kvsivasakthi
New Member
November 29, 2025
Question

DNAT VIP

  • November 29, 2025
  • 1 reply
  • 230 views

Hi,

Looking for clarity on DNAT VIP in FortiGate. I have VIP vip_123.1.1.10 [external IP 123.1.1.10 & mapped IP 10.1.1.100]. And below is my rule:

Src 174.1.1.1
Dst 123.1.1.10
Port https

Note, I haven't used the VIP, but used an actual IP. And I believe it will not work, but can anyone explain how FortiGate processes this traffic? Does FortiGate still do a VIP lookup as I used the external IP in my policy?

Thanks in advance

1 reply

esalija
Staff
November 29, 2025

Hi @kvsivasakthi


In FortiGate, VIP (Virtual IP) lookup is performed before policy lookup.


Here's how FortiGate processes the traffic in your scenario:

1. FortiGate will first check if there is a VIP configured for the destination IP address in the incoming traffic.

In your case, the VIP vip_123.1.1.10 is configured with the external IP 123.1.1.10.

2. If a VIP is found, FortiGate will use the mapped IP (10.1.1.100) for policy lookup. However, since your policy uses the actual external IP (123.1.1.10) instead of the VIP object, the policy will not match the traffic.

3. As a result, the traffic will not be processed as expected because the policy does not reference the VIP object.

The traffic will be dropped if no matching policy is found.

4. To ensure the traffic is processed correctly, you should use the VIP object (vip_123.1.1.10) in the destination field of your firewall policy instead of the actual external IP.

This allows FortiGate to correctly map the external IP to the internal IP and apply the appropriate policy.


Thanks, Erlin
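Added example, not part of the thread or of Fortinet's documentation: FortiOS CLI for the scenario above, with the non-matching policy (destination is a plain address object for 123.1.1.10) beside the corrected one (destination is the VIP object). The interface names wan1/internal, the policy names and the address-object names are assumptions; the IPs are those from the question.

```fortios
# Added example, not part of the original thread. Interface names and
# the address-object names are assumptions; the IPs are from the question.

# VIP from the question: external 123.1.1.10 is DNAT'd to 10.1.1.100
config firewall vip
    edit "vip_123.1.1.10"
        set extip 123.1.1.10
        set extintf "wan1"
        set mappedip "10.1.1.100"
    next
end

config firewall address
    edit "host_174.1.1.1"
        set subnet 174.1.1.1 255.255.255.255
    next
    # plain address object for the external IP (what the question's rule uses)
    edit "host_123.1.1.10"
        set subnet 123.1.1.10 255.255.255.255
    next
end

config firewall policy
    # Policy 1: destination is the plain address object. The VIP lookup
    # has already matched vip_123.1.1.10, so this policy does not match
    # the DNAT'd session and the traffic is dropped (no matching policy).
    edit 1
        set name "wrong-dnat-https"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "host_174.1.1.1"
        set dstaddr "host_123.1.1.10"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    # Policy 2: destination is the VIP object, so the policy matches the
    # session after DNAT and the traffic is forwarded to 10.1.1.100:443.
    edit 2
        set name "correct-dnat-https"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "host_174.1.1.1"
        set dstaddr "vip_123.1.1.10"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

Only policy 2 is needed in practice; policy 1 is shown for contrast. To confirm which policy a test connection hits, run `diagnose debug flow filter daddr 123.1.1.10`, `diagnose debug flow trace start 10` and `diagnose debug enable`, then connect from 174.1.1.1; the trace reports the DNAT to 10.1.1.100 and the policy ID that accepted or dropped the packet.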