Description: This article describes the preference between a VIP and a Virtual server when both are configured for the same mapped IP.
Scope: FortiGate.
Solution:
The mapping of a specific IP address to another specific IP address is usually referred to as Destination NAT (DNAT). On FortiGate, both the VIP and the Virtual server features can be used to perform DNAT.
VIP: When Central NAT is not in use, FortiOS calls this a Virtual IP address, or VIP. FortiOS uses a DNAT or Virtual IP address to map an external IP address to an internal IP address. The mapped address does not have to be an individual host; it can also be an address range.
Virtual server: This is a special type of virtual IP. Use this type of VIP to implement server load balancing.
When a VIP and a Virtual server are both configured to map the same external IP to the same internal IP (real server), the Virtual server takes precedence.
When a VIP and a Virtual server are configured mapping the same external IP to the same internal IP (real server) as shown below, traffic always follows the Virtual server DNAT, even if the firewall policy for the VIP is placed above the policy for the Virtual server.
VIP:
Virtual server: The virtual server is mapped between the same external and internal IP; however, a different mapped port (80) is used so that the preference is visible in the sniffer and flow debug output.
Firewall policy:
Sniffers:
2024-09-23 11:59:14.358314 port2 -- 10.121.8.132.52189 -> 10.45.8.135.80: syn 3646009695
Flow Debug:
23-09-2024 12:16 vd-root:0 received a packet(proto=6, 10.121.8.132:52511->10.121.7.212:8080) tun_id=0.0.0.0 from port3. flag [S], seq 170079641, ack 0, win 64240
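The configuration below is an added example written in FortiOS CLI syntax, not the article's own configuration, and it reproduces the case described above: a VIP and a virtual server that both map 10.121.7.212 (the original destination seen in the flow debug, arriving on port3) to the real server 10.45.8.135 (the translated destination seen in the sniffer line on port2), with the VIP policy deliberately placed above the virtual server policy. The object names, policy IDs, the VIP's ports (8080 to 8080), the HTTP server type and the load-balancing method are assumptions; the addresses and interface names come from the diagnostic output on this page. The diagnose commands at the end produce the two kinds of output shown above: a sniffer line on port2 whose destination is 10.45.8.135.80 confirms that the virtual server's real-server port, not the VIP's mapped port, was applied.

```fortios
# Added example (not the article's configuration). Assumed: object names,
# policy IDs, VIP ports 8080 -> 8080, server-type http, ldb-method.
# Addresses and interfaces are taken from the sniffer/flow debug output above.

config firewall vip
    # Plain VIP: 10.121.7.212:8080 -> 10.45.8.135:8080
    edit "VIP_8080"
        set extip 10.121.7.212
        set extintf "port3"
        set portforward enable
        set mappedip "10.45.8.135"
        set extport 8080
        set mappedport 8080
    next
    # Virtual server: same external IP and port, but the real server
    # listens on port 80, so its DNAT result is distinguishable in the sniffer.
    edit "VS_80"
        set type server-load-balance
        set extip 10.121.7.212
        set extintf "port3"
        set server-type http
        set extport 8080
        set ldb-method round-robin
        config realservers
            edit 1
                set ip 10.45.8.135
                set port 80
            next
        end
    next
end

# Policy 1 (VIP) is created before policy 2 (virtual server) so that it sits
# above it in the policy table; the order does not change the outcome.
config firewall policy
    edit 1
        set name "to_VIP_8080"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VIP_8080"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "to_VS_80"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VS_80"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Verification 1: the sniffer on the internal side should show the translated
# destination 10.45.8.135.80 (virtual server real port), not .8080 (VIP mappedport).
diagnose sniffer packet any 'host 10.45.8.135 and port 80' 4 0 l

# Verification 2: the flow trace shows the original destination 10.121.7.212:8080
# entering on port3 and the DNAT that was applied to the session.
diagnose debug flow filter addr 10.121.7.212
diagnose debug flow trace start 10
diagnose debug enable
```

Because reordering policies cannot override this precedence, a DNAT that lands on an unexpected port is a sign of an overlapping virtual server; `show firewall vip` lists every VIP and virtual server so that entries sharing the same extip and extport can be spotted.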
Copyright 2025 Fortinet, Inc. All Rights Reserved.