Description
This article explains that, since FortiOS 5.6, it is possible to create a VIP whose External IP and Mapped IP are the same. However, until firmware 6.0, creating a VIP with the same External IP and Mapped IP throws the following error in both the CLI and the GUI:
Static NAT's extip should be different from mappedip.
object check operator error, -8, discard the setting
Command fail. Return code -8
Solution
Change the VIP Type from static-nat to load-balance when creating the VIP, and disable arp-reply, which is enabled by default:

config firewall vip
    edit "SSH_redirect"
        set extip 10.50.50.150
        set extintf "any"
        set portforward enable
        set mappedip "10.50.50.150"
        set extport 666
        set mappedport 22
        set arp-reply disable
        set type load-balance
    next
end
Create a new VIP for this, because changing the Type of an existing VIP from static-nat to load-balance produces an error.
The difference between static-nat and load-balance is that load-balance is meant to distribute traffic across several servers behind the FortiGate, but with a single one-to-one DNAT mapping it behaves the same way as static-nat.
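As an added example (not part of the original article and not Fortinet code), the script below parses the `config firewall vip` table from a saved FortiGate configuration and flags the two conditions the article describes: a static-nat VIP whose extip equals its mappedip (which the CLI rejects), and a same-IP load-balance VIP that still has arp-reply enabled. The configuration text, the VIP names and the addresses are constructed for the example; it assumes FortiOS's documented defaults (type static-nat, arp-reply enabled) for keys a config dump omits.

```python
# Lint a FortiGate config dump for VIPs with identical extip and mappedip.
# Constructed sample configuration (not from the article); defaults omitted as FortiOS does.
SAMPLE_CONFIG = """\
config firewall vip
    edit "SSH_redirect"
        set extip 10.50.50.150
        set extintf "any"
        set portforward enable
        set mappedip "10.50.50.150"
        set extport 666
        set mappedport 22
        set arp-reply disable
        set type load-balance
    next
    edit "bad_static"
        set extip 10.50.50.160
        set extintf "any"
        set mappedip "10.50.50.160"
    next
    edit "arp_conflict"
        set extip 10.50.50.170
        set extintf "any"
        set mappedip "10.50.50.170"
        set type load-balance
    next
    edit "web"
        set extip 203.0.113.10
        set extintf "port1"
        set mappedip "192.0.2.10"
    next
end
"""

# Assumed FortiOS defaults for keys that do not appear in a config dump.
VIP_DEFAULTS = {"type": "static-nat", "arp-reply": "enable"}


def parse_vips(text):
    """Return {vip_name: {key: value}} for each entry under 'config firewall vip'.

    Tracks nesting depth so a nested table inside a VIP (e.g. 'config realservers')
    does not end the outer table early.
    """
    vips, current, depth = {}, None, 0  # depth 0 means outside the vip table
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config firewall vip":
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            vips[current] = dict(VIP_DEFAULTS)
        elif depth == 1 and line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            vips[current][key] = value.strip().strip('"')
        elif depth == 1 and line == "next":
            current = None
    return vips


def lint_vips(vips):
    """Return (vip_name, message) pairs for VIPs that match the article's failure conditions."""
    findings = []
    for name, v in vips.items():
        if "extip" not in v or "mappedip" not in v:
            continue
        same_ip = v["extip"] == v["mappedip"]
        if same_ip and v["type"] == "static-nat":
            findings.append((name, "static-nat with extip == mappedip is rejected by the CLI; "
                                   "create the VIP with type load-balance"))
        if same_ip and v["type"] == "load-balance" and v["arp-reply"] != "disable":
            findings.append((name, "extip == mappedip with arp-reply enabled; set arp-reply disable"))
    return findings


if __name__ == "__main__":
    for vip_name, message in lint_vips(parse_vips(SAMPLE_CONFIG)):
        print(f"{vip_name}: {message}")
```

Run it against the output of `show firewall vip` saved to a file; only `SSH_redirect` (load-balance, arp-reply disabled) and `web` (different addresses) pass, while `bad_static` and `arp_conflict` are reported.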