HTTPS Forwarding not working correctly

Page: 12 > Showing page 1 of 2
Author
m84_2019
New Member
  • Total Posts : 10
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/07/01 23:25:57
  • Status: offline
2019/07/01 23:32:41 (permalink)
0

HTTPS Forwarding not working correctly

Hi all,
 
Running v6.2 firmware and not able to perform a simple port forward to an internal HTTPS server. Is there something odd in the Fortinet logic, or is it a known issue?
 
Trying to access an internal HTTPS server from outside, I've set up a NAT (Virtual IP) for the external IP and the internal IP of the web server, using port 445 on the outside and 443 inside. Added the corresponding IPv4 policy to allow HTTPS traffic through.
 
When browsing the external IP on https://x.x.x.x:445 I'm receiving the FortiGate login page rather than the expected internal web server. The NAT doesn't appear to be working as it should. What's wrong with the above config?
#1


    Dave Hall
    Expert Member
    • Total Posts : 1458
    • Scores: 160
    • Reward points: 0
    • Joined: 2012/05/11 07:55:58
    • Location: Canada
    • Status: offline
    Re: HTTPS Forwarding not working correctly 2019/07/02 07:07:48 (permalink)
    0
    By default FortiGate management uses port 443. If you want to use this port in a VIP or port forward, you need to change the HTTPS port for accessing the FortiGate's GUI, e.g.
     
    config system global
    set admin-sport 8443
    end

    Your VIP or port forward for 443 should work after this change.  Just remember after this change, you need to use xx.xx.xx.xx:8443 (as an example) to access the Fortigate directly.

    NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
    #2
    m84_2019
    Re: HTTPS Forwarding not working correctly 2019/07/02 21:21:08 (permalink)
    Yeah I get that I can change the port on the management/SSLVPN or internal server but I am surprised that it cannot NAT to anything on the same external IP with internal TCP port of 443, even if the external port and internal IP are different.
     
    This would appear to be a bug/limitation of the Fortigate.
    #3
    hubertzw
    Gold Member
    • Total Posts : 192
    • Scores: 5
    • Reward points: 0
    • Joined: 2018/04/16 13:29:04
    • Status: offline
    Re: HTTPS Forwarding not working correctly 2019/07/03 16:23:24 (permalink)
    0
    It isn't a limitation. You can't have two services running on the same IP & port.
    #4
    m84_2019
    Re: HTTPS Forwarding not working correctly 2019/07/03 21:36:22 (permalink)
    There's nothing running on port 445.
    #5
    Dave Hall
    Re: HTTPS Forwarding not working correctly 2019/07/04 07:10:15 (permalink)
    Then there shouldn't be anything stopping you from changing the sport port to 445.
     
    Quoting m84_2019:
    There's nothing running on port 445.

    Attached Image(s)
    NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
    #6
    Grave_Rose
    Bronze Member
    • Total Posts : 25
    • Scores: 4
    • Reward points: 0
    • Joined: 2017/08/11 10:54:59
    • Status: offline
    Re: HTTPS Forwarding not working correctly 2019/07/05 06:55:34 (permalink)
    0
    Hi m84_2019,
     
    You say that when you access hxxp://y.y.y.y:445 that you're given a FortiGate login page. Can you let us know which login page you're seeing:
    1. Administrative login
    2. SSL VPN login
    Try logging in as your 'admin' account and if you're given the actual FortiGate system, then it's number one. If you don't get anything or if you log in as an SSL VPN user and get the SSL VPN portal, then it's number two.
     
    That being said, what hubertzw mentioned is true in that you can't have two services on the same port on the same IP. Since you're getting an actual login page, there is a service running on that port. Now, it could be that you've bound your SSL VPN to TCP/445 or your administrative page to TCP/445 but it's also possible that the VIP you have configured is set to an internal/DMZ IP address on the FortiGate instead of the webserver or you've done some sort of funky NAT by accident which is forcing the traffic to land on the FortiGate instead of your webserver.
     
    Can you post the configuration of your VIP object, the firewall rule it should be using, the SSL VPN settings you have configured as well as the administrative settings? This will help everyone check the above mentioned items. Feel free to sanitize with fake IP addresses but make sure the Layer-4 information isn't sanitized so we can see what's actually happening there.
     
    Cheers,
     
    Sean (Gr@ve_Rose)
    #7
    m84_2019
    Re: HTTPS Forwarding not working correctly 2019/07/06 21:54:12 (permalink)
    "That being said, what hubertzw mentioned is true in that you can't have two services on the same port on the same IP. "
     
    SSL VPN/admin page are not bound to 445. I'm fully aware that two services cannot be run on the same port and same IP and never stated that anything was on the same IP/Port in my posts.
     
    If I set up a NAT for my external IP on 445 to an internal IP (not the FortiGate!) on 443, the FortiGate responds with the login page because it does not NAT properly to the internal IP; it is clearly responding itself. I can indeed change the port to something else internally, but the point is that the FortiGate should not respond with its login page.
    #8
    Grave_Rose
    Re: HTTPS Forwarding not working correctly 2019/07/06 22:25:48 (permalink)
    I know that your admin and SSL VPN pages aren't bound to TCP/445 and I never said they were. Other people have said that and seem to be trying to help you with that but I know what you're trying to do. You've got an HTTPS server on the inside that you're trying to create either a Static NAT or Static PAT on TCP/445 on the outside to point to TCP/443 on the inside. Easy-peasy.
     
    But I (and others) can't help you if you don't provide some more detail. Is there any way you can provide the information I asked about above? With that, it'll be much easier to figure out what's actually happening and causing the issue you're seeing and we can offer suggestions on how to fix it. :)
     
    Cheers,
     
    Sean (Gr@ve_Rose)
    #9
    m84_2019
    Re: HTTPS Forwarding not working correctly 2019/07/06 22:28:49 (permalink)
    I understand that, but as it's a simple NAT there isn't any need to post the config. I wanted to ask around to see if it's a known issue. It doesn't seem like it is, so I'll push this to the Fortinet support team.
    #10
    emnoc
    Expert Member
    • Total Posts : 5209
    • Scores: 339
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: online
    Re: HTTPS Forwarding not working correctly 2019/07/07 00:29:42 (permalink)
    0
    Quoting m84_2019:
    Trying to access an internal HTTPS server from outside, I've set up a NAT (Virtual IP) for the external IP and the internal IP of the web server, using port 445 on the outside and 443 inside. Added the corresponding IPv4 policy to allow HTTPS traffic through.
     
    and
     
    When browsing the external IP on https://x.x.x.x:445
     
    We would have to see your DNAT VIP and FW policy. Everything else mentioned about service ports should not be applicable here, nor anything else stated, unless you changed the admin port of the firewall to 445.
     
    FWIW, TCP port 445 is NOT an admin port for any FortiGate. You can quickly determine this by looking at your config sys global and checking if you have set TCP port 445 for admin. If you have, then Dave and others already gave you the reason and the fix.
     
    Ken Felix

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #11
    m84_2019
    Re: HTTPS Forwarding not working correctly 2019/07/07 00:33:23 (permalink)
    I'm well aware that 445 is not used by Fortigate hence the reason to select it. It is however used internally on 443 and I suspect it's not able to NAT correctly internally to a different IP when using 443.
     
    David provided a workaround, this is not a fix.
    #12
    emnoc
    Re: HTTPS Forwarding not working correctly 2019/07/07 08:35:13 (permalink)
    No, you're still confused. Dave provided you the fix, not a workaround. You are not listening to the wise information given to you.
     
    You need to show your config and determine if your admin port is 445. It seems like it is. As far as NAT, the DNAT VIP does that automatically, so there is no need for NAT in the FW policy.
     
    Ken Felix
    post edited by emnoc - 2019/07/07 08:38:59

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #13
    Grave_Rose
    Re: HTTPS Forwarding not working correctly 2019/07/07 09:03:57 (permalink)
    Hey m84_2019

    Just had a thought... Do you have any NAT applied in the firewall rule for your inbound traffic? If so, disable NAT and it should work.

    Sean (Gr@ve_Rose)
    #14
    m84_2019
    Re: HTTPS Forwarding not working correctly 2019/07/07 09:05:12 (permalink)
    Let me spell out the difference for you.
     
    Workaround: Changing the internal web server port to allow access remotely OR changing the SSL VPN/admin port on the FortiGate.
     
    Fix: FortiGate allows port 445 (any free external port) externally on its own IP to an internal web server IP on 443 (HTTPS).
     
    Rather than becoming obnoxious, read the facts in my post. The admin port is not running on 445.
    #15
    m84_2019
    Re: HTTPS Forwarding not working correctly 2019/07/07 09:08:43 (permalink)
    @Grave_Rose. Yes, I had already tried that for the rule related to that traffic.
    #16
    Grave_Rose
    Re: HTTPS Forwarding not working correctly 2019/07/07 10:26:13 (permalink)
    Did you still get the login page when you disabled NAT? Is it still set to disabled? Make sure it is disabled for the next test. Run a PCap on the server interface:

    diag sniffer packet port1 'host 10.20.30.40 and port 443' 6 10

    Replace 10.20.30.40 with the internal IP of your webserver and port1 with the proper interface. Do you see the SYN packet go to your webserver? If so, do you see the SYN/ACK reply? Is the destination port 443 and the protocol 6? If you can post the PCap output, we can look at it as well.

    Sean (Gr@ve_Rose)
    #17
    Grave_Rose
    Re: HTTPS Forwarding not working correctly 2019/07/07 16:22:15 (permalink)
    Oh, one other thing to check... When you set up the VIP, did you specify that it was PAT and not NAT? On mobile right now so I can't check, but I believe the option is just called "Port Forwarding" in the VIP object.
     
    *Edit
    So I'm back in front of a box, and the clue to this was when you said "its own IP", which meant that you're doing Static PAT and not Static NAT as I (as well as others, probably) assumed. This is why it seemed so strange, at least to me. :) I've got the same thing configured at home with my 'Gate, but for remote syslog. I was going to attach both screenshots, but apparently I can only attach one file, so I've added a screenshot of my VIP object. Just use this object in your policy (make sure NAT is disabled) and you should be good to go. Set the "External Service Port" to 445 and the "Map to Port" as 443. Bingo-bango-bongo, you're all set. Hope this helps.
     
    Sean (Gr@ve_Rose)
    post edited by Grave_Rose - 2019/07/08 08:26:00

    Attached Image(s)
    #18
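    The Static PAT that Sean describes above, written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet's documentation; the interface names (wan1, internal), the addresses, the object names and the custom TCP/445 service are placeholders, and the custom service assumes that the policy service is matched on the VIP's external port.

```text
# Added example, not from the thread: FortiOS CLI for the Static PAT Sean
# describes (external TCP/445 -> internal TCP/443). Interface names,
# addresses and object names are placeholders.

# Port-forwarding VIP. "portforward enable" is the GUI "Port Forwarding"
# toggle; extport/mappedport are "External Service Port" / "Map to Port".
# 445 must not collide with admin-sport; check: get system global | grep admin-sport
config firewall vip
    edit "vip-web-445-to-443"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.20.30.40"
        set extport 445
        set mappedport 443
    next
end

# Explicit service for the external port instead of "ALL" (assumption:
# the policy service is matched on the VIP's external port, so the
# built-in HTTPS/443 service would not match this traffic).
config firewall service custom
    edit "TCP-445-web"
        set tcp-portrange 445
    next
end

# Inbound policy: destination is the VIP object and NAT (source NAT) is
# disabled, as in post #18. The VIP already performs the DNAT; SNAT here
# would only hide the real client address from the web server.
config firewall policy
    edit 0
        set name "inbound-web-445"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-web-445-to-443"
        set action accept
        set schedule "always"
        set service "TCP-445-web"
        set nat disable
        set logtraffic all
    next
end
```

    Keeping logtraffic on the policy lets you confirm in the forward log that sessions to extip:445 hit this policy rather than being answered by the FortiGate itself.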
    m84_2019
    Re: HTTPS Forwarding not working correctly 2019/07/09 02:47:20 (permalink)
    Yes this was already done in the original post.
    #19
    Grave_Rose
    Re: HTTPS Forwarding not working correctly 2019/07/09 06:19:52 (permalink)
    Hrm... Okay. Without your config, I've got one last idea. Run the following commands. Replace 1.2.3.4 with an external host that you can test with, which you will only use for this test. We don't want to capture any traffic which isn't destined for your public IP address on TCP/445. Make sure you have your SSH session logging output or have a large enough scroll-back buffer, since this will generate a lot of information:
     
    diagnose debug disable
    diagnose debug flow trace stop
    diagnose debug flow filter clear
    diagnose debug reset
    diagnose debug flow show function-name enable
    diagnose debug flow show iprope enable
    diagnose debug flow filter addr 1.2.3.4
    diagnose debug flow trace start 5
    diagnose debug enable
     
    With this running, connect to hxxps://y.y.y.y:445 from 1.2.3.4 and it should load up the login page as it has been already. You should have a lot of information in the debugs on your SSH session. Stop the debug with:
     
    diagnose debug disable
     
    If you can, post the output of that to the thread and we can see what's happening on the firewall from an internal processing view.
     
    Sean (Gr@ve_Rose)
    #20
    © 2019 APG vNext Commercial Version 5.5