NAT Port Forwarding Enhancement Request

Question

Adding support for Firewall address and service objects for Virtual IP

Fortigate Firewalls have great functionality to limit the firewall rule mess that many other firewalls have. You can create named services and service groups instead of filling in ports all the time, you can create names addresses, address-ranges and group these, and even add colors to the various objects to make the firewall rules transparent and easy to understand.

Unfortunately Virtual IPs for Port Forwarding feel like they were forgotten. As here you will need to fill in IP addresses and Ports manually instead of being able to choose from the named and colored firewall objects.

The worst part is that to forward a port you will need to add the address and port/service as a firewall object to create the Policy rule but you need to add them manually in the Virtual IP. So as a firewall admin you have to do everything twice. If You want to change a port of address you have to do it twice too.

Another disadvantage is that with the virtual IPs you can only add one port or port range, instead of selecting multiple services.

I believe this limitation could be fixed very easily by updating the Virtual IP interface too support the already existing firewall objects. This would greatly help in decreasing the work when there are many ports forwarded and would make it much clearer.

As a second step I would propose to get rid of those Virtual IPs altogether as even with the above changes I would still do many things twice, for instance selecting the service/ports in both Virtual IP and Firewall Policy. It would be great if we could just create the policy and tick a box to enable port forwarding. This however requires probably more work and if you could just add the firewall objects support for Virtual IPs I would be very happy.

ede_pfau · Accepted Answer

You are absolutely right. VIPs are quite simple but the usage model is antique.

Would you care to post your request (in short form) here: http://fortinet.uservoice.com/forums/23797-fortipartner-feature-requests ? This will reach the Fortinet SE team much more directly. Requests can be voted upwards, and there will be some kind of feedback.

gschmitt · Answer

Yes, this has gone on my nerves since day 1.

Sadly if you create a port forwarding (i.e. 66.77.88.99 > 192.168.1.1) and do not specify the ports

Create a policy which only allows port 25 with the VIP as destination it will simply try to port forward all ports to it and drop all connections which are not port 25

This results in SSL VPN/IPSec not working since it forwards those ports aswell

I can't count the hours I spend entering all possible port ranges TWICE (once for the VIP, once for the service)

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded