Hello,
I have two FQDN VIPs using the same external IP address and port (443).
But this is not working; only the first one is matched.
KR
Hello
If you mean you have two domain names pointing to the same IP, then I don't think FortiGate can distinguish them (I think so, but I'm not sure). You may need something else inside doing HTTP content routing.
Dear lpi,
If you have a VIP configuration like this:
config firewall vip
edit "VIP_FQDN_No1"
set type fqdn
set extip 192.168.1.1
set extintf "any"
set mapped-addr "VIP_destination_1.com"
next
edit "VIP_FQDN_No2"
set type fqdn
set extip 192.168.1.1
set extintf "any"
set mapped-addr "VIP_destination_2.com"
next
end
This will not work. Even if you have 2 VIP objects with an IP instead of an FQDN using the same external IP address, FortiGate will match the first one.
Best regards,
Fortinet
Hello,
If you listen on an external IP, I can understand that this will not work.
But the VIP can be mapped to an IP or to an external FQDN.
If I take your example:
VIP_destination_1.com --> VIP_destination_1.internal
VIP_destination_2.com --> VIP_destination_2.internal
In fact, exactly in the same way as a web server's virtual hosts.
KR
Hello lpi,
Correct me if I am wrong, but maybe you have something like this:
config firewall vip
edit "VIP_FQDN_No1"
set type fqdn
set extip 192.168.1.1
set extintf "any"
set mapped-addr "VIP_destination_1.com"
next
edit "VIP_FQDN_No2"
set type fqdn
set extip 192.168.1.2
set extintf "any"
set mapped-addr "VIP_destination_1.com"
next
end
Then FortiGate will match only one of the VIPs again.
You can have only one external IP address mapped to 2 or more different internal IP addresses; FortiGate will load-balance based on the HTTP-host check in the HTTP header. This is known as a reverse proxy.
You can check the link below:
Setting up a VIP load-balance with HTTP-host check in HTTP header
No, the config is like this:
config firewall vip
edit "VIP_FQDN_No1"
set type fqdn
set extip 0.0.0.0
set extaddr "VIP_destination_1.com"
set extintf "wan2"
set mapped-addr "VIP_destination_1.internal"
set protocol tcp
set extport 443
set mappedport 443
set portmapping-type 1-to-1
next
edit "VIP_FQDN_No2"
set type fqdn
set extip 0.0.0.0
set extaddr "VIP_destination_2.com"
set extintf "wan2"
set mapped-addr "VIP_destination_2.internal"
set protocol tcp
set extport 443
set mappedport 443
set portmapping-type 1-to-1
next
end
Hi @lpi,
Please run the following debug flow commands and replicate the issue to see if the traffic is being dropped. You can replace x.x.x.x with the source public IP address.
diagnose debug disable
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr x.x.x.x
diagnose debug flow filter port 443
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable
Regards,
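Added example, not part of the thread and not Fortinet code: once the debug flow trace above has been captured, the useful questions are which DNAT target each connection got and whether it was allowed or dropped. This Python script parses constructed sample lines written in the shape of FortiOS debug flow output (trace ids, `received a packet(...)`, `DNAT a->b`, `Allowed by Policy-N`, `Denied by forward policy check (policy N)`), groups them per trace, and flags the symptom from this thread: several connections to the same external IP:port all landing on the same mapped address. The addresses, session ids and policy numbers in the sample are invented; the functions are my own.

```python
import re
from collections import OrderedDict

# Constructed sample lines shaped like FortiOS "diagnose debug flow" output (not a real capture).
SAMPLE_DEBUG_FLOW = """\
2025-01-01 10:00:00 id=20085 trace_id=1 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 203.0.113.10:51234->192.168.1.1:443) tun_id=0.0.0.0 from wan2. flag [S], seq 1, ack 0, win 64240"
2025-01-01 10:00:00 id=20085 trace_id=1 func=init_ip_session_common line=6073 msg="allocate a new session-0000a1b2, tun_id=0.0.0.0"
2025-01-01 10:00:00 id=20085 trace_id=1 func=fw_pre_route_handler line=184 msg="VIP-10.0.0.5:443, outdev-wan2"
2025-01-01 10:00:00 id=20085 trace_id=1 func=__ip_session_run_tuple line=3493 msg="DNAT 192.168.1.1:443->10.0.0.5:443"
2025-01-01 10:00:00 id=20085 trace_id=1 func=fw_forward_handler line=776 msg="Allowed by Policy-5:"
2025-01-01 10:00:01 id=20085 trace_id=2 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 203.0.113.20:40001->192.168.1.1:443) tun_id=0.0.0.0 from wan2. flag [S], seq 1, ack 0, win 64240"
2025-01-01 10:00:01 id=20085 trace_id=2 func=init_ip_session_common line=6073 msg="allocate a new session-0000a1b3, tun_id=0.0.0.0"
2025-01-01 10:00:01 id=20085 trace_id=2 func=fw_pre_route_handler line=184 msg="VIP-10.0.0.5:443, outdev-wan2"
2025-01-01 10:00:01 id=20085 trace_id=2 func=__ip_session_run_tuple line=3493 msg="DNAT 192.168.1.1:443->10.0.0.5:443"
2025-01-01 10:00:01 id=20085 trace_id=2 func=fw_forward_handler line=776 msg="Allowed by Policy-5:"
2025-01-01 10:00:02 id=20085 trace_id=3 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 203.0.113.30:40002->192.168.1.1:8443) tun_id=0.0.0.0 from wan2. flag [S], seq 1, ack 0, win 64240"
2025-01-01 10:00:02 id=20085 trace_id=3 func=init_ip_session_common line=6073 msg="allocate a new session-0000a1b4, tun_id=0.0.0.0"
2025-01-01 10:00:02 id=20085 trace_id=3 func=fw_forward_handler line=776 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)\)')
DNAT_RE = re.compile(r'DNAT (?P<before>[\d.]+:\d+)->(?P<after>[\d.]+:\d+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<policy>\d+)\)')


def parse_debug_flow(text: str):
    """Group debug flow lines by trace_id and record the packet tuple, the DNAT target
    and the final verdict for each trace. Lines that do not match are ignored."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        t = traces.setdefault(m["trace"], {"src": None, "dst": None, "dnat": None,
                                           "verdict": "no verdict", "policy": None})
        msg = m["msg"]
        if (p := PKT_RE.search(msg)):
            t["src"], t["dst"] = p["src"], p["dst"]
        elif (d := DNAT_RE.search(msg)):
            t["dnat"] = d["after"]
        elif (a := ALLOW_RE.search(msg)):
            t["verdict"], t["policy"] = "allowed", int(a["policy"])
        elif (d := DENY_RE.search(msg)):
            t["verdict"], t["policy"] = "denied", int(d["policy"])
    return traces


def dnat_targets_by_destination(traces):
    """Map each external dst IP:port to the set of mapped addresses it was DNAT'ed to.
    A single-element set for an IP:port that should serve two FQDNs is the thread's symptom."""
    by_dst = {}
    for t in traces.values():
        if t["dnat"]:
            by_dst.setdefault(t["dst"], set()).add(t["dnat"])
    return by_dst


def dropped_traces(traces):
    """Return the trace ids whose verdict was a deny, for a quick drop check."""
    return [tid for tid, t in traces.items() if t["verdict"] == "denied"]


if __name__ == "__main__":
    parsed = parse_debug_flow(SAMPLE_DEBUG_FLOW)
    for tid, t in parsed.items():
        print(f"trace {tid}: {t['src']} -> {t['dst']} dnat={t['dnat']} {t['verdict']} policy={t['policy']}")
    print("DNAT targets per external destination:", dnat_targets_by_destination(parsed))
    print("dropped traces:", dropped_traces(parsed))
```

In the sample, traces 1 and 2 both arrive at 192.168.1.1:443 and both get the same mapped address, which is what "FortiGate matches the first VIP" looks like in the trace; trace 3 is denied by policy 0 (no matching policy), the other thing the debug flow is meant to reveal.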
Hi @lpi,
I would suggest using a virtual server with HTTP host. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-up-a-VIP-load-balance-with-HTTP-ho...
Regards,
Copyright 2025 Fortinet, Inc. All Rights Reserved.