Description
This article explains how, since FortiOS 5.6, it is possible to create a VIP with the same External IP and Mapped IP.
However, until firmware 6.0, creating a VIP with the same External IP and Mapped IP will throw an error in both the CLI and the GUI.
CLI Error:
Static NAT's extip should be different from mappedip.
GUI Error:
object check operator error, -8, discard the setting
Command fail. Return code -8

Solution
Change the VIP Type from static-nat to load-balance while creating the VIP.
Disable arp-reply, which is enabled by default.
Via CLI:
config firewall vip
    edit "SSH_redirect"
        set extip 10.50.50.150
        set extintf "any"
        set portforward enable
        set mappedip "10.50.50.150"
        set extport 666
        set mappedport 22
        set arp-reply disable
        set type load-balance
    next
end
Via GUI:

Create a new VIP, because changing the Type of an existing VIP from static-nat to load-balance will cause an error.
The difference between static-nat and load-balance is that load-balance is used to balance the traffic between different Servers behind a FortiGate.
But if only one-to-one DNAT mapping is used, it will work the same way.
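
To check a configuration backup for VIPs that use the same External IP and Mapped IP without the two settings described above, the following sketch can be run offline. It is an added example, not Fortinet code; the function names and the sample configuration (apart from "SSH_redirect") are constructed for illustration.

```python
import re

# Constructed sample: "SSH_redirect" follows the article, the other two are made up.
SAMPLE = '''
config firewall vip
    edit "SSH_redirect"
        set extip 10.50.50.150
        set mappedip "10.50.50.150"
        set arp-reply disable
        set type load-balance
    next
    edit "bad_static"
        set extip 10.50.50.151
        set mappedip "10.50.50.151"
    next
    edit "normal"
        set extip 10.50.50.152
        set mappedip "192.168.1.10"
    next
end
'''

def parse_vips(text):
    """Return {vip_name: {option: value}} from the 'config firewall vip' section."""
    vips, current, depth = {}, None, 0  # depth 1 = directly inside the VIP table
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            depth = 1 if line == "config firewall vip" else 0
        elif line.startswith("config "):
            depth += 1                  # nested sub-table inside a VIP entry
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = vips.setdefault(line[5:].strip('" '), {})
        elif depth == 1 and current is not None and (m := re.match(r"set (\S+) (.+)", line)):
            current[m.group(1)] = m.group(2).strip('" ')
    return vips

def check_same_ip_vips(text):
    """List (vip, problem) for VIPs with extip == mappedip that miss the article's settings."""
    findings = []
    for name, opts in parse_vips(text).items():
        if "extip" not in opts or opts["extip"] != opts.get("mappedip"):
            continue
        # Unset options fall back to the defaults the article names.
        if opts.get("type", "static-nat") != "load-balance":
            findings.append((name, "type is not load-balance"))
        if opts.get("arp-reply", "enable") != "disable":
            findings.append((name, "arp-reply is not disabled"))
    return findings
```

Calling `check_same_ip_vips(SAMPLE)` reports only "bad_static", once for each missing setting.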