Configuring Port Forwarding
You can configure port forwarding to reach servers located behind the firewall. Users can reach the server without knowing its internal IP address, and only on the ports you have chosen to expose. As an example, let's configure SSH access to the server.
Creating Virtual IP Addresses
Graphical Interface
To add a virtual IP address (VIP):
- Go to the Policy & Objects → Virtual IPs section and create a new virtual IP address.
- Set the IP address of your firewall as the External IP Address/Range and the internal address of the server as the Mapped IP Address/Range.
- Enable Port Forwarding. Set Protocol to TCP, set External Service Port to any free port, and set Map to Port to the port on which your server’s SSH service is running.
Console Interface
To do the same through the CLI, enter the following:
config firewall vip
edit "Server SSH"
set comment "connection to server via ssh"
set extip <External IP>
set extintf "wan1"
set portforward enable
set mappedip <Internal IP>
set extport <External port>
set mappedport <Internal port>
next
end
Creating a Virtual IP Group
Graphical Interface
To add the new virtual IP addresses to a virtual IP group:
- Go to the Policy & Objects → Virtual IPs section and create a new group.
- Set the new virtual IP addresses as Members of the group.
Console Interface
To do the same through the CLI, enter the following:
config firewall vipgrp
edit "Server services"
set interface <External Interface>
set member <VIP1> <VIP2>
next
end
Configuring Security Policies
Graphical Interface
To allow Internet users to reach the server:
- Go to the Policy & Objects → IPv4 Policy section and create a new policy.
- Select the external interface as the Incoming Interface and the internal interface as the Outgoing Interface (this matches the srcintf/dstintf settings in the CLI below, since the traffic arrives from the Internet).
- Select a virtual IP address or VIP group as the Destination Address.
Leave NAT disabled for this policy so that the server sees the original source addresses of the packets it receives; this is the preferred setting.
Console Interface
To do the same through the CLI, enter the following:
config firewall policy
edit 2
set name "Server Access"
set srcintf <External Interface>
set dstintf <Internal Interface>
set srcaddr all
set dstaddr <VIP>
set action accept
set schedule always
set service ALL
next
end
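As an added check that is not part of this page or of Fortinet's own tooling, the script below parses FortiOS-style CLI text such as the blocks above and flags port-forwarding policies that publish a VIP with NAT enabled, with service ALL instead of the forwarded port, or through a VIP that is not limited to a single external port. The sample configuration and its addresses are constructed for the example.

```python
import re
# Constructed sample mirroring the page's VIP and policy blocks (documentation/private addresses only).
SAMPLE_CONFIG = """config firewall vip
    edit "Server SSH"
        set extip 203.0.113.10
        set portforward enable
        set mappedip 192.168.10.20
        set extport 2222
        set mappedport 22
    next
end
config firewall policy
    edit 2
        set name "Server Access"
        set srcintf "wan1"
        set dstintf "internal"
        set dstaddr "Server SSH"
        set action accept
        set service ALL
    next
end"""
def parse_fortios(text):  # top-level tables only -> {table: {entry: {setting: [values]}}}
    tables, table, cur = {}, None, None
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if not tok: continue
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            cur = table.setdefault(tok[1], {})
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
    return tables
def audit_port_forwarding(text):
    """Return (policy name, finding) pairs for policies whose destination is a VIP."""
    cfg = parse_fortios(text)
    vips, findings = cfg.get("firewall vip", {}), []
    for pid, pol in cfg.get("firewall policy", {}).items():
        name = pol.get("name", [pid])[0]
        exposed = [v for v in pol.get("dstaddr", []) if v in vips]
        if not exposed:
            continue  # ordinary policy, not a port-forwarding one
        if pol.get("nat", ["disable"])[0] == "enable":  # a `show` dump omits nat while at its default
            findings.append((name, "nat enable: server loses the real client source addresses"))
        if "ALL" in pol.get("service", []):
            findings.append((name, "service ALL: restrict the policy to the forwarded port"))
        for v in exposed:
            if vips[v].get("portforward", ["disable"])[0] != "enable":
                findings.append((name, f"VIP {v} maps every port, not only extport"))
    return findings
```

Run it against a `show firewall vip` / `show firewall policy` dump; VIP groups are not expanded by this parser, so point it at policies that reference a VIP directly.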