Fortigate Reverse Proxy not working when gateway deleted

Author
nbctcp
2020/02/14 01:47:49 (permalink) 6.2

Fortigate Reverse Proxy not working when gateway deleted

SW INFO:
-Fortigate 6.2.3 kvm eval license
 
PROBLEMS:
When WWW1 and WWW2 have a gateway IP configured, I can access both of them from the WAN,
but when I delete the gateway, I can no longer access them from the WAN.
My friend said that on FortiWeb a WWW server without a gateway works without any problem.
 
QUESTIONS:
1. Is the FortiGate not a 100% reverse proxy?
2. What is wrong with my config?
3. Do you think a WWW server without a gateway is possible?
tq 
 
CONFIGS:
# Global system settings. The admin ports are moved off their defaults; note that this
# only changes the port numbers - which interfaces expose management is decided by the
# per-interface "allowaccess" lines in "config system interface", not here.
config system global
# HTTPS admin GUI port (FortiOS default is 443).
set admin-sport 8443
# SSH admin port (FortiOS default is 22).
set admin-ssh-port 8022
set alias "FortiGate-VM64-KVM"
set gui-ipv6 enable
set hostname "FGT1"
set timezone 53
end
# Interfaces. port1 (10.0.1.11/24) is where the default route exits and where the VIP's
# external IP lives, so it appears to be the WAN-facing side; port3 (10.0.3.1/24) is the
# server segment holding the real servers 10.0.3.11 and 10.0.3.12. port2 and port4 have
# no address and are unused by the rest of this config.
config system interface
edit "port1"
set vdom "root"
set ip 10.0.1.11 255.255.255.0
# NOTE(review): management (https, ssh, plaintext http, fgfm) is enabled on the interface
# the default route leaves through. If this side really faces the WAN, drop http and
# limit admin access to trusted hosts, or remove management here and keep it on port3 only.
set allowaccess ping https ssh http fgfm
set type physical
next
edit "port2"
set vdom "root"
set type physical
next
edit "port3"
set vdom "root"
set ip 10.0.3.1 255.255.255.0
# Management from the server segment; no plaintext http on this side.
set allowaccess ping https ssh fgfm
set type physical
next
edit "port4"
set vdom "root"
set type physical
next
end
# Static routing. No "set dst" is given, so this is the default route (FortiOS treats a
# missing dst as 0.0.0.0/0), pointing at 10.0.1.2 inside port1's subnet.
config router static
edit 1
set gateway 10.0.1.2
set device "port1"
next
end
# Address object WWW-VIP. Its range 10.0.1.11-10.0.1.12 lies in port1's subnet, yet it is
# bound to port3, and neither policy in this listing references it (policy 2 matches the
# VIP object "www.ngtrain.com" directly). Looks like a leftover; removing it avoids
# confusion with the VIP's extip.
config firewall address
edit "WWW-VIP"
set type iprange
set associated-interface "port3"
set start-ip 10.0.1.11
set end-ip 10.0.1.12
next
end
# Server load-balance VIP: listens on port1 at 10.0.1.11:8000 (port1's own address,
# extport 8000) and distributes HTTP to two real servers on 10.0.3.0/24 port 80 using
# least-session balancing. The VIP only rewrites the destination; nothing here changes the
# client source address, so each real server sees the original client IP and needs a route
# back to it - which is exactly what breaks when the servers' gateway is removed (reply #1).
config firewall vip
edit "www.ngtrain.com"
set type server-load-balance
set extip 10.0.1.11
set extintf "port1"
set server-type http
# Health check named "1"; its definition (config firewall ldb-monitor) is not shown here.
set monitor "1"
set ldb-method least-session
set extport 8000
config realservers
edit 1
set ip 10.0.3.11
set port 80
next
edit 2
set ip 10.0.3.12
set port 80
next
end
next
end
# Policies (first attempt).
config firewall policy
# Policy 1: outbound from the server segment to port1, source-NATed to port1's address.
# NOTE(review): "all"/"ALL" egress from a server segment is broad; limiting it to what the
# web servers actually need (DNS, updates) reduces what a compromised server could reach.
edit 1
set name "DMZtoWAN"
set srcintf "port3"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
# Policy 2: inbound HTTP from port1 to the VIP, handled in proxy inspection mode. No
# security profiles appear in this listing, so proxy mode adds nothing yet. No NAT is set,
# so the real servers see the client's own address (see the VIP comment above) - this is
# the policy the thread's fix changes.
edit 2
set name "www.ngtrain.com"
set srcintf "port1"
set dstintf "port3"
set srcaddr "all"
set dstaddr "www.ngtrain.com"
set action accept
set schedule "always"
set service "HTTP"
set inspection-mode proxy
next
end

Attached Image(s)

#1
rdumitrescu
Re: Fortigate Reverse Proxy not working when gateway deleted 2020/02/14 02:19:44 (permalink)
You have to apply source NAT (using the outgoing interface address) on the policy from port1 to port3; otherwise the real server cannot reply, because without a gateway it has no route back to the client's address.
#2
nbctcp
Re: Fortigate Reverse Proxy not working when gateway deleted 2020/02/14 04:10:29 (permalink)
At last it is WORKING after I modified the config a bit. I don't know whether my method is correct or not.
I am following this:
https://kb.fortinet.com/k....do?externalId=FD31893
 
# Global system settings (unchanged from the first attempt). The admin ports are moved off
# their defaults; which interfaces expose management is decided by "allowaccess" in
# "config system interface", not here.
config system global
# HTTPS admin GUI port (FortiOS default is 443).
set admin-sport 8443
# SSH admin port (FortiOS default is 22).
set admin-ssh-port 8022
set alias "FortiGate-VM64-KVM"
set gui-ipv6 enable
set hostname "FGT1"
set timezone 53
end
# Interfaces (unchanged). port1 (10.0.1.11/24) carries the default route and the VIP's
# external IP, so it appears to be the WAN-facing side; port3 (10.0.3.1/24) is the server
# segment with the real servers 10.0.3.11 and 10.0.3.12. port2 and port4 are unused.
config system interface
edit "port1"
set vdom "root"
set ip 10.0.1.11 255.255.255.0
# NOTE(review): plaintext http and ssh management are still enabled on the interface the
# default route leaves through; if this side faces the WAN, drop http and restrict admin
# access to trusted hosts, or manage only via port3.
set allowaccess ping https ssh http fgfm
set type physical
next
edit "port2"
set vdom "root"
set type physical
next
edit "port3"
set vdom "root"
set ip 10.0.3.1 255.255.255.0
# Management from the server segment; no plaintext http on this side.
set allowaccess ping https ssh fgfm
set type physical
next
edit "port4"
set vdom "root"
set type physical
next
end
# Default route (no "set dst", so 0.0.0.0/0) via 10.0.1.2 on port1 - unchanged.
config router static
edit 1
set gateway 10.0.1.2
set device "port1"
next
end
# Address object WWW-VIP - still unreferenced by any policy in this listing and still
# mixing a port1-subnet range with an associated interface of port3; can be removed.
config firewall address
edit "WWW-VIP"
set type iprange
set associated-interface "port3"
set start-ip 10.0.1.11
set end-ip 10.0.1.12
next
end
# Server load-balance VIP (working version). Same listener 10.0.1.11:8000 on port1 and the
# same two HTTP real servers on port 80 as before. The health monitor from the first attempt
# is gone, so a failed real server is no longer detected and taken out of rotation.
config firewall vip
edit "www.ngtrain.com"
set type server-load-balance
set extip 10.0.1.11
set extintf "port1"
set server-type http
# Presumably source-NATs traffic originated by the real servers to the VIP's extip
# (10.0.1.11) instead of port1's interface address - the same IP here. If that reading
# is right it is not what fixed the reply path for inbound sessions; "nat enable" on
# policy 2 below is (verify against the linked KB article).
set nat-source-vip enable
# NOTE(review): how srcintf-filter "port3" interacts with a fixed extintf of "port1" is
# not obvious from this listing - confirm it is actually needed before keeping it.
set srcintf-filter "port3"
set ldb-method least-session
set extport 8000
config realservers
edit 1
set ip 10.0.3.11
set port 80
next
edit 2
set ip 10.0.3.12
set port 80
next
end
next
end
# Policies (working version).
config firewall policy
# Policy 1: outbound from the server segment to port1, source-NATed to port1's address,
# now also in proxy inspection mode.
# NOTE(review): "all"/"ALL" egress from a server segment is broad; limiting it to what the
# web servers actually need (DNS, updates) reduces what a compromised server could reach.
edit 1
set name "DMZtoWAN"
set srcintf "port3"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set inspection-mode proxy
set nat enable
next
# Policy 2: inbound HTTP from port1 to the VIP. "nat enable" with no IP pool source-NATs
# clients to port3's address (10.0.3.1), so the real servers reply to a directly connected
# host and need no gateway - this is the change that fixed the original problem.
# NOTE(review): the cost is visibility. The web servers' own logs now show 10.0.3.1 for
# every client, and "logtraffic disable" means the FortiGate keeps no record either, so
# there is no trail of who reached the VIP. Prefer "set logtraffic all" on this policy,
# and, if this build supports it, enable the VIP's http-ip-header option so the real
# servers still receive the original client address in an X-Forwarded-For header.
edit 2
set name "www.ngtrain.com"
set srcintf "port1"
set dstintf "port3"
set srcaddr "all"
set dstaddr "www.ngtrain.com"
set action accept
set schedule "always"
set service "HTTP"
set inspection-mode proxy
set logtraffic disable
set nat enable
next
end
#3