- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- How to open a different port for a single IP addre...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to open a different port for a single IP address
Hi !
I have a Fortigate 90d model, and i have to open ports like 6080, 1433 and 1434. I wish that those ports to be open only to a single internal IP address
What should I do for make this simple task ?
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Non-port forwarding VIPs and port-forwarding VIPs to the same destination address are mutually exclusive!
Think of a non-port forwarding VIP as forwarding ALL ports, including the single port you already have defined in a port-forwarding VIP. Imagine traffic arriving for that destination port - which VIP should then respond?
This is ambiguous and as such not allowed.
@George:
just define one VIP for each port you want to expose to the public interface (I'm assuming that is what you meant). To facilitate the policy, group those VIPs into a VIP group and use that as the destination address in the policy.
Pretty straight forward and easy.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create custom services using those ports
Create a new policy Lan -> Lan
Set Source and Destination as Node A and B
Allow Services -- custom services created for those ports in the new policies
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to confirm, are you looking at these ports to be open for inbound traffic (ie internet hits those ports and it gets routed to single internal IP address) or outbound traffic (only single internal IP address is able to reach the internet on those ports)?
For inbound traffic you will need to create a VIP, custom services and link them both in a policy (http://video.fortinet.com/video/116/port-forwarding-5-2)
For outbound traffic follow nn's steps (policy needs to be LAN > WAN, Node A > Any)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to do the same thing for a FortiGate 30b. Every time I try to create a VIP, I get a "A duplicate entry already exists" error, but the only entry in the VIP list has no port forwarding.
Any ideas?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Non-port forwarding VIPs and port-forwarding VIPs to the same destination address are mutually exclusive!
Think of a non-port forwarding VIP as forwarding ALL ports, including the single port you already have defined in a port-forwarding VIP. Imagine traffic arriving for that destination port - which VIP should then respond?
This is ambiguous and as such not allowed.
@George:
just define one VIP for each port you want to expose to the public interface (I'm assuming that is what you meant). To facilitate the policy, group those VIPs into a VIP group and use that as the destination address in the policy.
Pretty straight forward and easy.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think he is looking for internal to internal from the post. He will also need to create address objects, and a deny I think.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Under Object use Virtual IPs
Related Posts
- NO internet connection when using static... 60 Views
- Log messages when forwarding traffic 130 Views
- FortiMail issue ip reputation 114 Views
- SSLVPN Settings Address Range vs SSLVPN... 154 Views
- Issues with activating proxy mode in... 81 Views
Labels
-
FortiGate
6,532 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.