FortiGate
carabhavi
Staff
Article Id 198143

Description


This article describes how to configure port forwarding for the below topology.

User  -> (Internet) -> Wan1 (Port1) --[ FortiGate ]-- Lan (Port 2) -> Server.

 

Scope


FortiGate.


Solution


From the GUI:

  1. To create a VIP object, go to Policy and Objects -> Virtual IPs and select 'Create New'. In the example below, 1.1.1.1 is the external WAN IP and 10.0.0.10 is the mapped internal server IP. Incoming traffic on port 80 is mapped to the same port 80 on the server; a different mapped port can be used if required.
     
[Screenshot Untitled1.gif: VIP object mapping external 1.1.1.1 port 80 to internal 10.0.0.10 port 80]

 

  2. To create an IPv4 policy that allows the traffic, go to Policy and Objects -> IPv4 Policy and select 'Create New'. In the screenshot below, the WAN interface is port3 and the LAN (server) interface is port4; the topology and the CLI example in this article use port1 and port2 for the same roles. A common mistake in the firewall policy is to set an IP address object or 'all' as the destination: those objects refer to plain IP addresses, whereas the destination must be the VIP object. If NAT is enabled on the policy, the connection is also source-NATed to the FortiGate's LAN interface address, so the server sees the FortiGate rather than the client's real source IP; leave NAT disabled unless the server needs it (for example, because its return route does not go through the FortiGate). The client never learns the internal server IP either way, since it only ever connects to the external IP.
 

[Screenshot 2024-10-22 144504.jpg: IPv4 policy with the VIP object selected as destination]

 

Note:
If the VIP does not appear in the list of selectable destinations in the policy, the policy's incoming interface differs from the interface binding configured on the VIP. Make sure the VIP's binding interface is the same as the incoming interface of the policy, or set the VIP's interface to 'any' when configuring it.

In FortiGate firewalls, VIP (Virtual IP) objects are primarily used for Destination NAT (DNAT) purposes. Typically, VIP objects are applied in the Destination field of firewall policies, and they are not used in the Source field.

From the CLI:
 
config firewall vip
    edit "Test"
        set extip 1.1.1.1
        set extintf "port1"
        set portforward enable    <----- Depends on the requirement.
        set mappedip 10.0.0.10
        set extport 80            <----- Depends on the requirement.
        set mappedport 80         <----- Depends on the requirement.
    next
end
 
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Test"
        set action accept
        set schedule "always"     <----- Depends on the requirement.
        set service "ALL"         <----- Depends on the requirement.
        set nat enable            <----- Depends on the requirement.
    next
end
 
Note:
To enhance network security, specify only the known source public IP addresses and services in the VIP firewall policy. This ensures that the traffic is allowed exclusively from trusted public IPs and for specific services only, as shown below.
 
[Screenshot vip2.png: VIP policy with source restricted to 9.9.9.9 and service restricted to HTTP]
 
As the picture shows, the source (9.9.9.9) is the known public IP and the service (HTTP) is the only service for which traffic to the VIP is allowed.
 
Additionally, when a specific or custom service is used in the VIP firewall policy, traffic may be dropped by the implicit deny policy. In that case, check that the custom service does not specify a source port: if it does, the policy also matches on the client's source port, which is normally an ephemeral, random value, and the traffic is denied on the mismatch. Custom services used in VIP policies should therefore specify only the destination port.
 
Always verify that the VIP's external IP and interface binding are unique and match the actual ingress interface; overlapping VIPs or mismatched bindings can cause traffic to be dropped or matched by the wrong policy.
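As an added example (not Fortinet's code and not part of the original article), the following Python script parses a FortiOS CLI fragment in the same layout as the one above and flags the conditions these notes describe: a policy whose incoming interface differs from the VIP's binding interface, a custom service that also specifies a source port, and two VIPs that overlap on the same external IP, interface and port range. It also warns when srcaddr is 'all'. The embedded sample configuration is constructed for the demonstration (the object names Test-dup, Partner-IP and HTTP-with-srcport are invented), and the parser handles only the flat config/edit/set/next/end layout shown in this article.

```python
"""Added example (not Fortinet code): lint a FortiOS CLI fragment for the VIP/policy mistakes described above."""
import re

# Constructed sample: the article's VIP and policy plus deliberately broken objects
# (a second VIP overlapping the first, a policy whose srcintf does not match the
# VIP binding, and a custom service that also matches on the source port).
SAMPLE_CONFIG = """
config firewall vip
    edit "Test"
        set extip 1.1.1.1
        set extintf "port1"
        set portforward enable
        set mappedip 10.0.0.10
        set extport 80
        set mappedport 80
    next
    edit "Test-dup"
        set extip 1.1.1.1
        set extintf "port1"
        set portforward enable
        set mappedip 10.0.0.11
        set extport 80-88
    next
end
config firewall service custom
    edit "HTTP-with-srcport"
        set tcp-portrange 80:1024-65535
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "Test"
        set service "ALL"
    next
    edit 2
        set srcintf "port3"
        set srcaddr "Partner-IP"
        set dstaddr "Test-dup"
        set service "HTTP-with-srcport"
    next
end
"""

def parse_fortios(text):
    """Return {table: {entry: {setting: [values]}}}; inline '<-----' notes are ignored.
    Handles only the flat config/edit/set/next/end layout used in this article."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.split("<-----")[0].strip()
        if line.startswith("config "):
            table, entry = line[7:], None
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            tables.setdefault(table, {})[entry] = {}
        elif line.startswith("set ") and entry is not None:
            toks = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', line[4:])]
            tables[table][entry][toks[0]] = toks[1:]
    return tables

def port_range(spec):
    """'80' -> (80, 80); '80-88' -> (80, 88)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def check(cfg):
    """Return a list of human-readable findings for the parsed config."""
    findings, seen = [], []
    vips = cfg.get("firewall vip", {})
    services = cfg.get("firewall service custom", {})
    for pid, pol in cfg.get("firewall policy", {}).items():
        srcintf = pol.get("srcintf", [])
        for name in pol.get("dstaddr", []):
            if name in vips:  # the VIP binding must match the policy's incoming interface
                extintf = vips[name].get("extintf", ["any"])[0]
                if extintf != "any" and "any" not in srcintf and extintf not in srcintf:
                    findings.append(f"policy {pid}: VIP {name} is bound to {extintf} "
                                    f"but srcintf is {','.join(srcintf)}")
        if pol.get("srcaddr") == ["all"]:
            findings.append(f"policy {pid}: srcaddr is 'all'; restrict to known source IPs")
        for svc in pol.get("service", []):  # custom services must not carry a source port
            for key in ("tcp-portrange", "udp-portrange", "sctp-portrange"):
                if any(":" in v for v in services.get(svc, {}).get(key, [])):
                    findings.append(f"policy {pid}: service {svc} sets a source port in {key}")
    for name, vip in vips.items():  # two VIPs on the same extip/extintf/protocol must not share ports
        key = (vip.get("extip", [""])[0], vip.get("extintf", ["any"])[0], vip.get("protocol", ["tcp"])[0])
        # assumptions: an unset protocol means tcp; a non-port-forward VIP claims every port
        rng = port_range(vip["extport"][0]) if vip.get("portforward") == ["enable"] else (1, 65535)
        for oname, okey, orng in seen:
            if key == okey and rng[0] <= orng[1] and orng[0] <= rng[1]:
                findings.append(f"VIP {name} overlaps VIP {oname} on {key[0]} via {key[1]}")
        seen.append((name, key, rng))
    return findings

if __name__ == "__main__":
    for finding in check(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run it with python3 as is to see the four findings from the sample, or replace SAMPLE_CONFIG with saved 'show firewall vip', 'show firewall service custom' and 'show firewall policy' output. The checker only reads the settings named in this article, so anything decided by other VIP attributes (mapped port ranges, VIP groups, nested sub-tables) is outside what it reports.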
 
Note: In version 7.4.8, the options empty-cert-action, user-agent-detect and client-cert were removed from 'config system access-proxy' and are instead set on the VIP configuration for VIPs of type access-proxy:
 
config firewall vip
    edit <name>
        set type access-proxy
        set empty-cert-action <action>
        set user-agent-detect {enable | disable}
        set client-cert {enable | disable}
    next
end
 