Using security policies and firewall objects to control traffic : Configuring port forwarding to open ports on a FortiGate unit
  
Configuring port forwarding to open ports on a FortiGate unit
Problem
You want to allow incoming connections from the Internet to a PC on the internal network so that the PC can access an Internet service that requires open ports. The service requires opening TCP ports in the range 7882 to 7999, as well as opening UDP ports 2119 and 2995.
Solution
This DNAT example describes how to configure firewall VIPs to map the following sessions to the PC on the internal network:
TCP sessions to the wan1 IP address with destination port in the range 7882 to 7999.
UDP sessions to the wan1 IP address with destination port 2119 or 2995.
The solution involves creating three VIPs that map sessions arriving at the wan1 IP address to the PC IP address, adding the VIPs to a VIP group, and using that VIP group as the destination address of a wan1 to internal security policy. Because each VIP uses port forwarding, only the listed ports are translated and accepted; any other port on the wan1 address does not match the VIPs.
1 Go to Firewall Objects > Virtual IP > Virtual IP and select Create New to add a virtual IP that maps connections to the wan1 interface on TCP ports 7882 to 7999 to the server.
Name
Port Range VIP
External Interface
wan1
Type
Static NAT
External IP Address/Range
172.20.120.14-172.20.120.14
Mapped IP Address/Range
192.168.1.110-192.168.1.110
2 Select Port Forwarding and configure the following port forwarding settings:
Protocol
TCP
External Service Port
7882 - 7999
Map to Port
7882 - 7999
3 Select OK to save the VIP.
4 Select Create New to add a virtual IP that maps connections to the wan1 interface on UDP port 2119 to the server.
Name
First UDP Port VIP
External Interface
wan1
Type
Static NAT
External IP Address/Range
172.20.120.14-172.20.120.14
Mapped IP Address/Range
192.168.1.110-192.168.1.110
5 Select Port Forwarding and configure the following port forwarding settings:
Protocol
UDP
External Service Port
2119
Map to Port
2119
6 Select OK to save the VIP.
7 Select Create New to add a virtual IP that maps connections to the wan1 interface on UDP port 2995 to the server.
Name
Second UDP Port VIP
External Interface
wan1
Type
Static NAT
External IP Address/Range
172.20.120.14-172.20.120.14
Mapped IP Address/Range
192.168.1.110-192.168.1.110
8 Select Port Forwarding and configure the following port forwarding settings:
Protocol
UDP
External Service Port
2995
Map to Port
2995
9 Select OK to save the VIP.
10 Go to Firewall Objects > Virtual IP > VIP Group and select Create New to add a VIP Group that includes all three VIPs.
Group Name
Server VIP Group
Interface
wan1
11 Add Port Range VIP, First UDP Port VIP, and Second UDP Port VIP to the Members list.
12 Go to Policy > Policy > Policy and select Create New to add a policy that accepts traffic destined for the VIP Group.
Source Interface/Zone
wan1
Source Address
all
Destination Interface/Zone
internal
Destination Address
Server VIP Group
Schedule
always
Service
ANY
Action
ACCEPT
13 Select OK to save the security policy.
 
Do not select NAT on this policy. If you do, source NAT changes the source address of every session to the internal interface address, which hides the actual source address of the sessions from the server and from its logs.
Results
All packets accepted by this security policy must have a destination port defined in one of the VIPs; the policy service is ANY, so it is the VIP port forwarding that restricts which ports reach the server. The VIPs translate the destination IP address from 172.20.120.14 to 192.168.1.110 before the packets are forwarded to the internal network, where the server receives them. The destination port, source IP address and source port are not changed.
Test the configuration by operating the service and using the packet sniffer to see the results. For example, you could try the following command:
diagnose sniffer packet any 'port 7882' 4
interfaces=[any]
filters=[port 7882]
4.150689 wan1 in 172.20.120.12.56825 -> 172.20.120.14.7882: syn 2904689044
4.150936 internal out 172.20.120.12.56825 -> 192.168.1.110.7882: syn 2904689044
4.151102 internal in 192.168.1.110.7882 -> 172.20.120.12.56825: syn 1081214414 ack 2904689045
4.151258 wan1 out 172.20.120.14.7882 -> 172.20.120.12.56825: syn 1081214414 ack 2904689045
Other commands could include:
diagnose sniffer packet any 'port 7882 or port 7883' 4
diagnose sniffer packet any 'udp and (port 2119 or port 2995)' 4
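A practitioner usually captures more than four lines when testing a VIP, so it helps to check the translation mechanically rather than by eye. The following script is an added example, not part of the original page or FortiGate's own tooling: it parses verbose-level-4 `diagnose sniffer packet` lines and pairs each ingress packet with the egress packet that follows it, asserting that the forward path rewrote only the destination IP (172.20.120.14 to 192.168.1.110), that the reply rewrote only the source IP back, that ports and the remote address were left alone, and that the forwarded port is one the three VIPs expose. The first sample is the page's own four-line capture; the second is a constructed capture of what the forward packet would look like if NAT had been enabled on the policy, using an assumed internal interface address of 192.168.1.99.

```python
import re
from dataclasses import dataclass

# Sample 1: the four sniffer lines shown on this page (verbose level 4).
SAMPLE = """\
interfaces=[any]
filters=[port 7882]
4.150689 wan1 in 172.20.120.12.56825 -> 172.20.120.14.7882: syn 2904689044
4.150936 internal out 172.20.120.12.56825 -> 192.168.1.110.7882: syn 2904689044
4.151102 internal in 192.168.1.110.7882 -> 172.20.120.12.56825: syn 1081214414 ack 2904689045
4.151258 wan1 out 172.20.120.14.7882 -> 172.20.120.12.56825: syn 1081214414 ack 2904689045
"""

# Sample 2 (constructed, not from the page): the forward pair as it would look
# with NAT enabled on the policy. 192.168.1.99 is an ASSUMED internal
# interface address; the source is rewritten, which the check must flag.
SAMPLE_SNAT = """\
5.000100 wan1 in 172.20.120.12.56825 -> 172.20.120.14.7882: syn 2904689044
5.000300 internal out 192.168.1.99.56825 -> 192.168.1.110.7882: syn 2904689044
"""

EXT_IP = "172.20.120.14"     # wan1 address the VIPs listen on
MAPPED_IP = "192.168.1.110"  # internal PC the VIPs map to
# Ports exposed by the three VIPs (external port == mapped port here).
VIP_PORTS = {"tcp": set(range(7882, 8000)), "udp": {2119, 2995}}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)


@dataclass
class Pkt:
    ts: float
    intf: str
    dir: str
    sip: str
    sport: int
    dip: str
    dport: int
    proto: str


def parse(text):
    """Parse sniffer lines; header lines such as interfaces=[any] are skipped.
    The verbose-4 summary shows 'udp <len>' for UDP and TCP flags otherwise."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto = "udp" if m["rest"].startswith("udp") else "tcp"
        pkts.append(Pkt(float(m["ts"]), m["intf"], m["dir"], m["sip"],
                        int(m["sport"]), m["dip"], int(m["dport"]), proto))
    return pkts


def allowed_by_vips(proto, dport):
    """True if a VIP forwards this protocol/port; anything else is dropped."""
    return dport in VIP_PORTS.get(proto, set())


def check_dnat(text, ext_ip=EXT_IP, mapped_ip=MAPPED_IP):
    """Return one (description, ok) tuple per ingress/egress pair found."""
    pkts = parse(text)
    results = []
    for a, b in zip(pkts, pkts[1:]):
        if not (a.dir == "in" and b.dir == "out"):
            continue
        if a.intf == "wan1" and b.intf == "internal":
            # Forward path: only the destination IP may change (ext -> mapped);
            # source IP, source port and destination port must be untouched.
            ok = (a.dip == ext_ip and b.dip == mapped_ip
                  and (a.sip, a.sport, a.dport) == (b.sip, b.sport, b.dport)
                  and allowed_by_vips(a.proto, a.dport))
            results.append((f"forward {a.proto}/{a.dport}", ok))
        elif a.intf == "internal" and b.intf == "wan1":
            # Reply path: only the source IP may change back (mapped -> ext).
            ok = (a.sip == mapped_ip and b.sip == ext_ip
                  and (a.sport, a.dip, a.dport) == (b.sport, b.dip, b.dport))
            results.append((f"reply {a.proto}/{a.sport}", ok))
    return results


if __name__ == "__main__":
    for name, capture in (("page capture", SAMPLE), ("nat enabled", SAMPLE_SNAT)):
        for desc, ok in check_dnat(capture):
            print(f"{name}: {desc}: {'OK' if ok else 'MISMATCH'}")
```

Paste a longer capture into `SAMPLE` (or read it from a file) and any MISMATCH line points at a packet where the VIP or the policy rewrote something it should not have; the constructed NAT-enabled sample reports a mismatch on the forward pair because the source address no longer matches the packet that arrived on wan1.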
Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit. You can also go to Policy > Monitor > Policy Monitor to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. Select the bar for the policy to view the top sessions by source address, destination address, or destination port/service.
The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage.