Description
This article describes how to configure Virtual IPs (aka VIPs/Destination NAT) and port forwarding when the FortiGate is configured for NGFW policy-based mode. It also covers troubleshooting techniques for identifying policy misconfigurations associated with VIPs in NGFW policy-based mode.
Scope: FortiGate; NGFW policy-based mode
Solution
In NGFW policy-based mode, Central NAT is automatically enabled, which means that Virtual IPs do not need to be explicitly placed into policies for the address/port translation to take effect. Instead, the Virtual IP Destination NAT translation will take place automatically, and all policies are expected to be based on the post-NAT address of the Virtual IP (i.e., the real private IP of the host).
However, when configuring VIPs/port forwarding on NGFW policy-based mode, administrators must ensure that traffic is allowed in two separate policy sections: the SSL Inspection & Authentication Policy section (config firewall policy in the CLI) as well as the Security Policy section (config firewall security-policy).
Configuration: In the following example, consider an administrator who wants to port forward TCP/22 from the external address of 10.9.31.3 to the internal host address of 10.0.0.1:
To create a VIP object, go to Policy & Objects -> DNAT & Virtual IPs and select Create New.
With the VIP created, the FortiGate will automatically translate incoming connections for 10.9.31.3 for TCP/22 to the real address of 10.0.0.1 (also destined for TCP/22 in this case). However, an SSL Inspection & Authentication policy must be available that matches this incoming traffic; otherwise, the traffic will be dropped by the implicit-deny rule.
By default, an Any/Any rule exists that will match and allow this traffic, but if that rule has been removed, a policy must be added under Policy & Objects -> SSL Inspection & Authentication. The screenshot below shows this 'Default' policy:
Finally, a Security Policy must also exist that allows traffic to flow to the real (post-NAT) IP address behind the VIP (i.e., 10.0.0.1 in this case). A rule must be added under Policy & Objects -> Security Policy. Note that neither policy section references the VIP object or the external address 10.9.31.3; both match on the translated destination.
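The full CLI equivalent of the steps above, as an added example that is not part of the original article. The interface names (port1 facing the external network where 10.9.31.3 lives, port2 facing the internal LAN), the object names and the policy IDs are assumptions chosen for illustration; adjust them to the target unit.

```text
# Added example (not from the original article). Assumed interface names:
# port1 = external side (10.9.31.3), port2 = internal LAN side (10.0.0.1).
# Object names and policy IDs below are illustrative.

# 1. VIP / DNAT object: TCP/22 on 10.9.31.3 -> TCP/22 on 10.0.0.1.
#    Central NAT is always on in NGFW policy-based mode, so this translation
#    takes effect as soon as the object exists; it is not placed in a policy.
config firewall vip
    edit "VIP-SSH-10.0.0.1"
        set extip 10.9.31.3
        set extintf "port1"
        set portforward enable
        set protocol tcp
        set extport 22
        set mappedip "10.0.0.1"
        set mappedport 22
    next
end

# 2. Address object for the real (post-NAT) host; the policies match on this,
#    never on the external address 10.9.31.3.
config firewall address
    edit "Host-10.0.0.1"
        set subnet 10.0.0.1 255.255.255.255
    next
end

# 3. SSL Inspection & Authentication policy (GUI: Policy & Objects ->
#    SSL Inspection & Authentication). This recreates the any/any "Default"
#    rule; without a match here the DNATed session hits the implicit deny.
config firewall policy
    edit 1
        set name "Default"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set ssl-ssh-profile "no-inspection"
    next
end

# 4. Security policy (GUI: Policy & Objects -> Security Policy). Scoped to the
#    one forwarded service and to the real host, so nothing else behind the
#    FortiGate becomes reachable through this rule.
config firewall security-policy
    edit 1
        set name "Allow-SSH-to-10.0.0.1"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Host-10.0.0.1"
        set service "SSH"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

Keeping the Security Policy narrow (one destination object, one service) is what limits the exposure created by the port forward; the broad Default entry in the SSL Inspection & Authentication section only decides whether the session is inspected, not whether it is permitted.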
Troubleshooting: Below is the debug flow output showing that the traffic is being NATed from 10.9.31.3 to 10.0.0.1 correctly. Policy-1 represents the ‘Default’ policy.
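The debug flow capture referenced above can be reproduced with the following commands, added here as an example that is not part of the original article. The filter values are the addresses and port from the configuration example; the trace count of 10 is an arbitrary choice.

```text
# Added example (not from the original article): trace inbound connections
# to the VIP external address on TCP/22.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 10.9.31.3
diagnose debug flow filter port 22
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

# ... open an SSH connection to 10.9.31.3 from the external side, then stop:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

In the resulting trace, confirm first that a DNAT line shows the translation from 10.9.31.3 to 10.0.0.1 on port 22, and then that the session is allowed by a policy number corresponding to an entry in config firewall policy (Policy-1 in the article's output). If the trace instead reports the session denied by the forward policy check with policy 0, no SSL Inspection & Authentication policy matched the post-NAT destination. If the trace shows the session allowed but the connection still fails, check the Security Policy section and the forward traffic log for a deny against the real address 10.0.0.1.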
Note regarding Virtual Server feature support: In NGFW policy-based mode, traffic is handled in a purely flow-based way by the IPS Engine and its Policy Match Engine (PME) sub-component, so proxy features such as the HTTP-redirect option for Virtual Servers are not supported or available. For more information, see the following KB article: Technical Tip: Unable to use http-redirect option under virtual server configuration when NGFW polic...
Copyright 2025 Fortinet, Inc. All Rights Reserved.