FortiGate
chaithrar
Staff
Article Id 198285

Description

This article describes how to configure port forwarding using FortiGate Virtual IPs.

Scope

FortiGate.

Solution

Add Virtual IPs to enable port forwarding.

To forward TCP or UDP ports received by the FortiGate external interface to an internal server, follow these two steps.

  • Add a Virtual IP with Port Forwarding enabled.
  • Add a firewall policy with a virtual IP.

This example describes how to configure port forwarding to allow access to an internal Windows Server PC over Remote Desktop Protocol (RDP), which uses the default port 3389.

To add a virtual IP that forwards RDP packets:

  1. Go to Policy & Objects -> Virtual IPs.
  2. Select 'Create New'.
  3. Add a name for the Virtual IP.
  4. Select the External Interface. This will typically be the interface that connects the FortiGate to the Internet.
  5. Set the External IP Address using one of the following:
     • The FortiGate unit's public IP.
     • 0.0.0.0, for a cable or DSL connection with a dynamic IP.
     • If the ISP provides a block of IPs that route to the FortiGate external interface, one of these IPs.
  6. Set the Mapped IP Address to the internal IP address of the Windows Server PC.
  7. Select 'Port Forwarding'.
  8. Set Protocol to 'TCP'.
  9. Set 'External Service Port' and 'Map to Port'. For this example, the RDP service uses port 3389, so set both External Service Port and Map to Port to 3389.
  10. Select 'OK'.

[Screenshot: vippp.PNG]

Example configuration in the CLI:

config firewall vip
    edit test
        set extip 67.22.22.22
        set mappedip 192.168.11.247
        set extintf port1
        set portforward enable
        set extport 3389
        set mappedport 3389
    next
end


Now all that's left is to define a firewall policy that accepts RDP traffic from the Internet and forwards it to the internal Windows Server PC.

To add a firewall policy with a virtual IP:

  1. Go to Policy & Objects -> Firewall Policy.
  2. Select 'Create New'.
  3. Set 'Source Interface' to the WAN/Internet interface.
  4. Set 'Source Address' to 'all'.
  5. Set 'Destination Interface' to 'internal'.
  6. Set 'Destination Address' to the name of the virtual IP.
  7. Usually, the remaining options in this firewall policy do not need to be changed. For example, Service can remain 'ANY', because the virtual IP only forwards packets using port 3389.
  8. Select 'OK'.

[Screenshot: vippppp.PNG]

Example configuration in the CLI:

config firewall policy
    edit 0
        set name RDP
        set srcintf port1
        set dstintf port2
        set action accept
        set srcaddr all
        set dstaddr test
        set schedule always
        set service ALL
        set logtraffic all
    next
end
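The VIP object and the firewall policy only take effect as a pair: the VIP describes the translation, and the policy decides who may use it. As an added example (not part of the article and not Fortinet's tooling), the Python script below parses the two CLI blocks above, embedded as a constructed sample, joins the accept policy to the VIP named in its dstaddr, and reports the resulting exposure together with least-privilege findings: a source address of 'all', service ALL on a 1:1 (non-port-forwarding) VIP, and inbound sessions that would not be logged. The parser handles only the flat config / edit / set / next / end shape shown in the article; the finding categories and the `admin-net` address object used in the test are my own choices.

```python
"""Audit FortiGate VIP port-forwarding pairs from FortiOS CLI text.

Added example, not Fortinet's code. Assumes the flat config shape from
the article; nested sub-tables are not handled.
"""
from dataclasses import dataclass, field

# Constructed sample: the two CLI blocks from the article, joined together.
SAMPLE_CONFIG = """
config firewall vip
    edit test
        set extip 67.22.22.22
        set mappedip 192.168.11.247
        set extintf port1
        set portforward enable
        set extport 3389
        set mappedport 3389
    next
end
config firewall policy
    edit 0
        set name RDP
        set srcintf port1
        set dstintf port2
        set action accept
        set srcaddr all
        set dstaddr test
        set schedule always
        set service ALL
        set logtraffic all
    next
end
"""


def parse_fortios(text):
    """Return {table: {entry: {key: value}}} for a flat FortiOS config dump."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = tables.setdefault(line[len("config "):], {})
        elif line.startswith("edit "):
            entry = table.setdefault(line[len("edit "):].strip('"'), {})
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            entry[key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables


@dataclass
class Finding:
    policy: str    # policy name, or its id when it has no name
    vip: str       # VIP object referenced by the policy's dstaddr
    exposure: str  # human-readable "external -> internal" mapping
    issues: list = field(default_factory=list)


def audit(tables):
    """Pair every accept policy with the VIPs in its dstaddr and check them."""
    vips = tables.get("firewall vip", {})
    findings = []
    for pid, pol in tables.get("firewall policy", {}).items():
        if pol.get("action") != "accept":
            continue
        for name in pol.get("dstaddr", "").split():
            vip = vips.get(name)
            if vip is None:
                continue  # an ordinary address object, not a VIP
            proto = vip.get("protocol", "tcp")  # FortiOS default is tcp
            forwarded = vip.get("portforward") == "enable"
            if forwarded:
                exposure = (f"{proto} {vip['extip']}:{vip['extport']} -> "
                            f"{vip['mappedip']}:{vip['mappedport']}")
            else:
                exposure = f"{vip['extip']} -> {vip['mappedip']} (all ports, 1:1 NAT)"
            f = Finding(pol.get("name", pid), name, exposure)
            if pol.get("srcaddr") == "all":
                f.issues.append("srcaddr 'all': any Internet host can reach the service")
            if not forwarded and pol.get("service", "").upper() == "ALL":
                f.issues.append("service ALL on a 1:1 VIP exposes every port of the mapped host")
            if pol.get("logtraffic") not in ("all", "utm"):
                f.issues.append("logtraffic not 'all': inbound sessions will not be logged")
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"policy {f.policy} via VIP {f.vip}: {f.exposure}")
        for issue in f.issues:
            print("  -", issue)
```

Run against the article's configuration, the script reports one exposure, tcp 67.22.22.22:3389 -> 192.168.11.247:3389, with a single finding: the policy's source address is 'all'. The corresponding mitigation on the FortiGate is to replace `set srcaddr all` with an address object (or group) covering only the networks that legitimately need RDP, and, where the VIP is a 1:1 mapping rather than a port forward, to pin the policy's service to the ports actually required instead of ALL.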


Note: The behavior of IP pools and VIPs changed after upgrading FortiOS to v6.4, v7.0, v7.2, and v7.4. For more information, refer to Technical Tip: IP pool and virtual IP behavior changes in FortiOS 6.4, 7.0, 7.2, and 7.4.

Related article: Technical Tip: How to configure port forwarding wh... - Fortinet Community