Support Forum
New Contributor

Accessing VIP from internal network

Hi everyone. We have an FG200B and I am trying to set up an internal server that can be accessed by a VIP from inside or outside the network. I can access it fine using the local address internally or the VIP externally.


I followed the KB article below and set the VIP to any interface, however it is still not working.


Any ideas? Do I need to set up Policy Based Routing as well?
New Contributor

You have to issue the command "set match-vip enable" on the firewall policy.

New Contributor

I don't know about the match-vip command, but we had to use policy routes to get this to work.

And of course matching Allow rules and the VIP listening on any.

Contributor II

Hello! The thing you want to do is also called NAT hairpinning. Some routers do this automatically, but some don't, and FortiGate is one such.

I would personally use policy routes as a last resort.

But I have always gotten such a thing working when I create two rules: 1. from untrust to trust (that is, from the internet to the server's network) and 2. from trust to trust where the destination is the VIP that was created, not the internal address (that works anyway).

New Contributor

I need to add that in our case with policy routes the point was to access a VIP in the DMZ from internal. That might have caused the need for policy routes. Maybe internal/internal is easier.

Contributor II

Oh, then you should add a policy from internal to DMZ with the VIP as destination. I have done that too and it works. It doesn't matter which internal network is the destination; you just specify that when creating the policy.

New Contributor

Hey guys, thanks for the replies! So after the answers I did a little more digging. It turns out that if you already have a policy route in place for that server to the internet, you need to add a new policy route so that the hairpin works!


Tested it out and it is working after adding a policy route with source = internal network, destination = internal IP address of that server, outgoing interface = internal.


Thanks again for the insight!
This KB article explains it nicely, and shows debugging commands:

Ede Kernel panic: Aiee, killing interrupt handler!
New Contributor II

You not only have to change the interface of the VIP to "any". You also have to create a policy, for example:

source-interface: internal
source-address: any
destination-interface: internal
destination-address: VIP-object
service: any
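Putting the thread's answers together as one worked FortiOS CLI configuration. This is an added example, not taken from any post above or from the Fortinet KB article they reference; the interface name "internal", the object name "web-vip", the VIP address 203.0.113.10, the server address 192.168.1.10 and the client subnet 192.168.1.0/24 are placeholders, and the policy-route sequence number 1 is only an example.

```fortios
# Added example, not from the thread or Fortinet docs. Placeholders:
# VIP external address 203.0.113.10, server 192.168.1.10 on "internal",
# internal client subnet 192.168.1.0/24, object name "web-vip".

# 1. The VIP listens on any interface, so the external address is also
#    translated for packets that arrive on "internal", not only on the WAN.
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set extintf "any"
        set mappedip "192.168.1.10"
    next
end

# 2. Hairpin policy: internal -> internal, destination is the VIP object,
#    not the server's real address. The existing WAN -> internal policy
#    for the VIP stays as it is.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "ALL"
        # Source NAT is required when client and server share a subnet:
        # without it the server answers the client directly, the reply
        # never crosses the FortiGate, and the session never completes.
        set nat enable
    next
end

# 3. Only if a policy route already steers this server's traffic to the
#    WAN (the original poster's case): a more specific policy route that
#    sorts ahead of it (lower sequence number) keeps client-to-server
#    traffic on "internal".
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.1.0/255.255.255.0"
        set dst "192.168.1.10/255.255.255.255"
        set output-device "internal"
    next
end

# 4. Verify: open a connection to 203.0.113.10 from an internal host and
#    check in the trace that the destination is translated to 192.168.1.10
#    and that the new internal -> internal policy is the one matched.
diagnose debug reset
diagnose debug flow filter addr 203.0.113.10
diagnose debug flow show console enable
diagnose debug flow trace start 20
diagnose debug enable
```

On recent FortiOS an accept policy whose dstaddr is the VIP object already matches the translated traffic, so `set match-vip enable` is not needed for step 2; check the CLI reference for your firmware before relying on that option. When the client is on "internal" and the server is in a separate DMZ subnet, the hairpin policy is internal -> dmz instead, and the source NAT in step 2 becomes optional because the server's reply has to pass the FortiGate anyway.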

