FortiGate
Article Id 372527
Description: This article describes how to configure a VIP so that it is reachable by internal users only and blocked for external users.
Scope: FortiGate.
Solution

Topology:

FGT1----------->FGT2(10.5.61.164)------------->PC(20.20.20.2).

 

In this scenario, the PC reaches FGT1 through the public IP of FGT2 (10.5.61.164) on port 5444.

 

The configuration on FGT2 is as follows:

  1. Create a VIP with the following details:
  • External IP: 10.5.61.164
  • Internal IP: 10.10.10.2
  • Port: 5444

 


 

graviton-kvm39 # config firewall vip

graviton-kvm39 (vip) # edit "FW-Access"

graviton-kvm39 (FW-Access) # show
config firewall vip
    edit "FW-Access"
        set uuid 2512f288-da2c-51ef-c4e6-8129fcadf143
        set extip 10.5.61.164
        set mappedip "10.10.10.2"
        set extintf "any"
        set portforward enable
        set srcintf-filter "port4"
        set extport 5444
        set mappedport 5444
    next
end

 

  2. Create a firewall policy:

    Create a firewall policy that permits traffic from the internal network to the VIP. Because the only policy referencing the VIP has the internal interface as its source, requests arriving on the external interface have no matching policy and are dropped.

 


 

graviton-kvm39 # config firewall policy

graviton-kvm39 (policy) # edit "2"

graviton-kvm39 (2) # show
config firewall policy
    edit 2
        set name "VIP-TEST"
        set uuid 5ddf386a-da2c-51ef-d51d-d39829f5092c
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "FW-Access"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

 

Note:

Make sure the source interface filter (srcintf-filter) is set in the VIP configuration.

 

If there are multiple VIPs with different mapped IPs and different mapped interfaces, use 'srcintf-filter' to bind each VIP to the specific interface on which it should match, as shown below.

 

graviton-kvm39 (FW-Access) # set srcintf-filter port4

graviton-kvm39 (FW-Access) # end

 

From the PC, access FGT1 using the public IP of FGT2 to confirm that the VIP works from the internal side.
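As an added check (example code, not Fortinet's or the article's own), the following Python script parses the FortiOS 'show' format and flags a VIP that has no srcintf-filter, or that is referenced by an accept policy whose srcintf is a WAN-side interface; the set of interface names treated as external is an assumption for illustration.

```python
# Added example (not Fortinet code): audit FortiOS VIP exposure from a 'show' dump.
import shlex
from collections import defaultdict
WAN_INTERFACES = {"any", "wan1", "port1"}  # assumed external-facing interface names
# Constructed from the article's two 'show' outputs (uuids and unused keys dropped).
SAMPLE = """config firewall vip
    edit "FW-Access"
        set extip 10.5.61.164
        set mappedip "10.10.10.2"
        set extintf "any"
        set portforward enable
        set srcintf-filter "port4"
    next
end
config firewall policy
    edit 2
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set dstaddr "FW-Access"
    next
end
"""
def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} for a one-level 'show' dump."""
    tables, table, entry = defaultdict(dict), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):          # start of a table, e.g. 'firewall vip'
            table = line[7:]
        elif line.startswith("edit "):          # start of an entry inside the table
            entry = line[5:].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, *values = shlex.split(line[4:])  # shlex strips the quoting
            tables[table][entry][key] = values
        elif line == "next":
            entry = None
    return dict(tables)
def audit_vips(tables):
    """Return (vip, problem) findings; an empty list means the VIP is internal-only."""
    findings, policies = [], tables.get("firewall policy", {})
    for name, vip in tables.get("firewall vip", {}).items():
        if "srcintf-filter" not in vip:
            findings.append((name, "no srcintf-filter: VIP matches on all interfaces"))
        for pid, pol in policies.items():
            if name in pol.get("dstaddr", []) and pol.get("action") == ["accept"]:
                exposed = sorted(set(pol.get("srcintf", [])) & WAN_INTERFACES)
                if exposed:
                    findings.append((name, f"policy {pid} accepts from {exposed}"))
    return findings
```

Run it against a real 'show firewall vip' plus 'show firewall policy' dump to get the same findings for every VIP on the unit.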

 
