Creating a Virtual IP
1. Go to Policy & Objects > Virtual IPs.
2. Select Create New. A drop down menu is displayed. Select Virtual IP.
3. From the VIP Type options, choose an applicable type based on the IP addressing involved. Which is chosen will depend on which of the IP version networks is on the external interface of the FortiGate unit and which is on the internal interface.
The available options are:
- IPv4 – IPv4 on both sides of the FortiGate Unit.
- IPv6 – IPv6 on both sides of the FortiGate Unit.
- NAT46 – Going from an IPv4 Network to an IPv6 Network.
- NAT64 – Going from an IPv6 Network to an IPv4 Network.
4. In the Name field, input a unique identifier for the Virtual IP.
5. Input any additional information in the Comments field. In the Network section
6. If an IPv4 type of Virtual IP, select the Interface setting.
Using the dropdown menu for the Interface Field, choose the incoming interface for the traffic.
The IPv4 VIP Type is the only one that uses this field. This is a legacy function from previous versions so that they can be upgraded without complicated reconfigureation. The External IP address, which is a required field, tells the unit which interface to use so it is perfectly acceptable to choose “any” as the interface. In some configurations, if the Interface field is not set to “any” the Virtual IP object will not one of the displayed options when choosing a destination address.
7. Configure the External IP Address/Range.
There are two fields. If there is a single IP address, use that address in both fields.This will be the address on the outside of the network that is usually the public address of the server. The format of the address will depend on the VIP Type option that was selected.
8. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.
There are two fields. If there is a single IP address, use that address in both fields.The format of the address will depend on the VIP Type option that was selected.
9. Disable/Enable the Source Address Filter.
If only specific IP addresses are allowed to be the source address for traffic using the VIP, enable the Source Address Filter.To add an allowed address select Create New. The value fo the address field for the Source Address Filter can be formatted in three different ways.
- Source IP – Use the standard format for a single IP address based on whether it’s IPv4 or IPv6
- Range – Enter the first and last members of the range
- Subnet – Enter the IP address of the broadcast address for the subnet.
10. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
i. Select the Protocol.
Depending on which Virtual IP type is being configured there can be one of up to 4 different protocols being forwarded.
- IPv4 can forward: TCP, UDP, SCTP or ICMP
- IPv6 can forward: TCP, UDP, or SCTP
- NAT46 can forward: TCP or UDP
- NAT64 can forward: TCP or UDP
ii. Configure the External Service Port.
This will be the listening port that the traffic is being sent to. If ICMP was selected, there will not be any port options available. This is because only one internal address will be able to respond to ICMP requests. For the other options there will be 2 field to configure. The start and the end of the port range. If only a single port is being configured, enter the same value in both fields.
iii. Configure the setting Map to Port.
This will be the listening port on the device on the internal side of the network. It does not have to be the same as the External Service Port. There will be 2 field to configure. The start and the end of the port range. If only a single port is being configured, enter the same value in both fields.
11. Press OK.
Example
This example is for a VIP that is being used to direct traffic from the external IP address to a webserver on the internal network.The webserver is for company use only. The company’s public facing webserver already used port 80 and there is only one IP external IP address so the traffic for this server is being listened for on port 8080 of the external interface and being sent to port 80 on the internal host.
Field Value
VIP Type IPv4
Name Internal_Webserver
Comments Webserver with Colaboration tools for Corporate employees
Interface Any
External IP Address/Range
Mapped IP Address/Range
172.13.100.27 <this would normally be a public IP address> 192.168.34.150
Source Address
Filter
<list of IP addresses of remote users>
Port Forwarding enabled
Protocol TCP
External Service
Port
8080 – 8080
Map to Port 80 – 80
look this problem with virtual ip on fortimanager 5.4.1 https://www.reddit.com/r/fortinet/comments/4yer17/fortimanager_problems_with_port_forewarding_vips/
I have heard of this issue but haven’t run into it myself. I know several users that are being forced to use the local creation then re-import work around to step around this issue until Fortinet can make progress on resolving it.
hi good day. I made a configuration in a fortigate 5.6.2…. with virtual ips’ etc. works fine.
Then I set the SD-WAN….. I set a new interface with another ip to add in the SD-WAN… but I have a static route…… I can have http other services etc…. but virtual ips… does not respond…. I know is for the static route… but i can’t set a policy route correctly. If you any clue?