Server hosting problem with Fortigate60

Hi, Recently, I configured our Fortigate60 (in transparent NAT) to let public users access an internal web server by using a method called 'port-forwarding' or 'port redirection'. This standalone web server is connected to the DMZ port using a different address range (in this case we use 10.1.10.x/24). The LAN network uses 192.168.1.x/24 addresses. Our Fortigate 60 has only one public IP assigned by our ISP. Our Fortigate60 is running the latest firmware version, 2.80.

I am unable to access our internal web server from outside even though I configured it to do 'port-forwarding'. I checked my firewall policies and found nothing wrong with them. There's no problem for internal LAN users to surf, and they can access the web server with no problem; only public users cannot. How do I solve this problem? Did I make a mistake in the configuration? Thanks in advance.

Regards. Alex

Reply to pop_alex

First of all, what is that? Is it in NAT/Route mode, or transparent mode? In 3.0 you can put some Virtual Domains in NAT/Route and some in transparent, but in 2.8 or 2.5 you have to choose one or the other.

Ok, so clearly you're in NAT/Route mode, don't use the term "transparent" with regards to it then. :-)

You probably created a policy from untrust to dmz from any to 10.1.10.x. That's incorrect. You need to specify the policy from untrust to dmz from any to VIP, where VIP is the name of the port forwarding object you created when you went to the Virtual Server configuration area and forwarded the port.

The reason that the mistaken policy doesn't work is that NAT is not being done on return traffic for sessions initiated from outside the firewall; that's provided by the VIP construct. But your folks in the Internal zone are fine with that, because they can understand 10.x traffic; they just send it back to their default gateway, the Fortinet, which knows where it goes. So that's why they are working ok. But without the VIP specified on the policy, the return traffic is put out the public interface as 10.x and the next hop router throws it away.

In fact you don't even need to have an address object created for your dmz server to make policies for it; simply creating a VIP object will do the job, and that's what you'll use in the policy.

-Russ.

Reply to Somebody.

Hi, Here are my Fortigate60's policies. I would like you to check them and comment on whether they are ok.

-----------------------------------------------------------
a) Internal to Wan1

Source           Destination       Service   Action   NAT
Internal (All)   Wan1 (All)        Any       Accept   Enabled

b) Internal to DMZ

Source           Destination       Service   Action   NAT
Internal (All)   DMZ (WebServer)   Any       Accept   Not Enabled

c) Wan1 to DMZ

Source           Destination       Service   Action   NAT
Wan1 (All)       DMZ (WebServer)   Any       Accept   Enabled

-------------------------------------------------------------------------

Virtual IP

Name                WebServer
Ext. Interface      Wan1
Type                Port Forwarding
External IP
Ext. Service Port   HTTP
Map to IP           10.10.10.1
Map to Port         80
Protocol            TCP

-------------------------------------------------------------------------

Our Fortigate60 is running the latest version, FortiOS 2.80 MR10, and there's no version 3.0 available for it yet. I'm using Transparent Mode.

Thanks for your help.

Regards.

Reply to pop_alex

Sorry... Correction, I'm using NAT/Route mode NOT Transparent Mode.

Reply to pop_alex

Uh, yeah, see my previous post. I figured that out for ya. :-)

-Russ.

Reply to Somebody.

Fine.

If it's not enabled, why do you have it? If you do this, you can't hit your dmz server from Internal using its 10.x address, which you may decide is ok.

That looks sorta ok, assuming policy c) has your vip as the destination as it looks like from what you wrote. Your external port is 80 though, not HTTP right? Your policy c) should specify HTTP however, not Any.

3.0 isn't available to you, but I have it. And it's *very* cool. :-)

But anyway MR10 is fine even though MR11 is out.

There are still a few ways to mess this up -- putting other policies above c) that do the wrong thing, enabling http management on the External, enabling an IPS signature that triggers on your type of traffic.

What is the IP of the DMZ interface on the firewall?

-Russ.

Reply to Somebody.

These are the IPs on each interface.

DMZ  = 10.10.10.254/24
LAN  = 192.168.1.254/24
Wan1 = 202.xxx.xxx.xxx/28

The external port is HTTP. I guess I should disable the IPS and antivirus signatures first before configuring the policies, and then test it.

Reply to pop_alex
