Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sagha
Staff
Staff

Created on ‎10-05-2017 04:08 PM Edited on ‎07-08-2025 07:01 AM By Moderator

Article Id 197615

Technical Tip: Configure firewall policies for a VIP when Central NAT is enabled

Description


This article describes how to configure firewall policies for a VIP when Central NAT is enabled.

Scope


FortiGate.

Solution


When Central NAT is enabled, it is not necessary to add the VIP object into the firewall policy as the destination address.

This is normal behavior due to the fact that, in a Central NAT status, the DNAT is injected into the kernel since the object is created into the Policy & Objects -> DNAT & Virtual IPs. VIP matches for local-out traffic as well, if you want to restrict local-out traffic to not match the VIP, it is possible to use 'srcintf-filter'.

The only thing needed is to create the VIP as usual:
 VIP.gif

 
Example configuration in the CLI:
 
config firewall vip
    edit "RDP"
        set extip 192.168.17.162
        set mappedip "192.168.1.60"
        set extintf "any"
        set portforward enable
        set extport 3389
        set mappedport 3389
    next
end
 
Create the local IP address object and the firewall policy. In the destination field of the firewall policy, select the local IP configured into the VIP.
 
address-and-policy.gif
 
Example configuration in the CLI: 
 
config firewall address
    edit "192.168.1.60"
        set subnet 192.168.1.60 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "RDP"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "192.168.1.60"
        set schedule "always"
        set service "ALL"
    next
end
 
Starting from v6.2, there is a new feature 'match-vip-only' to apply to a policy when Central NAT is enabled, CLI only (disabled by default).

config firewall policy
edit RDP
    set  match-vip-only enable
next
end
 
If it is disabled, traffic from SD-WAN to LAN with 192.168.1.60 (internal IP) or 192.168.157.162 (external IP) as the destination will be allowed.
 
If 'match-vip-only' is enabled, the policy will be matched only if a DNAT is applied before, so only traffic from SD-WAN to LAN with destination 192.168.157.162 (external IP) will match the policy. This behavior has changed starting from v6.4.3 where match-vip-only is not configurable and there are no options to change this config.
 
Related documents:
25012
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.