FortiGate - Port Forwarding and Destination NAT
Fortinet
A firewall is supposed to protect your company network from attacks. Nevertheless, you will repeatedly be forced to expose resources within your company network to the internet, for example web servers or email servers.
I would like to explain today how you can do this securely.
Most people are familiar with port forwarding or destination NAT. At Fortinet, however, a different term is used for this: VIP, or Virtual IP.
Like so many things at Fortinet, the rule is assembled from modular building blocks. This may be more work at first, but it allows for more flexibility and makes later changes easier.
You can create the VIP (Virtual IP) under Policy & Objects.
You can create both IPv4- and IPv6-based objects. Please note that IPv6 must first be activated under System > Feature Visibility before you can create IPv6 VIP objects.
First, enter a meaningful name by which you can recognise the object and its purpose. Optionally, you can also add a comment.
For Interface, you can either select a specific interface, in which case the object is only available to rules that contain that interface, or leave it at Any, in which case the object can be used in all firewall rules.
In External IP Address, enter the address on which the FortiGate listens for incoming network traffic.
In Mapped IP Address, enter the internal address of the resource that should be reachable from outside.
Under the optional filters, you can enter the addresses that are authorised to access this resource. This allows you to restrict who is allowed to reach it, which is very useful if certain services are only meant to be accessible to certain persons or companies.
Using the services, you can then allow only specific protocols and ports, for example HTTPS or SMTPS. Of course, you can also create your own services if the predefined objects do not fit.
Port forwarding then makes it possible to redirect a port to a different port on the internal resource. For example, you may want to forward port 443 to a web server listening on port 10443.
This completes the creation of the virtual IP, which can now be used as the destination object in a firewall rule.
In the firewall rule, you can then also enable the appropriate security profiles, such as antivirus or IPS, to secure access to the resource accordingly.
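As an added example (not taken from the original article), here is the same VIP and the matching firewall policy expressed in the FortiOS CLI; the interface names, IP addresses, network ranges and profile names are assumptions chosen for illustration:

```fortios
# Constructed example: external 203.0.113.10:443 -> internal 192.168.10.20:10443,
# reachable only from the partner network 198.51.100.0/24
config firewall vip
    edit "vip-web-https"
        set comment "Inbound HTTPS to internal web server"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.10.20"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 10443
        set src-filter "198.51.100.0/24"
    next
end

# Policy that uses the VIP as its destination and applies security profiles
config firewall policy
    edit 0
        set name "inbound-https-web"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-web-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
end
```

Because the VIP is bound to wan1, the policy's source interface must be wan1 as well; connections that do not originate from 198.51.100.0/24 are dropped by the source filter before the policy is even evaluated.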
If you are interested in a Fortinet FortiGate security solution, we would be happy to advise you. Contact us for a free initial consultation via our telephone number, email address or our contact form.