FortiGate
bfreitas
Staff
Article Id 350101
Description This article describes the order of execution of Virtual IPs port forwarding, and how to change that order.
Scope FortiGate.
Solution

In FortiGate, Virtual IP (VIP) port forwarding is evaluated from the top of the VIP list to the bottom, and the order of the firewall policies to which these VIPs are applied does not matter. A VIP is only checked if it is applied on at least one firewall policy.

In the first example, FortiGate forwards WAN (DMZ) interface ports 442-444 to Loopback Interface 2 port 443, and port 443 to Loopback Interface 3 port 443. However, because the Loopback Interface 2 VIP comes first in the VIP list, it is matched first, so traffic to port 443 never reaches the Loopback Interface 3 VIP.

FortiGate Loopback Interfaces below:

lpk.png

FortiGate VIP and Firewall Policy are below:

VIP_order_of_execution.png

The second example includes a VIP forwarding all ports and another VIP forwarding only a specific port. Although Lpk3 is more specific, Lpk2 is triggered first because it comes earlier in the VIP list.


VIP_order_of_execution_2.png


This order can be changed, but only through the CLI. The next image shows how to change the VIP order for the first example.

VIP_move_command.png

After running the command, the new order can be seen in both the CLI and the GUI.

VIP_order.png

VIP_order_move.png


Virtual Servers:

Although configured in a different GUI section, Virtual Servers are part of the VIP list and can be moved relative to other Virtual IP addresses in the same way.

Virtual Server.PNG

To verify the processing order of Virtual Servers, view the VIP list in the CLI:


VAN_DNAT # show firewall vip
config firewall vip
    edit "Lpk3"
        set extip 10.5.20.59
        set mappedip "3.3.3.3"
        set extintf "dmz"
        set portforward enable
        set extport 443
        set mappedport 443
    next
    edit "Lpk2"
        set extip 10.5.20.59
        set mappedip "2.2.2.2"
        set extintf "dmz"
        set portforward enable
        set extport 442-444
        set mappedport 443
        set portmapping-type m-to-n
    next
    edit "Virtual Server"
        set type server-load-balance
        set server-type http
        set extip 10.5.20.59
        set extintf "any"
        set extport 444
        config realservers
            edit 1
                set ip 4.4.4.4
                set port 443
            next
        end
    next
end

VAN_DNAT # config firewall vip

VAN_DNAT (vip) # move "Virtual Server" before Lpk2

VAN_DNAT (vip) # end

VAN_DNAT #
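The top-to-bottom matching described in this article, the shadowing seen in both examples, and the move command above, as an added Python example (not code from the article or from Fortinet): it parses a constructed, abridged copy of the show firewall vip output shown above, works out which VIP catches a given interface, destination address and port in list order, emulates the CLI command move "<name>" before <name>, and runs an audit check that lists VIPs an earlier entry shadows completely. The minimal parser (only extip, extintf and extport are read) and the matching rules are assumptions of the example and not a general FortiOS configuration parser.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Constructed sample, abridged from the "show firewall vip" output on this
# page (same entry names and example addresses); not taken from a live device.
SHOW_FIREWALL_VIP = """\
config firewall vip
    edit "Lpk3"
        set extip 10.5.20.59
        set mappedip "3.3.3.3"
        set extintf "dmz"
        set extport 443
    next
    edit "Lpk2"
        set extip 10.5.20.59
        set mappedip "2.2.2.2"
        set extintf "dmz"
        set extport 442-444
    next
    edit "Virtual Server"
        set type server-load-balance
        set extip 10.5.20.59
        set extintf "any"
        set extport 444
        config realservers
            edit 1
                set ip 4.4.4.4
                set port 443
            next
        end
    next
end
"""
@dataclass
class Vip:
    name: str
    extip: str = ""
    extintf: str = "any"
    extport: Optional[Tuple[int, int]] = None  # None: all ports (no port forwarding)

def parse_vip_list(text: str) -> List[Vip]:
    """VIP entries in list order; nested blocks such as 'config realservers' are skipped."""
    vips, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth != 1:
            continue
        elif line.startswith("edit "):
            current = Vip(name=line[5:].strip().strip('"'))
        elif line == "next" and current is not None:
            vips.append(current)
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            value = value.strip().strip('"')
            if key == "extip":
                current.extip = value
            elif key == "extintf":
                current.extintf = value
            elif key == "extport":            # "443" or "442-444"
                lo, _, hi = value.partition("-")
                current.extport = (int(lo), int(hi or lo))
    return vips

def matches(vip: Vip, intf: str, dst_ip: str, dst_port: int) -> bool:
    if vip.extintf not in ("any", intf) or vip.extip != dst_ip:
        return False
    return vip.extport is None or vip.extport[0] <= dst_port <= vip.extport[1]

def first_match(vips: List[Vip], intf: str, dst_ip: str, dst_port: int) -> Optional[str]:
    """Top-to-bottom evaluation: the first hit wins, however specific a later entry is."""
    for vip in vips:
        if matches(vip, intf, dst_ip, dst_port):
            return vip.name
    return None

def move_before(vips: List[Vip], name: str, before: str) -> List[Vip]:
    """Emulate the CLI command:  move "<name>" before <before>"""
    item = vips.pop([v.name for v in vips].index(name))
    vips.insert([v.name for v in vips].index(before), item)
    return vips

def shadowed_on(vips: List[Vip], intf: str) -> List[str]:
    """Audit: port-forwarding VIPs that can never fire on `intf` because earlier entries catch every port."""
    out = []
    for i, vip in enumerate(vips):
        if vip.extport is None or vip.extintf not in ("any", intf):
            continue
        lo, hi = vip.extport
        if all(first_match(vips[:i], intf, vip.extip, p) for p in range(lo, hi + 1)):
            out.append(vip.name)
    return out

if __name__ == "__main__":   # page order Lpk3, Lpk2, Virtual Server; then the page's move
    vips = parse_vip_list(SHOW_FIREWALL_VIP)
    print(shadowed_on(vips, "dmz"), shadowed_on(move_before(vips, "Virtual Server", "Lpk2"), "dmz"))
```

With the list in the order shown above, the Virtual Server (port 444, any interface) is fully shadowed on dmz by Lpk2 (442-444) and is reported; after move "Virtual Server" before Lpk2 nothing is shadowed. The same check on the first example's original order (Lpk2 before Lpk3) reports Lpk3. Running it over a saved show firewall vip before and after a reorder shows whether the move silently changes which mapped address receives a given port.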


Earlier Firmware Versions


In v7.0 and earlier, overlapping virtual IP addresses were possible but not recommended. In these firmware versions, when Central NAT is disabled, VIPs cannot be re-ordered with the move command:

VAN_DNAT # move "Virtual Server" before Lpk2
VIP entry cannot be moved when central-nat is disabled.
Command fail. Return code -651

Moving virtual IP objects in these firmware versions is only possible by removing the virtual IP objects from every firewall policy and reconfiguring them in the intended order.


Related articles:

Technical Tip: Virtual IP (VIP) port forwarding configuration

Technical Tip: Local In Policy VS Virtual IP Policy

Technical Tip: Configure firewall policies for a VIP when Central NAT is enabled