In this example, each internal server is mapped to a unique public IP using a FortiGate Virtual IP (VIP) configured for static 1:1 DNAT. External users can reach these servers by connecting to the corresponding addresses within the VIP range:

| VIP Address | Internal IP Address |
|---|---|
| 10.47.21.1 | 10.201.5.11 |
| 10.47.21.2 | 10.201.5.12 |
| 10.47.21.3 | 10.201.5.13 |

DNAT Configuration

Below is the session list:

```
diagnose sys session list
session info: proto=1 proto_state=00 duration=5 expire=54 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00 f02
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 10/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=3->12/12->3 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 10.111.36.24:1->10.47.21.2:8(10.201.5.12:1)
hook=post dir=reply act=snat 10.201.5.12:1->10.111.36.24:0(10.47.21.2:1)
misc=0 policy_id=2 pol_uuid_idx=15859 auth_info=0 chk_client_info=0 vd=0 serial=00073541 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100 no_ofld_reason: npu-flag-off

session info: proto=1 proto_state=00 duration=8 expire=51 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00 f02
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 7/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=3->12/12->3 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 10.111.36.24:1->10.47.21.1:8(10.201.5.11:1)
hook=post dir=reply act=snat 10.201.5.11:1->10.111.36.24:0(10.47.21.1:1)
misc=0 policy_id=2 pol_uuid_idx=15859 auth_info=0 chk_client_info=0 vd=0 serial=0007353c tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100 no_ofld_reason: npu-flag-off

session info: proto=1 proto_state=00 duration=3 expire=56 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00 f02
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 18/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=3->12/12->3 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 10.111.36.24:1->10.47.21.3:8(10.201.5.13:1)
hook=post dir=reply act=snat 10.201.5.13:1->10.111.36.24:0(10.47.21.3:1)
misc=0 policy_id=2 pol_uuid_idx=15859 auth_info=0 chk_client_info=0 vd=0 serial=00073549 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100 no_ofld_reason: npu-flag-off
total session: 3
```

Each `act=dnat` line shows the translation in the form `client -> VIP (internal server)`: for instance `10.111.36.24:1->10.47.21.2:8(10.201.5.12:1)` confirms that traffic to VIP 10.47.21.2 was delivered to 10.201.5.12, and the matching `act=snat` line on the reply direction shows the internal address being rewritten back to the VIP.

Note: In 1-to-1 mapping, the VIP range is deterministic. If the external range is 10.10.10.1-10.10.10.20 and the internal range is 192.168.10.1-192.168.10.20, .1 maps to .1, .2 to .2, and so on. The external and internal ranges will always have the same number of IPs. In this case, 10.47.21.1 maps to 10.201.5.11 and so on, as shown in the table above.
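As an added example (not code from the original page or from Fortinet), the following Python script reproduces the deterministic 1:1 mapping rule from the note and checks `diagnose sys session list` output against it: it builds the expected external-to-internal table from the range boundaries, pulls the `act=dnat` translation out of each session entry, and reports any session whose observed internal address is not the one the VIP should map to. The sample session text is constructed from the three entries above, trimmed to the relevant lines, with a fourth deliberately wrong entry (serial `deadbeef`) added so the mismatch path is exercised; the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the page's three VIP sessions, trimmed to the lines
# this check needs, plus one constructed session (serial=deadbeef) whose
# DNAT target is wrong on purpose.
SAMPLE_SESSION_LIST = """\
session info: proto=1 proto_state=00 duration=5 expire=54 timeout=0
hook=pre dir=org act=dnat 10.111.36.24:1->10.47.21.2:8(10.201.5.12:1)
hook=post dir=reply act=snat 10.201.5.12:1->10.111.36.24:0(10.47.21.2:1)
misc=0 policy_id=2 pol_uuid_idx=15859 auth_info=0 chk_client_info=0 vd=0 serial=00073541
session info: proto=1 proto_state=00 duration=8 expire=51 timeout=0
hook=pre dir=org act=dnat 10.111.36.24:1->10.47.21.1:8(10.201.5.11:1)
hook=post dir=reply act=snat 10.201.5.11:1->10.111.36.24:0(10.47.21.1:1)
misc=0 policy_id=2 pol_uuid_idx=15859 auth_info=0 chk_client_info=0 vd=0 serial=0007353c
session info: proto=1 proto_state=00 duration=3 expire=56 timeout=0
hook=pre dir=org act=dnat 10.111.36.24:1->10.47.21.3:8(10.201.5.13:1)
hook=post dir=reply act=snat 10.201.5.13:1->10.111.36.24:0(10.47.21.3:1)
misc=0 policy_id=2 pol_uuid_idx=15859 auth_info=0 chk_client_info=0 vd=0 serial=00073549
session info: proto=6 proto_state=01 duration=2 expire=3598 timeout=3600
hook=pre dir=org act=dnat 10.111.36.24:51000->10.47.21.3:443(10.201.5.99:443)
hook=post dir=reply act=snat 10.201.5.99:443->10.111.36.24:51000(10.47.21.3:443)
misc=0 policy_id=2 pol_uuid_idx=15859 auth_info=0 chk_client_info=0 vd=0 serial=deadbeef
total session: 4
"""

# Matches the original-direction DNAT line: client:port->vip:port(internal:port)
DNAT_RE = re.compile(
    r"hook=pre dir=org act=dnat "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<vip>[\d.]+):(?P<dport>\d+)"
    r"\((?P<internal>[\d.]+):(?P<iport>\d+)\)"
)
SERIAL_RE = re.compile(r"\bserial=(?P<serial>[0-9a-f]+)")


def static_vip_map(ext_start, ext_end, int_start, int_end):
    """Expected {external_ip: internal_ip} for a static 1:1 VIP range.

    The n-th external address maps to the n-th internal address, so both
    ranges must contain the same number of IPs (as the note states)."""
    e0, e1 = ipaddress.IPv4Address(ext_start), ipaddress.IPv4Address(ext_end)
    i0, i1 = ipaddress.IPv4Address(int_start), ipaddress.IPv4Address(int_end)
    if e1 < e0 or i1 < i0:
        raise ValueError("range end must not precede range start")
    if int(e1) - int(e0) != int(i1) - int(i0):
        raise ValueError("external and internal ranges must be the same size")
    return {str(e0 + n): str(i0 + n) for n in range(int(e1) - int(e0) + 1)}


def parse_dnat_sessions(session_list_text):
    """Split the output into sessions and extract the DNAT translation of each.

    Sessions without an act=dnat line (not a VIP hit) are skipped."""
    sessions = []
    for chunk in session_list_text.split("session info:")[1:]:
        m = DNAT_RE.search(chunk)
        if not m:
            continue
        s = SERIAL_RE.search(chunk)
        sessions.append({
            "serial": s.group("serial") if s else None,
            "client": m.group("src"),
            "vip": m.group("vip"),
            "internal": m.group("internal"),
        })
    return sessions


def find_mismatches(sessions, vip_map):
    """Sessions whose observed VIP->internal translation is not the expected
    one: either the VIP is not in the map, or it landed on the wrong host."""
    bad = []
    for s in sessions:
        expected = vip_map.get(s["vip"])
        if expected != s["internal"]:
            bad.append({**s, "expected": expected})
    return bad


EXPECTED_MAP = static_vip_map("10.47.21.1", "10.47.21.3",
                              "10.201.5.11", "10.201.5.13")

if __name__ == "__main__":
    for s in parse_dnat_sessions(SAMPLE_SESSION_LIST):
        print(f"serial={s['serial']} {s['client']} -> {s['vip']} ({s['internal']})")
    for b in find_mismatches(parse_dnat_sessions(SAMPLE_SESSION_LIST), EXPECTED_MAP):
        print(f"MISMATCH serial={b['serial']}: {b['vip']} went to "
              f"{b['internal']}, expected {b['expected']}")
```

Run against real output by replacing `SAMPLE_SESSION_LIST` with the captured text of `diagnose sys session list`; a non-empty mismatch list means a session hit a VIP that is not in the configured range or was delivered to a host other than the one the 1:1 offset predicts, which is the first thing to check when a DNAT policy is not behaving as the table says it should.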