FortiGate
bfreitas
Staff
Article Id 350101
Description This article describes the order in which FortiGate evaluates Virtual IP (VIP) port-forwarding entries, and how to change that order.
Scope FortiOS.
Solution

On a FortiGate, Virtual IP (VIP) port forwarding is evaluated from the top of the VIP table to the bottom: the first VIP that matches the incoming connection is the one applied. The order of the firewall policies that reference these VIPs has no influence on which VIP is selected.

In the first example, FortiGate forwards WAN (DMZ) interface ports 442-444 to Loopback Interface 2 (mapped port 443) and port 443 to Loopback Interface 3 on port 443. Port 443 lies inside the 442-444 range, so both VIPs match a connection to port 443; because the Loopback Interface 2 VIP is listed first, it is the one that is applied.

FortiGate loopback interfaces:

[Image: lpk.png]

 
FortiGate VIP and firewall policy configuration:

[Image: VIP_order_of_execution.png]
The second example has one VIP that forwards all ports (Lpk2) and another VIP that forwards only a single port (Lpk3). Although the Lpk3 VIP is more specific, the Lpk2 VIP is applied because it comes first in the list. VIP selection is strictly first match, not most specific match.

[Image: VIP_order_of_execution_2.png]


This order can be changed, but only through the CLI; the GUI does not offer a way to reorder VIPs.

The next image shows the CLI move command used to change the VIP order for the first example, so that the Loopback Interface 3 VIP is evaluated before the Loopback Interface 2 VIP.

[Image: VIP_move_command.png]

 

After running the command, the new order is visible in both the CLI and the GUI.

[Image: VIP_order.png]

[Image: VIP_order_move.png]
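The following FortiOS CLI session is an added worked example, not configuration taken from the article or from Fortinet. It reproduces the first example above (a 442-444 range VIP listed ahead of a single-port 443 VIP on the same external IP), then reorders the VIP table and verifies the result. The VIP names, the interface names wan1, Lpk2 and Lpk3, the external address 203.0.113.10 and the loopback addresses 10.255.2.1 and 10.255.3.1 are all assumptions; the only requirement for the overlap is that both VIPs share the same external interface and IP.

```fortios
# Added example, not from the article. Names and addresses are assumed.
# Two port-forwarding VIPs on the same external IP whose port ranges overlap
# on 443. When extport is a range, mappedport must be a range of equal size.
config firewall vip
    edit "VIP_Lpk2_range"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.255.2.1"
        set portforward enable
        set extport 442-444
        set mappedport 443-445
    next
    edit "VIP_Lpk3_443"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.255.3.1"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

# Policies referencing the VIPs. Their order is irrelevant to VIP selection:
# the policy for Lpk3 is created first here and still does not win.
config firewall policy
    edit 0
        set name "wan-to-Lpk3"
        set srcintf "wan1"
        set dstintf "Lpk3"
        set srcaddr "all"
        set dstaddr "VIP_Lpk3_443"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    edit 0
        set name "wan-to-Lpk2"
        set srcintf "wan1"
        set dstintf "Lpk2"
        set srcaddr "all"
        set dstaddr "VIP_Lpk2_range"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end

# At this point a connection to 203.0.113.10:443 matches VIP_Lpk2_range first
# and is forwarded to 10.255.2.1. Move the single-port VIP above the range VIP:
config firewall vip
    move "VIP_Lpk3_443" before "VIP_Lpk2_range"
end

# Verify: entries are printed top to bottom in evaluation order, so
# VIP_Lpk3_443 must now appear before VIP_Lpk2_range.
show firewall vip
```

The check that matters is the `show firewall vip` output after the move: the table is printed in the order the VIPs are evaluated, so a connection to port 443 now lands on 10.255.3.1 while 442 and 444 still reach the range VIP. The same result is obtained with `move "VIP_Lpk2_range" after "VIP_Lpk3_443"`; when several VIPs overlap, place the most specific entries highest, because FortiGate will not do that for you.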


Related articles:

Technical Tip: Virtual IP (VIP) port forwarding configuration

Technical Tip: Local In Policy VS Virtual IP Policy

Technical Tip: Configure firewall policies for a VIP when Central NAT is enabled