FortiGate
carabhavi
Staff
Article Id 198143

Description


This article describes how to configure port forwarding (a virtual IP with port forwarding) for the topology below.

User -> (Internet) -> WAN 1.1.1.1 (port3) --[ FortiGate ]-- LAN (port4) -> Server 10.0.0.10.

 

Scope


FortiGate.


Solution


From the GUI:

 

  1. To create the VIP object, go to Policy & Objects -> Virtual IPs and select 'Create New'.
    In this example, 1.1.1.1 is the external WAN IP and 10.0.0.10 is the mapped internal server IP.
    Incoming traffic on port 80 is mapped to port 80 on the internal server.
    A different internal port can be used instead (for example external 8080 mapped to internal 80).


 

  2. To create the IPv4 policy that allows the traffic, go to Policy & Objects -> IPv4 Policy (Firewall Policy in newer FortiOS releases) and select 'Create New'.
 
In this policy the WAN (incoming) interface is port3 and the LAN interface the server is connected to is port4.
A common mistake in the firewall policy is to set an address object (for example the server's internal IP 10.0.0.10) or 'all' as the destination. The destination of a VIP policy must be the VIP object itself, because inbound traffic is matched against the external IP (1.1.1.1) defined in the VIP, not against the internal server address. Enabling NAT on this policy is usually not wanted either: it source-NATs the inbound connection to the FortiGate's port4 address, so the server no longer sees the real client IP and its logs cannot identify who connected.
 


Note:
If the VIP is not offered as a destination when editing the policy, the incoming interface of the policy differs from the interface the VIP is bound to. Make sure the VIP's external interface is the same as the policy's incoming interface, or set the VIP's interface to 'any'.

From the CLI:
 
config firewall vip
    edit "Test"
        set extip 1.1.1.1
        set extintf "port3"
        set portforward enable    <----- Depends on the requirement. Without it the VIP is a 1:1 mapping that forwards every port to the server.
        set mappedip 10.0.0.10
        set extport 80            <----- Depends on the requirement.
        set mappedport 80         <----- Depends on the requirement.
    next
end
 
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "Test"        <----- The VIP object, not an address object.
        set action accept
        set schedule "always"     <----- Depends on the requirement.
        set service "ALL"         <----- Depends on the requirement.
        set nat enable            <----- Depends on the requirement; when enabled the server sees the FortiGate's port4 address instead of the client IP.
    next
end
 
Note:
To reduce exposure, set the source of the VIP policy to address objects containing only the known client public IP addresses, and set the service to only what the server must accept. With 'all' as source and 'ALL' as service, any host on the Internet can reach the forwarded port.
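As an added example that is not part of the original article, the following is the same port forward with the restrictions from the note above applied: an address object for the trusted client network, a VIP limited to a single TCP port, a policy that allows only that service, source NAT left disabled so the server still sees the real client addresses, and logging enabled. The object names, the client range 203.0.113.0/24, policy ID 10 and the use of port 443 are assumptions for illustration; 1.1.1.1, 10.0.0.10, port3 and port4 are the article's values.

```fortios
# Added example, not the original article's configuration.
# Assumed values: object names, trusted client range 203.0.113.0/24, policy ID 10, port 443.

# 1. Address object for the only client network allowed to reach the VIP.
config firewall address
    edit "Trusted-Clients"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# 2. VIP: public 1.1.1.1, TCP port 443 on port3, forwarded to 10.0.0.10 port 443.
#    portforward + protocol/extport restrict the VIP to this one port; a VIP without
#    port forwarding would forward every port to the server.
config firewall vip
    edit "Web-VIP-443"
        set extip 1.1.1.1
        set extintf "port3"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "10.0.0.10"
        set mappedport 443
    next
end

# 3. Policy: only Trusted-Clients, only HTTPS, destination is the VIP object,
#    no source NAT so the server logs keep the real client address.
config firewall policy
    edit 10
        set name "Inbound-Web-VIP"
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "Trusted-Clients"
        set dstaddr "Web-VIP-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
        set logtraffic all
    next
end
```

To confirm that a test connection from the trusted range is translated by the VIP and hits policy 10 (and that a connection from elsewhere is dropped), run 'diagnose debug flow filter addr 1.1.1.1', 'diagnose debug flow filter port 443', 'diagnose debug enable' and 'diagnose debug flow trace start 10', then connect to 1.1.1.1:443. The trace should show a line naming the VIP's mapped address 10.0.0.10 followed by 'Allowed by Policy-10'; run 'diagnose debug disable' when finished.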