Description
The purpose of this article is to explain why adding a VIP object can disrupt service even though the VIP is not applied to any security policy.
"FortiGate_1" VIP configuration:
config firewall vip
    edit "VIP_1"
        set extip 22.214.171.124
        set extintf "wan1"
        set mappedip 192.168.0.100
    next
end
- New Virtual IP "VIP_1" was created on "FortiGate_1", but it was not yet applied to any firewall policy.
- The "VIP_1" external IP is the same as the IP address of the existing "Remote Server" on "Site_2" (126.96.36.199).
- The "VIP_1" mapped IP is 192.168.0.100, which belongs to the "Local Network" workstation on "Site_1".
- "FortiGate_1" has a working route for IP 188.8.131.52 in its
- However, "Remote Server" immediately became unreachable for all users (LAN and Internet).
- After deleting the "VIP_1" object from "FortiGate_1", "Remote Server" became reachable again for all users.
Why does a VIP entry that is not applied to any policy cause traffic destined to 184.108.40.206 to drop?
From the FortiGate unit's point of view, the firewall VIP entry is
seen as a local IP address and therefore affects the routing of
traffic to the external IP defined in the VIP.
When creating a new VIP entry, always take into account the
1. Every VIP object created on a FortiGate is counted as a local logical IP address from the moment of its creation (the VIP answers ARP requests by default).
2. VIP entries are used to translate the destination IP addresses of packets (every VIP object is considered a "Destination NAT"
3. The "Destination NAT" operation is always performed before any "Routing" operation (the VIP forwards traffic from the "external" IP address to the "mapped" IP address).
Even if a VIP entry is not applied to any policy, it obeys the
Whether or not there is a matching policy only determines whether
traffic is successfully forwarded to the local server.
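The following is an added illustration, not FortiOS code and not part of the original article: a small Python model of the processing order the article describes (VIP destination NAT first, then route lookup, then policy lookup). Interface names, the routing table, the policy set and the remote server address 203.0.113.10 (an RFC 5737 documentation address standing in for the real "Remote Server" IP) are constructed for the example; the mapped IP 192.168.0.100 and the name "VIP_1" come from the article.

```python
"""Model of the FortiGate packet-processing order described in the article:
DNAT (VIP lookup) -> route lookup -> policy lookup.  Added illustration,
not FortiOS code; interfaces, routes, policies and the 203.0.113.10 server
address are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Vip:
    name: str
    extip: str      # external IP; treated as a local address once the VIP exists
    mappedip: str   # destination after DNAT


@dataclass
class Route:
    prefix: str
    intf: str       # egress interface


@dataclass
class Policy:
    srcintf: str
    dstintf: str
    dstaddr: str    # "all" or the name of a VIP object


class FortiGateModel:
    def __init__(self, vips: List[Vip], routes: List[Route], policies: List[Policy]):
        self.vips = vips
        self.routes = routes
        self.policies = policies

    def lookup_route(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over the static routing table."""
        best = None
        for r in self.routes:
            net = ip_network(r.prefix)
            if ip_address(dst) in net:
                if best is None or net.prefixlen > ip_network(best.prefix).prefixlen:
                    best = r
        return best

    def process(self, srcintf: str, dst: str) -> Tuple[str, List[str]]:
        """Return (verdict, trace) for a packet arriving on srcintf for dst."""
        trace: List[str] = []
        vip = next((v for v in self.vips if v.extip == dst), None)
        # Step 1: destination NAT.  The VIP table is consulted before routing,
        # whether or not any policy references the VIP.
        if vip is not None:
            trace.append(f"dnat {dst} -> {vip.mappedip} ({vip.name})")
            dst = vip.mappedip
        # Step 2: route lookup on the (possibly translated) destination.
        route = self.lookup_route(dst)
        if route is None:
            trace.append("no route")
            return "drop: no route", trace
        trace.append(f"route {dst} via {route.intf}")
        # Step 3: policy lookup.  In this simplified model, DNAT'd traffic only
        # matches a policy that names the VIP; untranslated traffic matches "all".
        wanted = vip.name if vip is not None else "all"
        for p in self.policies:
            if p.srcintf == srcintf and p.dstintf == route.intf and p.dstaddr == wanted:
                trace.append(f"policy {p.srcintf}->{p.dstintf} {p.dstaddr}")
                return f"forward to {dst} via {route.intf}", trace
        trace.append("implicit deny")
        return "drop: implicit deny", trace


REMOTE_SERVER = "203.0.113.10"   # constructed stand-in for the Site_2 server IP
ROUTES = [Route("0.0.0.0/0", "wan1"), Route("192.168.0.0/24", "internal")]
POLICIES = [Policy("internal", "wan1", "all")]  # LAN users may reach the Internet
VIP_1 = Vip("VIP_1", REMOTE_SERVER, "192.168.0.100")


def before_vip() -> str:
    """LAN user reaches the remote server: no VIP, so routing decides."""
    fgt = FortiGateModel([], ROUTES, POLICIES)
    return fgt.process("internal", REMOTE_SERVER)[0]


def after_vip() -> str:
    """Same packet after VIP_1 exists: DNAT rewrites it, then implicit deny."""
    fgt = FortiGateModel([VIP_1], ROUTES, POLICIES)
    return fgt.process("internal", REMOTE_SERVER)[0]


def after_vip_with_policy() -> str:
    """A wan1->internal policy for VIP_1 forwards Internet clients to the
    local workstation, not to the remote server."""
    fgt = FortiGateModel([VIP_1], ROUTES, POLICIES + [Policy("wan1", "internal", "VIP_1")])
    return fgt.process("wan1", REMOTE_SERVER)[0]


if __name__ == "__main__":
    for label, fn in [("no VIP", before_vip), ("VIP_1 defined", after_vip),
                      ("VIP_1 + policy", after_vip_with_policy)]:
        print(f"{label:16} {fn()}")
```

The third case shows the article's closing point: a matching policy changes only whether the translated traffic is delivered to the mapped local host; it never restores reachability of the real server behind the external IP, because the DNAT step has already rewritten the destination before any route is consulted.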