Configuring Port Forwarding

You can configure port forwarding to reach servers located behind the firewall. Users can reach the server without knowing its internal IP address, and only the ports you choose to forward are exposed from outside. For example, let’s configure SSH access to the server.

Creating Virtual IP Addresses

Graphical Interface

To add a virtual IP address (VIP):

  1. Go to the Policy & Objects → Virtual IPs section and create a new virtual IP address.
  2. Set the IP address of your firewall as the External IP Address/Range and the internal address of the server as the Mapped IP Address/Range.
  3. Enable Port Forwarding. Set Protocol to TCP, set External Service Port to any free port, and set Map to Port to the port on which your server’s SSH service is running.

Console Interface

To do the same through the CLI, enter the following:

config firewall vip
    edit "Server SSH"
        set comment "connection to server via ssh"
        set extip <External IP>
        set extintf "wan1"
        set portforward enable
        set mappedip <Internal IP>
        set extport <External port>
        set mappedport <Internal port>
    next
end

Creating a Virtual IP Group

Graphical Interface

To add the new virtual IP addresses to a virtual IP group:

  1. Go to the Policy & Objects → Virtual IPs section and create a new group.
  2. Set the new virtual IP addresses as Members of the group.

Console Interface

To do the same through the CLI, enter the following:

config firewall vipgrp
    edit "Server services"
        set interface <External Interface>
        set member <VIP1> <VIP2>
    next
end

Configuring Security Policies

Graphical Interface

To allow Internet users to reach the server:

  1. Go to the Policy & Objects → IPv4 Policy section and create a new policy.
  2. Select the internal interface as the Incoming Interface and the external interface as the Outgoing Interface.
  3. Select a virtual IP address or VIP group as the Destination Address.

Leave NAT disabled for this policy so that the server sees the original source addresses of the packets it receives; this is the preferred setting.

Console Interface

To do the same through the CLI, enter the following:

config firewall policy
    edit 2
        set name "Server Access"
        set srcintf <External Interface>
        set dstintf <Internal Interface>
        set srcaddr all
        set dstaddr <VIP>
        set action accept
        set schedule always
        set service ALL
    next
end
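As an added example (not from this page or from Fortinet), a small Python audit that parses CLI blocks of the shape shown above and checks the points this section makes: a VIP with port forwarding enabled must carry extport and mappedport, the policy's srcintf must be the VIP's external interface, and NAT stays disabled on the policy. The sample configuration and its addresses are constructed placeholders.

```python
import shlex  # stdlib; SAMPLE below is a constructed config with placeholder addresses
SAMPLE = """\
config firewall vip
    edit "Server SSH"
        set extintf "wan1"
        set portforward enable
        set mappedip 10.0.0.5
        set extport 2222
        set mappedport 22
    next
end
config firewall policy
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set dstaddr "Server SSH"
        set service ALL
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set blocks into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for tok in map(shlex.split, text.splitlines()):  # shlex handles the quoted names
        if tok and tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok and tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok and tok[0] == "set":
            entry[tok[1]] = tok[2:]
    return tables

def audit(text):
    """Flag deviations from the port-forwarding setup described above."""
    cfg = parse_fortios(text)
    vips = cfg.get("firewall vip", {})
    findings = []
    for name, vip in vips.items():
        if vip.get("portforward") == ["enable"] and not {"extport", "mappedport"} <= set(vip):
            findings.append(f"VIP {name}: port forwarding enabled without extport/mappedport")
    for pid, pol in cfg.get("firewall policy", {}).items():
        vip = vips.get(pol.get("dstaddr", [""])[0])
        if vip is None:
            continue  # policy does not front a VIP, nothing to check here
        if pol.get("srcintf") != vip.get("extintf"):
            findings.append(f"policy {pid}: srcintf must be the VIP's external interface")
        if pol.get("nat") == ["enable"]:
            findings.append(f"policy {pid}: NAT enabled; server loses original source addresses")
    return findings
```

Run `audit()` over the output of `show firewall vip` and `show firewall policy` to check a live configuration against the same three points.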