ports 80 and 443)

    x.x.x.x – public ip
    y.y.y.y – private ip

    Wan1: x.x.x.84
    Wan2: x.x.x.83

    created 2 VIPs for mail and 2 VIPs for web
    mail:
    x.x.x.84 –> y.y.y.11 port: 25 (mail server)
    x.x.x.84 –> y.y.y.11 port:443 (mail server)

    web:
    x.x.x.83 –> y.y.y.12 port: 80 (web server)
    x.x.x.83 –> y.y.y.12 port:443 (web server)

    I put these in 2 different VIPs groups: Mail traffic and web traffic

    Created 2 policy:
    Mail:
    incoming interface : wan1
    source address: all
    outgoing interface: LAN
    destination address: Mail traffic (VIP)
    Schedule: always
    services: Https, Smtp
    Action: accept
    NAT NOT ENABLED

    Web:
    incoming interface : wan2
    source address: all
    outgoing interface: LAN
    destination address: web traffic (VIP)
    Schedule: always
    services: Https, http
    Action: accept
    NAT NOT ENABLED

    There is another policy for internal users to surf the internet:

    internet:
    incoming interface : LAN
    source address: all
    outgoing interface: wan1
    destination address: all
    Schedule: always
    services: all
    Action: accept
    NAT ENABLED: Use Outgoing Interface Address

    And finally static route: 0.0.0.0/0.0.0.0, wan1, gateway x.x.x.x

    My questions are:

    1. Does this configuration work when someone surfs to the company’s website or sends mail to us? I mean, when using our website do they get x.x.x.83 –> y.y.y.12, and the same for the mail x.x.x.84 –> y.y.y.11? Do I need to do something else?

    2. I have read that the public IP used for the incoming mail must also be used for outbound mail: (The SMTP server, when initiating traffic towards the Internet, must use the same source IP address).
    http://kb.fortinet.com/kb/viewContent.do?externalId=FD31240

    Then what should I do? use policy routes or ip pool? How should I configure it?

    3. For me it doesn’t matter if LAN users use wan1 or wan2 to surf the internet, but does it matter which port should be used?

    I appreciate any help. Please advise. 🙂

    Thank you.

  • Bruce Davis

    The issue that you have to be aware of when putting an email server behind a FortiGate where NATing is being employed is that the traffic from the email server going out to the Internet has to use a specific IP address. When other companies are checking the incoming mail, one of the things they do to prevent SPAM is a reverse DNS lookup. If the mail is from example.com and the source IP address of the packet is x.x.x.x, they check the MX record for example.com to make sure that it is x.x.x.x.
    In situations where there is only one external IP address on the FortiGate there is no need to worry. It’s when there are multiple IP addresses that can be assigned to outgoing traffic that precautions need to be taken. These precautions involve using an IP pool of the IP address mentioned in the MX record at the DNS server. Just use the IP pool to make sure that any outgoing traffic from the mail server is using that specific IP address.

    • Arman Kadoian

      Hi Bruce,
      Thanks for the reply.

      My initial configuration was like this.

      I put one public IP address (I have more IPs) on my FortiGate 100D. Created VIPs with port forwarding.

      I have 2 internal servers:

      Server-1: running Exchange Server 2013 with virtual directories (HTTPS), so I will need ports 25 and 443 to be used on it. The email works, as does OWA, when accessed externally.

      Server-2: will be running a web server, so port 80 and port 443 will also be needed. I tried to create a VIP for 443 again but it FAILED; it said I had already created one, which is for the mail server.

      So I think I have 2 options for the web server configuration of HTTPS:

      Nr1: create an external port for HTTPS like 8443 to map to port 443 on server-2.

      or

      Nr2: Create ip pool to use another public address JUST for the web server.

      So one public ip for for mail server with port for 25 and 443
      And another public ip for web server for ports 80 and 443.

      I would like to use the second option, because then users won’t have to put specific external ports when surfing to our website.

      My Q is how will I create and configure the pool?
      And how will it work with the mail server? I don’t want any conflict with the mail server.

      Thank you.

      • Bruce Davis

        Arman,
        IP pools are more commonly used for outgoing traffic, while in this case you are setting up an IP for incoming traffic. A better approach, if you have multiple IP addresses from your ISP would be to assign a secondary IP address to the interface. Not sure which firmware version you are using but in most, you would go to Network > Interfaces and towards the bottom of the Interface edit window there is a option to create a Secondary IP Address. Just enable the feature and Create a New address. Once this is done, you can create a VIP using this address.

        • Arman Kadoian

          Hi Bruce,

          Thanks for the reply. I’m using 5.2 firmware and i didn’t know that one could add a second IP address to the same interface, thanks for telling me :).

          But how about the outbound traffic for the mail? Will I still be using an IP pool?
          I mean, if a mail comes to public IP address x.x.x.83, which will be configured with a VIP, then how will the outbound traffic know which IP address to choose?

          I hope I explained the situation clearly.

          • Bruce Davis

            If an incoming session starts by using a VIP, then all the traffic associated with that session should go out the appropriate IP address, but email servers will sometimes start the sessions themselves. An example would be an email generated from inside the network. So while having just the VIP set up properly will correctly handle a lot of the traffic, it is worth setting up an IP pool to handle the outgoing traffic of the email server. This way your email domain won’t get put on a SPAM list because too many emails came from the wrong IP address.
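The IP pool approach Bruce describes, written out in FortiOS 5.2 CLI as an added example that is not part of the thread. The addresses 203.0.113.84 and 192.168.1.11 are assumed placeholders standing in for the thread's x.x.x.84 (public) and y.y.y.11 (mail server); the interface names LAN and wan1 are taken from Arman's post.

```fortios
# Address object for the internal mail server (stands in for y.y.y.11)
config firewall address
    edit "mail-server"
        set subnet 192.168.1.11 255.255.255.255
    next
end
# One-address overload pool holding the public IP published in the MX and
# PTR records (stands in for x.x.x.84, the same IP the inbound VIP uses)
config firewall ippool
    edit "mail-outbound"
        set type overload
        set startip 203.0.113.84
        set endip 203.0.113.84
    next
end
# Outbound policy for sessions the mail server starts itself. Policies are
# matched top-down, so move this one above the general LAN-to-wan1 policy
# that NATs to the outgoing interface address, or it will never match.
config firewall policy
    edit 0
        set srcintf "LAN"
        set dstintf "wan1"
        set srcaddr "mail-server"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
        set ippool enable
        set poolname "mail-outbound"
    next
end
```

After applying it, send a test message to an external mailbox and check the Received: header of the delivered copy: the connecting address should be 203.0.113.84, not the interface address the general policy would have used.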

  • Arman Kadoian

    I want to build a new network for the company. We will host the web server and the mail server in the private network. The web server configuration is clear, but about the mail server I’m doubtful, because of this knowledge base article that I read on Fortinet:

    When setting up a Virtual IP on the FortiGate for a mail server, there can be issues with mail being sent outbound through the firewall when NAT is configured. See the Fortinet Knowledge Base related article How to NAT an internal mail server to the Internet for additional configuration information

    http://kb.fortinet.com/kb/view

    http://kb.fortinet.com/kb/docu

    Please give me your input and direct me on how I should configure the FortiGate for the mail server.

    Thank you.

  • Arman Kadoian

    Can I use the above configuration (port forwarding) for a mail server inside the private network on port 25?

    • bdickie

      Yes, this is a common use of port forwarding.

      • Arman Kadoian

        Thank you for the reply.

        I want to build a new network for the company. We will host the web server and the mail server in the private network. The web server configuration is clear, but about the mail server I’m doubtful, because of this knowledge base article that I read on Fortinet:

        When setting up a Virtual IP on the FortiGate for a mail server, there can be issues with mail being sent outbound through the firewall when NAT is configured. See the Fortinet Knowledge Base related article How to NAT an internal mail server to the Internet for additional configuration information

        http://kb.fortinet.com/kb/viewContent.do?externalId=11765

        http://kb.fortinet.com/kb/documentLink.do?externalID=11969

        Please give me your input and direct me on how I should configure the FortiGate for the mail server.

        Thank you.

    • Bruce Davis

      Just remember that port 25 is for SMTP only. If you want to pick up mail, you will also have to add the port for POP3 and/or IMAP, depending on which your mail client uses. For specifics on email port numbers – https://www.siteground.com/tutorials/email/pop3-imap-smtp-ports.htm#imap

  • Daniel Felipe Fajardo M.

    On 5.2.4 (FortiGate 800C) there’s no Virtual IP menu inside Objects. What can I do?

    • Victoria Martin

      Hi Daniel,

      Is your FortiGate in Transparent mode? Virtual IPs are only available in NAT/Route mode.

  • Santosh Sharma

    SSL with port forward mode. Please share a cookbook document for this.

    And also share a document on inter-VDOM routing. (Only a cookbook document.)

    ========================
    Creating IPsec/SSL on a VDOM.

    And also BGP use in a VDOM.

    • Victoria Martin

      Hi Santosh, thank you for all your suggested topics. They have been added to our to-do list, so keep an eye out for them to appear on the Cookbook in the future.