Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
carabhavi
Staff
Staff

Created on ‎04-26-2020 12:19 AM Edited on ‎04-23-2025 11:53 PM By Community Manager

Article Id 198143

Technical Tip: Virtual IP (VIP) port forwarding configuration

Description


This article describes how to configure port forwarding for the below topology.

User  -> (Internet) -> Wan1 (Port1) --[ FortiGate ]-- Lan (Port 2) -> Server.

 

Scope


FortiGate.


Solution


From the GUI:

 

  1. To create a VIP object, go to Policy and Objects -> Virtual IPs and select 'Create New'.
    In the above example, 1.1.1.1 is an external WAN IP and 10.0.0.10 is a mapped internal server IP.
    The incoming traffic is on port 80 and is mapped internally to the same port 80.
    Using other ports for mapping is also possible.

Untitled1.gif

 

  1. To create an IPv4 policy to allow the traffic, go to Policy and Objects -> IPv4 and select 'Create New'.
 
Above is the IPv4 policy configuration where the WAN interface is port3 and the LAN (Server) connected interface is port4.
A common mistake in firewall policy configuration is to set an IP address object or 'all' as the 'destination', which also refers to IP addresses. The correct action is to set the VIP address. If NAT is enabled, it is impossible to know the source user IP address details, and clients will know the internal server IP details.
 

Screenshot 2024-10-22 144504.jpg

Note:
In case the VIP is not shown to be chosen as the destination in policy, it is because the incoming interface of the policy is different than the interface binding configured from the VIP. Make sure the binding interface is as same as the incoming interface on the policy or use 'any' instead when configuring VIP.

From the CLI:
 
config firewall vip
    edit "Test"
        set extip 1.1.1.1
        set extintf "port3"
        set portforward enable   <----- Depends on the requirement.
        set mappedip 10.0.0.10
        set extport 80           <----- Depends on the requirement.
        set mappedport 80        <----- Depends on the requirement.
    next
end
 
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "Test"
        set action accept
        set schedule "always"   <----- Depends on the requirement.
        set service "ALL"  <----- Depends on the requirement.
        set nat enable         <----- Depends on the requirement.
    next
end
 
Note:
To enhance network security, specify only the known source public IP addresses and services in the VIP firewall policy. This ensures that the traffic is allowed exclusively from trusted public IPs and for specific services only.
Additionally, when using specific/custom services in a VIP firewall policy, traffic may be denied due to implicit deny. In such cases, ensure that the service does not specify a source port. Otherwise, the VIP firewall policy will also check the source port and deny traffic due to a mismatch. To avoid this, custom services should only specify the destination port. 
 
Related articles:
116642
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.