When configuring FortiGate for service publishing, two primary methods are available: Virtual Server and Virtual IP (VIP). Each method functions differently, particularly in how traffic is inspected and handled.

The mapping of a specific IP address to another specific IP address is usually referred to as Destination NAT (DNAT). On FortiGate VIP and Virtual server features can be used as DNAT.

VIP: When the Central NAT is not being used, FortiOS calls this a Virtual IP Address, sometimes called a VIP. FortiOS uses a DNAT or Virtual IP address to map an External IP address to an IP address. This address does not have to be an individual host, it can also be an address range.

Virtual server: This is a special virtual IP type. Use this type of VIP to implement server load balancing.

However, the Virtual Server has the highest preference when the VIP and Virtual server are both configured mapping the same external IP to the internal IP (real server).

When configuring a VIP and a Virtual server mapping the same external IP to the same internal IP (real server) as below, even if keeping the Firewall policy for VIP on top of the policy for Virtual server, traffic will always follow the Virtual sever DNAT. 

VIP:

Virtual server:

A virtual server is mapped between the same external and internal IP, however, we used a different port 80 as the mapped port to show the preference in sniffer and flow debug.

Firewall policy:

Sniffers:

2024-09-23 11:59:14.358314 port2 -- 10.121.8.132.52189 -> 10.45.8.135.80: syn 3646009695
2024-09-23 11:59:15.409444 port2 -- 10.121.8.132.52189 -> 10.45.8.135.80: syn 3646009695
2024-09-23 11:59:17.489456 port2 -- 10.121.8.132.52189 -> 10.45.8.135.80: syn 3646009695

Flow Debug:

23-09-2024 12:16 vd-root:0 received a packet(proto=6, 10.121.8.132:52511->10.121.7.212:8080) tun_id=0.0.0.0 from port3. flag [S], seq 170079641, ack 0, win 64240
23-09-2024 12:16 allocate a new session-007ef9bf
23-09-2024 12:16 in-[port3], out-[]
23-09-2024 12:16 len=2
23-09-2024 12:16 checking gnum-100000 policy-1
23-09-2024 12:16 match vip-Virtual srver, naddr=10.45.8.135, nport=80 <-----------
23-09-2024 12:16 matched policy-1, act=accept, vip=1, flag=100, sflag=2000400
23-09-2024 12:16 result: skb_flags-02000400, vid-1, ret-matched, act-accept, flag-00000100
23-09-2024 12:16 VIP-10.45.8.135:80, outdev-port3
23-09-2024 12:16 DNAT 10.121.7.212:8080->10.45.8.135:80
23-09-2024 12:16 find a route: flag=00000000 gw-0.0.0.0 via port2
23-09-2024 12:16 in-[port3], out-[port2], skb_flags-020004c0, vid-1, app_id: 0, url_cat_id: 0
23-09-2024 12:16 gnum-100004, use addr/intf hash, len=3
23-09-2024 12:16 checked gnum-100004 policy-2, ret-matched, act-accept
23-09-2024 12:16 policy-4 is matched, act-accept
23-09-2024 12:16 Allowed by Policy-4: AV <--- Allowed by the Policy with ID=4 (Virtual Server policy).

Behavioral Differences:

Traffic published via a VIP does not undergo the same level of deep inspection as a Virtual Server. This is why traffic may pass through without issues when using a VIP, while it may face certificate errors with a Virtual Server.

Load Balancing Considerations:

One advantage of Virtual Servers is built-in load balancing across multiple backend servers, making them ideal for large-scale environments. However, this feature can introduce traffic inspection issues, such as certificate mismatches or failures.

Recommendation:

If advanced features such as load balancing and SSL inspection are required, a Virtual Server is the better choice. However, for a more straightforward service publishing setup with minimal configuration, using a VIP is recommended.

This explanation should help clarify the behavioral differences between Virtual Servers and Virtual IPs and guide the selection of the most suitable option based on the network requirements.