Virtual IPs

Dynamic VIP according to DNS translation

When a dynamic virtual IP is used in a policy, the dynamic DNS translation table is installed along with the dynamic NAT translation table into the kernel. All matched DNS responses will be translated and recorded regardless if they hit the policy. When a client request hits the policy, dynamic NAT translation will occur if it matches a record, otherwise the traffic will be blocked.


Syntax

    config firewall vip
        edit "1"
            set type dns-translation
            set extip 192.168.0.1-192.168.0.100
            set extintf "dmz"
            set dns-mapping-ttl 604800
            set mappedip "3.3.3.0/24" "4.0.0.0/24"
        next
    end
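To make the two tables concrete, here is a small added model (not FortiOS code, the kernel tables are not exposed) of the behaviour described above, using the pool, mapped ranges and TTL from the syntax block: matched DNS answers inside a mappedip range are rewritten to a leased extip and recorded, and a client packet hitting the policy is NATed only when a live record exists, otherwise it is blocked. The class and method names are assumptions made for the illustration.

```python
import ipaddress
import time

# Constructed values taken from the syntax block above.
EXTIP_POOL = [ipaddress.ip_address("192.168.0.1") + i for i in range(100)]  # 192.168.0.1-192.168.0.100
MAPPED_NETS = [ipaddress.ip_network("3.3.3.0/24"), ipaddress.ip_network("4.0.0.0/24")]
DNS_MAPPING_TTL = 604800  # seconds


class DynamicVip:
    """Hypothetical model of a dns-translation VIP: one DNS translation
    table feeding one dynamic NAT table, keyed by the leased extip."""

    def __init__(self, now=time.time):
        self.now = now
        self.table = {}  # extip -> (real_ip, expiry)

    def translate_dns_answer(self, answers):
        """Rewrite every A-record answer inside a mappedip range and record it.
        Runs on all matched DNS responses, whether or not a policy is hit."""
        out = []
        for ip in map(ipaddress.ip_address, answers):
            if any(ip in net for net in MAPPED_NETS):
                out.append(str(self._lease(ip)))
            else:
                out.append(str(ip))  # not a mapped address: passed through untouched
        return out

    def _lease(self, real_ip):
        # Reuse a live record for the same real IP, refreshing its TTL.
        for extip, (mapped, expiry) in self.table.items():
            if mapped == real_ip and expiry > self.now():
                self.table[extip] = (mapped, self.now() + DNS_MAPPING_TTL)
                return extip
        # Otherwise take the first free or expired extip from the pool.
        for extip in EXTIP_POOL:
            entry = self.table.get(extip)
            if entry is None or entry[1] <= self.now():
                self.table[extip] = (real_ip, self.now() + DNS_MAPPING_TTL)
                return extip
        raise RuntimeError("extip pool exhausted")

    def client_request(self, dst):
        """Dynamic NAT for a client packet that hits the policy: returns the
        real destination, or None when there is no live record (blocked)."""
        entry = self.table.get(ipaddress.ip_address(dst))
        if entry is None or entry[1] <= self.now():
            return None
        return str(entry[0])
```

Note that a client connecting to a pool address the resolver never handed out is dropped, and that a record stops translating once dns-mapping-ttl has elapsed.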


Virtual IP Groups

Just like other addresses, Virtual IP addresses can be organized into groups for ease of administration. If you have multiple virtual IPs that are likely to be associated with common firewall policies, rather than adding them individually to each of the policies you can add the group instead. That way, if the members of the group change, the change will propagate to all of the policies using that group.

When using a Virtual IP address group, the firewall policy will take into account all of the configured parameters of the member Virtual IPs: IP addresses, ports and port types.


Creating a Virtual IP Group

1. Go to Policy & Objects > Virtual IPs.

2. Select Create New. A drop down menu is displayed. Select Virtual IP.

3. Select the Type of VIP group you wish to create.

The options available are:

  • IPv4 – IPv4 on both sides of the FortiGate Unit.
  • IPv6 – IPv6 on both sides of the FortiGate Unit.
  • NAT46 – Going from an IPv4 Network to an IPv6 Network.
  • NAT64 – Going from an IPv6 Network to an IPv4 Network.

Which is chosen will depend on which IP version network is on the external interface of the FortiGate unit and which is on the internal interface.

4. Enter a unique identifier for the group in the Name field.

5. Enter any additional information in the Comments field.

6. Use the drop-down menu of the Interface field to select the interface if all of the VIPs are on the same interface. If any of the VIPs are on different interfaces, or if any of them are associated with the "any" option, choose the any option for the group.

7. Select anywhere in the Members field to bring forth the pane of potential members for selection to the group.

8. Press OK.

3 thoughts on "Virtual IPs"

1. Mike (Post author)

   I have heard of this issue but haven't run into it myself. I know several users that are being forced to use the local creation then re-import workaround to step around this issue until Fortinet can make progress on resolving it.

   Reply

2. Jose Suarez

   Hi, good day. I made a configuration in a FortiGate 5.6.2 with virtual IPs etc. It works fine.
   Then I set the SD-WAN. I set a new interface with another IP to add in the SD-WAN, but I have a static route. I can have HTTP and other services etc., but virtual IPs do not respond. I know it is because of the static route, but I can't set a policy route correctly. Do you have any clue?

   Reply
