nweckel
Staff
Article Id 336993
Description: This article describes how to configure an FQDN firewall VIP to perform destination NAT.
Scope: Any supported version of FortiGate.
Solution

Scenario 1: Redirect traffic to a FQDN address to a different FQDN address.

This scenario can be used, for example, when a legacy service was migrated from one FQDN to a new FQDN but clients still connect to the legacy FQDN. The goal is to forward traffic destined for FQDN legacy.service.com to FQDN new.service.com.

1. Create an FQDN address object for each FQDN.

config firewall address
    edit "legacy"
        set type fqdn
        set fqdn "legacy.service.com"
    next

    edit "new"
        set type fqdn
        set fqdn "new.service.com"
    next
end

2. Create a firewall VIP of type fqdn that references the address objects created in step 1 by name: extaddr is the FQDN clients connect to and mapped-addr is the FQDN the traffic is translated to.

config firewall vip
    edit "vip-Legacy_to_new"
        set type fqdn
        set extintf "any"
        set arp-reply disable
        set extaddr "legacy"
        set mapped-addr "new"
    next
end

3. Create a firewall policy referring to the previously created VIP in the destination address.

config firewall policy
    edit 1
        set name "Legacy_to_new"
        set srcintf "internal"
        set dstintf "external"
        set action accept
        set srcaddr "all"
        set dstaddr "vip-Legacy_to_new"
        set schedule "always"
        set service "ALL"
    next
end

Scenario 2: Perform port translation for a specific FQDN.

This scenario can be used, for example, when a client initiates a connection on a different port than the one the server listens on.

Example: a user initiates an SSH connection to new.service.com:22, but the server only accepts SSH connections on port 8022.

1. Create an FQDN address object.

config firewall address
    edit "new"
        set type fqdn
        set fqdn "new.service.com"
    next
end

2. Create a firewall VIP of type fqdn that references the address object created in step 1 by name. Here extaddr and mapped-addr both point to the same object, so only the destination port is translated (extport 22 to mappedport 8022).

config firewall vip
    edit "vip-ssh_to_new"
        set type fqdn
        set extintf "any"
        set arp-reply disable
        set extaddr "new"
        set mapped-addr "new"
        set extport 22
        set mappedport 8022
    next
end

3. Create a firewall policy referring to the previously created VIP in the destination address.

config firewall policy
    edit 1
        set name "ssh_to_new"
        set srcintf "internal"
        set dstintf "external"
        set action accept
        set srcaddr "all"
        set dstaddr "vip-ssh_to_new"
        set schedule "always"
        set service "ALL"
    next
end
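As an added pre-deployment check (not part of the original article), the following Python script parses FortiOS CLI text like the blocks in both scenarios and verifies that every fqdn-type VIP's extaddr and mapped-addr name an existing address object of type fqdn. The sample config is constructed for this example and deliberately includes one VIP that names the FQDN string instead of the object name, which is the kind of reference the FortiGate CLI refuses with an entry-not-found error.

```python
# Constructed sample: Scenario 1 plus a VIP that names the FQDN string, not the object.
SAMPLE_CONFIG = """
config firewall address
    edit "legacy"
        set type fqdn
        set fqdn "legacy.service.com"
    next
    edit "new"
        set type fqdn
        set fqdn "new.service.com"
    next
end
config firewall vip
    edit "vip-Legacy_to_new"
        set type fqdn
        set extaddr "legacy"
        set mapped-addr "new"
    next
    edit "vip-broken"
        set type fqdn
        set extaddr "legacy.service.com"
        set mapped-addr "new"
    next
end
"""
def parse_tables(text):
    """Return {table: {entry: {key: value}}} from flat FortiOS CLI text."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
        elif line in ("next", "end"):
            entry, table = None, (None if line == "end" else table)
    return tables

def check_fqdn_vips(text):
    """Report fqdn VIPs whose extaddr/mapped-addr is not an fqdn address object."""
    tables = parse_tables(text)
    addresses = tables.get("firewall address", {})
    return [f"{name}: {key} '{vip.get(key)}' is not an fqdn address object"
            for name, vip in tables.get("firewall vip", {}).items()
            if vip.get("type") == "fqdn"
            for key in ("extaddr", "mapped-addr")
            if addresses.get(vip.get(key), {}).get("type") != "fqdn"]
```

Run it against a `show firewall address` / `show firewall vip` dump before pushing a migration batch; an empty list means every fqdn VIP resolves to a defined fqdn address object.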