Description: This article describes the difference between port forwarding and service filtering on VIP configuration.
Scope: FortiGate, Port Forwarding, one-to-one NAT.
Solution:
Understanding the difference is essential for proper NAT and access control.
With port forwarding enabled, only specific traffic is translated: traffic sent to an external IP and port is forwarded to an internal IP and port (a port range can also be used).
Example for HTTPS:
When port forwarding is not enabled, full IP mapping (one-to-one NAT) is performed, meaning that all traffic on any port toward the external IP will be redirected to the internal host.
In the example below, traffic on any port reaching 192.168.129.1 would be redirected to 192.168.1.100:
The optional 'Services' filter is sometimes misunderstood as 'port forwarding'. In the example below, full IP mapping is still in use, as in the previous example. The difference is that, even if the host 192.168.1.100 is running other services (such as AD, RDP, DNS, etc.), only HTTPS will be allowed. When the optional filter is disabled, each service (HTTPS, AD, RDP, DNS, etc.) is allowed or denied only by firewall policy.
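The three VIP variants described above, written as FortiOS CLI for side-by-side comparison. This is an added example, not taken from the original article; the VIP names and the interface `wan1` are assumptions, and the port-forwarding entry reuses the article's addresses with port 443 on both sides.

```fortios
# Added illustration. VIP names and the interface "wan1" are assumptions.
# The three entries are alternatives for the same external IP:
# configure only one of them, not all three together.
config firewall vip
    # 1. Port forwarding: only TCP/443 sent to the external IP is translated.
    #    Traffic to any other port on 192.168.129.1 does not match this VIP.
    edit "vip-pf-https"
        set extintf "wan1"
        set extip 192.168.129.1
        set mappedip "192.168.1.100"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
    # 2. One-to-one NAT: every port on the external IP maps to the host.
    #    Which services get through is decided only by the firewall policy.
    edit "vip-1to1"
        set extintf "wan1"
        set extip 192.168.129.1
        set mappedip "192.168.1.100"
        set portforward disable
    next
    # 3. One-to-one NAT with the optional Services filter: still full
    #    IP mapping (no port translation), but only HTTPS is allowed.
    edit "vip-1to1-https-only"
        set extintf "wan1"
        set extip 192.168.129.1
        set mappedip "192.168.1.100"
        set portforward disable
        set service "HTTPS"
    next
end
```

With variant 2, review the `service` field of every firewall policy that uses the VIP as its destination, since that policy is the only control on which ports of the internal host are exposed.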
Related articles: Technical Tip: Configure port forwarding using FortiGate VIPs