Configure port forwarding
You can configure port forwarding to reach servers behind the firewall. Clients then connect to the firewall's external address without needing to know the server's internal IP address, and only the ports you explicitly selected are reachable from outside.
Configuring access to the server via SSH:
Create a virtual IP address
To create a virtual IP address (VIP):
- Go to Policy & Objects → Virtual IPs and create a new virtual IP address.
- Specify the IP address of your firewall as the External IP Address/Range and the internal address of the server as the Mapped IP Address/Range.
- Enable Port Forwarding. For Protocol set the value to TCP, for External Service Port set any free port, and for Map to Port set the port on which your server's SSH service is running. By default, this is port 22.
To configure the same via the CLI, enter:
config firewall vip
    edit "Server SSH"
        set comment "connection to server via ssh"
        set extip <External IP>
        set extintf "wan1"
        set portforward enable
        set mappedip <Internal IP>
        set extport <External port>
        set mappedport <Internal port>
    next
end
Create a group of virtual IP addresses
To add virtual IP addresses to a virtual IP group:
- Go to Policy & Objects → Virtual IPs and create a new group.
- Add the virtual IP addresses to the group under Members.
To configure the same via the CLI, enter:
config firewall vipgrp
    edit "Server services"
        set interface <External Interface>
        set member <VIP1> <VIP2>
    next
end
Customize security policy
To allow access to the server from the Internet:
- Go to Policy & Objects → IPv4 Policy and create a new policy.
- Select the external interface as the Incoming Interface and the internal interface as the Outgoing Interface.
- Select a virtual IP address or group as the Destination Address.
For this policy, NAT is left disabled so that the server sees the real source addresses of the connections it receives. This is the preferred setting.
To configure the same via the CLI, enter:
config firewall policy
    edit 2
        set name "Server Access"
        set srcintf <External Interface>
        set dstintf <Internal Interface>
        set srcaddr all
        set dstaddr <VIP>
        set action accept
        set schedule always
        set service ALL
    next
end
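The protection described above depends on the VIP having port forwarding enabled: a policy that accepts traffic to a VIP without it publishes every port of the mapped host. The following is an added example, not code from the original page, that parses FortiOS CLI text of the form shown above and flags such policies; the addresses and object names in SAMPLE are constructed.

```python
# Constructed example (not from the original page): parse FortiOS CLI text for
# VIPs and policies, and flag accept policies whose destination VIP has no port
# forwarding, since such a VIP exposes every port of the mapped host.
SAMPLE = """\
config firewall vip
    edit "Server SSH"
        set portforward enable
        set mappedip 192.168.1.10
        set mappedport 22
    next
    edit "Server full"
        set mappedip 192.168.1.11
    next
end
config firewall policy
    edit 2
        set dstaddr "Server SSH"
        set action accept
        set service ALL
    next
    edit 3
        set dstaddr "Server full"
        set action accept
    next
end
"""

def parse(text):
    """Return {table: {entry: {key: value}}}; single-valued 'set' lines only."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, val = line[4:].partition(" ")
            entry[key] = val.strip('"')
        elif line in ("next", "end"):
            entry = None
    return tables

def audit(text):
    """One finding per accept policy whose destination VIP is not port-forwarded."""
    cfg = parse(text)
    vips = cfg.get("firewall vip", {})
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        vip = vips.get(pol.get("dstaddr", ""))
        if pol.get("action") == "accept" and vip and vip.get("portforward") != "enable":
            findings.append(f"policy {pid}: VIP {pol['dstaddr']} maps all ports of {vip['mappedip']}")
    return findings
```

Run it against the output of `show firewall vip` and `show firewall policy` to check a live configuration.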