Support Forum

Virtual IP allow multiple service ports?

I need to configure a FortiGate 60 to allow multiple service ports using virtual IP. The client now has two public IP addresses and we want to configure the secondary IP address in Virtual IP.

Setup:
External Interface: WAN1
Port Forwarding: enabled
External IP address: THE SECONDARY IP
External Service Port: would like to use 80, 443, & 25
Map To IP: EXCHANGE SERVER's LAN IP
Map To Port: would like to use 80, 443, & 25
Protocol: TCP

Can I use multiple service ports in this config?
abelio
SuperUser

2 ways at least: I don't know which one would be more efficient at this moment. The former seems to permit more granular control and the latter seems to be easier to maintain.

1) define one VIP for each service with "port-forwarding" and create policies respectively

2) you could set a service-group (ex: myservices) including these protocols:

    config firewall service group
        edit "myservices"
            set member "HTTPS" "HTTP" "SMTP"
        next
    end

After that you only need to create your VIP allowing this service-group:

    config firewall vip
        edit "MyservicesVIP"
            set extip <THE SECONDARY IP>
            set mappedip <EXCHANGE SERVER's LAN IP>
            set extintf "wan1"
        next
    end

And apply your appropriate policy, i.e.:

    config firewall policy
        edit <new_id_policy>
            set srcintf "wan1"
            set dstintf "internal or dmz_i don't know"
            set srcaddr "all"
            set dstaddr "MyservicesVIP"
            set action accept
            set schedule "<as_required>"
            set service "myservices"
            set profile_status enable
            set logtraffic enable
            set profile "strict"
        next
    end

regards / Abel
UkWizard
New Contributor

Just remember, if you use port-forwarding rather than static NAT, then the outbound connections from the VIP IP addresses will be NATed using the firewall's external IP address, rather than the VIP's external address. In other words, as an example, if you mapped SMTP (25) to the mail server's internal IP address, when the server sends emails, it will originate from the firewall's IP address rather than the VIP's external IP. A static NAT does the reverse: it will use the VIP's address for outbound. So, if you need it to send out on the VIP address, you will need to add policy rules for these internal devices to specifically use a pool (containing the one VIP IP) for it. Hope that makes sense; it's a confusing subject for some.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
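Added example, not from either reply or from Fortinet: the outbound side of UkWizard's point, assuming FortiOS 5.x-style CLI syntax, the placeholder addresses 203.0.113.10 (the secondary public IP) and 192.168.1.20 (the Exchange server), and the hypothetical object names vip-smtp, exchange-host and vip-smtp-pool. It pairs a port-forwarding VIP that exposes only TCP/25 with an IP pool holding the same public address, so the mail server's outbound SMTP leaves with the VIP address rather than wan1's own address.

```fortios
# Constructed example; the addresses and object names are placeholders.
# Inbound: a port-forwarding VIP exposing only TCP/25 on the secondary public IP.
config firewall vip
    edit "vip-smtp"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.1.20"
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedport 25
    next
end

# Address object for the mail server (source of the outbound policy).
config firewall address
    edit "exchange-host"
        set subnet 192.168.1.20 255.255.255.255
    next
end

# Overload (PAT) pool holding just the VIP's public address.
config firewall ippool
    edit "vip-smtp-pool"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# Outbound policy: without the pool, this traffic would be SNATed to wan1's own IP.
# Restricting srcaddr and service keeps the pool from being used by other hosts.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "exchange-host"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
        set ippool enable
        set poolname "vip-smtp-pool"
        set logtraffic all
    next
end
```

The inbound policy for the VIP is built the same way as in abelio's reply, with dstaddr "vip-smtp" and service "SMTP", so the static-NAT "all ports" exposure never applies to this address.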