Support Forum
Treuz
New Contributor

Unable to telnet/ping from Fortigate

Hello, I have a Fortigate 90D that is working pretty well. I'm having a problem in configuring a VIP to let an external application access a badge reader in my local LAN via telnet on port 9999; there is an issue (I believe) in the local segment of my network. Telnet (as well as ping) is working fine from my PC to the badge reader: I can access the device via telnet and interact with the console. The weird thing is that the Fortigate cannot telnet into the badge reader: if I issue "execute telnet x.x.x.x 9999" the connection times out. FGT can telnet to other machines on the LAN. The problem seems to exist only between the FGT and the badge reader. All the machines (PC, servers) are on the same local subnet: they all go through a single switch that is connected to a LAN port on the FGT. Anyone have some clue?

emnoc
Esteemed Contributor III

Build an ippool of the VIP public address and call that in a policy with telnet:

config firewall policy
    edit 0
        set srcintf <xxxx>
        set dstintf <yyyy>
        set action accept
        set srcaddr <insert inside host obj>
        set dstaddr <insert dst host obj>
        set nat enable
        set ippool enable
        set poolname <insert the earlier firewall ippool name>
        set schedule always
        set service TELNET PING
    next
end

 

PCNSE NSE StrongSwan
Treuz
New Contributor

I tried but it still doesn't work... this is my configuration:

 

config firewall policy
    edit 23
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Badge Reader VIP"
        set action accept
        set schedule "always"
        set service "PING" "tcp_9999" "TELNET"
        set logtraffic all
        set nat enable
        set fixedport enable
        set ippool enable
        set poolname "VIP public"
    next
end

rwpatterson
Valued Contributor III

Chances are it is simply a misconstructed custom service. Source port range is 1024(or 0)-65535 and the destination port range would be 9999-9999. I'll bet you have 9999 in the source as well. That would definitely make the WAN access fail. I can't say anything toward the Fortigate's access to the device. Also in the policy you posted above, disable NAT and remove the IPPool settings (unset them). IP Pools are source NAT settings. You don't wish to change the incoming IP addresses to that of your Fortigate, do you? NAT should only need to be enabled on outward (WAN) facing policies to mask private IP addresses from reaching the Internet. ISPs won't let them out anyway, but that's another story...

 

You could probably toss the 'fixedport enable' as well.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

emnoc
Esteemed Contributor III

That policy looks very bad. 1st, are you trying to ACCESS the VIP from wan1, or is the mapped address behind the VIP trying to access something over the internet on port 9999?

 

 

You're not clear on what you're doing, but you need to clarify: is this internet <outward> or <inward> from the internet to the mapped inside host?

 

PCNSE NSE StrongSwan
Treuz
New Contributor

Ok perhaps I've misunderstood your suggestion and the policies were messed up.

 

This is my first version of the VIP/Policy, before opening this thread:

 

config firewall vip
    edit "Badge Reader VIP"
        set extip x.x.x.x
        set extintf "any"
        set portforward enable
        set mappedip "192.168.168.210"
        set extport 9999
        set mappedport 9999
    next
end

config firewall policy
    edit 23
        set name "Telnet 9999"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Badge Reader VIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

 

I have configured several services on the Fortigate to be accessible from the internet and all of them have an almost identical configuration. I'm having problems just with this badge reader. Maybe it's this custom device that is, in some way, corrupted?

rwpatterson
Valued Contributor III

I have never set up a Virtual IP with the source interface of 'any'. I feel it's poor programming, especially if you know that all of your connections are coming from a single interface. Did you try setting that to 'wan1' instead?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Treuz

You're right, I was supposed to set wan1 as the source interface. I just tried, but unfortunately nothing changed; I still cannot telnet to the device from the public IP nor from the firewall.

Tomorrow I'll try connecting the other end of the cable straight into one of the FGT ports and let's see if this solves it.

emnoc
Esteemed Contributor III

FWIW

Any in the VIP is okay. Now, is the mapped IP address correct? Is the inside interface correct?

Did you run diag debug flow cmds to ensure it's 1st hitting your outside VIP and being DNAT'd?

 

PCNSE NSE StrongSwan
emnoc
Esteemed Contributor III

Okay, the diag trace shows you're denied. It's a strange trace btw. Let's go over your setup, since you presented mainly items and maybe confusion in all of it ;)

Can you ping the device from the FortiGate, but telnet fails? Correct? Nothing from the internet upstream blocks 9999?

 

Your VIP is facing the internet and the internal host is { 192.168.168.210 }

 

 

config firewall address
    edit host_192.168.168.210
        set subnet 192.168.168.210/32
    next
end

( example; extip is the address presented to the customer )

config firewall vip
    edit "VIP9999"
        set uuid cc4a02ce-2f25-51e5-06f9-f0b57d8d1eca
        set extip x.x.x.x
        set extintf "WAN"
        set mappedip 192.168.168.210
        set portforward enable
        set protocol tcp
        set extport 9999
        set mappedport 9999
    next
end

config firewall service custom
    edit TCP9999
        set tcp-portrange 9999
    next
end

config firewall policy
    edit 0
        set srcintf wan1
        set dstintf lan1
        set srcaddr all
        set dstaddr VIP9999
        set action accept
        set schedule always
        set service TCP9999 PING
    next
end

 

!!!!! DO NOT  ENABLE NAT ON THAT POLICY !!!!!!

 

Does your firewall policy look anything like that, and has NO nat enabled?

If not, can you make it so and retest?

 

 

 

PCNSE NSE StrongSwan
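Added example, not code from the thread or from Fortinet: a small Python check that parses config in the shape the replies post and flags the mistakes called out above (NAT or an ippool on an inbound VIP policy, per rwpatterson and emnoc, and a custom service whose tcp-portrange also pins the source port, per rwpatterson). The sample config is constructed, and the dst-range:src-range reading of tcp-portrange is assumed.

```python
import shlex
# Constructed sample (not from the thread): an inbound VIP policy with the mistakes the replies call out.
SAMPLE = """
config firewall vip
    edit "Badge Reader VIP"
        set mappedip "192.168.168.210"
    next
end
config firewall service custom
    edit "tcp_9999"
        set tcp-portrange 9999:9999-9999
    next
end
config firewall policy
    edit 23
        set dstaddr "Badge Reader VIP"
        set service "tcp_9999" "TELNET"
        set nat enable
        set ippool enable
    next
end
"""
def parse_fortios(text):
    # config <section>/edit <name>/set k v../next/end -> {section: {name: {key: [values]}}}
    cfg, section, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]  # shlex strips the quotes around names
        if tok[0] == "config":
            section = " ".join(tok[1:])
        elif tok[0] == "edit":
            entry = tok[1]
            cfg.setdefault(section, {})[entry] = {}
        elif tok[0] == "set" and entry is not None:
            cfg[section][entry][tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
    return cfg

def lint_inbound_vip_policies(cfg):
    # (policy id, finding) for policies whose dstaddr is a VIP, i.e. inbound DNAT
    vips, svcs = set(cfg.get("firewall vip", {})), cfg.get("firewall service custom", {})
    out = []
    for pid, p in cfg.get("firewall policy", {}).items():
        if vips & set(p.get("dstaddr", [])):  # outbound policies: source NAT is expected
            out += [(pid, f"{k} enabled on inbound VIP policy")
                    for k in ("nat", "ippool") if p.get(k) == ["enable"]]
            for s in p.get("service", []):  # assumed tcp-portrange syntax: dst-range[:src-range]
                out += [(pid, f"service {s} pins source port {r.split(':')[1]}")
                        for r in svcs.get(s, {}).get("tcp-portrange", []) if ":" in r]
    return out
```

Run it over a pasted `show firewall policy` / `show firewall vip` / `show firewall service custom` dump; a clean inbound port-forward policy like the one emnoc posted produces no findings.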
Treuz
New Contributor

My configuration looks almost identical, except that I don't have a custom address or service set up:

config firewall vip
    edit "badge reader"
        set extip x.x.x.x
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.168.210"
        set extport 9999
        set mappedport 9999
    next
end

config firewall policy
    edit 23
        set name "Telnet 9999"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "badge reader"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

 

Nothing changed, I'm still not able to telnet into the device from the internet. Just to recap: my laptop (192.168.168.32) is able to ping and telnet to the device. The Fortigate (192.168.168.1) is not able to ping nor telnet.
