FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

This article describes, how to allocate multiple public IP addresses, to your Fortigate VM deployed in Azure cloud, and use these Public IP addresses to access hosted services behind FortiGate VM.

Scope FortiOS

Fortigate VM, has one or more network interfaces(NIC), attached to it. Any NIC can have one or more static or dynamic public and private IP addresses assigned to it.

To add private and public IP addresses to Fortigate VM interface, you will need to complete the below steps:


-In the Fortigate VM pane, Navigate to Networking Tab. Click Network interface on the page. As shown in the picture below:



-In the Network interface pane, click the IP configurations. Click Add, complete the steps, by giving the Name of the address (e.g. “Test_IP”), make the allocation static, click associate the public IP to create a new one or choose existing IP, The PIP should be Static assignment (Note: Public IP SKU should be the same for all NIC, in case the primary IP was ‘Basic’, Any new Public IP should also be ‘Basic’, The different basic SKU and Standard SKU load balancer or Public IP resources in availability set is not allowed)





-The new public IP should now, be added to Fortigate VM interface as shown in the following picture:



-After, the creation of the New public IP, you can now use this IP for Inbound/Outbound traffic, In our example below, The new Public IP started with 51.x.x.x will be used to access a web-hosted behind Fortigate VM on port 8080.


-For this example, We have created a VIP, with the inputs described in the picture. The external IP address should be the secondary private IP assigned to FGT NIC1, in our example, “Test_IP” Do not use public IP here.



-Then, create a new firewall policy for inbound traffic, and add the above VIP:

>Enable SNAT on the policy, in case the backend server inbound traffic(internet) is not routed and inspected via Fortigate port2. If defined (“Custom UDR”) a route with as the address prefix and a next hope type of Virtual appliance(Fortigate), then enabling SNAT is not required.



-The Hosted Website is now accessible from outside with new public IP (http://51.x.x.x:8080/)as shown below:



-In case the VM is deployed in the HA cluster, there will be a need to add all created public IP addresses, to SDN connector config. During the failover, these IPs will shift to the new primary VM, below is an example of the SDN connector where the new created public IP is added under SDN NIC config:


FGT-FGT-A # config system sdn-connector

edit "AzureHA"

        set status enable

        set type azure

        set use-metadata-iam enable

        set ha-status enable

        set azure-region global

        config nic

            edit "FGT-FGT-A-Nic1"

                config ip

                    edit "ipconfig1"

                        set public-ip "FGTPublicIP"

                        set resource-group ''


                    edit "Test_IP" 

                        set public-ip "SecondaryPIP" 

                        set resource-group ''