We have a Fortigate 100D. I am setting up some port forward & port address translation rules. In looking at the documentation in the KB and the cookbook, I see some differences to the recommendations:
* KB article: http://kb.fortinet.com/kb/documentLink.do?externalID=12945
* Cookbook article: http://cookbook.fortinet.com/using-virtual-ips-configure-port-forwarding-54/
They basically recommend the same process of 1) Create VIP 2) Create Firewall Policy to allow traffic to VIP.
The cookbook says to create the policy and limit the services allowed to only the ports/services needed by the VIP, however the KB articles says when creating the policy that it is not necessary to specify a service to allow, and that it can be left to "ANY" since the VIP (with Port Address Translation turned on) only forwards packets using the specified port.
So my questions are this:
1) Is this ok to leave as the "Action=Accept" for "Service=All" for the policy if the "Destination=VIP"? Would the logs still show traffic getting dropped if someone tries to access the public IP on a port that is not getting forwarded via the VIP?
2) If so, why wouldn't I just create one policy/rule that allows access to All services with the destination defined as all my VIPS and/or ViP Groups? Why go through the hassle of creating custom services (since I have one public IP accepting same service on behalf of multiple internal machines) and putting them into the rule? The custom services seem redundant in that they ask for source and destination ports to be defined again. The only reason I can think is that maybe the logs wouldn't show the traffic dropping for ports outside the defined range. I also want to be extra sure the VIP is not allowing any traffic on the ports not defined/forwarded as part of the VIP.
Hope this was clear.
Thanks for any clarification on best practices around VIPs and Port Forwarding.