Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
carabhavi
Staff
Staff

Created on ‎04-26-2020 12:19 AM Edited on ‎10-17-2025 07:16 AM By Moderator

Article Id 198143

Technical Tip: Virtual IP (VIP) port forwarding configuration

Description:


This article describes how to configure port forwarding for the below topology.

vip3.png

Scope


FortiGate.


Solution


From the GUI:

  1. To create a VIP object, go to Policy and Objects -> Virtual IPs and select 'Create New'.In the above example, 1.1.1.1 is an external WAN IP, and 10.0.0.10 is a mapped internal server IP. The incoming traffic is on port 80 and is mapped internally to the same port 80. Using other ports for mapping is also possible.
     
Untitled1.gif

 

  1. To create an IPv4 policy to allow the traffic, go to Policy and Objects -> IPv4 and select 'Create New'. Above is the IPv4 policy configuration where the WAN interface is port3 and the LAN (Server) connected interface is port4. A common mistake in firewall policy configuration is to set an IP address object or 'all' as the 'destination', which also refers to IP addresses. The correct action is to set the VIP address. If NAT is enabled, it is impossible to know the source user's IP address details, and clients will know the internal server's IP address details.
 

Screenshot 2024-10-22 144504.jpg

 

Note:
In case the VIP is not shown to be chosen as the destination in policy, it is because the incoming interface of the policy is different than the interface binding configured for the VIP. Make sure the binding interface is the same as the incoming interface on the policy, or use 'any' instead when configuring VIP.
To find more information on using 'any' for Virtual IP interface versus a specific interface, check the following article: Technical Tip: Pros and Cons of using 'any' for Virtual IP Interface versus a specific interface

In FortiGate firewalls, VIP (Virtual IP) objects are primarily used for Destination NAT (DNAT) purposes. Typically, VIP objects are applied in the Destination field of firewall policies, and they are not used in the Source field.

From the CLI:
 
config firewall vip
    edit "Test"
        set extip 1.1.1.1
        set extintf "port1"
        set portforward enable   <----- Depends on the requirement.
        set mappedip 10.0.0.10
        set extport 80           <----- Depends on the requirement.
        set mappedport 80        <----- Depends on the requirement.
    next
end
 
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Test"
        set action accept
        set schedule "always"   <----- Depends on the requirement.
        set service "ALL"  <----- Depends on the requirement.
        set nat enable         <----- Depends on the requirement.
    next
end
 
Port ranges can also be used while configuring a VIP as seen in the following example:

VIP.PNG

 

Make sure to use the external service port range with a starting value and ending value, the mapped port range will only need a starting range value as the ending range value will populate automatically based on the external service port range values.

Note:
To enhance network security, specify only the known source public IP addresses and services in the VIP firewall policy. This ensures that the traffic is allowed exclusively from trusted public IPs and for specific services only, as shown below.
vip2.png
 
As the picture displays, the source (9.9.9.9) will be the known source public IP and the service(HTTP) from which the traffic will be allowed for the VIP. 
 
Additionally, when using specific/custom services in a VIP firewall policy, traffic may be denied due to implicit deny. In such cases, ensure that the service does not specify a source port. Otherwise, the VIP firewall policy will also check the source port and deny traffic due to a mismatch. To avoid this, custom services should only specify the destination port. 
 
Always verify that the VIP’s external IP and interface binding are unique and correctly match the actual ingress interface, overlapping VIPs or mismatched bindings can cause traffic to be dropped or matched to the wrong policy.
 
Note: In version 7.4.8, the options empty-cert-action, user-agent-detect and client-cert have been removed from system.access-proxy. Instead, they are added under the VIP configuration.
 
config firewall vip
    set type access-proxy
    set empty-cert-action <action>
    user-agent-detect {enable|disable}
    client-cert {enable|disable}
end
 
Related articles:
131696
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.