Follow the steps below to create a VIP:

• Go to Policy & Objects -> Virtual IPs and select Create New -> Virtual IP.
• Enter a name for the newly created VIP.
• Select an external interface.
• For Type, select FQDN.
• For External, select FQDN and enter the FQDN.
• In the Mapped address, It is necessary to select FQDN. It will not give the option to select the IP address.

To configure the VIP with external FQDN ('extdomain.com' in this particular scenario) to map the internal server IP address, create the DNS database on FortiGate, which will resolve the mapped FQDN to an internal IP address.

Here, extdomain.com is an FQDN that resolves into the public IP address of FortiGate and the name extdomain.com is used as an example for this article. In this scenario, extdomain.com is resolving into a private IP address (10.0.0.180) provided by the ISP on wan1. However, there is one public IP address which was used by the ISP to forward the traffic to the private IP address of FortiGate. Consequently, for the external user, 'extdomain.com' resolves into a public IP address. When the user makes the request, the ISP forwards that request to a private IP address on WAN on FortiGate.

1. To create a DNS entry on FortiGate, enable the DNS database option from System -> Feature Visibility.

2. Go to Network -> DNS server -> Create the DNS Database.

3. DNS entry that will resolve the internal.server.fg to internal map IP(server IP) Address 10.0.10.10:

config system dns-database

    edit "test"

        set domain "fg"

            config dns-entry

                edit 1

                    set hostname "internal.server"

                    set ip 10.0.10.10

                next

            end

        next

    end

Note:

To resolve the internal FQDN, one method is to have the DNS record in FortiGate's DNS database. Resolving FQDN on an internal server and integrating it into FortiGate's DNS is an alternative.

4. Verify that the FortiGate can resolve the FQDN to the mapped internal server IP address.

exe ping internal.server.fg
PING internal.server.fg (10.0.10.10): 56 data bytes

5. Create an address object with the type set to FQDN for 'internal.server.fg'.

config firewall address

    edit "Internal Server FQDN"

        set uuid 08ff070e-8c92-51ef-f45a-08ce78c52aea

        set type fqdn

        set fqdn "internal.server.fg"

    next

end

6. Create an address object with the type as FQDN for External FQDN 'extdomain.com'.

config firewall address

edit "External FQDN"

set uuid f9a6f104-8c91-51ef-cc7e-616f9e221430

set type fqdn

set fqdn "extdomain.com"

next

end 

7. Configure a VIP as shown below:

config firewall vip

edit "Internal Server"

set uuid 0b84c9aa-8c92-51ef-550d-941fa72480a3

set type fqdn

set extintf "port2"

set extaddr "External FQDN"

set mapped-addr "Internal Server FQDN"

next

end

This solution will help to create VIP with external FQDN to map the internal server IP address. The flow debug snippet of the traffic from the configuration above would look like this:

2024-10-17 17:08:23 id=20085 trace_id=1 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=6, x.x.x.x:11561->10.0.0.180:4433) tun_id=0.0.0.0 from wan1. flag [S], seq 443772567, ack 0, win 64240"

2024-10-17 17:08:23 id=20085 trace_id=1 func=init_ip_session_common line=6046 msg="allocate a new session-02998d1b, tun_id=0.0.0.0"

2024-10-17 17:08:23 id=20085 trace_id=1 func=get_new_addr line=1221 msg="find DNAT: IP-10.0.10.10, port-4433"

2024-10-17 17:08:23 id=20085 trace_id=1 func=fw_pre_route_handler line=178 msg="VIP-10.0.10.10:4433, outdev-wan1"

2024-10-17 17:08:23 id=20085 trace_id=1 func=__ip_session_run_tuple line=3500 msg="DNAT 10.0.0.180:4433->10.0.10.10:4433"

2024-10-17 17:08:23 id=20085 trace_id=1 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-10.0.10.1 via internal5"

2024-10-17 17:08:23 id=20085 trace_id=1 func=fw_forward_handler line=719 msg="Allowed by Policy-45"