FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes how to configure port forwarding as per the below topology.
From the GUI:
To create a VIP object, go to Policy and Objects -> Virtual IPs and select 'Create New'.
In the above example, 22.214.171.124 is an external WAN IP and 10.0.0.10 is a mapped internal server IP.
The incoming traffic is on port 80 and is mapped internally to the same port 80.
Using other ports for mapping is also possible.
To create an IPv4 policy to allow the traffic, go to Policy and Objects -> IPv4 and select 'Create New'.
Above is the IPv4 policy configuration where the WAN interface is port3 and the LAN (Server) connected interface is port4.
A common mistake in firewall policy configuration is to set an IP address object or 'all' as the 'destination' of the inbound policy; these refer only to plain IP addresses, so the VIP mapping is never applied. The correct action is to set the VIP object as the destination.
If NAT is enabled on the policy, the internal server cannot see the original source client IP address (it sees the FortiGate's LAN-side interface address instead), and clients will know the internal server IP details.
From the CLI:
config firewall vip
    edit "Test"
        set extip 126.96.36.199
        set extintf "port3"
        set portforward enable
        set mappedip 10.0.0.10
        set extport 80
        set mappedport 80
    next
end

'portforward', 'extport' and 'mappedport' depend on the requirement: leave 'portforward' disabled to forward all ports 1:1, or enable it and set the external and mapped ports (they may differ).
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "Test"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end

'schedule', 'service' and 'nat' depend on the requirement.
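The following is an added example (not part of the Fortinet article and not Fortinet code) that checks a FortiOS-style configuration text for the two pitfalls described above: an inbound accept policy on a VIP's external interface whose destination is 'all' or a plain address object instead of the VIP, and a VIP policy with NAT enabled (which hides the client source IP from the server). The configuration text, the policy IDs and the 'HTTP' service name are constructed for the example; the parser handles only the config/edit/set/next/end subset used in the article.

```python
import re

# Constructed sample configuration (not from the article). Policy 1 is correct;
# policy 2 shows the common mistake of using 'all' as the destination.
SAMPLE_CONFIG = """
config firewall vip
    edit "Test"
        set extip 126.96.36.199
        set extintf "port3"
        set portforward enable
        set mappedip "10.0.0.10"
        set extport 80
        set mappedport 80
    next
end
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "Test"
        set action accept
        set service "HTTP"
        set nat enable
    next
    edit 2
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""


def parse_fortios(text):
    """Parse 'config <table>' / 'edit <name>' / 'set <key> <values...>' blocks
    into {table: {entry: {key: [values]}}}. Quoted values are unquoted."""
    tables = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        cmd = words[0]
        if cmd == "config":
            table = " ".join(words[1:])
            tables.setdefault(table, {})
        elif cmd == "edit" and table is not None:
            entry = words[1]
            tables[table][entry] = {}
        elif cmd == "set" and entry is not None:
            tables[table][entry][words[1]] = words[2:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = None
    return tables


def lint_port_forwarding(text):
    """Return a list of (object_id, severity, message) findings."""
    cfg = parse_fortios(text)
    vips = cfg.get("firewall vip", {})
    policies = cfg.get("firewall policy", {})
    findings = []

    # A VIP with port forwarding enabled needs both port settings.
    for name, vip in vips.items():
        if vip.get("portforward", ["disable"])[0] == "enable":
            if "extport" not in vip or "mappedport" not in vip:
                findings.append((f"vip:{name}", "error",
                                 "portforward enabled but extport/mappedport missing"))

    # Interfaces on which at least one VIP is bound (the WAN side).
    vip_ifaces = {v["extintf"][0] for v in vips.values() if "extintf" in v}

    for pid, pol in policies.items():
        if pol.get("action", ["deny"])[0] != "accept":
            continue
        if not set(pol.get("srcintf", [])) & vip_ifaces:
            continue  # not an inbound policy arriving on a VIP interface
        dstaddr = pol.get("dstaddr", [])
        if "all" in dstaddr:
            findings.append((pid, "error",
                             "inbound accept policy uses 'all' as destination; set the VIP object"))
        non_vip = [a for a in dstaddr if a != "all" and a not in vips]
        if non_vip:
            findings.append((pid, "error",
                             f"destination {non_vip} is an address object, not a VIP"))
        if set(dstaddr) & set(vips) and pol.get("nat", ["disable"])[0] == "enable":
            findings.append((pid, "warning",
                             "NAT enabled: the server sees the FortiGate LAN address, not the client IP"))
    return findings


if __name__ == "__main__":
    for obj, sev, msg in lint_port_forwarding(SAMPLE_CONFIG):
        print(f"[{sev}] {obj}: {msg}")
```

Run it against a configuration exported with 'show firewall vip' and 'show firewall policy'; only policies whose source interface carries a VIP are examined, so ordinary outbound policies produce no findings.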
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.