Support Forum
m84_2019
New Contributor

HTTPS Forwarding not working correctly

Hi all,

 

Running v6.2 firmware and not able to perform a simple port forward to an HTTPS server internally, something odd in the Fortinet logic or is it a known issue?

 

Trying to access an internal HTTPS server from outside, I've setup a NAT (Virtual IP) for the external IP, internal IP of the web server and using port 445 on the outside and 443 inside.  Added the corresponding IPv4 policy to allow HTTPS traffic through.

 

When browsing the external IP on https://x.x.x.x:445 i'm receiving the Fortigate login page rather than the expected internal web server. The NAT doesn't appear to be working as it should, what's wrong with the above config?

20 replies
Dave_Hall
Honored Contributor

By default FortiGate management uses port 443 - if you want to use this port in a VIP or port forward, you need to change the HTTPS port for accessing the FortiGate's GUI, e.g.

config system global
    set admin-sport 8443
end

Your VIP or port forward for 443 should work after this change. Just remember that after this change you need to use xx.xx.xx.xx:8443 (as an example) to access the FortiGate directly.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

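As an added worked example (not posted by anyone in the thread), here is a complete FortiOS 6.2 CLI configuration for the forward the original poster describes: external TCP/445 on the WAN IP mapped to TCP/443 on an internal web server, together with the admin-sport change Dave_Hall suggests for the case where the external port should also be 443. All names and addresses are constructed: 203.0.113.10 is the WAN IP, 10.0.0.20 the web server, wan1 and internal the interface names. Lines starting with # are annotations, not CLI. Two practitioner caveats that the thread does not spell out: the firewall policy's service must match the external (pre-NAT) port of the VIP, so a custom TCP/445 service rather than the built-in HTTPS object, and TCP/445 is the SMB port, which many networks block outbound, so a less ambiguous external port avoids puzzling connectivity failures.

```fortios
# 1. If you also want 443 itself on the WAN IP, move the GUI (and, if used, SSL VPN)
#    off 443 first, otherwise the FortiGate's own listener answers instead of the VIP.
config system global
    set admin-sport 8443
end
config vpn ssl settings
    set port 10443
end

# 2. Management should not be reachable from the internet at all while you test:
#    keep https/ssh out of allowaccess on the WAN interface.
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

# 3. Port-forwarding VIP: external 203.0.113.10:445 -> 10.0.0.20:443 (constructed addresses).
config firewall vip
    edit "vip-web-445-to-443"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.0.0.20"
        set protocol tcp
        set extport 445
        set mappedport 443
    next
end

# 4. The policy is matched on the pre-NAT destination port (445), so define a custom
#    service for it; the built-in HTTPS (443) service would not match this traffic.
config firewall service custom
    edit "TCP-445"
        set tcp-portrange 445
    next
end

config firewall policy
    edit 0
        set name "inbound-web-445"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-web-445-to-443"
        set action accept
        set schedule "always"
        set service "TCP-445"
        set logtraffic all
    next
end

# 5. Verify from the CLI while a client connects to https://203.0.113.10:445 :
#    the flow trace shows whether the VIP's DNAT was applied and which policy matched,
#    or whether the packet was handled by the FortiGate itself.
diagnose debug flow filter port 445
diagnose debug flow trace start 10
diagnose debug enable
```

If the trace never shows the VIP being applied, re-check that extip is the address actually bound to wan1 and that extintf is the interface the traffic arrives on; if it does show the DNAT but no policy match, the service object is the usual culprit.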
m84_2019

Yeah I get that I can change the port on the management/SSLVPN or internal server but I am surprised that it cannot NAT to anything on the same external IP with internal TCP port of 443, even if the external port and internal IP are different.

 

This would appear to be a bug/limitation of the Fortigate.

hubertzw
Contributor III

It isn't a limitation. You can't have two services running on the same IP & port.

m84_2019

There's nothing running on port 445.

Dave_Hall
Honored Contributor

Then there shouldn't be anything stopping you from changing the admin-sport port to 445.

 

 

m84_2019 wrote:

There's nothing running on port 445.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Grave_Rose
New Contributor III

Hi m84_2019,

 

You say that when you access hxxp://y.y.y.y:445 you're given a FortiGate login page. Can you let us know which login page you're seeing:

1. Administrative login
2. SSL VPN login

Try logging in as your 'admin' account and if you're given the actual FortiGate system, then it's number one. If you don't get anything or if you log in as an SSL VPN user and get the SSL VPN portal, then it's number two.

 

That being said, what hubertzw mentioned is true in that you can't have two services on the same port on the same IP. Since you're getting an actual login page, there is a service running on that port. Now, it could be that you've bound your SSL VPN to TCP/445 or your administrative page to TCP/445 but it's also possible that the VIP you have configured is set to an internal/DMZ IP address on the FortiGate instead of the webserver or you've done some sort of funky NAT by accident which is forcing the traffic to land on the FortiGate instead of your webserver.

 

Can you post the configuration of your VIP object, the firewall rule it should be using, the SSL VPN settings you have configured as well as the administrative settings? This will help everyone check the above mentioned items. Feel free to sanitize with fake IP addresses but make sure the Layer-4 information isn't sanitized so we can see what's actually happening there.

 

Cheers,

 

Sean (Gr@ve_Rose)

Site: https://tcpdump101.com Twitter: https://twitter.com/Grave_Rose Reddit: https://reddit.com/r/tcpdump101 Discord: https://discordapp.com/invite/2MZCqn6
m84_2019

"That being said, what hubertzw mentioned is true in that you can't have two services on the same port on the same IP."

 

SSL VPN/admin page are not bound to 445. I'm fully aware that two services cannot be run on the same port and same IP and never stated that anything was on the same IP/port in my posts.

 

If I set up a NAT for my external IP on 445 to an internal IP (not the FortiGate!) on 443, the FortiGate responds with the login page because it does not NAT properly to the internal IP; it is clearly responding itself. I can indeed change the port to something else internally but the point is that the FortiGate should not respond with its login page.

Grave_Rose
New Contributor III

I know that your admin and SSL VPN pages aren't bound to TCP/445 and I never said they were. Other people have said that and seem to be trying to help you with that but I know what you're trying to do. You've got an HTTPS server on the inside that you're trying to create either a Static NAT or Static PAT on TCP/445 on the outside to point to TCP/443 on the inside. Easy-peasy.

 

But I (and others) can't help you if you don't provide some more detail. Is there any way you can provide the information I asked about above? With that, it'll be much easier to figure out what's actually happening and causing the issue you're seeing and we can offer suggestions on how to fix it. :)

 

Cheers,

 

Sean (Gr@ve_Rose)

m84_2019

I understand that, but as it's a simple NAT there isn't any need to post the config. I wanted to ask around to see if it's a known issue. It doesn't seem like it is, so I'll push this to the Fortinet support team.
