syordanov
Staff
Article Id 416697
Description This article describes how to configure the proper Virtual IP (VIP) with loopback on FortiOS v7.4.8+.
Scope FortiOS v7.4.8+.
Solution

There is a change in behavior on FortiOS v7.4.8+ when a VIP is configured on a loopback interface.

This article describes how a VIP with a loopback interface should be configured on FortiOS v7.4.8+.


Topology:

[Image: KB_loopback_diagram.JPG]

Follow the steps below to configure it from the GUI:

1. Configure the VIP from the FortiGate GUI:

Go to Policy & Objects -> VIP.

Select Create New.

[Image: vip.png]

2. Configure the loopback interface as below:

Go to Network -> Interfaces.

Select Create New -> set the type to Loopback Interface and set the IP address:

[Image: interface loopback.png]

3. Configure the firewall policies using the VIP and the loopback interface as below:

[Image: policy.png]

[Image: policy lan.png]


Below is the VIP configuration from the CLI:

config firewall vip
    edit "VIP_DNAT"
        set uuid b4d25542-19d2-51ee-aa4d-842ac4cf1420
        set service "SSH"
        set extip 10.10.99.1
        set mappedip "192.168.1.70"
        set extintf "any"
    next
end

Loopback interface configuration:

config system interface
    edit "loopback_1"
        set vdom "root"
        set ip 10.10.99.1 255.255.255.255
        set allowaccess ping https ssh http
        set type loopback
        set role lan
        set snmp-index 21
    next
end

Firewall policy configuration:

config firewall policy
    edit 3
        set name "WAN_to_Loopback"
        set uuid 767d2dfe-b11e-51f0-57cd-821bed033515
        set srcintf "wan1"
        set dstintf "loopback_1"
        set action accept
        set srcaddr "all"
        set dstaddr "h-10.10.99.1"
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set name "Loopback_to_real_server"
        set uuid e3fe33e8-b176-51f0-7d63-a6ee1b81fb58
        set srcintf "loopback_1"
        set dstintf "lan"
        set action accept
        set srcaddr "all"
        set dstaddr "VIP_DNAT"
        set schedule "always"
        set service "SSH"
    next
end
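As an added check (example code, not from the article or from Fortinet), the following Python parses FortiOS CLI blocks in the config/edit/set/next/end syntax shown above and verifies the relationships this setup relies on: the VIP's extip is the loopback address, one policy terminates on the loopback interface, and one policy goes from the loopback to the VIP. The sample config is constructed from the three blocks above.

```python
# Constructed sample in FortiOS CLI syntax, condensed from the article's three config blocks.
SAMPLE = """config firewall vip
    edit "VIP_DNAT"
        set extip 10.10.99.1
        set mappedip "192.168.1.70"
    next
end
config system interface
    edit "loopback_1"
        set ip 10.10.99.1 255.255.255.255
    next
end
config firewall policy
    edit 3
        set srcintf "wan1"
        set dstintf "loopback_1"
        set dstaddr "h-10.10.99.1"
    next
    edit 4
        set srcintf "loopback_1"
        set dstintf "lan"
        set dstaddr "VIP_DNAT"
    next
end"""

def parse_fortios(text):
    # Minimal parser for config/edit/set/next/end blocks -> {table: {entry: {key: [values]}}}
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tok = [t.strip('"') for t in raw.split()]
        if tok and tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok and tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok and tok[0] == "set":
            entry[tok[1]] = tok[2:]
    return tables

def check_loopback_vip(cfg, vip_name, loopback):
    """Return the problems found; an empty list means the layout matches the article's design."""
    vip, lb = cfg["firewall vip"][vip_name], cfg["system interface"][loopback]
    pols, problems = list(cfg["firewall policy"].values()), []
    if vip["extip"][0] != lb["ip"][0]:
        problems.append("VIP extip does not match the loopback IP")
    if not any(p.get("dstintf") == [loopback] and p.get("dstaddr") != [vip_name] for p in pols):
        problems.append("missing policy terminating on the loopback (external -> loopback)")
    if not any(p.get("srcintf") == [loopback] and p.get("dstaddr") == [vip_name] for p in pols):
        problems.append("missing policy from the loopback to the VIP (loopback -> real server)")
    return problems
```

Run it against a `show full-configuration` export of the relevant tables to confirm the two-policy layout before testing with the debug flow.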

Output from the debug flow:

id=65308 trace_id=904 func=print_pkt_detail line=5945 msg="vd-root:0 received a packet(proto=6, 192.168.0.222:47228->10.10.99.1:22) tun_id=0.0.0.0 from wan1. flag [S], seq 1932703686, ack 0, win 64240"
id=65308 trace_id=904 func=init_ip_session_common line=6138 msg="allocate a new session-00061ed2"
id=65308 trace_id=904 func=iprope_dnat_check line=5480 msg="in-[wan1], out-[]"
id=65308 trace_id=904 func=iprope_dnat_tree_check line=834 msg="len=1"
id=65308 trace_id=904 func=__iprope_check_one_dnat_policy line=5342 msg="checking gnum-100000 policy-693"
id=65308 trace_id=904 func=get_new_addr line=1274 msg="find DNAT: IP-192.168.1.70, port-0(fixed port)"
id=65308 trace_id=904 func=__iprope_check_one_dnat_policy line=5436 msg="matched policy-693, act=accept, vip=693, flag=104, sflag=2000000"
id=65308 trace_id=904 func=iprope_dnat_check line=5506 msg="result: skb_flags-02000000, vid-693, ret-matched, act-accept, flag-00000104"
id=65308 trace_id=904 func=__iprope_fwd_check line=809 msg="in-[wan1], out-[loopback_1], skb_flags-02000000, vid-693, app_id: 0, url_cat_id: 0"
id=65308 trace_id=904 func=__iprope_tree_check line=529 msg="gnum-100004, use int hash, slot=84, len=2"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2138 msg="checked gnum-100004 policy-3, ret-matched, act-accept" <-----
id=65308 trace_id=904 func=__iprope_user_identity_check line=1899 msg="ret-matched"
id=65308 trace_id=904 func=__iprope_check line=2400 msg="gnum-4e20, check-5f02a790"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2138 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2138 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2138 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=904 func=__iprope_check line=2419 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2371 msg="policy-3 is matched, act-accept"
id=65308 trace_id=904 func=__iprope_fwd_check line=846 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-3"
id=65308 trace_id=904 func=iprope_fwd_auth_check line=875 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-3"
id=65308 trace_id=904 func=fw_pre_route_handler line=190 msg="VIP-192.168.1.70:22, outdev-unknown"
id=65308 trace_id=904 func=__ip_session_run_tuple line=3486 msg="DNAT 10.10.99.1:22->192.168.1.70:22"
id=65308 trace_id=904 func=vf_ip_route_input_common line=2613 msg="find a route: flag=04000000 gw-192.168.1.70 via lan"
id=65308 trace_id=904 func=__iprope_fwd_check line=809 msg="in-[loopback_1], out-[lan], skb_flags-020000c0, vid-693, app_id: 0, url_cat_id: 0"
id=65308 trace_id=904 func=__iprope_tree_check line=529 msg="gnum-100004, use int hash, slot=63, len=2"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2138 msg="checked gnum-100004 policy-4, ret-matched, act-accept" <-------
id=65308 trace_id=904 func=__iprope_user_identity_check line=1899 msg="ret-matched"
id=65308 trace_id=904 func=__iprope_check line=2400 msg="gnum-4e20, check-5f02a790"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2138 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2138 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2138 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=904 func=__iprope_check line=2419 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2371 msg="policy-4 is matched, act-accept"
id=65308 trace_id=904 func=__iprope_fwd_check line=846 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-4"
id=65308 trace_id=904 func=iprope_fwd_auth_check line=875 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-4"
id=65308 trace_id=904 func=fw_forward_handler line=996 msg="Allowed by Policy-4:"
id=65308 trace_id=904 func=__if_queue_push_xmit line=397 msg="send out via dev-internal, dst-mac-00:0c:29:9e:79:83"

Session list:

session info: proto=6 proto_state=01 duration=45 expire=3587 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=3498/20/1 reply=4292/19/1 tuples=2
tx speed(Bps/kbps): 76/0 rx speed(Bps/kbps): 93/0
orgin->sink: org pre->post, reply pre->post dev=6->31/31->6 gwy=192.168.1.70/192.168.0.222
hook=pre dir=org act=dnat 192.168.0.222:47228->10.10.99.1:22(192.168.1.70:22)
hook=post dir=reply act=snat 192.168.1.70:22->192.168.0.222:47228(10.10.99.1:22)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4 pol_uuid_idx=917 auth_info=0 chk_client_info=0 vd=0
serial=00061ed2 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x040108
no_ofld_reason: non-npu-intf
total session: 1

 

Although the debug flow shows the packet matching policy 3 (wan1 -> loopback_1) and then policy 4 (loopback_1 -> lan), it is expected behavior that only one session, for firewall policy ID 4, is visible in the session list.
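As an added example (not part of the article), a small Python parser over a constructed excerpt of the debug flow above: it pulls out the policy hops and the DNAT translation so that the expected wan1 -> loopback_1 -> lan path can be checked automatically in a troubleshooting script.

```python
import re

# Constructed excerpt of the article's debug flow output (only the lines the parser needs).
FLOW = """\
id=65308 trace_id=904 func=print_pkt_detail line=5945 msg="vd-root:0 received a packet(proto=6, 192.168.0.222:47228->10.10.99.1:22) tun_id=0.0.0.0 from wan1. flag [S], seq 1932703686, ack 0, win 64240"
id=65308 trace_id=904 func=get_new_addr line=1274 msg="find DNAT: IP-192.168.1.70, port-0(fixed port)"
id=65308 trace_id=904 func=__iprope_fwd_check line=809 msg="in-[wan1], out-[loopback_1], skb_flags-02000000, vid-693, app_id: 0, url_cat_id: 0"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2371 msg="policy-3 is matched, act-accept"
id=65308 trace_id=904 func=__ip_session_run_tuple line=3486 msg="DNAT 10.10.99.1:22->192.168.1.70:22"
id=65308 trace_id=904 func=__iprope_fwd_check line=809 msg="in-[loopback_1], out-[lan], skb_flags-020000c0, vid-693, app_id: 0, url_cat_id: 0"
id=65308 trace_id=904 func=__iprope_check_one_policy line=2371 msg="policy-4 is matched, act-accept"
id=65308 trace_id=904 func=fw_forward_handler line=996 msg="Allowed by Policy-4:"
"""

def trace_path(flow):
    """Return the ordered hops as (in_intf, out_intf, policy_id) and the DNAT translation, if any."""
    hops, pending, dnat = [], None, None
    for line in flow.splitlines():
        m = re.search(r'msg="(.*)"$', line)
        if not m:
            continue
        msg = m.group(1)
        # A forwarding check names the interface pair; the next 'policy-N is matched' closes the hop.
        if (h := re.match(r"in-\[(\w+)\], out-\[(\w+)\]", msg)):
            pending = (h.group(1), h.group(2))
        elif (p := re.match(r"policy-(\d+) is matched", msg)) and pending:
            hops.append((*pending, int(p.group(1))))
            pending = None
        elif (d := re.match(r"DNAT (\S+)->(\S+)", msg)):
            dnat = (d.group(1), d.group(2))
    return hops, dnat

def path_is_expected(flow, ext, loopback, inside):
    """True when the flow crosses ext -> loopback, then loopback -> inside, with a DNAT applied."""
    hops, dnat = trace_path(flow)
    intfs = [(i, o) for i, o, _ in hops]
    return dnat is not None and intfs == [(ext, loopback), (loopback, inside)]
```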

 

Related documents:

FortiOS 7.4.8 release notes

Technical Tip: Virtual IP (VIP) port forwarding configuration