 
					
				
		
Created on 10-17-2024 03:38 AM
Edited on 06-24-2025 11:49 PM
By Jean-Philippe_P
		
| Description | This article describes the order of execution of Virtual IPs port forwarding, and how to change that order. | 
| Scope | FortiGate. | 
| Solution | On FortiGate, Virtual IP (VIP) port forwarding is evaluated from top to bottom of the VIP list; the order of the firewall policies to which the VIPs are applied does not matter. A VIP is only checked if it is applied to at least one firewall policy.
 
 
 
 After running the command, the successful order change can be observed in both the CLI and the GUI.
 
 Virtual Servers: Although configured in a different GUI section, Virtual Servers are part of the VIP list. They can be moved relative to other Virtual IP addresses in the same way. 
 
 To verify the processing order of Virtual Servers, view the VIP list in the CLI. 
     VAN_DNAT # show firewall vip
     edit "Lpk3"
         set extip 10.5.20.59
     next
         set extip 10.5.20.59
     next
         set type server-load-balance
     edit 1
         set ip 4.4.4.4
     next
     end
     next
     end

     VAN_DNAT (vip) # move "Virtual Server" before Lpk2
     VAN_DNAT (vip) # end
     VAN_DNAT #

 In v7.0 and earlier, it was possible but not recommended to have overlapping virtual IP addresses. In these firmware versions, when Central NAT is disabled, it is not possible to re-order VIPs using the move command. 
     VAN_DNAT # move "Virtual Server" before Lpk2

 Moving virtual IP objects in these firmware versions is only possible by removing the virtual IP objects from every firewall policy and reconfiguring them in the intended order.
 Check the routing table. In cases where there is more than one ISP or more than one WAN interface, it is important to review the routing table to confirm that the WAN interface selected in the Virtual IP is active. Depending on the case, the selected interface can be inactive or in a standby state, waiting for the other interface to fail.
     VAN_DNAT # get router info routing-table all
     VAN_DNAT # get router info routing-table database
 |
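
The top-to-bottom evaluation and the effect of `move` described above can be checked offline against a saved copy of `show firewall vip` output. The following is an added example, not code from the original article or from Fortinet: it lists VIPs in processing order, reports which VIP wins where external IP and port overlap, and models a `move` before it is applied. The sample configuration, its `extport` values and the function names are constructed; matching is simplified to an identical `extip` plus overlapping `extport`, ignoring protocol, interface and policy binding.

```python
# Constructed sample of `show firewall vip` output (values are illustrative).
SAMPLE = '''config firewall vip
    edit "Lpk3"
        set extip 10.5.20.59
        set extport 443
    next
    edit "Lpk2"
        set extip 10.5.20.59
        set extport 8000-8100
    next
    edit "Virtual Server"
        set type server-load-balance
        set extip 10.5.20.59
        set extport 8080
        config realservers
            edit 1
                set ip 4.4.4.4
            next
        end
    next
end'''

def parse_vips(text):
    """Return [[name, extip, lo, hi]] in list order; nested tables are skipped."""
    vips, depth = [], 0
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        if tok[0] in ("config", "end"):
            depth += 1 if tok[0] == "config" else -1
        elif depth == 1 and tok[0] == "edit":  # assumed default: all ports
            vips.append([" ".join(tok[1:]).strip('"'), None, 0, 65535])
        elif depth == 1 and tok[:2] == ["set", "extip"]:
            vips[-1][1] = tok[2]
        elif depth == 1 and tok[:2] == ["set", "extport"]:
            lo, _, hi = tok[2].partition("-")
            vips[-1][2:] = [int(lo), int(hi or lo)]
    return vips

def shadowed(vips):
    """(winner, loser) pairs: same extip, overlapping extport, winner listed first."""
    return [(a[0], b[0]) for i, a in enumerate(vips) for b in vips[i + 1:]
            if a[1] == b[1] and a[2] <= b[3] and b[2] <= a[3]]

def move_before(vips, name, ref):  # offline model of `move <name> before <ref>`
    rest = [v for v in vips if v[0] != name]
    idx = [v[0] for v in rest].index(ref)
    return rest[:idx] + [v for v in vips if v[0] == name] + rest[idx:]

if __name__ == "__main__":
    vips = parse_vips(SAMPLE)
    print(shadowed(vips), shadowed(move_before(vips, "Virtual Server", "Lpk2")))
```

In the constructed sample, "Lpk2" initially captures port 8080 ahead of "Virtual Server"; after the modeled move, "Virtual Server" is matched first.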
Copyright 2025 Fortinet, Inc. All Rights Reserved.