Routing public IP Address
I've searched the forum, but can't find an answer to this:
We have a DVR for our camera system that MUST have a public IP on the unit. I cannot change the IP address on the unit. I just installed a Fortigate 300C today.
How do I create a route/policy/whatever to route a public IP address?
Thanks for any help!
You want a virtual IP and either portforward or pass the whole thing.
Read this post
http://support.fortinet.com/forum/tm.asp?m=82427&p=1&tmode=1&smode=1
Heya!
Thanks for your reply. That post shows an internal "fake" IP address. As I mentioned, I just got this today, so I need help from square one.
I have the DVR with a variety of ports (and there will pass ALL traffic) to a public IP address. I need the firewall to basically say "all traffic to that public address should go straight to that address." I tried making a VIP with that public IP:
Name: cameras
External Interface: Outside
External IP Address/Range: public IP of DVR - public IP of DVR
Mapped IP Address/Range: public IP of DVR - public IP of DVR
Did NOT check port forwarding.
Made a policy for the rule:
Outside-Interface -> Inside-Interface
Source Address - all
Destination Address - cameras
Schedule - Always
Service - Any
Action - Accept
Nothing else checked.
This policy is at the bottom of the list for that section. Should I move it up? What other changes should I make?
Thanks again!
External IP Address/Range: public IP of DVR - public IP of DVR
Mapped IP Address/Range: public IP of DVR - public IP of DVR

Are these the same IP, or is the mapped IP a public range in a DMZ? Normally I'd have something like:
External IP Address/Range: public IP of DVR
Mapped IP Address/Range: private IP of DVR
e.g.,
External IP Address/Range: 123.123.123.123
Mapped IP Address/Range: 10.10.10.10
---------------
My Blog: Ramblings of a Tech
[link]http://www.base64.co.nz/[/link]
They are the same IP.
Basically, I just need access to this device via public IP. Frankly, I'd like the Fortinet to ignore all traffic going to the device. As I mentioned, it is a device with a public IP that I can't change (for er, 'political' reasons).
Just had a thought - we don't have a DMZ. So, if I stuck a switch between the external router connection, then came out of switch to Fortinet with one wire and direct to the DVR with another wire, that should solve the problem, right? Just bypass the Fortinet completely for any device on that switch. Sound feasible?
Ok, so I'm assuming that your ISP is providing you a range of IPs and you don't have a connecting /30 point to point range on the FortiGate?
So you've got something like:
123.123.123.121/29 - for your ISP gateway
123.123.123.122/29 as the FortiGate external interface
And you want your DVR to have 123.123.123.123/29 on the physical NIC?
If this is the case, yes a switch between the FortiGate and the ISP connection would allow you to have the DVR with a public IP and would bypass the FortiGate.
Ideally I'd want everything to go through the FortiGate though. Is this similar to your setup?
---------------
My Blog: Ramblings of a Tech
[link]http://www.base64.co.nz/[/link]
Yes, that is my setup. Thanks!
Ideally, I would like to have it running through the Fortinet, too. But, it looks like I'll put a switch in there since I can't change the IP of the device.
Thanks for your input!
Just as a followup and to close this out:
I fought my case and won. The DVR now has a private internal IP address and is set up as a VIP to a public address. No extra switch needed.
Thanks for everyone's input!
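
An added example, not from the thread or from Fortinet: a small Python check over an abridged, constructed FortiOS-style config that flags the two settings discussed above, a VIP whose external and mapped addresses are the same and an accept policy that opens a VIP to every source on every service. The VIP names, the policy ID and the parser are assumptions for illustration; the addresses are the example values used in the replies.

```python
import shlex
# Constructed, abridged FortiOS-style config. Addresses are the example values
# from the replies; the VIP names and policy ID are assumptions.
SAMPLE = """
config firewall vip
    edit "cameras-identity"
        set extip 123.123.123.123
        set mappedip 123.123.123.123
    next
    edit "cameras"
        set extip 123.123.123.123
        set mappedip 10.10.10.10
    next
end
config firewall policy
    edit 1
        set srcaddr "all"
        set dstaddr "cameras"
        set action accept
        set service "ANY"
    next
end
"""

def parse(text):
    """Return {section: {entry: {key: [values]}}} from config/edit/set lines."""
    cfg, section, entry = {}, None, None
    for line in text.splitlines():
        w = shlex.split(line) or [""]
        if w[0] == "config":
            section = cfg.setdefault(" ".join(w[1:]), {})
        elif w[0] == "edit" and section is not None:
            entry = section.setdefault(w[1], {})
        elif w[0] == "set" and entry is not None:
            entry[w[1]] = w[2:]
    return cfg

def audit(cfg):
    """Flag self-mapped VIPs and accept policies that open a VIP to everything."""
    vips, out = cfg.get("firewall vip", {}), []
    for name, v in vips.items():
        if v.get("extip") and v["extip"] == v.get("mappedip"):
            out.append((name, "extip equals mappedip: the address maps to itself"))
    for pid, p in cfg.get("firewall policy", {}).items():
        hit = [d for d in p.get("dstaddr", []) if d in vips]
        wide = "all" in p.get("srcaddr", []) and {"ANY", "ALL"} & set(p.get("service", []))
        if hit and wide and p.get("action") == ["accept"]:
            out.append((f"policy {pid}", f"VIP {hit[0]} open to any source, any service"))
    return out
```

Calling `audit(parse(SAMPLE))` reports the self-mapped VIP and the wide-open policy; narrowing the policy's service list to what the DVR actually needs clears the second finding.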
