Can't view IP DVR from WAN - Fortigate 60C

Author
vorak
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/05/21 12:33:38
  • Status: offline
2018/05/21 13:04:53 (permalink)
0

Can't view IP DVR from WAN - Fortigate 60C

Hi!
 
Today I'm facing a problem with a FortiGate 60C in transparent mode placed between a Cisco RV320 router and a Cisco SG200-26 L2 switch. I have an IP DVR connected to the switch and want to view live cameras from outside. Port forwarding is set at the router as well as DDNS.
 
When I set up the device in our cam viewer software using DDNS, it appears as connected and available, but when I try to view live cameras, video isn't showing at all and I get a "device is offline" error although the device appears as connected in the device list. If I try to view recorded video or the remote config of the DVR, I can do it. It seems the problem is only when trying to view live.
 
I've added the used port (8003) as a service under Objects on the Policy & Objects config page, and I've also set the IPv4 policy from internal to WAN to allow, but still no luck.
 
If I connect IP DVR outside FortiGate but still under RV320, remote access/view is working fine.
 
Find attached a couple of screenshots with RV320 and FortiGate configuration.
 
Hope you can help. Regards.
#1
ericli_FTNT
Gold Member
  • Total Posts : 127
  • Scores: 4
  • Reward points: 0
  • Joined: 2018/02/08 11:12:27
  • Status: offline
Re: Can't view IP DVR from WAN - Fortigate 60C 2018/05/22 10:53:54 (permalink)
0
Hi vorak,
 
I didn't find any attachment here. Can you double check it?
#2
vorak
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/05/21 12:33:38
  • Status: offline
Re: Can't view IP DVR from WAN - Fortigate 60C 2018/05/22 13:48:25 (permalink)
0
Sorry, now I've uploaded them :)
 
Fortinet Policies below:

 
Cisco open port:

 
Regards.
#3
ericli_FTNT
Gold Member
  • Total Posts : 127
  • Scores: 4
  • Reward points: 0
  • Joined: 2018/02/08 11:12:27
  • Status: offline
Re: Can't view IP DVR from WAN - Fortigate 60C 2018/05/23 09:46:27 (permalink)
0
vorak
Sorry, now I've uploaded them :)
 
Fortinet Policies below:

 
Cisco open port:

 
Regards.




Can you view your attachment correctly?
#4
vorak
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/05/21 12:33:38
  • Status: offline
Re: Can't view IP DVR from WAN - Fortigate 60C 2018/05/23 09:58:54 (permalink)
0
Yes I can; actually it is not a full screenshot, I cut out just the section of the configuration.
post edited by vorak - 2018/05/23 10:00:23
#5
rwpatterson
Expert Member
  • Total Posts : 8282
  • Scores: 181
  • Reward points: 0
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
  • Status: online
Re: Can't view IP DVR from WAN - Fortigate 60C 2018/05/23 10:16:16 (permalink)
0
The 'DVR 1' object needs to be a Virtual IP not an address object. I cannot tell from what's posted what you have there. It should in addition be a port forwarded VIP using whatever you want on the outside to the correct IP port on the inside.
 
Could you give us the definition of that object if it is a Virtual IP object?
 
Lastly, the direction is incorrect. It should be outside-any -> to -> inside-Virtual IP object with the correct service for the inside port.
 
The policy in position two will never get used since policies are encountered from the top down and the first policy is a global any-any so all traffic will use it. IF the second one worked, it would simply allow any INSIDE object out the firewall using the 'DVR 1' service group.
post edited by rwpatterson - 2018/05/23 10:21:44

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.19-b0694
FWF60B
FWF80CM (4)
FWF81CM (2)
 
#6
vorak
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/05/21 12:33:38
  • Status: offline
Re: Can't view IP DVR from WAN - Fortigate 60C 2018/05/23 10:38:50 (permalink)
0
rwpatterson
The 'DVR 1' object needs to be a Virtual IP not an address object. I cannot tell from what's posted what you have there. It should in addition be a port forwarded VIP using whatever you want on the outside to the correct IP port on the inside.
 
Could you give us the definition of that object if it is a Virtual IP object?
 
Lastly, the direction is incorrect. It should be outside-any -> to -> inside-Virtual IP object with the correct service for the inside port.
 
The policy in position two will never get used since policies are encountered from the top down and the first policy is a global any-any so all traffic will use it. IF the second one worked, it would simply allow any INSIDE object out the firewall using the 'DVR 1' service group.




It seems I cannot add VIPs because of the Transparent mode, at least I can't see the option.
 

 
I've deleted the second rule as well.
#7
ericli_FTNT
Gold Member
  • Total Posts : 127
  • Scores: 4
  • Reward points: 0
  • Joined: 2018/02/08 11:12:27
  • Status: offline
Re: Can't view IP DVR from WAN - Fortigate 60C 2018/05/23 11:26:36 (permalink)
0
vorak
rwpatterson
The 'DVR 1' object needs to be a Virtual IP not an address object. I cannot tell from what's posted what you have there. It should in addition be a port forwarded VIP using whatever you want on the outside to the correct IP port on the inside.
 
Could you give us the definition of that object if it is a Virtual IP object?
 
Lastly, the direction is incorrect. It should be outside-any -> to -> inside-Virtual IP object with the correct service for the inside port.
 
The policy in position two will never get used since policies are encountered from the top down and the first policy is a global any-any so all traffic will use it. IF the second one worked, it would simply allow any INSIDE object out the firewall using the 'DVR 1' service group.




It seems I cannot add VIPs because of the Transparent mode, at least I can't see the option.
 

 
I've deleted the second rule as well.




Right, vorak, you can't configure VIP in a TP firewall because VIP actually is a NAT.
#8
vorak
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/05/21 12:33:38
  • Status: offline
Re: Can't view IP DVR from WAN - Fortigate 60C 2018/05/23 11:31:20 (permalink)
0
ericli
vorak
rwpatterson
The 'DVR 1' object needs to be a Virtual IP not an address object. I cannot tell from what's posted what you have there. It should in addition be a port forwarded VIP using whatever you want on the outside to the correct IP port on the inside.
 
Could you give us the definition of that object if it is a Virtual IP object?
 
Lastly, the direction is incorrect. It should be outside-any -> to -> inside-Virtual IP object with the correct service for the inside port.
 
The policy in position two will never get used since policies are encountered from the top down and the first policy is a global any-any so all traffic will use it. IF the second one worked, it would simply allow any INSIDE object out the firewall using the 'DVR 1' service group.




It seems I cannot add VIPs because of the Transparent mode, at least I can't see the option.
 

 
I've deleted the second rule as well.




Right, vorak, you can't configure VIP in a TP firewall because VIP actually is a NAT.




So... am I not going to be able to view my DVR remotely? Unless I change from Transparent Mode to NAT and have the VIPs set up? Is there a solution under my current configuration?
 
I want to keep my network clean from NAT.
#9
rwpatterson
Expert Member
  • Total Posts : 8282
  • Scores: 181
  • Reward points: 0
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
  • Status: online
Re: Can't view IP DVR from WAN - Fortigate 60C 2018/05/23 11:56:21 (permalink)
0
I stand corrected. I missed the transparent piece.

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.19-b0694
FWF60B
FWF80CM (4)
FWF81CM (2)
 
#10
vorak
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/05/21 12:33:38
  • Status: offline
Re: Can't view IP DVR from WAN - Fortigate 60C 2018/05/23 12:05:10 (permalink)
0
rwpatterson
I stand corrected. I missed the transparent piece.




Alright, I think that transparent mode exists to avoid messing with ports and network config, so why is DVR remote traffic passing partially? Is the 8003 port being blocked? Is it something that I'm missing?
#11
ericli_FTNT
Gold Member
  • Total Posts : 127
  • Scores: 4
  • Reward points: 0
  • Joined: 2018/02/08 11:12:27
  • Status: offline
Re: Can't view IP DVR from WAN - Fortigate 60C 2018/05/23 14:57:40 (permalink)
0
If you want to avoid NAT in your network, how about PAT?
 
A TP firewall is a layer-2 device. You can't configure NAT (layer-3) or PAT (layer-4) on it.
post edited by ericli_FTNT - 2018/05/23 15:14:00
#12
vorak
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/05/21 12:33:38
  • Status: offline
Re: Can't view IP DVR from WAN - Fortigate 60C 2018/05/23 17:16:21 (permalink)
0
ericli
If you want to avoid NAT in your network, how about PAT?
 
A TP firewall is a layer-2 device. You can't configure NAT (layer-3) or PAT (layer-4) on it.




Port Address Translation is a configuration set up under NAT, so I'm going to discard it as an option.
 
Why is FortiGate blocking only the live view? I tried disabling av, web filter, application control from policy with no luck, I think I'm not going anywhere to solve this.
#13
ericli_FTNT
Gold Member
  • Total Posts : 127
  • Scores: 4
  • Reward points: 0
  • Joined: 2018/02/08 11:12:27
  • Status: offline
Re: Can't view IP DVR from WAN - Fortigate 60C 2018/05/23 17:21:20 (permalink)
0
Hi,
Can you figure out "source ip, source port, destination ip, destination port" of the video traffic? If so, we could try to get debug information.
#14
vorak
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/05/21 12:33:38
  • Status: offline
Re: Can't view IP DVR from WAN - Fortigate 60C 2018/05/24 11:22:54 (permalink)
0
ericli
Hi,
Can you figure out "source ip, source port, destination ip, destination port" of the video traffic? If so, we could try to get debug information.


Thanks ericli, here is the info you requested:
 
Source IP: Any
Source Port: 8003
Destination IP: 192.168.2.3 (public is dynamic resolved by DDNS)
Destination Port: 8003
 
Hope this can come in handy.
 
Now I've set up a VPN tunnel on my RV320; when connecting, either PPTP or IPSec (Cisco group auth) allows me to watch live cameras. I thought this info could be useful too.
 
Regards.
post edited by vorak - 2018/05/24 11:25:44
#15
ericli_FTNT
Gold Member
  • Total Posts : 127
  • Scores: 4
  • Reward points: 0
  • Joined: 2018/02/08 11:12:27
  • Status: offline
Re: Can't view IP DVR from WAN - Fortigate 60C 2018/05/24 14:57:57 (permalink)
0
Please try these 3 commands and paste the output here, thanks!
 
diagnose debug enable
diagnose debug flow filter dport 8003
diagnose debug flow trace start 3

 
 
#16
zhunissov4
Gold Member
  • Total Posts : 229
  • Scores: 18
  • Reward points: 0
  • Joined: 2015/10/12 04:00:01
  • Status: offline
Re: Can't view IP DVR from WAN - Fortigate 60C 2018/05/24 20:19:06 (permalink)
0
Hello @vorak,
 
If everything is OK with your port forwarding and DDNS on the router, please try this for testing:
1) delete all current policies
2) set a policy from any to any with all services.
 
An FG in transparent mode should work as an L2 device and allow traffic which was allowed by the router.
 
 
 
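The two points made in this thread about the policy table, rwpatterson's note in #5 that policies are evaluated top-down so a global any-any policy in position one shadows everything below it, and zhunissov4's any-any isolation test in #16, can be checked with a small first-match model. The code below is an added example, not FortiGate code or anything posted in the thread; it only models first-match selection and shadowing. The DVR address 192.168.2.3 and TCP port 8003 come from the thread; the interface names, the external address 203.0.113.10 and the wan->internal policy 3 are constructed assumptions.

```python
"""First-match policy evaluation and shadowed-rule detection (added example).

Models a top-down firewall policy table: the first policy that matches a
session-initiating flow decides, and a policy whose fields are all covered by
an earlier policy can never be reached. Not FortiGate's real engine.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    pid: int
    srcintf: Optional[str]   # None means 'any'
    dstintf: Optional[str]
    srcaddr: Optional[str]   # CIDR string, None means 'all'
    dstaddr: Optional[str]
    proto: Optional[str]     # 'tcp' / 'udp', None means any protocol
    dport: Optional[int]     # None means any port
    action: str              # 'accept' or 'deny'


@dataclass(frozen=True)
class Flow:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: int


def _addr_match(cidr: Optional[str], ip: str) -> bool:
    return cidr is None or ip_address(ip) in ip_network(cidr, strict=False)


def matches(p: Policy, f: Flow) -> bool:
    """True if the flow falls inside every field of the policy."""
    return (p.srcintf in (None, f.srcintf)
            and p.dstintf in (None, f.dstintf)
            and _addr_match(p.srcaddr, f.src)
            and _addr_match(p.dstaddr, f.dst)
            and p.proto in (None, f.proto)
            and p.dport in (None, f.dport))


def evaluate(policies: List[Policy], f: Flow) -> Tuple[int, str]:
    """Walk the table top-down; first match wins, otherwise implicit deny (id 0)."""
    for p in policies:
        if matches(p, f):
            return p.pid, p.action
    return 0, "deny"


def _addr_covers(a: Optional[str], b: Optional[str]) -> bool:
    """True if address field a (earlier policy) contains address field b."""
    if a is None:
        return True
    if b is None:
        return False
    return ip_network(b, strict=False).subnet_of(ip_network(a, strict=False))


def covers(earlier: Policy, later: Policy) -> bool:
    """True if every flow 'later' could match is already matched by 'earlier'."""
    scalar = all(getattr(earlier, k) in (None, getattr(later, k))
                 for k in ("srcintf", "dstintf", "proto", "dport"))
    return (scalar and _addr_covers(earlier.srcaddr, later.srcaddr)
            and _addr_covers(earlier.dstaddr, later.dstaddr))


def shadowed(policies: List[Policy]) -> List[int]:
    """Ids of policies that can never be reached because an earlier one covers them."""
    return [later.pid for i, later in enumerate(policies)
            if any(covers(e, later) for e in policies[:i])]


DVR = "192.168.2.3/32"

# Constructed to mirror the table described in the thread: policy 1 is
# internal->wan any/any/ALL, policy 2 is internal->wan from the DVR on tcp/8003.
POSTED = [
    Policy(1, "internal", "wan", None, None, None, None, "accept"),
    Policy(2, "internal", "wan", DVR, None, "tcp", 8003, "accept"),
]

# The inbound direction rwpatterson points at: a viewer outside connects to the DVR.
# 203.0.113.10 is a constructed external address.
INBOUND = Flow("wan", "internal", "203.0.113.10", "192.168.2.3", "tcp", 8003)

# Assumed wan->internal policy naming the DVR address and the tcp/8003 service.
CORRECTED = POSTED + [Policy(3, "wan", "internal", None, DVR, "tcp", 8003, "accept")]

# zhunissov4's isolation test: one wide-open policy, so anything still failing
# is not being blocked by the policy table.
TEST_ANY_ANY = [Policy(99, None, None, None, None, None, None, "accept")]

if __name__ == "__main__":
    print("shadowed in posted table:", shadowed(POSTED))
    print("inbound, posted table:   ", evaluate(POSTED, INBOUND))
    print("inbound, corrected table:", evaluate(CORRECTED, INBOUND))
    print("inbound, any-any test:   ", evaluate(TEST_ANY_ANY, INBOUND))
```

Running it reports policy 2 as shadowed by policy 1, an implicit deny for the inbound 8003 flow under the posted table, an accept under policy 3 once a wan->internal policy exists, and an accept under the any-any test. The model matches only the direction that opens a session; reply packets of an established session are not re-evaluated against the table, which is why the internal->wan policies alone say nothing about connections that start outside.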