lan vip
Hi, I have a problem with a FortiGate 80F. I made interface number 2 the WAN and did port forwarding with a VIP, but I can't make it work. It gets an IP address as WAN and I can connect from outside, but the VIP rule doesn't work. The VIP rules on the WAN and LAN sides work; I write the rule and do the VIP process correctly.
Hi,
So basically now you have 2 WAN ports, wan1 and wan2? Or, please share more info about your setup.
Try enabling NAT for the traffic wan2 > lan (VIP) and see if it works.
Created on ‎02-24-2025 11:15 PM Edited on ‎02-24-2025 11:16 PM
I have 2 WAN ports, wan1 and lan2.
The wan1 VIP works without any problems; there are 5 rules, Exchange and RDP etc.
The VIP on LAN2 does not work. I can connect to the external IP address I assigned to LAN2, but the VIP operation does not work.
I enabled NAT but it didn't help.
Created on ‎02-24-2025 11:40 PM Edited on ‎02-24-2025 11:44 PM
Can you confirm that traffic is entering the lan2 (wan2) interface?
Do a diag sniffer packet lan2 'host SRC' 4 0 l to confirm.
Can you also please share the config of the rules and the VIP? show firewall policy <> and show firewall vip <> for this new one.
L.E. The routing table would also be quite important: get router info routing-table static (assuming that there are static routes for the WAN connection; otherwise please use all instead of static).
Created on ‎02-25-2025 12:23 AM Edited on ‎02-26-2025 07:24 AM
Yes, I reach the FortiGate interface from outside using the WAN (LAN2) IP address. From outside, on a mobile phone, I can open the FortiGate GUI by browsing to the 176.xx.xx IP address.
CameraWan(lan4) -----> CameraLan(lan2)
1- fw policy
FortiGate-80F (10) # show
config firewall policy
    edit 10
        set name "CameraVip"
        set uuid fa53a266-dd84-51ef-6f1d-e046bdc28c72
        set srcintf "internal4"
        set dstintf "internal2"
        set action accept
        set srcaddr "all"
        set dstaddr "CamerasVip"
        set schedule "always"
        set service "Camera"
        set logtraffic all
    next
end
2- VIP - I combined them under a single group
3- Routing
config router static
    edit 6
        set gateway 176.xx.xxx.xxx
        set priority 4
        set device "internal4"
    next
end
Created on ‎02-25-2025 05:04 AM Edited on ‎02-25-2025 05:05 AM
I would suspect that the return/reply traffic exits the other interface, WAN1, since internal4 (WAN2) isn't the primary one, but you stated that you enabled NAT for this rule id 10 and it still didn't work.
The only thing that comes to mind: does the service "Camera" contain all the ports for the VIPs? You could set the service to ALL, since you are already doing a DNAT port to port.
L.E. Just to confirm, internal2 is the port where your devices in network 192.168.111.X can be reached, correct?
Created on ‎02-25-2025 05:26 AM Edited on ‎02-25-2025 05:29 AM
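To make the checks in the replies above concrete, here is a complete configuration for the setup being discussed. It is an added example, not taken from the thread, from the poster's device or from Fortinet documentation: a VIP bound to the secondary WAN interface whose extip is that interface's own address, a custom service that covers the VIP's forwarded port, the inbound policy from that interface into the camera LAN, and the sniffer and debug-flow commands used to confirm that traffic is both arriving on the interface and matching the policy. The interface names internal4 and internal2 and the 192.168.111.0/24 camera network come from the thread; the public address 203.0.113.10 (an RFC 5737 documentation address), the camera host 192.168.111.10 and TCP port 8000 are placeholders I have assumed, because the thread masks the real address and never states the camera port.

```fortios
# Added example. Assumed values: 203.0.113.10 stands in for the masked
# public address on internal4, 192.168.111.10 for one camera, TCP 8000
# for the camera port. internal4 = second WAN, internal2 = camera LAN.

# 1. The VIP. extintf must be the interface the connection arrives on and
#    extip must be that interface's address, otherwise the VIP never matches
#    and the policy shows zero hits.
config firewall vip
    edit "Camera1-Vip"
        set extip 203.0.113.10
        set extintf "internal4"
        set portforward enable
        set mappedip "192.168.111.10"
        set extport 8000
        set mappedport 8000
    next
end

# 2. The service on the policy must include every extport used by the VIPs
#    (if in doubt, test once with service ALL, then tighten again).
config firewall service custom
    edit "Camera"
        set tcp-portrange 8000
    next
end

# 3. The inbound policy: from the second WAN into the camera LAN, with the
#    VIP object (or a VIP group) as dstaddr, never the plain internal address.
#    nat enable makes the camera see the FortiGate's internal2 address as the
#    client, so its replies always return to the FortiGate even if the camera's
#    own default gateway is still another device.
config firewall policy
    edit 10
        set name "CameraVip"
        set srcintf "internal4"
        set dstintf "internal2"
        set action accept
        set srcaddr "all"
        set dstaddr "Camera1-Vip"
        set schedule "always"
        set service "Camera"
        set nat enable
        set logtraffic all
    next
end

# 4. Verification. First prove the packets reach internal4 at all:
diagnose sniffer packet internal4 'host 203.0.113.10 and tcp port 8000' 4 0 l

# Then watch the policy/VIP decision for the same flow while a client
# connects from outside (run diagnose debug reset when finished):
diagnose debug flow filter addr 203.0.113.10
diagnose debug flow filter port 8000
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

# Finally confirm both WAN default routes are present, since a default
# route that exists only via wan1 makes replies for internal4 leave the
# wrong interface:
get router info routing-table all
```

In the debug-flow output, a working VIP shows the DNAT line rewriting 203.0.113.10:8000 to 192.168.111.10:8000 followed by a line naming policy id 10; if the trace stops at a "no matching policy" or "reverse path check fail" message, the fault is in the policy direction, the service, or the routing rather than in the VIP object.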
I currently have a company that works with Juniper SRX; I am thinking of switching to FortiGate. The cameras work stably on the Juniper SRX with the same ports. The internal2 camera network is 111.0/24; the rule is defined from int1 to int2 and ping is successful, and if I disable the rule, ping is unsuccessful. There is a problem on the VIP side but I can't solve it.
I tried all the ports but it still won't connect.
Created on ‎02-25-2025 05:31 AM Edited on ‎02-25-2025 05:32 AM
Most likely there is something wrong with the VIP itself, since I'm not seeing any hits in the last column of your screenshot.
Can you please do a show firewall vip <> of one of the objects, and let's focus on that.
Can you please also confirm that the extip in the VIP is the same IP as internal4 (WAN2)?
L.E. You can also DM me the real IP address and I can test with a telnet IP:port.
Created on ‎02-25-2025 05:59 AM Edited on ‎02-26-2025 07:25 AM
a
Hi @social,
If you are using internal2 as WAN2 facing the Internet, the firewall policy for the new VIP should use internal2 as the source interface and internal4 as the destination interface.
Jerry
