Support Forum
noorani92
New Contributor

Juniper to Fortigate: Confusion Regarding Juniper MIP and VIP alternative in Fortinet

Hello Everyone,

We have recently purchased a FortiGate 501E and will be replacing a Juniper SSG-140. We have multiple MIPs and VIPs configured in Juniper.

What is the alternative for MIP and VIP of Juniper in FortiGate? Following is one of our configurations in Juniper:

MIP
Mapped IP: 172.16.5.132
Host IP: 192.168.5.21
Netmask: 255.255.255.255

and for the same public IP there is a VIP configuration:

IP Address: 172.16.5.132
Virtual Port: 80
Service Port: 80
Server IP: 192.168.5.21

Following are the policies related to the above external address:

Source: 192.168.1.0/24
Destination: MIP(172.16.5.132)
Service: POP3
Action: Allow

Source: Any
Destination: MIP(172.16.5.132)
Service: HTTP/HTTPS
Action: Allow

Source: 192.168.1.0/24
Destination: MIP(172.16.5.132)
Service: HTTP/HTTPS
Action: Allow

How do I implement that in FortiGate?

TIA


lobstercreed
Valued Contributor

In the middle policy above, did you mean to say VIP instead of MIP? Otherwise I don't see any use of the VIP in the Juniper config.

Anyway, I'm not familiar with Juniper personally, but it looks to me like VIPs are VIPs in both worlds (though of course there may be subtle differences). MIPs appear to be IP Pools in the FortiGate world. However, unless you're doing central NAT you don't specify the internal address at all. On the FortiGate IP Pool you would just define the external IP, and then use that IP Pool when programming what NAT to use for the specific outbound policy.

Hope this helps. There is tons of documentation on FortiGate's site, especially their cookbooks that might be helpful to you. https://cookbook.fortinet.com/

- Daniel

rwpatterson
Valued Contributor III

noorani92 wrote:

What is the alternative for MIP and VIP of Juniper in FortiGate? Following is one of our configurations in Juniper:

MIP
Mapped IP: 172.16.5.132
Host IP: 192.168.5.21
Netmask: 255.255.255.255

and for the same public IP there is a VIP configuration:

IP Address: 172.16.5.132
Virtual Port: 80
Service Port: 80
Server IP: 192.168.5.21

In the FortiGate world, all of this is configured in the Virtual IP definition. An inbound policy would simply allow/deny access to the internal server in one step. You simply use the VIP definition as the target of the policy, with the associated service(s) of course. The example you provided would be referred to as a 'Port Forwarding' Virtual IP. You may also map all ports to an IP address if you have the availability. This option will send ICMP traffic to the internal host as well, while a port forward will not.

Hope that helps a bit.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
tanr
Valued Contributor II

noorani92
New Contributor

Thank you everyone for your responses. OK, let me just explain our requirement:

We have MDaemon (Email Server) running in our environment which has a local IP, and that IP is mapped to the public IP which I have mentioned above. The email server uses a DomainPOP mechanism to fetch emails from a hosted POP server, which means we'll need the POP service to be open. The email server also has webmail which will be accessed locally and externally, and for that we need HTTP/HTTPS to be open.
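The VIP-based design rwpatterson describes, worked through for the exact MIP, VIP and three policies in the question plus the outbound DomainPOP fetch noorani92 clarifies, as an added example that is not from the thread or from Fortinet. It assumes FortiOS 5.x/6.x CLI syntax and interface names wan1 (public side), dmz (where 192.168.5.21 lives) and lan (where 192.168.1.0/24 lives); all object names are invented, and only the addresses come from the question.

```fortios
# Added example (not from the thread or Fortinet): the Juniper MIP + VIP
# + three policies quoted above, expressed in FortiOS CLI.
# Assumptions: wan1 = public side, dmz = where 192.168.5.21 sits,
# lan = where 192.168.1.0/24 sits; object names are invented here.
config firewall address
    edit "host-mdaemon"
        set subnet 192.168.5.21 255.255.255.255
    next
    edit "net-lan-clients"
        set subnet 192.168.1.0 255.255.255.0
    next
end
# Port-forwarding VIPs, one per published port (like the Juniper VIP).
# extintf "any" rather than "wan1" is what lets the LAN policy below
# match the same VIP when internal clients use the public address.
config firewall vip
    edit "vip-mdaemon-http"
        set extip 172.16.5.132
        set extintf "any"
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedip "192.168.5.21"
        set mappedport 80
    next
    edit "vip-mdaemon-https"
        set extip 172.16.5.132
        set extintf "any"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "192.168.5.21"
        set mappedport 443
    next
    edit "vip-mdaemon-pop3"
        set extip 172.16.5.132
        set extintf "any"
        set portforward enable
        set protocol tcp
        set extport 110
        set mappedip "192.168.5.21"
        set mappedport 110
    next
end
# Alternative closer to the Juniper MIP: one static-NAT VIP with no
# portforward/extport/mappedport. It translates every port and ICMP, so
# the policy's service field becomes the only limit on what reaches the
# server. Use either that form or the port-forward VIPs, not both.
# SNAT pool so the server's own connections (the DomainPOP fetch) leave
# from 172.16.5.132, which the bidirectional Juniper MIP did implicitly.
config firewall ippool
    edit "pool-mdaemon-public"
        set type one-to-one
        set startip 172.16.5.132
        set endip 172.16.5.132
    next
end
config firewall policy
    # Juniper policy 2: Any -> MIP, HTTP/HTTPS (webmail from the Internet)
    edit 0
        set name "in-webmail-from-internet"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-mdaemon-http" "vip-mdaemon-https"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
    # Juniper policies 1 and 3: 192.168.1.0/24 -> MIP, POP3 and HTTP/HTTPS
    edit 0
        set name "lan-to-mdaemon-via-public-ip"
        set srcintf "lan"
        set dstintf "dmz"
        set srcaddr "net-lan-clients"
        set dstaddr "vip-mdaemon-pop3" "vip-mdaemon-http" "vip-mdaemon-https"
        set action accept
        set schedule "always"
        set service "POP3" "HTTP" "HTTPS"
    next
    # Server's outbound POP fetch, source-NATed to the public IP
    edit 0
        set name "out-mdaemon-pop-fetch"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "host-mdaemon"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "POP3"
        set nat enable
        set ippool enable
        set poolname "pool-mdaemon-public"
    next
end
```

Two points worth checking after applying something like this. First, the Juniper "Source: Any" policy opens webmail to the whole Internet; on the FortiGate the service list on that policy, not the VIP form, is what keeps the exposure to 80/443, so resist the temptation to set service "ALL" even with port-forward VIPs. Second, if the LAN clients and the mail server sit on the same FortiGate interface, the hairpin policy needs srcintf and dstintf set to that same interface; if they are on different interfaces, as assumed here, the policy above covers it, and `diagnose sniffer packet any 'host 172.16.5.132'` on the FortiGate is a quick way to confirm that LAN traffic to the public address is actually being translated.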
