In this recipe, you configure port forwarding to open specific ports and allow connections from the Internet to reach a server located behind the FortiGate. Internet users reach the server through the FortiGate's external address without knowing the server's internal IP address, and they can connect only on the ports that you choose; traffic to any other port on the external address is not forwarded.
1. Creating three virtual IP addresses
In this example, you open TCP ports 8096 (HTTP), 21 (FTP), and 22 (SSH) for remote users to communicate with the server behind the firewall. The external IP address of the server is 172.25.176.60, which is mapped to the internal IP address 192.168.65.10 (the same mapped address is used for all three virtual IPs below).
To create a virtual IP (VIP) address for port 8096, go to Policy & Objects > Virtual IPs and create a new virtual IP address.
Set External IP Address/Range to 172.25.176.60 and set Mapped IP Address/Range to 192.168.65.10.
Enable Port Forwarding. Set Protocol to TCP, set External Service Port to 8096, and set Map to Port to 8096.
Create a second VIP address for port 21. Set both External Service Port and Map to Port to 21.
Create a third VIP address for port 22. Set both External Service Port and Map to Port to 22.
2. Adding the virtual IP addresses to a VIP group
To add the new virtual IP addresses to a virtual IP group, go to Policy & Objects > Virtual IPs and create a new group.
Set the new virtual IP addresses as Members of the group.
3. Creating a security policy
To allow Internet users to reach the server, go to Policy & Objects > IPv4 Policy and create a new policy.
Set Incoming Interface to your Internet-facing interface, Outgoing Interface to the interface connected to the server, Destination Address to the VIP group (webserver group), and Action to ACCEPT. Set Service so that it covers the three forwarded ports: because each VIP only matches traffic sent to its own external port, a broad Service such as ALL does not expose any other port on the server, but limiting Service to the three ports is still the tighter choice. Leave Source Address set to all only if the server must be reachable from anywhere; for an SSH or FTP service, restricting it to the address ranges of your remote users is strongly preferable.
NAT is disabled for this policy so that the server sees the original source addresses of the packets it receives. This is the preferred setting for a number of reasons. For example, the server logs are more meaningful if they record the actual source addresses of your users. It does require that the server's default route (or at least its route to the Internet) goes through the FortiGate, so that reply packets pass back through the same session and the destination translation is reversed.
4. Results
To ensure that TCP port 8096 is open, browse to http://172.25.176.60:8096.
Next, ensure that TCP port 21 is open by using an FTP client to connect to the FTP server from a remote connection on the other side of the firewall. Only the control connection on port 21 is forwarded by the VIP; the FTP data connections (active or passive) are handled by the FortiGate's FTP session helper, which is enabled by default on port 21. If logins succeed but directory listings or transfers hang, check that the session helper has not been disabled.
Finally, ensure that TCP port 22 is open by connecting to the SSH server from a remote connection on the other side of the firewall.