Best Practice: Configuration of port forwarding
Last adaptation to the version: 12.6.0
New:
- Updated to Redesign of the webinterface
Purpose of use
Objective: To make an internal server accessible from the Internet.
Port forwarding
Most companies do not have a subnet with external IPs available. All computers are in a private network and hide behind the IP of the router.
Port forwarding is used to redirect requests on certain ports directed to the public IP of the router to the internal server on another port, so that it can be reached from the Internet.In this example, a web server with the internal IP 192.168.175.111 is to be accessible from the public network.
Public IP is 192.0.2.192/32
Configuration of the appliance
Create network object
For port forwarding, the server must first be created as a network object.
- Menu Button
- The input mask "Add network object" appears.
| Caption | Value | Description | UTMuser@firewall.name.fqdnFirewallNetwork objects  Create network object
|
|---|---|---|---|
| Name: | Server | Name for the network object | |
| Type: | The packages are nattened to the destination | ||
| Address: | The IP address to which the forwarding should be made (in our example: of the web server). | ||
| Zone: | Select "internal" as zone | ||
| Group: | Assign to a network group (can be left blank). | ||
| Save and close | Saves the network object and closes the dialog | ||
Create service
If the port used to access the external IP from the outside, and which is forwarded internally to the server on another port, has not yet been configured as a service, it must now be created.
- Menu Button
The input mask "Add service" appears.
| Caption | Value | Description | UTMuser@firewall.name.fqdnFirewallServices  Create service
|
|---|---|---|---|
| Name: | extern-https | Enter a name for the service | |
| Protocol: | Choose protocol | ||
| Protocol type: | Not required for "tcp" protocol | ||
| Target port type: | Select single port or port range | ||
| Target port: | 4443 |
Port or port range on the target computer | |
| Source port type: | Specifying the source port is only useful in cases where the source port can be predicted (e.g. ftp). | ||
| Save and close | Saves the service object and closes the dialog | ||
Create firewall rules
| A firewall rule with "Destination NAT" must be created so that external users can now also access the server. Rule can be created under Button . Based on the example, the rule should look like this: General
|
UTMuser@firewall.name.fqdnFirewallPacketfilter  Port forwarding
| ||
| Source |  internet |
Access from the internet | |
| Target |  Server |
Network object for the target server | |
| Service |  https |
Service with which the port is to be addressed on the target computer | |
| Action | Accept the data packages | ||
[-] Nat
| |||
| Type | The packages are nattened to the destination | ||
| Network object |  external-interface |
Network object for the interface that is to perform the NAT | |
| Service | extern-https |
Service with which the port is accessed from the Internet (externally) | |
| Save and close | After new creation (like in this example) | ||
Speichern Save |
After change | ||
| For the changes to take effect | |||
The packetfilter rule will look like below.
After the last configuration step is completed, the port forwarding is active.
| # | Source | Target | Service | NAT | Action | Active | |||
 |
4 | internet |
server |
https |
DN | Accept | On |