
How to Configure Port Access on FortiGate Firewalls: A Comprehensive Guide


FortiGate firewalls are powerful security devices, but configuring them for specific services can be challenging. This guide synthesizes expert knowledge from official documentation and community forums to demystify the process.

Understanding the Core Concept: Firewall Policies and NAT

Opening a port on a FortiGate involves two primary components: creating a firewall policy to permit the traffic, and often configuring Network Address Translation (NAT) to direct the traffic to an internal server. This is commonly known as port forwarding.

Phase 1: Creating a Virtual IP (VIP) for Port Forwarding

The most common method to allow external access to an internal service is using a VIP. This tells the FortiGate, "When traffic arrives at my public IP on a specific port, send it to this internal server."

Steps (via Web GUI):

  1. Navigate to Policy & Objects > Virtual IPs.
  2. Click Create New.
  3. Enter a descriptive name (e.g., Web-Server-Port-80).
  4. Set External Interface to your WAN interface (e.g., wan1).
  5. Under External IP Address/Range, enter your public IP, or 0.0.0.0 to have the VIP use the address assigned to the external interface.
  6. Enable Port Forwarding, set Protocol to TCP (or UDP, as the service requires), and map the External Service Port (the public port, e.g., 80 for HTTP) to the Internal Service Port (the server's port, e.g., 80).
  7. In the Mapped IP Address/Range field, enter the internal IP of your server (e.g., 192.168.1.100).

Phase 2: Crafting the Firewall Policy

A VIP alone does not allow traffic. You must create a security policy that permits it.

Steps:

  1. Go to Policy & Objects > Firewall Policy.
  2. Click Create New Policy.
  3. Set Incoming Interface to your WAN interface.
  4. Set Outgoing Interface to your internal/LAN interface.
  5. Set Source to the narrowest address object you can (a partner network, a management range). Use all only when the service genuinely must be reachable from anywhere.
  6. Set Destination to the Virtual IP you created in Phase 1.
  7. Set Schedule to always.
  8. Set Service to the specific port/service (e.g., HTTP, HTTPS, or a custom service).
  9. Set Action to ACCEPT.
  10. Enable the security profiles your requirements call for (for example IPS, Antivirus, and Web Filter; NGFW Mode is a policy mode, not a profile). Caution: Avoid disabling all security profiles for convenience. An internet-facing service with no IPS inspection receives every exploit attempt that reaches it unfiltered.

Phase 3: Advanced Scenarios & CLI Commands

For complex setups or CLI enthusiasts, configurations can be done via the command line. The equivalent CLI commands for a basic port forward are below. extip 0.0.0.0 means the wan1 interface address, edit 0 allocates the next free policy ID, and logtraffic all is what makes the policy visible in FortiView and the logs later on:

config firewall vip
    edit "Web-Server-Port-80"
        set extintf "wan1"
        set extip 0.0.0.0
        set portforward enable
        set protocol tcp
        set mappedip "192.168.1.100"
        set extport 80
        set mappedport 80
    next
end

config firewall policy
    edit 0
        set name "Allow-WAN-to-Web"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Web-Server-Port-80"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
    next
end
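The policy above accepts HTTP from any source with no inspection. Below, as an added example that is not part of the original guide, is the same inbound rule tightened along the lines of the least-privilege advice later on this page: the source is limited to a hypothetical partner network (203.0.113.0/24, held in an address object named Partner-Office; both the name and the range are assumptions), the built-in default IPS sensor is applied, and logging is on. The no-inspection SSL profile is required once utm-status is enabled; plain HTTP has nothing to decrypt.

```fortios
# Added example, not from the original guide: the same inbound rule with a
# restricted source, IPS inspection and logging. "Partner-Office" and the
# 203.0.113.0/24 range are assumptions standing in for a real client network.
config firewall address
    edit "Partner-Office"
        set subnet 203.0.113.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "Allow-Partner-to-Web"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "Partner-Office"
        set dstaddr "Web-Server-Port-80"
        set action accept
        set schedule "always"
        set service "HTTP"
        set utm-status enable
        set ssl-ssh-profile "no-inspection"
        set ips-sensor "default"
        set logtraffic all
    next
end
```

If the broader Allow-WAN-to-Web policy from above is still present and sits higher in the sequence, it matches first and the restriction never applies; delete it or move the restricted policy above it.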

Critical Considerations and Security Best Practices

  1. Check for ISP Blocking: Many residential ISPs block inbound connections on common ports such as 25, 80, and 443. Verify with your ISP if external access fails even though nothing ever appears in the firewall logs.
  2. Local Testing: Test from outside your network (a mobile hotspot is enough). Reaching the public IP from inside the LAN requires a separate hairpin NAT policy (see the FAQ); it is not created by default.
  3. Implicit Deny: Remember the foundational rule: FortiGate denies all traffic by default. Your policy must explicitly permit it.
  4. Order of Rules: Firewall policies are processed top-down and the first match wins. Ensure your new rule is placed above any broader rule, DENY or ACCEPT, that would match the same traffic first.
  5. Troubleshooting: Use the built-in FortiView and Log & Report features (the policy must have logging enabled) to see whether traffic reaches the firewall and which policy allowed or blocked it. On the CLI, diagnose debug flow shows the same decision packet by packet.
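The following CLI session is an added example, not part of the original guide, showing how to trace one inbound test connection to the VIP above and what the decisive lines look like. The filter on TCP port 80 matches the external port used earlier; adjust it for other services.

```fortios
# Added example, not from the original guide: trace an inbound HTTP test
# connection to the VIP configured above.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter proto 6
diagnose debug flow filter dport 80
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 20
diagnose debug enable
# ... now open http://<public-ip>/ from a client outside your network ...
#
# On success the trace shows "allocate a new session", a DNAT line with the
# translation to 192.168.1.100:80, and "Allowed by Policy-N" naming the
# policy ID that matched.
# "Denied by forward policy check (policy 0)" means no policy matched and the
# implicit deny (policy 0) dropped the packet: check srcintf/dstintf, the VIP
# chosen as destination, and the service.
diagnose debug disable
diagnose debug reset

# If the trace stays empty, confirm the packets even reach wan1 before
# blaming the policy (verbosity 4 prints interface names, stop after 10):
diagnose sniffer packet wan1 'tcp port 80' 4 10
```

An empty sniffer output while the external client times out points upstream (ISP filtering, wrong public IP, the modem not in bridge mode) rather than at the FortiGate configuration.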

Frequently Asked Questions (FAQ)

Q: I created the VIP and policy, but the port is still closed. What's wrong? A: Common culprits include: the server's local firewall blocking the port, the service not running or not listening on the expected address, the firewall policy being placed below a rule that matches first, the VIP bound to the wrong external interface, or the server's default gateway not pointing at the FortiGate, so replies never return through it.

Q: What is "Hairpin NAT" and why do I need it? A: Hairpin NAT lets internal clients reach your internal server using the public IP address from inside the network. The WAN-to-internal policy does not cover this case, because the traffic enters on the LAN interface. You need a second policy from the internal interface to the internal interface with the VIP as its destination and NAT enabled, so that the FortiGate also source-NATs the client; otherwise the server replies directly to the client on the LAN and the client discards the answer because it arrives from the private address, not the public one it connected to. The VIP's External Interface must also be set to any (or a second VIP created for the internal interface), or the translation is not applied to traffic arriving on the LAN. If a connection to the public IP times out internally but works externally, this is the first thing to check.
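The hairpin configuration described in that answer, as an added example that is not part of the original guide, using the Web-Server-Port-80 VIP and internal interface from Phase 3 (the policy name is an assumption):

```fortios
# Added example, not from the original guide: hairpin NAT for the VIP above.
# Let the VIP match on any interface, not only wan1. Access is still
# controlled by the policies, which remain bound to specific interfaces.
config firewall vip
    edit "Web-Server-Port-80"
        set extintf "any"
    next
end

# LAN-to-LAN policy: the VIP rewrites the destination to 192.168.1.100 and
# "set nat enable" rewrites the source to the FortiGate's internal address,
# so the server's reply comes back through the FortiGate and is un-NATed.
config firewall policy
    edit 0
        set name "Hairpin-LAN-to-Web"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Web-Server-Port-80"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat enable
        set logtraffic all
    next
end
```

The side effect of the source NAT is that the web server's access logs show the FortiGate's internal IP for every LAN visitor instead of the real client; if that matters, publish an internal DNS record for the server's private address instead of relying on hairpinning.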

Q: Should I disable security profiles to make it work? A: No. This is a major security risk. Instead, initially set the profile to Monitor mode or create a more permissive profile for that specific service. Diagnose the logs to see which security feature is blocking legitimate traffic and adjust it accordingly.

Q: Can I open a range of ports? A: Yes. In the VIP configuration, you can specify a port range (e.g., 5000-5010). You must also create a matching Firewall Service object with the same port range.
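The range case in CLI form, as an added example that is not part of the original guide. The service name, VIP name, and the 192.168.1.101 server are assumptions; the external and mapped ranges must be the same size, and the service object in the policy must cover the external port range:

```fortios
# Added example, not from the original guide. Object names and the
# 192.168.1.101 server address are assumptions.
config firewall service custom
    edit "App-TCP-5000-5010"
        set tcp-portrange 5000-5010
    next
end

config firewall vip
    edit "App-Server-5000-5010"
        set extintf "wan1"
        set extip 0.0.0.0
        set portforward enable
        set protocol tcp
        set mappedip "192.168.1.101"
        set extport 5000-5010
        set mappedport 5000-5010
    next
end

config firewall policy
    edit 0
        set name "Allow-WAN-to-App"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "App-Server-5000-5010"
        set action accept
        set schedule "always"
        set service "App-TCP-5000-5010"
        set logtraffic all
    next
end
```

Each port in the range is a separate listening service on the internal host, so before opening eleven ports confirm that the application actually needs all of them and restrict srcaddr as in the hardened example above wherever the client population is known.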

Q: What's the difference between a VIP and just creating a firewall policy? A: A VIP handles the destination NAT (changing the destination IP from public to private). The firewall policy then evaluates whether that translated traffic is permitted to pass. You need both for inbound access to a specific internal host.

Q: How do I allow outbound traffic on a specific port? A: This is simpler. Create a firewall policy where the source is your internal network, the destination is all or a specific IP, and the service is the desired port. No VIP is needed for outbound-only traffic.

By following this structured approach—combining a VIP for address translation with a corresponding security policy—administrators can securely manage access to services through their FortiGate firewall. Always remember to align configurations with the principle of least privilege to maintain a robust security posture.