aahmadzada (Staff)
Article Id 259694
Description: This article describes the difference between the 'srcintf-filter' and 'extintf' settings of a Virtual IP (VIP).
Scope: FortiOS, FortiProxy.
Solution:

The Virtual IP settings 'srcintf-filter' and 'extintf' serve different functions. When customizing them, it is important to understand the difference so that the intended NAT is applied.


'srcintf-filter' defines the source (ingress) interfaces on which traffic can match the Virtual IP for Destination NAT.

When 'extintf' is 'any', 'srcintf-filter' can be used to restrict the interfaces on which the Virtual IP is checked for Destination NAT. In most deployments where a specific 'extintf' is chosen, 'srcintf-filter' should be set to the same interface.

'extintf' has the following functions:

  • When arp-reply is enabled on a Virtual IP, FortiGate replies to ARP requests for the Virtual IP's external address only if the request is received on the extintf. If extintf is set to 'any', FortiGate replies to such ARP requests received on any interface.
  • When nat-source-vip is disabled on a Virtual IP (the default), traffic originating from the Virtual IP's mapped (internal) IP is source NATed to the Virtual IP's external address only if the egress interface is the same as 'extintf'. See the article 'Technical Tip: How to use a VIP's External IP Address for Source NAT when Central NAT is disabled' for more detail.
  • extintf does NOT prevent the Destination NAT from being checked and applied when traffic is received on a different interface; that function is provided by srcintf-filter. If a specific extintf is chosen, configure srcintf-filter to match.
  • When Central SNAT is disabled (the default), 'extintf' defines which source interface can be used in a firewall policy that references the Virtual IP. For example, the following Virtual IP can only be used as the destination address of a firewall policy whose source interface is port3.

config firewall vip
    edit "port3_vip"
        set extip 10.255.200.19
        set mappedip "192.168.200.19"
        set extintf "port3"
    next
end

config firewall policy
    edit <index>
        set name "Example"
        set srcintf "port3"  <----- Attempting to set a different srcintf will generate an error.
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "port3_vip"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

extintf does not bind the Destination NAT to the chosen interface. With the example configuration above, a connection attempt to 10.255.200.19 arriving on port1 still matches the Virtual IP (and is translated to 192.168.200.19), but the traffic is dropped because no firewall policy with port1 as the source interface allows it.

srcintf-filter restricts the Destination NAT to the specific set of interfaces configured on the Virtual IP. This is helpful in conjunction with a specific extintf, or whenever DNAT is only desired on a subset of interfaces.

config firewall vip
    edit "port3_vip"
        set extip 10.255.200.19
        set mappedip "192.168.200.19"
        set extintf "port3"
        set srcintf-filter "port3"
    next
end

Setting multiple interfaces in srcintf-filter is useful for redundant interfaces that should each offer the same Virtual IP, such as primary and secondary IPsec tunnels.

 

To create multiple VIPs that share the same external IP but map to different internal addresses depending on the ingress interface, use 'srcintf-filter' to bind each VIP to its interface:

VIP 1:

config firewall vip
    edit "wan1_VIP-test"
        set extip 192.168.150.1
        set mappedip "192.168.151.5"
        set srcintf-filter "wan1"
    next
end

config firewall policy
    edit <index>
        set name "wan1 access DMZ"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "Allowed Public Sources"
        set dstaddr "wan1_VIP-test"
        set action accept
        set schedule "always"
        set service "Publicly Accessible Services Group"
    next
end

VIP 2:

config firewall vip
    edit "S2S Tunnel_VIP-test"
        set extip 192.168.150.1
        set mappedip "10.255.151.5"
        set srcintf-filter "S2S tunnel"
    next
end

config firewall policy
    edit <index>
        set name "S2S tunnel access internal server"
        set srcintf "S2S tunnel"
        set dstintf "internal"
        set srcaddr "Allowed Private Sources"
        set dstaddr "S2S Tunnel_VIP-test"
        set action accept
        set schedule "always"
        set service "Privately Accessible Services Group"
    next
end

Destination NAT is applied to matching traffic whether or not the Virtual IP is referenced by a firewall policy, but the translated traffic is still dropped unless a firewall policy allows it. Firewall policies must therefore be added for every interface on which the Virtual IP is expected to be reachable.
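The following Python model is an added example, not FortiOS code: it encodes the matching rules described in this article (srcintf-filter gates DNAT by ingress interface; extintf does not, and with Central SNAT disabled only constrains the policy's source interface; DNAT is decided before the policy lookup) and runs the article's own configurations through them, both the port3_vip case and the two VIPs sharing 192.168.150.1. Interface and address names are taken from the examples above; the policy rule is simplified to "DNATed traffic needs a policy that names the matched VIP as dstaddr", which is an assumption of this model.

```python
"""Model of how a FortiGate matches Virtual IPs for destination NAT.

Added example, not FortiOS code.  It encodes the rules described in the
article so the difference between extintf and srcintf-filter can be seen on
the article's own configurations.  The policy-lookup rule is simplified
(assumption): DNATed traffic must hit a policy whose dstaddr is the VIP.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vip:
    name: str
    extip: str
    mappedip: str
    extintf: str = "any"                      # does NOT gate DNAT matching
    srcintf_filter: frozenset = frozenset()   # empty = VIP checked on any interface

    def matches(self, ingress: str, dst_ip: str) -> bool:
        """srcintf-filter is the only VIP setting that limits DNAT by interface."""
        if dst_ip != self.extip:
            return False
        return not self.srcintf_filter or ingress in self.srcintf_filter


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    dstintf: str
    dstaddr: str                              # VIP object name, or "all"


def policy_error(policy: Policy, vips: dict, central_snat: bool = False) -> Optional[str]:
    """With Central SNAT disabled, a policy whose dstaddr is a VIP with a specific
    extintf must use that extintf as srcintf (the CLI rejects anything else)."""
    vip = vips.get(policy.dstaddr)
    if vip is None or central_snat or vip.extintf == "any":
        return None
    if policy.srcintf != vip.extintf:
        return (f"policy {policy.name!r}: srcintf {policy.srcintf!r} "
                f"must equal VIP extintf {vip.extintf!r}")
    return None


def lookup(ingress: str, dst_ip: str, vips: dict, policies: list) -> tuple:
    """Return (post-DNAT destination, verdict, matched policy name).

    DNAT is evaluated first, from the VIP table alone; the policy table is
    consulted afterwards, which is why a VIP can match and still be dropped.
    """
    vip = next((v for v in vips.values() if v.matches(ingress, dst_ip)), None)
    target = vip.mappedip if vip else dst_ip
    for p in policies:
        if p.srcintf != ingress:
            continue
        if vip is not None and p.dstaddr != vip.name:
            continue                          # DNATed traffic needs a policy naming the VIP
        if vip is None and p.dstaddr != "all":
            continue
        return target, "accept", p.name
    return target, "drop", None


def demo() -> dict:
    """Run the article's scenarios and return the outcomes."""
    results = {}

    # 1. extintf only: the VIP still matches on port1, but no policy allows it.
    vips = {"port3_vip": Vip("port3_vip", "10.255.200.19", "192.168.200.19", extintf="port3")}
    pols = [Policy("Example", "port3", "port4", "port3_vip")]
    results["extintf_port3"] = lookup("port3", "10.255.200.19", vips, pols)
    results["extintf_port1"] = lookup("port1", "10.255.200.19", vips, pols)
    results["bad_policy"] = policy_error(Policy("Wrong", "port1", "port4", "port3_vip"), vips)

    # 2. extintf + srcintf-filter: the VIP is not even checked on port1.
    vips["port3_vip"] = Vip("port3_vip", "10.255.200.19", "192.168.200.19",
                            extintf="port3", srcintf_filter=frozenset({"port3"}))
    results["filter_port1"] = lookup("port1", "10.255.200.19", vips, pols)

    # 3. Same extip, different mappedip, selected by ingress interface.
    vips2 = {
        "wan1_VIP-test": Vip("wan1_VIP-test", "192.168.150.1", "192.168.151.5",
                             srcintf_filter=frozenset({"wan1"})),
        "S2S Tunnel_VIP-test": Vip("S2S Tunnel_VIP-test", "192.168.150.1", "10.255.151.5",
                                   srcintf_filter=frozenset({"S2S tunnel"})),
    }
    pols2 = [Policy("wan1 access DMZ", "wan1", "dmz", "wan1_VIP-test"),
             Policy("S2S tunnel access internal server", "S2S tunnel", "internal",
                    "S2S Tunnel_VIP-test")]
    results["wan1"] = lookup("wan1", "192.168.150.1", vips2, pols2)
    results["s2s"] = lookup("S2S tunnel", "192.168.150.1", vips2, pols2)
    results["port1"] = lookup("port1", "192.168.150.1", vips2, pols2)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:15} {outcome}")
```

Running the block shows the point of the article in one table: with extintf alone, traffic on port1 is translated to 192.168.200.19 and then dropped for lack of a policy; with srcintf-filter added, the destination is left untranslated on port1; and the two VIPs sharing 192.168.150.1 resolve to different mapped addresses purely by ingress interface. On a real unit the same two stages can be observed with 'diagnose debug flow' (filter on the external IP, then start a trace), which reports the DNAT step and the policy lookup separately.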

Related article:

Technical Tip: FortiOS Destination NAT (DNAT) logic when Central NAT is disabled