Configure port forwarding
You can configure port forwarding to access servers behind the firewall. This allows access to a server without knowing the server's internal IP address, and clients can connect only on the ports that have been selected.
Configuring access to the server via SSH consists of three steps:
- Creating a virtual IP address.
- Creating a group of virtual IP addresses.
- Configuring the security policy.
Create a virtual IP address
Graphical interface
Console interface
To create a virtual IP address (VIP):
- Go to the section Policy & Objects → Virtual IPs and create a new virtual IP address.
- Specify the IP address of your firewall as the External IP Address/Range and the internal address of the server as the Mapped IP Address/Range.
- Enable Port Forwarding. For Protocol set the value to TCP, for External Service Port set any free port, for Map to Port set the port on which your server's SSH service is running. The default port is 22.
To configure this via the CLI, enter:
config firewall vip
edit "Server SSH"
set comment "connection to server via ssh"
set extip <External IP>
set extintf "wan1"
set portforward enable
set mappedip <Internal IP>
set extport <External port>
set mappedport <Internal port>
next
end
Create a group of virtual IP addresses
Graphical interface
Console interface
To add virtual IP addresses to a virtual IP group:
- Go to the section Policy & Objects → Virtual IPs and create a new group.
- Add the virtual IP addresses as Members.
To configure this via the CLI, enter:
config firewall vipgrp
edit "Server services"
set interface <External Interface>
set member <VIP1> <VIP2>
next
end
Configure the security policy
Graphical interface
Console interface
To allow access to the server from the Internet:
- Go to the section Policy & Objects → IPv4 Policy and create a new policy.
- Select the external interface as the Incoming Interface and the internal interface as the Outgoing Interface.
- Select the virtual IP address or group as the Destination Address.
For this policy, NAT is disabled so that the server sees the real source addresses of incoming connections. This is the preferred setting.
To configure this via the CLI, enter:
config firewall policy
edit 2
set name "Server Access"
set srcintf <External Interface>
set dstintf <Internal Interface>
set srcaddr all
set dstaddr <VIP>
set action accept
set schedule always
set service ALL
next
end
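As an added check (not from this page or from Fortinet), the following Python script parses config text in the shape of the CLI snippets above and reports, for each accept policy, which external ports are actually reachable through its port-forwarded VIPs and VIP groups, whether the source is unrestricted, and whether any member is a plain 1:1 VIP that exposes every server port. The sample config, the object names and the port 2222 are constructed for the example.

```python
import re
# Constructed sample in the shape of this page's CLI snippets (not a real firewall config).
SAMPLE_CONFIG = """
config firewall vip
    edit "Server SSH"
        set portforward enable
        set extport 2222
        set mappedport 22
    next
end
config firewall vipgrp
    edit "Server services"
        set member "Server SSH"
    next
end
config firewall policy
    edit 2
        set srcaddr all
        set dstaddr "Server services"
        set action accept
        set service ALL
    next
end
"""
def parse(text):
    """FortiOS-style config -> {section: {entry: {key: [values]}}}, quotes stripped."""
    cfg, sec, ent = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            sec = cfg.setdefault(line[7:], {})
        elif line.startswith("edit "):
            ent = sec.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            ent[key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
    return cfg

def exposure(text):
    """Per accept policy: (external, internal) port pairs reachable through its VIP/group members.
    Only the VIP's extport is reachable even with 'service ALL'; a member without port forwarding is 1:1 NAT."""
    cfg = parse(text)
    vips, groups, report = cfg.get("firewall vip", {}), cfg.get("firewall vipgrp", {}), {}
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("action") != ["accept"]:
            continue
        fwd = [vips[m] for d in pol.get("dstaddr", []) for m in groups.get(d, {}).get("member", [d]) if m in vips]
        ports = sorted((int(v["extport"][0]), int(v["mappedport"][0])) for v in fwd if v.get("portforward") == ["enable"])
        report[pid] = {"ports": ports, "any_source": pol.get("srcaddr") == ["all"],
                       "full_nat": any(v.get("portforward") != ["enable"] for v in fwd)}
    return report
```

Running `exposure(SAMPLE_CONFIG)` shows that policy 2 reaches only external port 2222 (mapped to 22) despite `set service ALL`, while `any_source` flags that the policy accepts connections from any address.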