FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dbabic
Staff
Article Id 192430
Description
This article describes how it is possible to connect to FortiGate-VMX Instances via SSH, HTTPS or other protocols.

Solution
FortiGate VMX Instances (nodes) can reach the outside world only via the "sync" interface.
In order to connect to a FortiGate VMX Instance via SSH, HTTPS or other protocols, it is required to configure port forwarding (a VIP) on the FortiGate SVM in the root VDOM (management VDOM) from the mgmt interface to the sync interface:


Network diagram:
FortiGate VMX-Instance [sync-10.10.10.2] >>>> [sync-10.10.10.1] FortiGate SVM [mgmt-10.5.81.21] >>>> OUTSIDE

# config firewall vip
    edit "SSH_TO_VMX_INST"
        set extip 10.5.81.21
        set extintf "mgmt"
        set portforward enable
        set mappedip "10.10.10.2"
        set extport 2211
        set mappedport 22
    next
    edit "HTTPS_TO_VMX_INST"
        set extip 10.5.81.21
        set extintf "mgmt"
        set portforward enable
        set mappedip "10.10.10.2"
        set extport 4443
        set mappedport 443
    next
end

# config firewall vipgrp
    edit "VMX_INST"
        set interface "mgmt"
        set member "HTTPS_TO_VMX_INST" "SSH_TO_VMX_INST"
    next
end

# config firewall policy
    edit 1
        set name "SSH_TO_VMX_INST"
        set srcintf "mgmt"
        set dstintf "sync"
        set srcaddr "all"
        set dstaddr "VMX_INST"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
    next
end

Debug logs:

SVM (root) # diagnose  debug  flow  filter port 2211
SVM (root) # diagnose  debug  flow  filter addr 10.5.81.21
SVM (root) # diagnose  debug  flow  show  function-name  enable
SVM (root) # diagnose  debug  flow  show  iprope  enable
SVM (root) # diagnose  debug  flow  trace start
SVM (root) # diagnose  debug  flow  trace start 100
SVM (root) # diagnose  debug  enable

SVM (root) # id=20085 trace_id=1 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 10.5.95.254:61670->10.5.81.21:2211) from mgmt. flag [S], seq 1344984955, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5654 msg="allocate a new session-000202a9"
id=20085 trace_id=1 func=iprope_dnat_check line=4942 msg="in-[mgmt], out-[]"
id=20085 trace_id=1 func=iprope_dnat_tree_check line=816 msg="len=1"
id=20085 trace_id=1 func=__iprope_check_one_dnat_policy line=4816 msg="checking gnum-100000 policy-1"
id=20085 trace_id=1 func=get_new_addr line=1140 msg="find DNAT: IP-10.10.10.2, port-22"
id=20085 trace_id=1 func=__iprope_check_one_dnat_policy line=4898 msg="matched policy-1, act=accept, vip=1, flag=100, sflag=2000000"
id=20085 trace_id=1 func=iprope_dnat_check line=4955 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000100"
id=20085 trace_id=1 func=fw_pre_route_handler line=182 msg="VIP-10.10.10.2:22, outdev-mgmt"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3336 msg="DNAT 10.5.81.21:2211->10.10.10.2:22"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.10.10.2 via sync"
id=20085 trace_id=1 func=iprope_fwd_check line=726 msg="in-[mgmt], out-[sync], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
id=20085 trace_id=1 func=__iprope_tree_check line=548 msg="gnum-100004, use addr/intf hash, len=2"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1996 msg="checked gnum-100004 policy-1, ret-matched, act-accept"
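Added example, not part of the article: a small Python checker that parses the debug-flow lines above and confirms that the DNAT result, the egress interface and the forwarding-policy verdict match the VIP objects configured earlier. The sample trace is abridged from the article's own output, and the expected mappings are taken from the two VIP definitions.

```python
import re

# Constructed sample: an abridged copy of the article's debug-flow trace, embedded so this runs offline.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 10.5.95.254:61670->10.5.81.21:2211) from mgmt. flag [S], seq 1344984955, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5654 msg="allocate a new session-000202a9"
id=20085 trace_id=1 func=get_new_addr line=1140 msg="find DNAT: IP-10.10.10.2, port-22"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3336 msg="DNAT 10.5.81.21:2211->10.10.10.2:22"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.10.10.2 via sync"
id=20085 trace_id=1 func=iprope_fwd_check line=726 msg="in-[mgmt], out-[sync], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1996 msg="checked gnum-100004 policy-1, ret-matched, act-accept"
"""

# Expected translations from the article's VIP objects: (extip, extport) -> (mappedip, mappedport).
EXPECTED_VIPS = {("10.5.81.21", 2211): ("10.10.10.2", 22), ("10.5.81.21", 4443): ("10.10.10.2", 443)}

PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\w+)')
DNAT_RE = re.compile(r'msg="DNAT ([\d.]+):(\d+)->([\d.]+):(\d+)"')
ROUTE_RE = re.compile(r'find a route: .* via (\w+)')
POLICY_RE = re.compile(r'checked gnum-\d+ policy-(\d+), ret-(\w+), act-(\w+)')

def parse_trace(text: str) -> dict:
    """Extract ingress packet, DNAT result, egress interface and policy verdict from one trace."""
    r = {}
    for line in text.splitlines():
        if m := PKT_RE.search(line):
            r.update(src=m[2], sport=int(m[3]), dst=m[4], dport=int(m[5]), in_intf=m[6])
        elif m := DNAT_RE.search(line):
            r.update(dnat_ip=m[3], dnat_port=int(m[4]))
        elif m := ROUTE_RE.search(line):
            r["route_intf"] = m[1]
        elif m := POLICY_RE.search(line):
            r.update(policy=int(m[1]), policy_result=m[2], action=m[3])
    return r

def check_forwarding(trace: dict, expected=EXPECTED_VIPS, egress="sync") -> list:
    """Return a list of problems; empty when the trace shows the intended mgmt -> sync path."""
    problems = []
    want = expected.get((trace.get("dst"), trace.get("dport")))
    if want is None:
        problems.append("no VIP configured for %s:%s" % (trace.get("dst"), trace.get("dport")))
    elif (trace.get("dnat_ip"), trace.get("dnat_port")) != want:
        problems.append("DNAT went to %s:%s, expected %s:%s" % (trace.get("dnat_ip"), trace.get("dnat_port"), *want))
    if trace.get("route_intf") != egress:
        problems.append("routed via %s, expected %s" % (trace.get("route_intf"), egress))
    if trace.get("policy_result") != "matched" or trace.get("action") != "accept":
        problems.append("forwarding policy did not accept the session")
    return problems
```

Feed it the output of a real `diagnose debug flow` capture (saved to a file) to verify a new VIP without reading every line by hand.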