Support Forum
MustphaBassim
New Contributor III

reach from inside to virtual IP

Hello Dears


I have a server with a private IP, and it's NATed using a virtual IP address. We are not able to access the server from the internal network using the public IP, only using the private IP, so any idea how to allow access from the internal network using the public IP?


Bests

jintrah_FTNT
Staff
Yurisk

Excellent document in its explanation, and it is only unfortunate that it does not contain the keyword hairpinning, which is the all-accepted term for this configuration (Juniper, Cisco, Mikrotik etc.). So when people search for "hairpinning fortigate" they get the FortiOS 5.4 cookbook https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/856642/configuring-hair-pinning-on-a-for...

and https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448, which uses "hairpin" instead of "hairpinning". But not this document.

SEO is less than optimal :)

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
pminarik
Staff

This will largely depend on whether your VIP is configured with external interface = any, or a specific interface.


For "any", follow the KB shared by jintrah.


If the VIP is bound to a specific external interface, let us know. It's a bit more complicated, but still doable nevertheless.

[ corrections always welcome ]
MustphaBassim

Hello dear,

Yes, it's bound to the WAN1 interface, not any.

pminarik

Hi MustphaBassim.


Assumptions used in my example:

- lan = interface with internal users

- dmz = interface with the real server (where the VIP points to)

- wan = extintf of the VIP

Replace these with your actual values/names/interfaces.


You probably already have a wan->dmz policy with the VIP for external access from public clients. Keep that in place, unchanged.


To let internal users access this VIP, you need to add a lan->wan(!) policy. The destination address of this policy must match the VIP extip (or "all"). The service of the policy must match the pre-DNAT destination port (VIP's extport; or "ALL").


Further notes:

- If you already have a lan->wan policy with dst=all & service=ALL, this may be sufficient to let the traffic through (possibly depending on UTM settings, if used).

- If "lan" and "dmz" are actually the same segment (internal users are in the same subnet as the real server behind the VIP), you will need to introduce SNAT in order to avoid the traffic flow breaking due to asymmetric routing.

[ corrections always welcome ]
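To make the policy shape described above concrete, here is a FortiOS CLI sketch written for this thread; it is an added illustration, not code from the posts above or from a Fortinet KB. It assumes the interface names lan, dmz and wan1, a VIP object named "srv-vip" forwarding TCP/443 from the constructed placeholder public address 203.0.113.10 to the internal server 10.10.10.20, and a free policy ID (all of these are assumptions to replace with your own values).

```fortios
# Existing VIP, bound to a specific external interface (extintf = wan1).
# Addresses below are constructed placeholders; replace with your own.
config firewall vip
    edit "srv-vip"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.10.10.20"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    # Existing policy for public clients: wan1 -> dmz with the VIP as
    # destination. Leave it in place, unchanged.
    edit 0
        set name "wan-to-srv"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "srv-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    # Added hairpin policy for internal users: lan -> wan1 (not dmz).
    # Destination is the VIP object (matches the extip); service is the
    # pre-DNAT port (HTTPS = extport 443). Keeping dstaddr and service
    # narrow is preferable to relying on an existing dst=all/service=ALL
    # policy, and it makes the hairpin traffic easy to spot in logs.
    edit 0
        set name "lan-to-srv-hairpin"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "srv-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        # Only if internal users and the real server share one subnet:
        # enable SNAT so replies return through the FortiGate rather than
        # going directly to the client (asymmetric routing).
        # set nat enable
    next
end
```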
Markus_M
Staff

2ct from me: your internal DNS should fix this without any firewall changes by responding to internal user queries with the internal IP instead of the external IP.
