Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Zenhusen
New Contributor

FortiGate virtual IP can't be accessed from outside

I have replaced the current firewall, an old 50E, with a new 60F.
Sadly we could not use the config file from the old one.


1. I have set up virtual IPs for our meters (we have meters that collect info for our building)
2. And then I did a virtual IP group with all the meters
3. Then I set up a firewall policy

The issue I have is that I cannot access the meters when I am on another network (over the internet).

Here is how I have set up the firewall; have I forgotten something? I must say I am not used to working with firewalls at all.

[Attached screenshots: the firewall policy (two views), the virtual IP group and the virtual IP configuration]

9 REPLIES
Toshi_Esumi
SuperUser

The VIP is for accessing from the internet to the wan1 interface. If the "another network" you're coming from is inside of this 60F (not from the internet), you need to have hairpin NAT set up, as explained below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448

Toshi

Zenhusen

We are using the VIP for accessing the meters via the internet, but can't access them over the internet. So when I said another network I meant the internet; I will update the original question.

I can access the VIP when I am on the same network as the firewall, and I am on that network outside the firewall.
So I use the external IP address and then I can access it. But if I use another network/the internet, I cannot access it.

Toshi_Esumi

Does the sniffer show your access going out to the interface the meters are on, with the correct port 80? That's the first thing to check.
Then, if it's not going out, you probably need to run the flow debug to see where it's going or why it's dropped.
https://docs.fortinet.com/document/fortigate/7.6.4/administration-guide/54688/debugging-the-packet-f...


Toshi

Zenhusen

Hi, I will check it tomorrow. One question:
I read briefly about the sniffer now, so as I understand it I can see traffic. Do I need to try to access the meters from the internet before I do the sniffer, or do I only do a basic sniffer?

Toshi_Esumi

The sniffer, not only the FGT's but any other kind like Wireshark, captures packets only while it's running. So you need to start capturing first, either with the GUI packet capture or the CLI diag sniffer packet; then, while it's capturing, you can try accessing one of the meters. Then, when it fails, you can stop capturing and examine the output. For the CLI sniffer, you might want to save the screen output of the terminal emulator you're using to SSH into it or console into it.

Toshi
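The capture-then-reproduce sequence Toshi describes, together with the flow debug he pointed to earlier, written out as FortiOS CLI commands. This is an added example and not from any poster in the thread; the addresses and names in it are assumptions made for illustration: the VIP's public address 203.0.113.10 on wan1, external port 10020 forwarded to port 80 on a meter at 192.168.1.21 behind the "internal" interface, and a test client on the internet at 198.51.100.7.

```fortios
# --- 1. Start the capture BEFORE reproducing the failure (assumed addresses) ---
# Verbose level 4 prints the interface name for each packet, count 0 means
# capture until Ctrl-C, 'l' gives local timestamps. The filter catches the
# packet as it arrives on wan1 (public IP and port) and again after the VIP
# translation toward the meter (private IP and port 80).
diagnose sniffer packet any '(host 203.0.113.10 and port 10020) or (host 192.168.1.21 and port 80)' 4 0 l

# Now, from the internet, browse to http://203.0.113.10:10020/ and let it fail.
# A working VIP shows the same SYN twice, once per interface, e.g. (illustrative):
#   wan1 in      198.51.100.7.51234 -> 203.0.113.10.10020: syn ...
#   internal out 198.51.100.7.51234 -> 192.168.1.21.80: syn ...
# Only the "wan1 in" line   -> the FortiGate received it but did not forward it
#                              (VIP or policy problem): continue with step 2.
# Both lines, but no syn/ack -> the meter never answered, or its reply did not
#                              come back through the FortiGate (meter gateway).
# Nothing at all             -> the packet never reached wan1 (upstream/ISP).
# Stop the capture with Ctrl-C.

# --- 2. If the packet is not forwarded, trace the drop reason ---
diagnose debug reset
diagnose debug flow filter clear
# Filter on the test client's public source address, so the filter is not
# affected by the destination rewrite the VIP performs.
diagnose debug flow filter saddr 198.51.100.7
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 100
diagnose debug enable

# Reproduce the access once more. A missing or mismatched policy typically ends
# the trace with a line containing "Denied by forward policy check (policy 0)";
# when a policy matches, the trace names the policy id the session was allowed by.

# --- 3. Always turn debugging off again ---
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

Save the terminal output of both steps before posting it, as Toshi suggests; the interface names and the policy id (or "policy 0") in the trace are what the thread needs to see.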

johnlloyd13
New Contributor III

Hi,

Try to disable/toggle the 'NAT' setting in the FW policy.

The VIP will perform the inbound and outbound internet access for the VIP group.

Toshi_Esumi

If the default route at the destination is not coming back to the FGT, yes, changing the source IP to the FGT itself with NAT is necessary. But if that's not the case, having NAT or no NAT won't affect whether the incoming packets reach the destination. Only the returning packets' direction might change.

At this moment, you don't know if it's going out toward the internal devices, which you need to confirm first.

Toshi

ede_pfau
SuperUser

IMHO the policy does not allow this traffic.

It needs to allow HTTP (port 80) and your custom service (tcp/10020). Please give it a try.


If unsuccessful, run a 'diag debug flow' to see what happens. Post it here for interpretation.

Ede Kernel panic: Aiee, killing interrupt handler!
funkylicious

Like @ede_pfau mentioned, if in the VIP you are using custom port forwarding, then in the firewall rule I would set, in the services option, either ALL (since you are using PubPort > PrivPort, 1:1) or those specific ports (PubPort) from the VIP in the services.

"jack of all trades, master of none"
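What ede_pfau and funkylicious are describing, as a complete FortiOS CLI configuration: port-forwarding VIPs for two meters, a VIP group, custom services for the public ports, and an inbound policy whose service list covers both HTTP on the mapped port and the public ports. This is an added, constructed example and not configuration from the original poster; the public address 203.0.113.10, the interface names wan1 and internal, the meter addresses 192.168.1.21 and 192.168.1.22, the ports 10020/10021 and all object names are assumptions.

```fortios
# Constructed example (not from the thread). Two meters are reached on the
# public IP 203.0.113.10 via distinct external ports, each forwarded to port 80.
config firewall vip
    edit "meter1-http"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set extport 10020
        set mappedip "192.168.1.21"
        set mappedport 80
    next
    edit "meter2-http"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set extport 10021
        set mappedip "192.168.1.22"
        set mappedport 80
    next
end

config firewall vipgrp
    edit "meters"
        set interface "wan1"
        set member "meter1-http" "meter2-http"
    next
end

# Custom services for the public ports (the "PubPort" funkylicious refers to).
config firewall service custom
    edit "meter-10020"
        set tcp-portrange 10020
    next
    edit "meter-10021"
        set tcp-portrange 10021
    next
end

# Inbound policy: from wan1 to the interface the meters sit on, destination is
# the VIP group, and the service list allows both HTTP (port 80, the mapped
# port) and the public ports, as ede_pfau suggested. NAT stays disabled so the
# meters see the real client address; enable it only if the meters' default
# gateway is not this FortiGate (Toshi's note about the return path).
config firewall policy
    edit 10
        set name "inbound-meters"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "meters"
        set action accept
        set schedule "always"
        set service "HTTP" "meter-10020" "meter-10021"
        set nat disable
        set logtraffic all
    next
end
```

Two things to check after applying it: the policy must sit above any broader wan1-to-internal deny rule, since policies are matched top to bottom, and `set logtraffic all` makes the forward-traffic log show which policy (or none) each inbound attempt hit, which answers the same question as the flow debug without a console session.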