edomi
Staff
September 26, 2024

Technical Tip: How FortiOS handles VIP lookup

Description
This article describes how VIP/DNAT lookup is done in FortiOS and how this may affect communication.
Scope
FortiGate.
Solution

FortiOS, by design, performs VIP lookup before policy lookup. When several VIPs share the same external IP and port and the traffic they match is allowed by different policies, the VIP chosen during VIP lookup decides which policy can match: if the policy intended to allow the traffic references a VIP other than the one FortiOS selected, the traffic is dropped.


If multiple VIPs map to the same external IP:

Without port forwarding, only the first VIP in the configuration is matched, for all traffic destined to the external IP regardless of port. Policies that reference the other VIPs are never matched, so that traffic is either dropped or, if a policy references the first VIP, forwarded to the first VIP's mapped address instead of the intended one.

If one or more VIPs use port forwarding, place them above any VIP on the same external IP that has port forwarding disabled. Otherwise the VIP without port forwarding, which matches every port on that IP, wins the lookup for all traffic, and the policies that reference the port-forwarding VIPs are never matched.


[Figure: packet life.png]


Note: FortiOS processes inbound traffic in the following order (DNAT precedes routing in Fortinet's documented packet flow), which is why the VIP selected during lookup determines which policies can match afterwards:

  • Packet arrives on the ingress interface.
  • VIP lookup is evaluated (DNAT is applied if a VIP matches).
  • Routing decision is performed on the translated destination (local-in traffic vs forward traffic).
  • Firewall policy lookup occurs using the translated destination IP; only a policy whose destination is the VIP that was selected can match.
  • Security profiles are applied (if configured in the matching policy).
  • Session is created, and traffic is forwarded.
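To make the first-match rule and the lookup order concrete, the following Python script is an added example (not code from Fortinet or from this article). It simulates the VIP lookup and the policy lookup that follows it, using a constructed pair of VIPs on the same external IP (one whole-IP VIP, one port-forwarding VIP) and constructed policies, and includes a small lint, shadowed_vips(), that reports VIPs which can never be selected. All IPs, VIP names and policy IDs are hypothetical, and the FortiOS CLI keywords in the comments are given only to show which setting each field stands for.

```python
"""Simulation of FortiOS VIP (DNAT) lookup followed by policy lookup.

Added example, not Fortinet code. It models the behaviour described in the
article: the VIP table is searched in configuration order, the first VIP that
matches the packet's external IP (and, for port-forwarding VIPs, protocol and
external port) wins, and a policy can only match afterwards if its dstaddr is
the VIP that actually won. All IPs, names and policy IDs are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VIP:
    """One 'config firewall vip' entry; list position is configuration order."""
    name: str
    extip: str                         # set extip
    mappedip: str                      # set mappedip
    portforward: bool = False          # set portforward enable|disable
    protocol: str = "tcp"              # set protocol tcp|udp (port forwarding only)
    extport: Optional[int] = None      # set extport
    mappedport: Optional[int] = None   # set mappedport

    def matches(self, dst_ip: str, proto: str, dst_port: int) -> bool:
        if dst_ip != self.extip:
            return False
        if not self.portforward:
            return True                # whole-IP VIP: any protocol and port on extip
        return proto == self.protocol and dst_port == self.extport


@dataclass(frozen=True)
class Policy:
    """A 'config firewall policy' entry whose dstaddr is a VIP object."""
    id: int
    vip: str                           # set dstaddr "<vip name>"


def vip_lookup(vips: List[VIP], dst_ip: str, proto: str, dst_port: int) -> Optional[VIP]:
    """First-match VIP lookup, run before policy lookup."""
    for vip in vips:
        if vip.matches(dst_ip, proto, dst_port):
            return vip
    return None


def policy_lookup(policies: List[Policy], selected: VIP) -> Optional[Policy]:
    """Policy lookup on the translated destination: only a policy whose dstaddr
    is the VIP that won the lookup can match."""
    for pol in policies:
        if pol.vip == selected.name:
            return pol
    return None


def forward(vips, policies, dst_ip, proto, dst_port) -> Optional[Tuple[int, str, int]]:
    """Return (policy id, mapped IP, mapped port) for accepted traffic, None if dropped.
    Traffic matching no VIP is treated as dropped here; a real FortiGate would
    continue with policy lookup on the untranslated address."""
    vip = vip_lookup(vips, dst_ip, proto, dst_port)
    if vip is None:
        return None
    pol = policy_lookup(policies, vip)
    if pol is None:
        return None
    port = vip.mappedport if vip.portforward else dst_port
    return (pol.id, vip.mappedip, port)


def shadowed_vips(vips: List[VIP]) -> List[Tuple[str, str]]:
    """Config lint: (shadowed VIP, VIP that wins instead) for every VIP that can
    never be selected because an earlier entry on the same extip always wins."""
    result = []
    for vip in vips:
        if vip.portforward:
            probe_port = vip.extport
        else:
            # probe a port that no port-forwarding VIP on this extip claims
            used = {v.extport for v in vips if v.portforward and v.extip == vip.extip}
            probe_port = next(p for p in range(1, 65536) if p not in used)
        winner = vip_lookup(vips, vip.extip, vip.protocol, probe_port)
        if winner is not vip:
            result.append((vip.name, winner.name))
    return result


# Constructed configuration: a whole-IP VIP and a port-forwarding VIP on the
# same external address, each referenced by its own policy.
VIP_ALL = VIP("vip_all", "203.0.113.10", "10.0.0.10")
VIP_HTTPS = VIP("vip_https", "203.0.113.10", "10.0.0.20",
                portforward=True, protocol="tcp", extport=443, mappedport=443)
VIPS_WRONG = [VIP_ALL, VIP_HTTPS]      # whole-IP VIP listed first
VIPS_RIGHT = [VIP_HTTPS, VIP_ALL]      # port-forwarding VIP listed first
POLICIES = [Policy(1, "vip_https"), Policy(2, "vip_all")]
POLICIES_HTTPS_ONLY = [Policy(1, "vip_https")]

if __name__ == "__main__":
    print("shadowed (wrong order):", shadowed_vips(VIPS_WRONG))
    print("shadowed (right order):", shadowed_vips(VIPS_RIGHT))
    for vips, pols, label in ((VIPS_WRONG, POLICIES_HTTPS_ONLY, "wrong order, https policy only"),
                              (VIPS_WRONG, POLICIES, "wrong order, both policies"),
                              (VIPS_RIGHT, POLICIES, "right order, both policies")):
        print(label, "-> tcp/443:", forward(vips, pols, "203.0.113.10", "tcp", 443),
              "tcp/80:", forward(vips, pols, "203.0.113.10", "tcp", 80))
```

With the whole-IP VIP listed first, HTTPS traffic is either dropped (when only the port-forwarding VIP has a policy) or delivered to the whole-IP VIP's mapped address (when both have policies), which is the silent misrouting case worth checking for; with the port-forwarding VIP first, port 443 reaches its own mapped host and everything else falls through to the whole-IP VIP.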


Related documents:

Destination NAT

Configuring VIPs