And if you put the sever in the DMZ? It should bypass the firewall then. Does that work?
//
Allowing Outbound Traffic
By default, the NetScreen-25 device does not allow inbound or outbound traffic, nor does it allow traffic to or from the DMZ. You need to create access policies to permit specified kinds of traffic in the directions you want. (You can also create access policies to deny and tunnel traffic.)
The following access policy permits all kinds of outbound traffic from any point on the Trust network to any point on the Untrust network.
set policy outgoing “inside any” “outside any” any permit save
You can also use the Outgoing Policy Wizard in the WebUI management application to create access policies for outbound traffic. See “Accessing the Device With the WebUI” on page 18 for information on accessing the WebUI application.
//
I am not really sure to get what exactly is your question (since i cannot find any ?) in your post, but from my understanding, i will suggest some clues.
To check bandwidth usage per protocol you may want to consider the NetFlow protocol.
This protocol is able to deeply analyse network traffic and report usage up to application layer.
As NetFlow is a Cisco protocol and we are talking about Fortinet, you can use an alternative to NetFlow called sFlow.
Since FortiOS 4.0MR2 Fortinet supports the sFlow protocol. It can be enabled on all interfaces or only unitary ones.
The problem with sFlow, in opposition to NetFlow, is that sFlow requires a polling interval so you may miss some traffic.
Here's a (very short) blog to illustrate what i am saying.
Also, as you are talking about a specific product (ManageEngine), here's a link that could be interesting.
Just a word about bandwidth usage only :
I have not enabled sFlow on my Fortigate units, but i have implemented bandwidth usage monitoring on each of my Fortigate interfaces, using SNMP and Cacti, following this document.
I have to say that results i get in my graphs are relevant. I don't have unreliable statistics you talk about.
I use OID : 1.3.6.1.2.1.2.2.1 (iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry) to get statistics :
- ifInOctets = 1.3.6.1.2.1.2.2.1.10
- ifOutOctets = 1.3.6.1.2.1.2.2.1.16
Assuming an interface with index number 57 :
- ifInOctets.57 = 1.3.6.1.2.1.2.2.1.10.57
- ifOutOctets.57 = 1.3.6.1.2.1.2.2.1.16.57
Good luck !
Best Answer
You say that you have assigned
TCP 1194on the internal IP to the external one, but then you assign an additionalUDP 1194in your Policy.This UDP port should also be handled by the External interface.
I don't have a 80C but a 3140B, should be the same. Here is how i would setup things (assuming that your OpenVPN port and protocol are correct).
For the sample, let's say that :
200.200.200.200is the public IP (WAN_External)192.168.0.10is the private IP of the OpenVPN Server (LAN_Internal)First you should create two "Virtual IP" with Port Forwarding, like this :
Second, create the Policy :