Howto: Fortinet Port Forwarding

**This is a legacy article which does not meet some of our quality standards. While it may contain useful information, it is retained here for legacy reasons only.**

There are different ways to set up Fortinet port forwarding (using a DMZ, for example). This article covers the most basic case; the same approach can be applied to a DMZ setup later.

First, create a VIP:

  1. Go to the Firewall Objects tab, Virtual IP / Virtual IP.
  2. Click Create New.
  3. Name: <name of the server you're forwarding to>
  4. External Interface: <your external interface> (in my case Chorus UFB)
  5. Type: Static NAT
  6. External IP Address / Range: the WAN IP address supplied by your ISP (enter it in both boxes if you only have one IP).
  7. Mapped IP Address / Range: the internal address of the server you're forwarding to, in the first box (the second box should auto-populate).
  8. Port Forwarding: leave unticked.

Second, create a policy in your firewall:

  1. On the Policy tab, choose Policy / Policy.
  2. Click Create New.
  3. Source Interface / Zone: your WAN connection (in my case Chorus UFB).
  4. Source Address: all
  5. Destination Address: <the name you just gave your VIP>
  6. Schedule: always
  7. Service: any single service, or multiple services, that you wish to be forwarded to this internal IP address.
  8. You must enable NAT (although Fortinet says you shouldn't, I can't get it to work otherwise).
  9. Enable any logging, UTM, traffic shaping etc. as you wish (a UTM profile specific to the ports that are opened, e.g. protect web, protect SSH, is suggested in order to improve performance).

From the Fortinet support page:

Test destination NAT by browsing to http://172.20.120.14 from the Internet. The session passes through the FortiGate unit to the web server which sends a response. Use the following packet sniffer command to see the results.

```
diagnose sniffer packet any 'port 80' 4 4
interfaces=[any]
filters=[port 80]
6.150356 wan1 in 172.20.120.12.51439 -> 172.20.120.14.80: syn 15893888
6.150637 internal out 172.20.120.12.51439 -> 192.168.1.110.80: syn 15893888
6.150803 internal in 192.168.1.110.80 -> 172.20.120.12.51439: syn 553485227 ack 15893889
6.150974 wan1 out 172.20.120.14.80 -> 172.20.120.12.51439: syn 553485227 ack 15893889
```

The first output line shows a packet from a client device with IP address 172.20.120.12 was received by the wan1 interface with destination address 172.20.120.14 and destination port 80.

The second output line shows that when the packet exits the internal interface the destination address is changed to 192.168.1.110 and the destination port is still 80.

The third output line shows the response from the web server.

The fourth output line shows the response from the web server being returned to the client device. The source address has been changed back to 172.20.120.14.

In this example, the source port is not changed.

Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic.

Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph for the policy to view the top sessions by source address, destination address, or destination port/service.

The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage.
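The translation shown in the sniffer output above can be checked mechanically rather than by eye. The following is an added example, not code from this article or from Fortinet: a small Python parser for the verbosity-4 `diagnose sniffer packet` lines that confirms a static-NAT VIP rewrote only the destination on the way in and only the source on the way back, with the client's source address and port preserved. The interface names, addresses and port come from the article's sample capture, which is embedded below; `parse_sniffer` and `check_static_nat` are names chosen for this example.

```python
import re

# One packet line of "diagnose sniffer packet ... 4" output, for example:
# 6.150356 wan1 in 172.20.120.12.51439 -> 172.20.120.14.80: syn 15893888
IP = r"\d+(?:\.\d+){3}"
LINE_RE = re.compile(
    rf"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    rf"(?P<sip>{IP})\.(?P<sport>\d+)\s+->\s+(?P<dip>{IP})\.(?P<dport>\d+):"
)

def parse_sniffer(text):
    """Return (iface, direction, (src_ip, src_port), (dst_ip, dst_port)) per
    packet line; the interfaces=/filters= header lines do not match and are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append((m["iface"], m["dir"], (m["sip"], int(m["sport"])),
                            (m["dip"], int(m["dport"]))))
    return packets

def check_static_nat(packets, wan_if, lan_if, ext_ip, mapped_ip, port):
    """Verify one client flow through a static-NAT VIP. Returns (ok, reason)."""
    inbound = [p for p in packets if p[:2] == (wan_if, "in") and p[3] == (ext_ip, port)]
    if not inbound:
        return False, f"no packet for {ext_ip}:{port} arrived on {wan_if}"
    client = inbound[0][2]  # (client_ip, client_port), must stay unchanged
    # Forwarded copy: same client source, destination rewritten to the mapped IP.
    fwd = [p for p in packets if p[:2] == (lan_if, "out") and p[2] == client]
    if not fwd:
        return False, f"flow never left {lan_if}: policy missing or not matching"
    if fwd[0][3] != (mapped_ip, port):
        return False, f"destination became {fwd[0][3]}, expected {(mapped_ip, port)}"
    # Reply: leaves the WAN side with its source translated back to the VIP address.
    reply = [p for p in packets if p[:2] == (wan_if, "out") and p[3] == client]
    if not reply:
        return False, f"no reply to the client seen leaving {wan_if}"
    if reply[0][2] != (ext_ip, port):
        return False, f"reply source {reply[0][2]} not translated back to {(ext_ip, port)}"
    return True, "static NAT verified; client source address and port preserved"

# Sample capture copied from the article's sniffer output (the two header lines included).
SAMPLE = """interfaces=[any]
filters=[port 80]
6.150356 wan1 in 172.20.120.12.51439 -> 172.20.120.14.80: syn 15893888
6.150637 internal out 172.20.120.12.51439 -> 192.168.1.110.80: syn 15893888
6.150803 internal in 192.168.1.110.80 -> 172.20.120.12.51439: syn 553485227 ack 15893889
6.150974 wan1 out 172.20.120.14.80 -> 172.20.120.12.51439: syn 553485227 ack 15893889
"""
```

Run `check_static_nat(parse_sniffer(SAMPLE), "wan1", "internal", "172.20.120.14", "192.168.1.110", 80)` against a capture taken with the sniffer command above; a missing `internal out` line points at the policy (check its Count column), while a wrong destination points at the VIP's mapped IP.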
