carabhavi
Staff

Description


This article describes how to configure port forwarding for the topology below.

 

Scope


FortiGate.


Solution


From GUI.

1) To create a VIP object, go to Policy and Objects -> Virtual IPs and select 'Create New'.



 
 
In the above example, 1.1.1.1 is an external WAN IP and 10.0.0.10 is a mapped internal server IP.
The incoming traffic is on port 80 and is mapped internally to the same port 80.
Other ports can also be used for the mapping.

2) To create an IPv4 policy for allowing the traffic, go to Policy and Objects -> IPv4 and select 'Create New'.
 
 
 
 
Above is the IPv4 policy configuration where the WAN interface is port3 and LAN (Server) connected interface is port4.
A common mistake in policy configuration is selecting an IP address object in the destination section. The destination must be the created VIP object, not the IP address object.
 
If NAT is enabled on the policy, the internal server cannot see the source client IP address, and clients do not learn the internal server IP address.
 
From CLI.
# config firewall vip
    edit "VIP"
        set extip 1.1.1.1
        set extintf "port3"
        set portforward enable    (depends on requirement)
        set mappedip 10.0.0.10
        set extport 80            (depends on requirement)
        set mappedport 80         (depends on requirement)
    next
end
# config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "VIP"         (the VIP object created above, not an address object)
        set action accept
        set schedule "always"     (depends on requirement)
        set service "ANY"         (depends on requirement)
        set nat enable            (depends on requirement)
    next
end
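
An added example, not part of the original article and not Fortinet tooling: a small Python check that reads a saved configuration in the config/edit/set form shown above and flags the two points made in the policy section, a destination that is not the VIP object and NAT enabled on the VIP policy. The sample configuration and the address object name "server-addr" are constructed for illustration.

```python
import shlex

# Constructed sample: the article's VIP plus a hypothetical address object "server-addr".
SAMPLE = '''
config firewall vip
    edit "VIP"
        set extip 1.1.1.1
        set extintf "port3"
        set mappedip 10.0.0.10
        set extport 80
        set mappedport 80
    next
end
config firewall policy
    edit 1
        set srcintf "port3"
        set dstaddr "VIP"
        set nat enable
    next
    edit 2
        set srcintf "port3"
        set dstaddr "server-addr"
    next
end
'''

def parse(text):  # returns {section: {entry: {key: [values]}}}
    cfg, section, entry = {}, None, None
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] == ["config"]:
            section = cfg.setdefault(" ".join(tok[1:]), {})
        elif tok[:1] == ["edit"]:
            entry = section.setdefault(tok[1], {})
        elif tok[:1] == ["set"]:
            entry[tok[1]] = tok[2:]
    return cfg

def audit(text):
    """List (policy id, finding) for policies entering on a VIP's external interface."""
    cfg = parse(text)
    vips = cfg.get("firewall vip", {})
    wan = {v["extintf"][0] for v in vips.values() if "extintf" in v}
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        inbound = wan & set(pol.get("srcintf", []))  # enters on a VIP interface
        if inbound and not set(vips) & set(pol.get("dstaddr", [])):
            findings.append((pid, "dstaddr is not a VIP object"))
        elif inbound and pol.get("nat") == ["enable"]:
            findings.append((pid, "NAT enabled: client source IP is hidden"))
    return findings
```

The parser expects plain configuration text, so the "(depends on requirement)" annotations used in this article must be removed before a snippet is passed to `audit()`.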

 
