FortiOS 6.0 Getting Started: Port forwarding


In this recipe, you configure port forwarding to open specific ports and allow connections from the Internet to reach a server located behind the FortiGate. This allows Internet users to reach the server through the FortiGate without knowing the server’s internal IP address. Users can also connect using only the ports that you choose.

1. Creating three virtual IP addresses

In this example, you open TCP ports 8096 (HTTP), 21 (FTP), and 22 (SSH) for remote users to communicate with the server behind the firewall. The external IP address of the server is 172.25.176.60, which is mapped to the internal IP address 192.168.70.10.

To create a virtual IP (VIP) address for port 8096, go to Policy & Objects > Virtual IPs and create a new virtual IP address.

Set External IP Address/Range to 172.25.176.60 and set Mapped IP Address/Range to 192.168.65.10.

Enable Port Forwarding. Set Protocol to TCP, set External Service Port to 8096, and set Map to Port to 8096.

Create a second VIP address for port 21. Set both External Service Port and Map to Port to 21.

Create a third VIP address for port 22. Set both External Service Port and Map to Port to 22.

2. Adding the virtual IP addresses to a VIP group

To add the new virtual IP addresses to a virtual IP group, go to Policy & Objects > Virtual IPs and create a new group.

Set the new virtual IP addresses as Members of the group.

3. Creating a security policy

To allow Internet users to reach the server, go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to your Internet-facing interface, Outgoing Interface to the interface connected to the server, and Destination Address to the VIP group (webserver group).

NAT is disabled for this policy so that the server sees the original source addresses of the packets it receives. This is the preferred setting for a number of reasons. For example, the server logs are more meaningful if they record the actual source addresses of your users.

4. Results

To ensure that TCP port 8096 is open, browse to http://172.25.176.60:8096.

Next, ensure that TCP port 21 is open by using an FTP client to connect to the FTP server from a remote connection on the other side of the firewall.

Finally, ensure that TCP port 22 is open by connecting to the SSH server from a remote connection on the other side of the firewall.
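The tests above confirm that the three ports are reachable. The following added example (not part of the original recipe and not Fortinet tooling) checks the other direction: that no VIP exposes anything beyond ports 8096, 21, and 22. It parses a constructed, abridged `show firewall vip` excerpt; the VIP names and the two faulty entries, `web-all` and `web-rdp`, are assumptions made for illustration.

```python
ALLOWED_PORTS = {8096, 21, 22}  # the ports this recipe opens

# Constructed, abridged "show firewall vip" sample; VIP names are assumptions.
SAMPLE = """\
config firewall vip
    edit "web-8096"
        set extip 172.25.176.60
        set mappedip "192.168.65.10"
        set portforward enable
        set extport 8096
        set mappedport 8096
    next
    edit "web-all"
        set extip 172.25.176.60
    next
    edit "web-rdp"
        set extip 172.25.176.60
        set portforward enable
        set extport 3389
        set mappedport 3389
    next
end
"""

def parse_vips(text):
    """Return {vip_name: {setting: value}} from one 'config firewall vip' block."""
    vips, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("edit "):
            current = vips.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('"')
    return vips

def audit_vips(vips, allowed=ALLOWED_PORTS):
    """List (vip_name, problem) for VIPs exposing more than the allowed ports."""
    findings = []
    for name, cfg in vips.items():
        spec = cfg.get("extport", "0-65535")  # assumption: missing means full range
        lo, _, hi = spec.partition("-")
        if cfg.get("portforward") != "enable":
            findings.append((name, "port forwarding off: all ports are mapped"))
        elif not set(range(int(lo), int(hi or lo) + 1)) <= allowed:
            findings.append((name, f"extport {spec} is outside the allowed ports"))
    return findings

if __name__ == "__main__":
    for name, issue in audit_vips(parse_vips(SAMPLE)):
        print(f"{name}: {issue}")
```

A VIP flagged as "port forwarding off" is a one-to-one mapping, so what reaches the server is limited only by the Service setting of the security policy that references it.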
