Port Forwarding on Fortigate

Introduction

In this post we will configure port forwarding on a Fortigate firewall running FortiOS 5.4.

What is Port Forwarding?

Port forwarding is a feature of routers and firewalls that lets devices behind NAT be reached from the outside. In other words, if you want anyone on the Internet to access a service (e.g. a web server or FTP server) on your home or office computer, you need to configure port forwarding on your home or office router or firewall.

The reason for this is that all devices at your location (home or office) share the one public IP address given to you by your ISP. That public IP address is the only thing external users can connect to, because they know nothing about your internal network and devices. After an external user connects to the public IP address configured on your edge device (firewall/router), the edge device has to know where to forward that traffic (for example, a web page request). Port forwarding is the configuration that tells your router or firewall which internal device should receive such specific requests from the Internet, and on which port.

Example scenario

I will run a web server on a local virtual machine and configure port forwarding so that requests to port 80 of my global IP address are forwarded to port 80 of my virtual machine.

Step 1: Create Virtual IP address

The first thing we need to do is create a Virtual IP (VIP). The VIP is the object that performs the destination NAT: it maps the public address and port to the internal address and port.

  • Go to Policy and Objects -> Virtual IPs. Click Create New and select Virtual IP.
  • Enter a name for this Virtual IP.
  • Select the Interface that faces your ISP.
  • Enter External IP Address/Range, which should be set to the public IP address that external users will connect to. If your WAN address is dynamic (DHCP or PPPoE), 0.0.0.0 tells FortiOS to use the interface's current address.
  • Enter Mapped IP Address/Range, which should be set to the IP address of your internal device (for example, the web server or FTP server). In my case it is the IP address of my virtual machine.
  • Enable Port Forwarding and select the protocol (usually TCP or UDP). In my case it is TCP.
  • Enter External Service Port. I use only port 80.
  • Enter Map to Port. I use port 80. The mapped port does not have to match the external port; this is how you expose a service on a non-standard public port.
  • Click OK.

Virtual IP


Step 2: Create Virtual IP Group

The next thing we need to do is create a Virtual IP Group. A group is optional for a single VIP, but it keeps the policy unchanged when you later add more services (for example, TCP/443 for the same server).

  • Go to Policy and Objects -> Virtual IPs. Click Create New and select Virtual IP Group.
  • Enter a name for this Virtual IP Group.
  • Select the Interface that faces your ISP.
  • Click the button next to Members and add the Virtual IP you created previously.
  • Click OK.

Virtual IP Group

Step 3: Create IPv4 Policy

The last step is to create an IPv4 Policy. Without a policy that references the VIP, the firewall will not accept the forwarded traffic.

  • Go to Policy and Objects -> IPv4 Policy. Click Create New.
  • Enter a name for this policy.
  • Set Incoming Interface to the ISP-facing interface.
  • Set Outgoing Interface to the interface connected to the LAN where your server or laptop resides.
  • Source should be set to ALL (or, better, to an address object for the networks that actually need access).
  • Set Destination Address to the Virtual IP Group that you created.
  • Set Service to the specific service being forwarded (HTTP in this example) rather than ALL. A port-forwarding VIP only translates the configured port, but restricting the service as well means a later change to the VIP (for example, a 1:1 static mapping) cannot silently expose every port on the server.
  • Leave NAT disabled for this policy. The VIP already performs the destination NAT; enabling NAT here would source-NAT the clients to the firewall's LAN address, and the server would see every request coming from the firewall.
  • Click OK.

IPv4 Policy
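The same three objects, expressed as FortiOS CLI configuration. This is an added example, not from the original post or from Fortinet's documentation; the interface names (wan1, internal), the public address 203.0.113.10, the server address 192.168.1.10 and the object names are assumptions and should be replaced with your own. Lines beginning with # are comments.

```fortios
# Step 1: the VIP does the destination NAT (DNAT) for TCP/80 only.
config firewall vip
    edit "WEB-VIP"
        set extintf "wan1"             # assumed ISP-facing interface
        set extip 203.0.113.10         # assumed public address; 0.0.0.0 = use the interface address
        set mappedip "192.168.1.10"    # assumed internal web server
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
end

# Step 2: group the VIP so the policy does not change when more services are added.
config firewall vipgrp
    edit "WEB-VIP-GRP"
        set interface "wan1"
        set member "WEB-VIP"
    next
end

# Step 3: the policy that allows the translated traffic into the LAN.
# edit 0 lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "Inbound-Web"
        set srcintf "wan1"
        set dstintf "internal"         # assumed LAN interface
        set srcaddr "all"
        set dstaddr "WEB-VIP-GRP"
        set action accept
        set schedule "always"
        set service "HTTP"             # not ALL: only the forwarded service
        set nat disable                # the VIP already does DNAT; no source NAT needed
        set logtraffic all             # log accepted sessions so inbound access is auditable
    next
end
```

To confirm the translation is happening, run `diagnose sniffer packet any 'port 80' 4` on the FortiGate while connecting from outside: you should see the request arrive on wan1 addressed to the public IP and leave on the LAN interface addressed to 192.168.1.10. If nothing leaves the LAN interface, check the policy order; a broader deny policy placed above this one on the same interface pair will match first.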

Conclusion

You should now be able to reach the service running on your local machine from the outside using the public IP address. Remember that the server is now exposed to the whole Internet: keep it patched, and narrow the policy's Source to known networks where you can.
