ramirezc
Staff
Article Id 408308
Description: This article describes the correct way to create a VIP (DNAT) when the WANs are members of SD-WAN on FortiGate.

Scope: FortiGate.
Solution

SD-WAN only determines the outgoing path; for incoming traffic, bind the VIP to the physical WAN(s) or use extintf any, not to the SD-WAN zone.

[Figure: SD-WAN topology with FortiGate firewall]


Option A: A single WAN (member of SD-WAN).

  1. Policy & Objects → Virtual IPs → Create New.
  • External IP/Range: the public IP.
  • Mapped IP: internal server IP.
  • Port Forwarding (if applicable): extport ↔ mappedport.
  • Interface: select the physical WAN that receives the traffic (not the SD-WAN zone).

  2. Policy & Objects → Firewall Policy → Create New.
  • Incoming interface: that WAN.
  • Destination: the created VIP.
  • Outgoing interface: LAN/DMZ of the server.
  • Service: the published port(s).
  • NAT: disabled (it is DNAT).

 

Example:

config firewall vip
    edit "vip_web_wan1"
        set extip 203.0.113.10
        set mappedip "10.10.10.10"
        set extintf "wan1"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end
config firewall policy
    edit 100
        set name "in_web_wan1"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "vip_web_wan1"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
    next
end

 

Option B: Two WANs.

Create a VIP for each WAN (each with its own public IP) and two otherwise identical policies that differ only in the Incoming interface and the Destination (VIP of WAN1 / VIP of WAN2). SD-WAN does not perform inbound load balancing; if public high availability is required, use two DNS records (A/AAAA) with a low TTL or a failover mechanism at the DNS/ISP.

 

Example:

config firewall vip
    edit "vip_web_wan2"
        set extip 198.51.100.20
        set mappedip "10.10.10.10"
        set extintf "wan2"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end
config firewall policy
    edit 101
        set name "in_web_wan2"
        set srcintf "wan2"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "vip_web_wan2"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
    next
end

 

Notes:

  • Do not use the SD-WAN zone as the interface in the VIP or as the Incoming interface in the policy; use the physical WAN(s) instead. If the VIP stops working after SD-WAN is enabled, the cause is usually this, or the reply traffic leaving through the wrong WAN; check the SD-WAN rules/policy routes.
  • If the public IP of the VIP is not configured on the interface but is within the same subnet (ISP /29 block), enable ARP Reply on the VIP so that the FortiGate can respond for that IP. Visit this KB article, Technical Tip: ARP reply setting in Virtual IP/IP Pool, for more information.
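A quick way to check an exported configuration for the pitfalls in these notes, as an added example (not Fortinet's code and not from the article): a small parser for the flat config/edit/set layout of the snippets above, plus a lint pass that flags a VIP or DNAT policy bound to the SD-WAN zone and a DNAT policy with NAT left enabled. The sample configs are constructed, and the zone name virtual-wan-link is an assumption; pass your own zone names to lint().

```python
import shlex
# Constructed sample in the shape of the article's Option A config (correct form).
GOOD_CFG = """
config firewall vip
    edit "vip_web_wan1"
        set extip 203.0.113.10
        set mappedip "10.10.10.10"
        set extintf "wan1"
    next
end
config firewall policy
    edit 100
        set srcintf "wan1"
        set dstaddr "vip_web_wan1"
        set nat disable
    next
end
"""
# The mistake the article warns about: SD-WAN zone bound in VIP and policy, NAT left on.
BAD_CFG = GOOD_CFG.replace('"wan1"', '"virtual-wan-link"').replace("nat disable", "nat enable")

def parse(text):
    """Parse one nesting level of FortiOS config/edit/set/next/end text into dicts."""
    tables, table, entry = {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, *vals = shlex.split(line[4:])  # shlex strips the quotes around values
            entry[key] = vals
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables

def lint(text, sdwan_zones=("virtual-wan-link",)):  # zone name(s) are an assumption
    cfg = parse(text)
    vips = cfg.get("firewall vip", {})
    findings = [f"vip {n}: extintf is the SD-WAN zone; use the physical WAN or any"
                for n, v in vips.items() if v.get("extintf", [None])[0] in sdwan_zones]
    for pid, p in cfg.get("firewall policy", {}).items():
        if not any(a in vips for a in p.get("dstaddr", [])):
            continue  # no VIP as destination, so not an inbound DNAT policy
        if p.get("srcintf", [None])[0] in sdwan_zones:
            findings.append(f"policy {pid}: srcintf is the SD-WAN zone; use the physical WAN")
        if p.get("nat", ["disable"])[0] == "enable":
            findings.append(f"policy {pid}: nat enable on a DNAT policy; set nat disable")
    return findings
```

Run lint() over the output of "show firewall vip" and "show firewall policy" pasted into a file; an empty list means the VIP/policy pair follows the layout described above.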


Troubleshooting:

Sniff on the public IP and port to confirm that the traffic actually reaches the FortiGate, and on which interface:

diagnose sniffer packet any 'host <public_IP> and port <port>' 4 0 l

  • Check the Forward Traffic logs to ensure the incoming policy (ID) is the one created.
  • If there are no hits on the VIP/policy, check that the port is not already in use by SSL VPN or the admin GUI on that IP/port.

 

Related documents:

Static virtual IPs

Technical Tip: VIP not working with SD-WAN reply traffic causing issue

config firewall vip

VIP and SD-WAN

Comments
montyadams
Staff

Great Technical Tip @ramirezc! Thank you for sharing.