syordanov (Staff)
Article Id 416697
Description: This article describes how to configure a VIP on a loopback interface correctly on FortiOS v7.4.8+.
Scope: FortiOS v7.4.8+.
Solution

The behavior when a VIP is configured on a loopback interface has changed.

This article describes how a VIP on a loopback interface should be configured on FortiOS v7.4.8+.

Topology:

[Diagram: KB_loopback_diagram.JPG]

VIP configuration:

config firewall vip
    edit "VIP_DNAT"
        set uuid b4d25542-19d2-51ee-aa4d-842ac4cf1420
        set service "SSH"
        set extip 10.10.99.1
        set mappedip "192.168.1.70"
        set extintf "any"
    next
end

Loopback configuration:

config system interface
    edit "loopback_1"
        set vdom "root"
        set ip 10.10.99.1 255.255.255.255
        set allowaccess ping https ssh http
        set type loopback
        set role lan
        set snmp-index 21
    next
end

Firewall policy configuration:

config firewall policy
    edit 3
        set name "WAN_to_Loopback"
        set uuid 767d2dfe-b11e-51f0-57cd-821bed033515
        set srcintf "wan1"
        set dstintf "loopback_1"
        set action accept
        set srcaddr "all"
        set dstaddr "h-10.10.99.1"
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set name "Loopback_to_real_server"
        set uuid e3fe33e8-b176-51f0-7d63-a6ee1b81fb58
        set srcintf "loopback_1"
        set dstintf "lan"
        set action accept
        set srcaddr "all"
        set dstaddr "VIP_DNAT"
        set schedule "always"
        set service "SSH"
    next
end

Output from debug flow:

id=65308 trace_id=904 func=print_pkt_detail line=5945 msg="vd-root:0 received a packet(proto=6, 192.168.0.222:47228->10.10.99.1:22) tun_id=0.0.0.0 from wan1. flag [S], seq 1932703686, ack 0, win 64240"
id=65308 trace_id=904 func=init_ip_session_common line=6138 msg="allocate a new session-00061ed2"
id=65308 trace_id=904 func=iprope_dnat_check line=5480 msg="in-[wan1], out-[]"
id=65308 trace_id=904 func=iprope_dnat_tree_check line=834 msg="len=1"
id=65308 trace_id=904 func=__iprope_check_one_dnat_policy line=5342 msg="checking gnum-100000 policy-693"
id=65308 trace_id=904 func=get_new_addr line=1274 msg="find DNAT: IP-192.168.1.70, port-0(fixed port)"
id=65308 trace_id=904 func=__iprope_check_one_dnat_policy line=5436 msg="matched policy-693, act=accept, vip=693, flag=104, sflag=2000000"
id=65308 trace_id=904 func=iprope_dnat_check line=5506 msg="result: skb_flags-02000000, vid-693, ret-matched, act-accept, flag-00000104"
id=65308 trace_id=904 func=__iprope_fwd_check line=809 msg="in-[wan1], out-[loopback_1], skb_flags-02000000, vid-693, app_id: 0, url_cat_id: 0"
id=65308 trace_id=904 func=__iprope_tree_check line=529 msg="gnum-100004, use int hash, slot=84, len=2"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2138 msg="checked gnum-100004 policy-3, ret-matched, act-accept" <-----
id=65308 trace_id=904 func=__iprope_user_identity_check line=1899 msg="ret-matched"
id=65308 trace_id=904 func=__iprope_check line=2400 msg="gnum-4e20, check-5f02a790"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2138 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2138 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2138 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=904 func=__iprope_check line=2419 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2371 msg="policy-3 is matched, act-accept"
id=65308 trace_id=904 func=__iprope_fwd_check line=846 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-3"
id=65308 trace_id=904 func=iprope_fwd_auth_check line=875 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-3"
id=65308 trace_id=904 func=fw_pre_route_handler line=190 msg="VIP-192.168.1.70:22, outdev-unknown"
id=65308 trace_id=904 func=__ip_session_run_tuple line=3486 msg="DNAT 10.10.99.1:22->192.168.1.70:22"
id=65308 trace_id=904 func=vf_ip_route_input_common line=2613 msg="find a route: flag=04000000 gw-192.168.1.70 via lan"
id=65308 trace_id=904 func=__iprope_fwd_check line=809 msg="in-[loopback_1], out-[lan], skb_flags-020000c0, vid-693, app_id: 0, url_cat_id: 0"
id=65308 trace_id=904 func=__iprope_tree_check line=529 msg="gnum-100004, use int hash, slot=63, len=2"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2138 msg="checked gnum-100004 policy-4, ret-matched, act-accept" <-------
id=65308 trace_id=904 func=__iprope_user_identity_check line=1899 msg="ret-matched"
id=65308 trace_id=904 func=__iprope_check line=2400 msg="gnum-4e20, check-5f02a790"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2138 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2138 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2138 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=904 func=__iprope_check line=2419 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2371 msg="policy-4 is matched, act-accept"
id=65308 trace_id=904 func=__iprope_fwd_check line=846 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-4"
id=65308 trace_id=904 func=iprope_fwd_auth_check line=875 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-4"
id=65308 trace_id=904 func=fw_forward_handler line=996 msg="Allowed by Policy-4:"
id=65308 trace_id=904 func=__if_queue_push_xmit line=397 msg="send out via dev-internal, dst-mac-00:0c:29:9e:79:83"

Session list:

session info: proto=6 proto_state=01 duration=45 expire=3587 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=3498/20/1 reply=4292/19/1 tuples=2
tx speed(Bps/kbps): 76/0 rx speed(Bps/kbps): 93/0
orgin->sink: org pre->post, reply pre->post dev=6->31/31->6 gwy=192.168.1.70/192.168.0.222
hook=pre dir=org act=dnat 192.168.0.222:47228->10.10.99.1:22(192.168.1.70:22)
hook=post dir=reply act=snat 192.168.1.70:22->192.168.0.222:47228(10.10.99.1:22)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4 pol_uuid_idx=917 auth_info=0 chk_client_info=0 vd=0
serial=00061ed2 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x040108
no_ofld_reason: non-npu-intf
total session: 1

It is expected behavior that the session list shows only one session, and that it is attributed to firewall policy ID 4, even though the debug flow above shows both policy 3 and policy 4 being matched.
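As an added example (not part of this article or of FortiOS), the following Python script parses the relevant `diagnose debug flow` lines quoted above and checks that a loopback VIP behaves as described for v7.4.8+: the first policy lookup accepts traffic into the loopback interface, the DNAT to the mapped IP follows, the second lookup accepts traffic out of the loopback, and the final verdict comes from that second policy. The sample lines are constructed from the article's trace, and the function and variable names are assumptions of this example.

```python
import re

# Constructed sample: the lines of the article's debug flow (trace_id=904) this check reads.
DEBUG_FLOW = """\
id=65308 trace_id=904 func=__iprope_fwd_check line=809 msg="in-[wan1], out-[loopback_1], skb_flags-02000000, vid-693, app_id: 0, url_cat_id: 0"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2371 msg="policy-3 is matched, act-accept"
id=65308 trace_id=904 func=__ip_session_run_tuple line=3486 msg="DNAT 10.10.99.1:22->192.168.1.70:22"
id=65308 trace_id=904 func=__iprope_fwd_check line=809 msg="in-[loopback_1], out-[lan], skb_flags-020000c0, vid-693, app_id: 0, url_cat_id: 0"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2371 msg="policy-4 is matched, act-accept"
id=65308 trace_id=904 func=fw_forward_handler line=996 msg="Allowed by Policy-4:"
"""

FWD_RE = re.compile(r'func=__iprope_fwd_check .*msg="in-\[(\S+)\], out-\[(\S*)\]')
POL_RE = re.compile(r'msg="policy-(\d+) is matched, act-(\w+)"')
DNAT_RE = re.compile(r'msg="DNAT ([\d.:]+)->([\d.:]+)"')
ALLOW_RE = re.compile(r'msg="Allowed by Policy-(\d+):')

def parse_trace(text):
    """Collect each forwarding lookup (in/out interface plus the policy it matched),
    the DNAT translation, and the policy that finally allowed the packet."""
    hops, pending, dnat, allowed = [], None, None, None
    for line in text.splitlines():
        if m := FWD_RE.search(line):          # a new policy lookup starts here
            pending = {"in": m[1], "out": m[2]}
        elif (m := POL_RE.search(line)) and pending is not None:
            pending.update(policy=int(m[1]), action=m[2])
            hops.append(pending)
            pending = None
        elif m := DNAT_RE.search(line):
            dnat = (m[1], m[2])
        elif m := ALLOW_RE.search(line):
            allowed = int(m[1])
    return {"hops": hops, "dnat": dnat, "allowed_by": allowed}

def check_loopback_vip(trace, loopback, extip, mappedip, port):
    """Return deviations from the two-stage match documented for v7.4.8+
    (accept into loopback, DNAT, accept out of loopback); an empty list means OK."""
    if len(trace["hops"]) != 2:
        return [f"expected 2 policy lookups, saw {len(trace['hops'])}"]
    first, second = trace["hops"]
    problems = []
    if (first["out"], first["action"]) != (loopback, "accept"):
        problems.append(f"first lookup should accept into {loopback}: {first}")
    if (second["in"], second["action"]) != (loopback, "accept"):
        problems.append(f"second lookup should accept out of {loopback}: {second}")
    if trace["dnat"] != (f"{extip}:{port}", f"{mappedip}:{port}"):
        problems.append(f"unexpected DNAT translation: {trace['dnat']}")
    if trace["allowed_by"] != second["policy"]:
        problems.append(f"final verdict came from policy {trace['allowed_by']}")
    return problems
```

Run it against a trace captured from your own unit (with your loopback name, VIP extip and mappedip) after upgrading; a non-empty result points at the stage where the policy chain differs from the article's expected path.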

 

Related document:

Release notes FortiOS 7.4.8