Port forwarding

In this recipe, you configure port forwarding to open specific ports and allow connections from the Internet to reach a server located behind the FortiGate. This allows Internet users to reach the server through the FortiGate without knowing the server’s internal IP address. Users can also connect using only the ports that you choose.

Find this recipe for other FortiOS versions:
5.2 | 5.4 | 6.0

1. Creating three virtual IP addresses

In this example, you open TCP ports 8096 (HTTP), 21 (FTP), and 22 (SSH) for remote users to communicate with the server behind the firewall. The external IP address of the server is 172.25.176.60, which is mapped to the internal IP address 192.168.70.10.

To create a virtual IP (VIP) address for port 8096, go to Policy & Objects > Virtual IPs and create a new virtual IP address.

Set External IP Address/Range to 172.25.176.60 and set Mapped IP Address/Range to 192.168.70.10.

Enable Port Forwarding. Set Protocol to TCP, set External Service Port to 80, and set Map to Port to 80.

Create a second VIP address for port 21. Set both External Service Port and Map to Port to 21.

Create a third VIP address for port 22. Set both External Service Port and Map to Port to 22.

2. Adding the virtual IP addresses to a VIP group

To add the new virtual IP addresses to a virtual IP group, go to Policy & Objects > Virtual IPs and create a new group.

Set the new virtual IP addresses as Members of the group.

3. Creating a security policy

To allow Internet users to reach the server, go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to your Internet-facing interface, Outgoing Interface to the interface connected to the server, and Destination Address to the VIP group (webserver group).

NAT is disabled for this policy so that the server sees the original source addresses of the packets it receives. This is the preferred setting for a number of reasons. For example, the server logs are more meaningful if they record the actual source addresses of your users.

4. Results

To ensure that TCP port 8096 is open, browse to http://172.25.176.60:8096.

Next, ensure that TCP port 21 is open by using an FTP client to connect to the FTP server from a remote connection on the other side of the firewall.

Finally, ensure that TCP port 22 is open by connecting to the SSH server from a remote connection on the other side of the firewall.

For further reading, check out Virtual IPs in the FortiOS 6.0 Online Help.

Victoria Martin
Technical Writer at Fortinet
If the FortiGate has Central NAT enabled, the VIP objects won’t be available for selection in the policy editing window.