FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 197615


This article describes how to configure firewall policies for a VIP when Central NAT is enabled.




When Central NAT is enabled, it is not necessary to add the VIP object into the firewall policy as the destination address.

This is normal behavior due to the fact that, in a Central NAT status, the DNAT is injected into the kernel since the object is created into the Policy & Objects -> DNAT & Virtual IPs. VIP matches for local-out traffic as well, if you want to restrict local-out traffic to do not match the VIP, it is possible to use 'srcintf-filter' .

The only thing needed is to create the VIP as usual:

Then, create the firewall policy, and in the destination field, select the local IP configured into the VIP.
policy VIP.PNG

Starting from 6.2 there is a new feature 'match-vip-only' to apply to a policy when Central NAT is enabled, CLI only (disabled by default)

config firewall policy
edit RDP
    set  match-vip-only enable
If it is disabled, traffic from SD-WAN to LAN with (internal IP) or (external IP) as the destination will be allowed.
If 'match-vip-only' is enabled the policy will be matched only if a DNAT is applied before, so only traffic from SDWAN to LAN with destination (external ip) will match the policy.
This behavior has changed starting from FOS 6.4.3 where match-vip-only is not configurable and there are no options to change this config.