FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 198143


This article describes how to configure port forwarding as per the below topology.





From the GUI:


  1. To create a VIP object, go to Policy and Objects -> Virtual IPs and select 'Create New'.

In the above example, is an external WAN IP and is a mapped internal server IP.
The incoming traffic is on port 80 and is mapped internally to the same port 80.
Using other ports for mapping is also possible.

  1. To create an IPv4 policy to allow the traffic, go to Policy and Objects -> IPv4 and select 'Create New'.
Above is the IPv4 policy configuration where the WAN interface is port3 and the LAN (Server) connected interface is port4.
A common mistake in firewall policy configuration is to set an IP address object or 'all' as the 'destination', which also refers to IP addresses. The correct action is to set the VIP address.
If NAT is enabled, it is impossible to know the source client IP address details, and clients will know the internal server IP details.
From the CLI:
config firewall vip
    edit "Test"
        set extip
        set extintf "port3"
        set portforward enable    (depends on requirement)
        set mappedip
        set extport 80            (depends on requirement)
        set mappedport 80         (depends on requirement)
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "Test"
        set action accept
        set schedule "always"  
(depends on the requirement).
        set service "ALL"  
(depends on the requirement).
        set nat enable         
(depends on the requirement).