I have replaced the current firewall, an old 50E, with a new 60F.
Sadly we could not use the config file from the old one.
1. I have set up Virtual IPs for our meters (we have meters that collect info for our building)
2. And then I did a virtual IP group with all the meters
3. Then I set up a firewall policy
The issue I have is that I cannot access the meters when I am on another network (over the internet).
Here is how I have set up the firewall; have I forgotten something? I must say I am not used to working with firewalls at all.
The FortiGate itself has a way to find your WAN IP:
on the CLI do "diag sys waninfo ipfy <interface>"
Besides that:
I can give you an example that we use here:
We have some mailserver behind a fortigate that has to be reachable from the internet with some services. One is IMAPS.
So I have a policy:
name: WAN_to_imaps
Incoming interface: wan1
outgoing iface: lan
Source Address: all
Destination: VIP-imaps
and then the VIP "VIP-imaps" has:
Interface: wan1
Network type: static NAT
External IP: the FGT's WAN IP on wan1
Mapped IPv4 Address: internal IP of the server
Portforwarding is enabled
And it's set to forward 993/TCP to 993/TCP
Works fine here...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Can you run a debug flow while trying to reproduce the issue or generating traffic towards the particular resource?
This way we can check if the DNAT is happening as expected, or if there is any problem with the packet forwarding.
It might be that the policy is not matching at all because the services on the policy are only HTTP and HTTPS and the ext port on one of the VIPs shown is 10020. Try setting services to ALL on the policy as a test, and try to connect again.
Oh, I forgot one piece of info in my last post:
the service set in that policy is just the service IMAPS.
The one other thing that I have in mind, besides the port ezhupa described, is that the WAN IP in the VIP is either incorrect or he uses the wrong WAN IP to access it.
Debug flow, btw, at least since FOS 7.2, can be done in the GUI (Network => Diagnose).
You could also look at your FGT's forward traffic log and try to find the traffic in there (for that you have to set the logging level in your policy to log all traffic AND you have to enable logging for policy #0, which is disabled by default). So all traffic hitting your policy will be logged in the forward traffic log, and traffic that doesn't match any policy will be logged as well (in this case the forward traffic log will state "Policy violation").
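Putting the thread's advice together, as an added example that is not any poster's own configuration: the FortiOS CLI equivalent of the IMAPS VIP and policy described above, the setting that makes policy #0 appear in the forward traffic log, and a CLI debug flow filtered to the mapped port. Interface and object names are the ones from the thread; the public and internal addresses are placeholders that must be replaced with the real wan1 address and the server's address.

```fortios
# Added example; addresses are placeholders (RFC 5737 / RFC 1918), not the poster's real values.
config firewall vip
    edit "VIP-imaps"
        set extintf "wan1"
        set type static-nat
        # extip must be the address actually configured on wan1 (see "diag sys waninfo")
        set extip 203.0.113.10
        # mappedip is the internal server address (placeholder)
        set mappedip "192.168.10.25"
        set portforward enable
        set protocol tcp
        set extport 993
        set mappedport 993
    next
end

config firewall policy
    edit 0
        set name "WAN_to_imaps"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        # destination is the VIP object, not the internal host address
        set dstaddr "VIP-imaps"
        set action accept
        set schedule "always"
        # service must cover the VIP's external port (993/TCP here):
        # a VIP with extport 10020 will not match a policy allowing only HTTP/HTTPS
        set service "IMAPS"
        set logtraffic all
    next
end

# Log traffic that matches no policy (policy #0) as "Policy violation" in the forward log
config log setting
    set fwpolicy-implicit-log enable
end

# CLI debug flow, filtered to the mapped port so the DNAT decision is easy to spot
diagnose debug flow filter clear
diagnose debug flow filter dport 993
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
# reproduce the connection from the internet, then stop tracing
diagnose debug disable
diagnose debug flow trace stop
```

In the trace, a packet that matches shows the policy id it hit and the DNAT translation to the mapped address; a denial by policy 0 means no policy matched, which points at the service set or the VIP's external address.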