Solved: How do I configure FortiGate Port Forwarding for RDP?

Problem: This article outlines the detailed steps for how to configure FortiGate port forwarding for RDP.


The process is:

  • Set up a Virtual IP (with port forward enabled)
  • Create a Virtual IP Group
  • Allow traffic to the Virtual IP Group

Content Summary

FortiGate Port Forwarding: Create a Virtual IP
FortiGate Port Forwarding: Create a Virtual IP Group
FortiGate Port Forwarding: FortiGate Add an ‘Address’
FortiGate Port Forwarding: Allow Port Forwarded Traffic
FortiGate Port Forwarding: Troubleshooting Port Forwarding

FortiGate Port Forwarding: Create a Virtual IP

Step 1: Go to Policy and Objects > Virtual IPs > Create New > Virtual IP.


Step 2: Give it a name and configure the settings as below:

  • Set the Interface to the outside/WAN interface.
  • External IP set to the public IP address of the firewall.
  • Mapped IP address set to the internal IP address of the server you are forwarding to.
  • Enable Port Forwarding.
  • Select TCP or UDP.
  • Type in the port(s) you want to forward.
Settings to create new Virtual IP

Step 3: Click on the OK button.

FortiGate Port Forwarding: Create a Virtual IP Group

Step 1: From the Virtual IP menu > Create New > Virtual IP Group.


Step 2: Give the group a name and configure the settings as below:

  • Set the Interface to the outside/WAN interface.
  • Add in the Virtual IP you created above.
Settings to create a Virtual IP Group

Step 3: Click on the OK button.

FortiGate Port Forwarding: FortiGate Add an ‘Address’

If you are port forwarding something like HTTP/HTTPS to a web server, or SMTP to a mail server, you can skip this step. For most port forwarding scenarios you would set the source to ALL. For completeness, here’s how to create an Address object.

Step 1: Go to Policy & Objects > Addresses > Create New > Address.


Step 2: Give it a name and configure the settings as below:

  • Set the Type to Subnet.
  • Type the IP into the IP Range box.
  • Set the Interface to outside/WAN.
Settings to add an Address.

Step 3: Click on the OK button.

FortiGate Port Forwarding: Allow Port Forwarded Traffic

Step 1: Go to Policy and Objects > IPv4 Policy or Firewall Policy > Create New.


Step 2: Give it a name and configure the settings as below:

  • Incoming Interface: Outside / WAN
  • Source: For RDP, specify the single address you created above; for all other port forwarding, simply use ALL instead.
  • Destination: Your Virtual IP Group
  • Schedule: Always
  • Service: RDP (or the port you are forwarding if different)
  • Allow: Accept
Settings to Allow Port Forwarded Traffic

Step 3: Click on the OK button.
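
The same four objects expressed in the FortiOS CLI, as an added example that is not part of the original article. The object names, the `wan` and `lan` interface names, and the documentation-range addresses are assumptions; substitute your own values.

```fortios
# Virtual IP with port forwarding enabled (TCP 3389 -> internal server).
# 203.0.113.10 stands in for the firewall's public IP (placeholder).
config firewall vip
    edit "VIP-RDP"
        set extintf "wan"
        set extip 203.0.113.10
        set mappedip "192.168.1.10"
        set portforward enable
        set protocol tcp
        set extport 3389
        set mappedport 3389
    next
end

# Virtual IP Group bound to the same outside interface.
config firewall vipgrp
    edit "VIPGRP-Inbound"
        set interface "wan"
        set member "VIP-RDP"
    next
end

# Address object for the single source allowed to reach RDP (placeholder /32).
config firewall address
    edit "RDP-Allowed-Source"
        set subnet 198.51.100.25 255.255.255.255
        set associated-interface "wan"
    next
end

# Policy: only the address object above may reach the VIP group on RDP.
# "lan" is an assumed name for the interface the server sits behind.
config firewall policy
    edit 0
        set name "Inbound-RDP"
        set srcintf "wan"
        set dstintf "lan"
        set srcaddr "RDP-Allowed-Source"
        set dstaddr "VIPGRP-Inbound"
        set schedule "always"
        set service "RDP"
        set action accept
    next
end
```

`edit 0` asks FortiOS to assign the next free policy ID.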

FortiGate Port Forwarding: Troubleshooting Port Forwarding

You can see what’s going on by using the packet sniffer in the firewall.
diagnose sniffer packet {interface} 'host {External IP} and port {Port Number}' 4
e.g.: diagnose sniffer packet wan 'host 234.234.234.234 and port 3389' 4

Troubleshooting FortiGate Port Forwarding