akileshc
Article Id 418919
Description This article explains how to configure a FortiGate load balancer to forward traffic to the same backend server that listens on multiple ports.
Scope FortiGate.
Solution

It is not possible to configure multiple real servers with the same IP address but different ports under a single real server list (that is, within one VIP). Each real server entry in a VIP must have a unique IP address. If an attempt is made to add another real server with an IP address that already exists in that list, FortiGate rejects the entry with a 'Duplicate entry found' error (reported in the CLI as 'Duplicate realserver ip found').

Error in CLI:

(VIP_7006) # config realservers
(realservers) # edit 2
new entry '2' added
(2) # set ip 192.168.201.171
(2) # set port 906
(2) # end
Duplicate realserver ip found: ip-192.168.201.171
node_check_object fail! for ip 192.168.201.171
Attribute 'ip' value '192.168.201.171' checking fail -5
Command fail. Return code -5

Error in GUI:

[Image: VIP2.png]


To forward traffic to the same backend server on multiple ports, create a separate Virtual IP (VIP) load-balance object for each port, each with its own single real server entry.

GUI Configuration Example:

  1. Go to Policy & Objects → Virtual IPs and select Create New → Virtual IP.
  2. Configure the first VIP for port '7006'.

[Image: VIP1.png]

  3. Repeat the same steps to create another VIP for port '906'.
  4. Add both VIPs under the same or different IPv4 policies, depending on the requirement.

[Image: FW_Policy.png]

 

CLI Configuration Example:

config firewall vip
    edit "VIP_7006"
        set type server-load-balance
        set server-type http
        set extip 11.1.1.1
        set extintf "any"
        set monitor "Health_Monitor"
        set extport 7006
        config realservers
            edit 1
                set ip 192.168.201.171
                set port 7006
            next
        end
    next
    edit "VIP_906"
        set type server-load-balance
        set server-type http
        set extip 11.1.1.1
        set extintf "any"
        set monitor "Health_Monitor"
        set extport 906
        config realservers
            edit 1
                set ip 192.168.201.171
                set port 906
            next
        end
    next
end

 

Firewall Policy Configuration:

config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VIP_7006" "VIP_906"
        set action accept
        set inspection-mode proxy
        set schedule "always"
        set service "ALL"
    next
end

 

Verification

Run the following command to verify the configuration and list the VIP firewall policies. One policy entry per VIP is expected, each with the same destination (the VIP external IP) and a service line mapping any source port to the respective external port:

diagnose firewall iprope list 100000

policy index=763 uuid_idx=763 action=accept
flag (8000200): vip-redir pol_stats
schedule()
sockport=1010 cos_fwd=0 cos_rev=0
group=00100000 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 0 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 11.1.1.1-11.1.1.1, uuid_idx=763,
Advance VIP: 3
service(1):
[6:0x0:0/(0,65535)->(7006,7006)] flags:0 helper:auto

 

policy index=764 uuid_idx=764 action=accept
flag (8000200): vip-redir pol_stats
schedule()
sockport=1010 cos_fwd=0 cos_rev=0
group=00100000 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 0 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 11.1.1.1-11.1.1.1, uuid_idx=764,
Advance VIP: 4
service(1):
[6:0x0:0/(0,65535)->(906,906)] flags:0 helper:auto
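As an added check (not part of the original article), the following Python snippet parses the 'diagnose firewall iprope list' output format shown above and reports which expected backend ports have no accept policy with vip-redir towards the VIP external IP. The sample text is constructed from a trimmed copy of the output above; the function and variable names are assumptions.

```python
import re

# Constructed sample, trimmed from the iprope output above: one vip-redir policy per VIP.
SAMPLE = """policy index=763 uuid_idx=763 action=accept
flag (8000200): vip-redir pol_stats
dest(1): 11.1.1.1-11.1.1.1, uuid_idx=763,
service(1):
[6:0x0:0/(0,65535)->(7006,7006)] flags:0 helper:auto

policy index=764 uuid_idx=764 action=accept
flag (8000200): vip-redir pol_stats
dest(1): 11.1.1.1-11.1.1.1, uuid_idx=764,
service(1):
[6:0x0:0/(0,65535)->(906,906)] flags:0 helper:auto
"""

POLICY_RE = re.compile(r"^policy index=(\d+) .*action=(\w+)", re.M)
DEST_RE = re.compile(r"^dest\(\d+\): ([\d.]+)-([\d.]+)", re.M)
# Service line layout: [proto:flags:x/(sport_lo,sport_hi)->(dport_lo,dport_hi)]
SERVICE_RE = re.compile(r"^\[(\d+):0x[0-9a-f]+:\d+/\((\d+),(\d+)\)->\((\d+),(\d+)\)\]", re.M)


def parse_iprope(text):
    """Split the output into per-policy records: index, action, vip-redir, dest, services."""
    policies = []
    for chunk in re.split(r"\n(?=policy index=)", text.strip()):
        m = POLICY_RE.search(chunk)
        if not m:
            continue  # skip any echoed command or trailing noise
        d = DEST_RE.search(chunk)
        policies.append({
            "index": int(m.group(1)),
            "action": m.group(2),
            "vip_redir": "vip-redir" in chunk,
            "dest": (d.group(1), d.group(2)) if d else None,
            # (protocol number, destination port low, destination port high)
            "services": [(int(s.group(1)), int(s.group(4)), int(s.group(5)))
                         for s in SERVICE_RE.finditer(chunk)],
        })
    return policies


def missing_vip_ports(text, extip, expected_ports, proto=6):
    """Return the expected ports that no accept + vip-redir policy towards extip covers."""
    covered = set()
    for p in parse_iprope(text):
        if p["action"] != "accept" or not p["vip_redir"] or p["dest"] != (extip, extip):
            continue
        for sproto, lo, hi in p["services"]:
            if sproto == proto:
                covered.update(port for port in expected_ports if lo <= port <= hi)
    return sorted(set(expected_ports) - covered)
```

An empty result means every port the backend listens on has its own VIP policy in place; a non-empty list names the ports whose VIP or policy is still missing.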