FortiGate
Article Id 196687

Description

Issues with port forwarding VIP and web servers

Components

FortiGate units running FortiOS 4.00 MR3 and 5.0.x

Details

You can configure the FortiGate unit to provide an external Virtual IP (VIP) with port forwarding functionality. This can be used to connect to a non-standard HTTP port and internally forward it to the web server on TCP port 80.

Be aware that this type of port mapping can cause problems with applications running on a Web server.

Example and explanation

An internal web server is running on standard TCP port 80 and is accessible via the Internet on TCP port 4200. The example URL used to access this server is "http://www.mywebserver.com:4200".

The HTTP protocol includes a header field called "Host" which identifies which server and which port the web client is attempting to connect to. The FortiGate unit port forwards the HTTP requests from TCP port 4200 to TCP port 80, but the server still receives the Host field stating that the request was made to port 4200. This is inconsistent with the actual session, which was established on port 80. The communication may eventually fail, hang or return an error message.

The FortiGate unit does not have a feature to rewrite this field inside the HTTP protocol during port forwarding. Essentially this would require an HTTP helper application running on the FortiGate unit.

Solution

Run the internal web server on port 4200 (this can be done simultaneously with port 80 if necessary), and modify the VIP to map from 4200 to 4200. This ensures that the web client requests are consistent with what the server sees at the application layer.
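The mismatch described above, and why the 4200-to-4200 mapping resolves it, modelled in Python as an added example (this is not FortiOS code or Fortinet's own material). The VIP is represented as a plain dict whose extport/mappedport keys mirror the FortiOS VIP port-forwarding settings, the hostname is the article's www.mywebserver.com, and the server that builds absolute redirect URLs from its own listening port is an assumed illustration of one way an application can surface the inconsistency; the failure modes named in the article are not limited to redirects.

```python
"""Host header versus port-forwarded session (added illustration).

A FortiGate VIP with port forwarding rewrites only the TCP destination
port; the HTTP payload, including the Host header, arrives unchanged.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SERVER_NAME = "www.mywebserver.com"  # hostname from the article's example

# Constructed VIP definitions; keys mirror FortiOS "extport"/"mappedport".
VIP_PORT_REMAP: Dict[str, int] = {"extport": 4200, "mappedport": 80}    # problem case
VIP_SAME_PORT: Dict[str, int] = {"extport": 4200, "mappedport": 4200}   # article's fix


def build_request(host: str, port: int, path: str = "/") -> bytes:
    """Client side: the Host header names the port the client dialled."""
    authority = host if port == 80 else f"{host}:{port}"
    return f"GET {path} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode()


def host_header_port(request: bytes) -> Optional[int]:
    """Server side: port the client believes it reached (80 when omitted)."""
    for line in request.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            authority = value.strip().decode()
            if ":" in authority:
                return int(authority.rsplit(":", 1)[1])
            return 80
    return None


def forward_through_vip(vip: Dict[str, int], request: bytes) -> Tuple[int, bytes]:
    """Model of the VIP: the session lands on mappedport, payload untouched."""
    return vip["mappedport"], request


def host_port_consistent(vip: Dict[str, int], request: bytes) -> bool:
    """True when the Host header port equals the port the server accepted on."""
    server_port, payload = forward_through_vip(vip, request)
    return host_header_port(payload) == server_port


def redirect_from_socket_port(server_port: int, path: str) -> str:
    """Assumed application behaviour: absolute URL built from the socket port."""
    authority = SERVER_NAME if server_port == 80 else f"{SERVER_NAME}:{server_port}"
    return f"http://{authority}{path}"


def client_can_reach(vip: Dict[str, int], url: str) -> bool:
    """From the Internet only extport is published via the VIP."""
    port = urlsplit(url).port or 80
    return port == vip["extport"]


def demo(vip: Dict[str, int]) -> Dict[str, object]:
    """Run the client request through a VIP and report what the server sees."""
    request = build_request(SERVER_NAME, vip["extport"], "/login")
    server_port, payload = forward_through_vip(vip, request)
    location = redirect_from_socket_port(server_port, "/login/")
    return {
        "host_header_port": host_header_port(payload),
        "server_port": server_port,
        "consistent": host_port_consistent(vip, request),
        "redirect": location,
        "client_can_follow_redirect": client_can_reach(vip, location),
    }


if __name__ == "__main__":
    for label, vip in (("4200->80", VIP_PORT_REMAP), ("4200->4200", VIP_SAME_PORT)):
        print(label, demo(vip))
```

With the 4200-to-80 mapping the server accepts on port 80 but reads port 4200 from the Host header, and a redirect it composes from its own socket points the external client at port 80, which the VIP does not publish. With the 4200-to-4200 mapping both values agree and the redirect stays reachable.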