Issues with External Access to Internal Resources - Web pages, FTP, etc.

When we moved from the Palo Alto firewall to the Fortigate firewall, all of the policies and rules were migrated with Fortinet's migration tool.  Unfortunately, it did not migrate the NAT policies correctly.  The key issue is that the two products present NATting the opposite way round: on the Palo Alto you state which IP and port the traffic is coming in to, then where to send it; Fortinet switches some of that around on the screen, so the migrated entries ended up with the wrong interface and source filter settings.

We went through and edited the ones we knew we were using, but we assuredly missed some.  If someone puts in a ticket about something outside the campus network that can no longer reach an internal resource (a web page, FTP server, etc.), here is where to look and how to fix it.


Instructions to check and fix Fortigate NATting

  1. Navigate to https://firewall.cedarcrest.edu and log in.
  2. Click on Policy & Objects -> DNAT & Virtual IPs
  3. Find the Virtual IP configuration for the service you need.  If the Interface says "port1", it was migrated wrong.
  4. Open the service and change the following:
    Set Interface to ANY
    Turn OFF Source Interface Filter
    Make sure SERVICES lists the correct service
    If ports need to be forwarded, turn ON Port Forwarding, select One-to-One and enter the port in question in both External Service Port and Map to IPv4 Port (with One-to-One the two ports are the same)
  5. Note: if the service needs more than one port and the ports are not a contiguous range, there should be a separate VIP for each additional port.  Check for the other VIPs and repeat the process on each.
  6. Next, click on Firewall Policy
  7. Find the policy that exists for the service in question (an inbound policy from Untrust L3 to Trust L3; search the policy list for the VIP name or the internal server's IP).
  8. Make sure the settings are:
    Source: all
    Incoming Interface: Untrust L3
    Outgoing Interface: Trust L3
    Destination: the Virtual IP object for the target internal resource (traffic arrives addressed to the external IP, so the policy has to reference the VIP, not the bare internal address)
    Schedule: always
    Service: every service associated with the resource should be listed here
  9. That should do it.  Test from outside the campus network (for example a phone on cellular data); a test from inside does not go through the Untrust L3 policy, so it proves nothing.  If you need a reference, open an existing, working example and use it as a template.
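Because the migration left an unknown number of VIPs in the wrong state, it is worth checking them all at once rather than one ticket at a time.  The script below is an added example, not part of this article and not a Fortinet tool: it runs the same checks as the steps above over the text of "show firewall vip" and "show firewall policy" from the FortiGate CLI.  It assumes the FortiOS CLI setting names extintf, srcintf-filter, portforward, extport, mappedport and dstaddr, and that "show" omits settings left at their default with the default Interface being "any".  The two dumps embedded in it are constructed samples, not captures from the campus firewall; paste real output in their place.

```python
import shlex

# Constructed sample of 'show firewall vip' output (not a capture from the
# campus firewall): two VIPs still carrying the migration defects, one fixed.
SAMPLE_VIP_DUMP = """\
config firewall vip
    edit "web-portal-443"
        set extintf "port1"
        set srcintf-filter "port1"
        set mappedip "10.20.30.40"
    next
    edit "ftp-21"
        set extintf "port1"
        set portforward enable
        set mappedip "10.20.30.41"
        set extport 21
        set mappedport 21
    next
    edit "web-portal-443-fixed"
        set extintf "any"
        set portforward enable
        set mappedip "10.20.30.40"
        set extport 443
        set mappedport 443
    next
end
"""

# Constructed sample of 'show firewall policy' output.  Policy 13 points at a
# bare address object instead of the VIP, so the FTP VIP is never matched.
SAMPLE_POLICY_DUMP = """\
config firewall policy
    edit 12
        set srcintf "Untrust L3"
        set dstintf "Trust L3"
        set srcaddr "all"
        set dstaddr "web-portal-443-fixed"
        set schedule "always"
        set service "HTTPS"
    next
    edit 13
        set srcintf "Untrust L3"
        set dstintf "Trust L3"
        set srcaddr "all"
        set dstaddr "10.20.30.41"
        set schedule "always"
        set service "FTP"
    next
end
"""


def parse_fortios_table(dump):
    """Parse one top-level 'config <table>' block into {entry: {setting: [values]}}."""
    entries, current, name, depth = {}, None, None, 0
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)      # keeps quoted values like "Untrust L3" whole
        cmd = tokens[0]
        if cmd == "config":
            depth += 1
        elif cmd == "end":
            depth -= 1
        elif depth != 1:
            continue                    # skip nested sub-tables (e.g. realservers)
        elif cmd == "edit":
            name, current = tokens[1], {}
        elif cmd == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif cmd == "next" and current is not None:
            entries[name], current = current, None
    return entries


def audit_vips(vips, policies):
    """Return {vip_name: [problem, ...]} for VIPs that still need attention."""
    # Every address object that any policy uses as its Destination.
    referenced = {a for p in policies.values() for a in p.get("dstaddr", [])}
    findings = {}
    for name, vip in vips.items():
        problems = []
        # 'show' omits defaults; default Interface is "any" (assumption).
        extintf = vip.get("extintf", ["any"])[0]
        if extintf != "any":
            problems.append(f"Interface is '{extintf}', should be ANY")
        if "srcintf-filter" in vip:
            problems.append("Source Interface Filter is on; turn it off")
        if vip.get("portforward") == ["enable"] and not (
            "extport" in vip and "mappedport" in vip
        ):
            problems.append("Port Forwarding is on but the ports are not set")
        if name not in referenced:
            problems.append("no firewall policy uses this VIP as its Destination")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    report = audit_vips(parse_fortios_table(SAMPLE_VIP_DUMP),
                        parse_fortios_table(SAMPLE_POLICY_DUMP))
    for vip_name, problems in report.items():
        print(vip_name, "->", "; ".join(problems))
```

On the sample data the script flags web-portal-443 (wrong interface, source filter on, no policy) and ftp-21 (wrong interface, and its policy names the internal address instead of the VIP), while the fixed VIP passes.  A VIP flagged only for "no firewall policy" may simply be unused; check before deleting it.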

Details

Article ID: 159872
Created
Thu 1/25/24 9:25 AM