In this example, VIP is configured to access the internal RDP server through VIP, as shown in the topology below:

Server: 10.102.0.202:3389.

External IP: 10.5.192.200.

Step 1: Verify the VIP configuration:

config firewall vip
    edit "Server"
        set extip 10.5.192.200
        set mappedip "10.102.0.202"
        set extintf "wan1"
        set portforward enable
        set extport 3389
        set mappedport 3389
    next
end

Step 2: Ensure that an allowed policy exists under SSL Inspection & Authentication. Generally, there will be a ‘Default’ policy that allows any to any. If there is no Default policy, create a new SSL Inspection & Authentication policy from the External Interface to the Internal interface to allow the traffic:

config firewall policy
    edit <index>
        set name "VIP_Policy"
        set srcintf "wan1"
        set dstintf "LAN"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
end

Step 3: There must be a Security Policy allowing the traffic from the External interface to the Internal interface :

config firewall address

    edit "10.102.0.202/32"

        set subnet 10.102.0.202 255.255.255.255

    next

end

config firewall security-policy
    edit <index>
        set name "Wan-to-Lan"
        set srcintf "wan1"
        set dstintf "LAN"
        set srcaddr "all"
        set dstaddr "10.102.0.202/32" <-- Address object containing the mapped IP of the VIP.
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

Note: 

With a FortiGate firewall in NGFW policy-based mode, Virtual IP (VIP) objects are not configured in the firewall policy. The firewall will automatically handle the NAT translation and port forwarding as long as the VIP is configured. This is because Central NAT is enforced when policy-based NGFW mode is enabled, see FortiOS v7.6.4 Administration Guide | Central DNAT

Step 4: Confirm the traffic is reaching the FortiGate.

diagnose sniffer packet wan1 'host 10.5.192.200 and port 3389' 4 0 l
interfaces=[wan1]
filters=[host 10.5.192.200 and port 3389]
2025-09-15 08:49:51.055832 wan1 -- 10.5.255.254.64295 -> 10.5.192.200.3389: syn 2497031367  

Step 5: Run debug commands to verify DNAT is happening properly and SSL Inspection & Authentication Policy matches:

diagnose debug reset

diagnose debug flow filter addr 10.5.192.200

diagnose debug flow filter port 3389

diagnose debug flow show function-name enable

diagnose debug flow trace start 20

diagnose debug enable

Below is  debug output :

id=65308 trace_id=10008 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=6, 10.5.255.254:64441->10.5.192.200:3389) tun_id=0.0.0.0 from wan1. flag [S], seq 3272374413, ack 0, win 64240"
id=65308 trace_id=10008 func=init_ip_session_common line=6070 msg="allocate a new session-0002047d"
id=65308 trace_id=10008 func=get_new_addr line=1265 msg="find DNAT: IP-10.102.0.202, port-3389"
id=65308 trace_id=10008 func=fw_pre_route_handler line=187 msg="VIP-10.102.0.202:3389, outdev-LAN"
id=65308 trace_id=10008 func=__ip_session_run_tuple line=3446 msg="DNAT 10.5.192.200:3389->10.102.0.202:3389"
id=65308 trace_id=10008 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-10.102.0.202 via wan2"
id=65308 trace_id=10008 func=__iprope_tree_check line=539 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=10008 func=fw_forward_handler line=991 msg="Allowed by Policy-2:"

Step 6: Run PME debug to verify the Security Policy Match:

Note that running a PME debug can increase CPU usage and is recommended to run during less busy times. For more details and filter commands, see Technical Tip: How to check NGFW policy matching.

To start debugging:

diagnose ips filter set "host X.X.X.X"    <----- X.X.X.X is the source/destination IP address.
diagnose ips pme debug enable

diagnose ips pme detail all
diagnose debug enable

The CLI output of the pme debug command confirms a policy match for the specified source and destination IP addresses:

PME[482/0] auth query not needed

PME[482/0] current {
PME[482/0] SRC intf= 7 tuple=10.5.255.254:63442    <----- Source IP.
PME[482/0] DST intf= 8 tuple=10.102.0.202:3389    <----- Destination IP.
PME[482/0] vdom=0 vrf=0 proto=6 time=7772 serial=00013189
PME[482/0] user=0 groups-count=0 groups=[]
PME[482/0] }
PME[482/0] static {
PME[482/0] policy: id=1 "Wan-to-Lan" intf={src_ids: { 7 }, dst_ids: { 8 }} flags=180
PME[482/0] policy: id=2 "LAN_TO_WAN" intf={src_ids: { 8 }, dst_ids: { 7 }} flags=180
PME[482/0] }
PME[482/0] policy 1: static match passed
PME[482/0] policy 2: static match not passed
PME[482/0] session was created
PME[482/0] policies 1 {
01 : 01 Wan-to-Lan
}
PME[482/0] match: app=none url=-1 UNKNOWN
PME[482/0] matching policy "Wan-to-Lan"
PME[482/0] ...matching apps
PME[482/0] ...explicit match
PME[482/0] ...matching actions
PME[482/0] [EXPLICIT PASS] Wan-to-Lan : url=-1
PME[482/0] ...trigger policy 1 Wan-to-Lan      <----- Matching Security Policy.
PME[482/0] [DECISION MADE] PASS view=3 policy=1 features={p:0x4 s:0}
PME[482/0] policy=1 action=0 log_traffic=1 isdb_src/dst=0/0

To stop debugging:

diagnose ips pme debug disable
diagnose ips pme detail none

diagnose debug reset

diagnose ips filter clear