Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tom3182
New Contributor

Created on ‎10-16-2017 08:30 AM

Virtual IPs and "duplicate entry exists"

Please forgive me for adding to a commonly discussed topic.

Things I commonly need and commonly fail with Fortigates are:

[ol]
  • Port forwarding based on source address: Forwarding port x to same port on internal machine A in general, but to the same port on another machine B, if connected from a (short) list of known IPs. Trying to set this up with Virtual IPs with source filter, but as the general rule overlaps with the specific rule I always end up with "duplicate entry already exists".
  • Having a mapping between an external address and an internal address A, however still needing to forward that one single exceptional port x to another internal machine B. Obviously, you cannot have a 1:1 mapping and as well port forwardings.[/ol]

    In the first case you seem to have to add dozens of VIPs with IP ranges in order to avoid duplicate entries (this is just unmaintainable, so I end up e.g. with a second firewall behind the Fortigate which does not have this limitation, which is not a good solution). In the second case you end up with at least 5 VIPs (range 0-x, x-65535 for both TCP and UDP plus the VIP for Port x) and an IP Pool (since you explicitly have to NAT outgoing traffic to the external address - which would happen automatically if you could use 1:1-NAT). This isn't actually very maintenance friendly, neither.

     

    Is this really the way to go, or am I just missing a more elegant way due to my limited know-how about Fortigates?

     

    Many thanks in advance for any hint!

     

    Best regards,

    Tom

    • 3848
    0 Kudos
    0 REPLIES 0
    Announcements
    Check out our Community Chatter Blog! Click here to get involved
    Labels
    Top Kudoed Authors
    View all
    Broad. Integrated. Automated.

    The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

    Social Media
    Security Research
    Company
    News & Articles
    Contact Us

    Copyright 2025 Fortinet, Inc. All Rights Reserved.