msanjaypadma
Staff
Article Id 199427
Description This article describes how to configure a virtual IP (VIP) with services enabled.
Scope FortiGate.
Solution

This example maps one public external IP address to one internal IP address, with the optional Services filter enabled in the VIP configuration so that only the selected services are forwarded.

VIP object configuration:

  1. Go to Policy & Objects -> Virtual IPs and select 'Create New' -> Virtual IP.
  2. Set VIP Type to IPv4.
  3. Enter a unique name for the virtual IP and fill in the other fields.
  4. Configure the fields in the Network section. For example:
    • Set Interface to any.
    • Set External IP Address/Range to 10.5.59.66.
    • Set Mapped IP Address/Range to 172.31.139.62.
  5. Enable Optional Filters and then enable Services.
  6. In the Services field select '+' to display the Services pane.
  7. In the Services pane select HTTPS, DNS.
  8. Select 'OK'.
  9. Apply the above virtual IP to the firewall policy.

To create a virtual IP with services from the CLI:

    config firewall vip
        edit "InternalServer"
            set extip 10.5.59.66
            set extintf "any"
            set mappedip "172.31.139.62"
            set service "HTTPS" "DNS"
        next
    end

Policy configuration:
Go to Policy & Objects -> Firewall Policy, select 'Create New', and set the destination address to the VIP created above.

Note:
If the VIP does not appear in the list of destination addresses for the policy, the incoming interface of the policy differs from the interface the VIP is bound to. Make sure the VIP's binding interface matches the incoming interface of the policy, or set the VIP interface to 'any'.
To create a policy for the virtual IP with services in the CLI:

config firewall policy
    edit 1
        set name "Outside to Internal Server"
        set uuid 14cdedbe-4ce6-51ec-e4eb-aeeee9d26f89
        set srcintf "Test"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "InternalServer"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

The results are:

  1. Access 10.5.59.66:443 from the external network and FortiGate maps to 172.31.139.62:443 in the internal network.
  2. Access 10.5.59.66:53 from the external network and FortiGate maps to 172.31.139.62:53 in the internal network.
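As an added example (not part of this article and not a Fortinet tool), the following Python script parses the 'config firewall vip' section of a FortiOS-style CLI configuration dump and reports which external ports each VIP actually forwards to the mapped host. It runs on a constructed configuration containing the article's InternalServer VIP plus two hypothetical entries (LegacyBox, which has no filter, and WebAlt, which uses port forwarding), and it uses a small hand-made table to map the predefined service names to ports; a real FortiGate resolves service objects from its own service definitions.

```python
"""Audit FortiOS-style VIP entries for service or port restrictions.

Added example, not from the Fortinet article. Parses the plain-text CLI
format shown in the article and reports, per VIP, whether the mapping is
limited to named services, to a port-forward range, or forwards every port.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed lookup for the predefined service names used in this example.
# Real FortiOS resolves these from 'config firewall service custom'.
SERVICE_PORTS: Dict[str, Set[int]] = {"HTTPS": {443}, "DNS": {53}, "HTTP": {80}, "SSH": {22}}

# Constructed sample config: the article's InternalServer VIP plus two
# hypothetical entries (LegacyBox has no filter, WebAlt uses port forwarding).
SAMPLE_CONFIG = """\
config firewall vip
    edit "InternalServer"
        set extip 10.5.59.66
        set extintf "any"
        set mappedip "172.31.139.62"
        set service "HTTPS" "DNS"
    next
    edit "LegacyBox"
        set extip 10.5.59.67
        set extintf "any"
        set mappedip "172.31.139.70"
    next
    edit "WebAlt"
        set extip 10.5.59.68
        set extintf "any"
        set mappedip "172.31.139.71"
        set portforward enable
        set extport 8443
        set mappedport 443
    next
end
"""


@dataclass
class Vip:
    name: str
    extip: str = ""
    mappedip: str = ""
    extintf: str = ""
    services: List[str] = field(default_factory=list)
    portforward: bool = False
    extport: str = ""
    mappedport: str = ""


def parse_vips(config_text: str) -> Dict[str, Vip]:
    """Collect every entry of the 'config firewall vip' table."""
    vips: Dict[str, Vip] = {}
    in_section, depth = False, 0
    current: Optional[Vip] = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line.lower() == "config firewall vip"
            continue
        if line.lower().startswith("config "):  # nested table inside an entry
            depth += 1
            continue
        if line == "end":
            if depth:
                depth -= 1
            else:
                in_section, current = False, None
            continue
        if depth:  # ignore settings that belong to a nested table
            continue
        m = re.fullmatch(r'edit\s+"?(.+?)"?', line)
        if m:
            current = Vip(name=m.group(1))
            vips[current.name] = current
            continue
        parts = line.split(None, 2)
        if current is None or len(parts) < 2 or parts[0] != "set":
            continue
        key, value = parts[1], (parts[2] if len(parts) > 2 else "")
        if key == "service":
            current.services = re.findall(r'"([^"]*)"', value)
        elif key == "portforward":
            current.portforward = value == "enable"
        elif key in ("extip", "mappedip", "extintf", "extport", "mappedport"):
            setattr(current, key, value.strip('"'))
    return vips


def exposed_ports(vip: Vip) -> Optional[Set[int]]:
    """External ports the VIP answers on; None means every port is forwarded."""
    if vip.services:
        return set().union(*(SERVICE_PORTS.get(s, set()) for s in vip.services))
    if vip.portforward and vip.extport:
        lo, _, hi = vip.extport.partition("-")
        return set(range(int(lo), int(hi or lo) + 1))
    return None


def mapped_target(vip: Vip, dst_port: int) -> Optional[str]:
    """Where a packet to extip:dst_port lands, or None if the VIP ignores it."""
    ports = exposed_ports(vip)
    if ports is not None and dst_port not in ports:
        return None
    mapped_port = dst_port
    if vip.portforward and vip.extport and vip.mappedport:
        ext_lo = int(vip.extport.partition("-")[0])
        map_lo = int(vip.mappedport.partition("-")[0])
        mapped_port = map_lo + (dst_port - ext_lo)
    return f"{vip.mappedip}:{mapped_port}"


def find_unrestricted(vips: Dict[str, Vip]) -> List[str]:
    """Names of VIPs that forward every port of the mapped host."""
    return sorted(n for n, v in vips.items() if exposed_ports(v) is None)


if __name__ == "__main__":
    for name, vip in parse_vips(SAMPLE_CONFIG).items():
        ports = exposed_ports(vip)
        scope = "ALL PORTS" if ports is None else ",".join(map(str, sorted(ports)))
        print(f"{name:15} {vip.extip} -> {vip.mappedip}  ports: {scope}")
```

A VIP with neither a Services filter nor port forwarding forwards every port of the mapped host, which is why a configuration review should flag such entries. With the Services filter on the VIP, the policy's `set service "ALL"` shown above still only passes HTTPS and DNS to the internal server, which matches the two results listed in the article.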