tanaki
New Contributor II

VIP port forwarding policy problem

Hello,

FortiGate 60F v7.2.4, policy-based NGFW.

I am trying to set up VIP port forwarding (https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configurati...) but the VIP object is not listed in Destination?

Any ideas?

Thanks,
T

Christian_89
Contributor III

Is the interface in the policy correct?
First select the interface from where you come and then the interface where you want to go.
Then the target system should be selectable.

tanaki
New Contributor II

Only a limited list of addresses appears in Destination; there is no single member of the VIP.

Incoming and outgoing interfaces are OK.

ezhupa
Staff

Hello Tanaki,

Since you are using the FGT in policy mode, I suppose you already have central NAT enabled, right?

When Central NAT is enabled, it is not necessary to add the VIP object into the firewall policy as the destination address. This is normal behaviour: with Central NAT enabled, the DNAT is injected into the kernel as soon as the object is created under Policy & Objects -> DNAT & Virtual IPs.

Create the firewall policy and, in the destination field, select the local IP configured in the VIP.

You can refer to the below KB for VIP configuration:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-firewall-policies-for-a-VIP-when...
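As an added illustration of the configuration ezhupa describes (this is example configuration, not from the original post or from Fortinet's KB): a port-forwarding VIP plus the matching inbound policy on a central-NAT FortiGate, with the server's mapped address, not the VIP object, as the policy destination. Interface names (wan1, internal), addresses (203.0.113.10, 192.0.2.10), ports and object names are assumed for the example. The policy is written to match the post-DNAT (mapped) port, on the reasoning that policy lookup happens after the kernel DNAT in central NAT mode; treat that as an assumption and confirm it with `diagnose debug flow` on your own unit. The policy is shown in `config firewall policy` form; in policy-based NGFW mode the same destination object is what you select in the SSL Inspection & Authentication and Security Policy entries.

```fortios
# Added example, not configuration from the original thread.
# Assumed: wan1 = external interface, internal = LAN interface,
#          203.0.113.10 = external VIP address, 192.0.2.10 = internal server.

# 1. Port-forwarding VIP. With central NAT enabled, creating this object
#    installs the DNAT rule by itself; the policy does not reference it.
config firewall vip
    edit "vip-web-443"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.0.2.10"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 8443
    next
end

# 2. Address object for the server behind the VIP; this is what goes into
#    the policy's Destination field.
config firewall address
    edit "srv-web-internal"
        set subnet 192.0.2.10 255.255.255.255
    next
end

# 3. Service for the translated port. Assumption: the policy is matched
#    after DNAT, so it should name the mapped port (8443) rather than the
#    external port (443). Confirm with the debug flow commands below.
config firewall service custom
    edit "TCP-8443"
        set tcp-portrange 8443
    next
end

# 4. Inbound policy: destination is the mapped address object, not the VIP.
#    Source and service are kept narrow; log the traffic so the VIP hit
#    shows up in the forward traffic log.
config firewall policy
    edit 10
        set name "inbound-web-vip"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "srv-web-internal"
        set action accept
        set schedule "always"
        set service "TCP-8443"
        set logtraffic all
    next
end

# 5. Verification from the CLI (run interactively, not as config):
#    check that central NAT is on, then trace a test connection to see
#    the DNAT applied and which policy ID it matched.
# show full-configuration system settings | grep central-nat
# diagnose debug flow filter port 443
# diagnose debug flow trace start 10
# diagnose debug enable
# (after the test connection) diagnose debug disable
```

If the trace shows the session hitting the VIP but no policy match, check whether the service in the policy is the external or the mapped port; that is the usual mismatch when moving from a non-central-NAT setup, where the VIP object sits in the policy and the external port is what the service must cover.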

tanaki
New Contributor II

Thank you,

I think Central NAT is disabled, how is it possible to check its status?

ezhupa

Central NAT should already be enabled by default in case your device is in Policy Mode.
It should be visible under Policy & Objects > Central NAT in the GUI, or by running the below command in the CLI:

show full system settings | grep "central-nat"

tanaki
New Contributor II

Hi, it's visible in the GUI, but the CLI command result is empty.

sw2090
Honored Contributor

There is also a known bug with VIPs not being displayed in Policy Manager when the IPv6 settings are incorrect. FGT and FMG do accept these settings (and do not accept the default Fortinet puts in there when you create a VIP), but the VIP is not displayed in Policy Manager afterwards.

This can be resolved by clearing out the IPv6 addresses in the VIP and saving it.

Unfortunately there is no switch to completely disable v6 in a VIP :(

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
tanaki
New Contributor II

Quite odd TBH. I am new to Fortinet; I've been using Cisco, pfSense, WRT etc. for years, with no such generic flaws.

gfleming
Staff

Not completely related to your question but may I ask what the decision was behind using Policy-based NGFW? It's generally recommended to run FortiGate as Profile-based.

Cheers,
Graham