Virtual IPs

The mapping of a specific IP address to another specific IP address is usually referred to as Destination NAT.

When the Central NAT Table is not being used, FortiOS calls this a Virtual IP Address, sometimes referred to as a VIP. FortiOS uses a DNAT or Virtual IP address to map an External IP address to another IP address. This address does not have to be an individual host; it can also be an address range. This mapping can include all TCP/UDP ports or, if Port Forwarding is enabled, only the specific ports configured. Because the Central NAT table is disabled by default, the term Virtual IP address or VIP will be used predominantly.

Virtual IP addresses are typically used to NAT external or Public IP addresses to internal or Private IP addresses. Using a Virtual IP address between 2 internal Interfaces made up of Private IP addresses is possible but there is rarely a reason to do so as the 2 networks can just use the IP addresses of the networks without the need for any address translation. Using a Virtual IP address for traffic going from the inside to the Internet is even less likely to be a requirement, but it is supported.

Something that needs to be considered when there are multiple Public IP addresses on the external interface(s) is that when a Virtual IP address is used without Port Forwarding enabled there is a reciprocal effect as far as traffic flow is concerned. Normally, on a firewall policy where NAT is enabled, for outgoing traffic the internal address is translated to the Public address that is assigned to the FortiGate, but if there is a Virtual IP address with no port forwarding enabled, then the Internal IP address in the Mapped field would be translated to the IP address configured as the External Address in the VIP settings.

Example

  • The assigned External address (WAN1) of the FortiGate unit is 172.12.96.3 with a subnet mask of 255.255.255.128
  • There is a Virtual IP address set up to map the external address 172.12.96.127 on WAN1 to the internal IP address of 192.168.1.127
  • Port Forwarding is not enabled because you want all allowed traffic going to the external IP address to go to this server.

In this case any outbound traffic from 192.168.1.127 will go out on WAN1 with the IP address of 172.12.96.127 as the source IP address.
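The reciprocal effect in this example, written out as FortiOS CLI configuration together with a check that a defender can run to confirm which source address the outbound traffic actually carries. This is an added illustration, not configuration from the original post: the object names, the internal interface name "internal" and the outbound policy are assumptions, while the addresses and WAN1 are taken from the example above.

```fortios
# 1:1 Virtual IP with no port forwarding (assumed name "Server_Static_NAT"):
# external 172.12.96.127 on wan1 <-> internal 192.168.1.127
config firewall vip
    edit "Server_Static_NAT"
        set extintf "wan1"
        set extip 172.12.96.127
        set mappedip "192.168.1.127"
    next
end

# Ordinary outbound policy with NAT enabled. The internal interface name
# "internal" and the policy name are assumptions for this illustration.
config firewall policy
    edit 0
        set name "Outbound_Internal"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Check: with the VIP above in place, packets from 192.168.1.127 leave wan1
# with source 172.12.96.127 rather than the interface address 172.12.96.3.
# Verbosity 4 prints headers with interface names; 10 packets are captured.
diagnose sniffer packet wan1 'host 172.12.96.127' 4 10
```

If the capture shows 172.12.96.127 as the source of outbound packets from the server while the outbound policy only has plain NAT enabled, that is the static-NAT side effect of the VIP, not a policy misconfiguration; enabling Port Forwarding on the VIP is what limits the object to the configured ports.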

In terms of actually using Virtual IP addresses, they are used in security policies in the same places that other addresses would be used, usually as a Destination Address.

UUID Support for VIP

UUID is now supported for virtual IPs and virtual IP groups. This includes virtual IPs for IPv4, IPv6, NAT46, and NAT64. To view the UUID for these objects in a FortiGate unit’s logs, log-uuid must be set to extended mode, rather than policy-only (which only shows the policy UUID in a traffic log). UUID can only be configured through the CLI.

Syntax

config sys global
    set log-uuid {disable | policy-only | extended}
end

There is another type of address that the term “virtual IP address” commonly refers to which is used in load balancing and other similar configurations. In those cases, a number of devices share a separately created virtual IP address that can be sent to multiple possible devices. In FortiOS these are referred to as Virtual Servers and are configured in the “Load Balance” section.

If Central-NAT is enabled in the CLI the GUI will be different:

  • Instead of VIP Type, the field label will be DNAT & VIP Type.
  • Instead of IPv4 the option will be IPv4 DNAT.
  • There will also be the additional setting of Source Interface Filter.

Commands to set central-nat:

config system settings
    set central-nat [enable | disable]
end

Creating a Virtual IP

  1. Go to Policy & Objects > Virtual IPs.
  2. Select Create New. A drop down menu is displayed. Select Virtual IP.
  3. From the VIP Type options, choose an applicable type based on the IP addressing involved. Which is chosen will depend on which of the IP version networks is on the external interface of the FortiGate unit and which is on the internal interface.

The available options are:

  • IPv4 – IPv4 on both sides of the FortiGate Unit.
  • IPv6 – IPv6 on both sides of the FortiGate Unit.
  • NAT46 – Going from an IPv4 Network to an IPv6 Network.
  • NAT64 – Going from an IPv6 Network to an IPv4 Network.

  4. In the Name field, input a unique identifier for the Virtual IP.
  5. Input any additional information in the Comments field.
  6. The Color of the icons that represent the object in the GUI can be changed by clicking on the [Change] link and choosing from the 32 colors.

Because the configuration differs slightly for each type, the next steps are given under a separate heading for each type of VIP.

Configuring a VIP for IPv4

In the Network section:

  1. If the Virtual IP is of the IPv4 type, select the Interface.

Using the drop down menu for the Interface field, choose the incoming interface for the traffic.

The IPv4 VIP Type is the only one that uses this field. This is a legacy function from previous versions so that they can be upgraded without complicated reconfiguration. The External IP address, which is a required field, tells the unit which interface to use, so it is perfectly acceptable to choose “any” as the interface. In some configurations, if the Interface field is not set to “any” the Virtual IP object will not be one of the displayed options when choosing a destination address.

  2. Configure the External IP Address/Range.

There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network that is usually the public address of the server. The format of the address will depend on the VIP Type option that was selected.

  3. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.

There are two fields. If there is a single IP address, use that address in both fields. The format of the address will depend on the VIP Type option that was selected.

In the Optional Filters section:

  4. Disable/Enable the Optional Filters.

If only specific IP addresses and/or services are allowed to be the source for traffic using the VIP, enable the Optional Filters.

  5. To specify an allowed address enter the value in the field labeled Source Address. The value can be formatted in three different ways.

  • Source IP – Use the standard format for a single IP address
  • Range – Enter the first and last members of the range
  • Subnet – Enter the IP address of the broadcast address for the subnet.

To add additional addresses, click on the “+” below the last field with an address. To subtract an address, click on the “X” next to the field you wish to delete.

  6. To specify an allowed Service, toggle the Services option to enabled. Set the Services parameter by selecting the field with the “+” in the field. This will slide a window out from the right. Single or multiple options can be selected by highlighting the services wanted, unless the ALL option is chosen, in which case it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  7. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
  8. Select the Protocol from TCP, UDP, SCTP or ICMP.
  9. Configure the External Service Port. This is the port(s) on the external interface of the FortiGate (the destination port in the header of the packets). The first field is for the first port in the range, the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  10. Configure the setting Map to Port. This will be the listening port on the device located on the internal side of the network. It does not have to be the same as the External Service Port. The first field is for the first port in the range, the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  11. Press

Example

This example is for a VIP that is being used to direct traffic from the external IP address to a web server on the internal network. The web server is for company use only. The company’s public facing web server already used port 80 and there is only one IP external IP address so the traffic for this server is being listened for on port 8080 of the external interface and being sent to port 80 on the internal host.

Field                        Value
VIP Type                     IPv4
Name                         Internal_Webserver
Comments                     Web server with Collaboration tools for Corporate employees
Interface                    Any
External IP Address/Range    172.13.100.27 <this would normally be a public IP address>
Mapped IP Address/Range      192.168.34.150
Optional Filters             enabled
Source Address Filter        <list of IP addresses of remote users>
Services                     enabled with HTTP in the list
Port Forwarding              enabled
Map to Port                  80 – 80
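The same example expressed in FortiOS CLI, together with the inbound policy that uses the VIP as its destination. This is an added illustration, not configuration from the original post. The external address 172.13.100.27, the mapped address 192.168.34.150, the VIP name and the 8080 to 80 mapping come from the table above; the interface names wan1 and internal, the policy name and the two remote-user addresses (203.0.113.10 and 203.0.113.11, constructed placeholders from the documentation range) are assumptions. The Services filter from the table is left out here.

```fortios
# Virtual IP: external 172.13.100.27 TCP/8080 -> internal 192.168.34.150 TCP/80
config firewall vip
    edit "Internal_Webserver"
        set comment "Web server with Collaboration tools for Corporate employees"
        set extintf "any"
        set extip 172.13.100.27
        set mappedip "192.168.34.150"
        set portforward enable
        set protocol tcp
        set extport 8080
        set mappedport 80
        # Optional Filters / Source Address: only these remote-user
        # addresses (constructed placeholders) may use the VIP
        set src-filter "203.0.113.10" "203.0.113.11"
    next
end

# Inbound policy with the VIP as destination. NAT stays disabled so the
# server sees the real client source address. Interface and policy names
# are assumptions for this illustration.
config firewall policy
    edit 0
        set name "Inbound_Internal_Webserver"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Internal_Webserver"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

Because the VIP has Port Forwarding enabled, only packets addressed to 172.13.100.27 on TCP 8080 match the VIP object, so the policy's service of ALL does not open anything beyond that one port; logging all traffic on the policy gives the detection side a record of every remote-user connection to the internal server.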

Configuring a VIP for IPv6

In the Network section:

  1. Configure the External IP Address/Range.

There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network that is usually the public address of the server. Enter the address in the standard IPv6 format.

  2. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.

There are two fields. If there is a single IP address, use that address in both fields. Enter the address in the standard IPv6 format.

In the Optional Filters section:

  3. Disable/Enable the Optional Filters.

If only specific IP addresses and/or services are allowed to be the source for traffic using the VIP, enable the Optional Filters.

  4. To specify an allowed address enter the value in the field labeled Source Address. The value can be formatted in three different ways.

  • Source IP – Use the standard format for a single IP address
  • Range – Enter the first and last members of the range
  • Subnet – Enter the IP address of the broadcast address for the subnet.

To add additional addresses, click on the “+” below the last field with an address. To subtract an address, click on the “X” next to the field you wish to delete.

  5. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
  6. Select the Protocol from TCP, UDP or SCTP.
  7. Configure the External Service Port. This is the port(s) on the external interface of the FortiGate (the destination port in the header of the packets). The first field is for the first port in the range, the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  8. Configure the setting Map to Port. This will be the listening port on the device located on the internal side of the network. It does not have to be the same as the External Service Port. The first field is for the first port in the range, the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  9. Press

Configuring a VIP for NAT46

In the Network section:

  1. Configure the External IP Address/Range.

There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network that is usually the public address of the server. Enter the address in the standard IPv4 format.

  2. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.

There are two fields. If there is a single IP address, use that address in both fields. Enter the address in the standard IPv6 format.

In the Optional Filters section:

  3. Disable/Enable the Optional Filters.

If only specific IP addresses and/or services are allowed to be the source for traffic using the VIP, enable the Optional Filters.

  4. To specify an allowed address enter the value in the field labeled Source Address. The value can be formatted in three different ways.

  • Source IP – Use the standard format for a single IP address
  • Range – Enter the first and last members of the range
  • Subnet – Enter the IP address of the broadcast address for the subnet.

To add additional addresses, click on the “+” below the last field with an address. To subtract an address, click on the “X” next to the field you wish to delete.

  5. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
  6. Select the Protocol from TCP or UDP.
  7. Configure the External Service Port. This is the port(s) on the external interface of the FortiGate (the destination port in the header of the packets). The first field is for the first port in the range, the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  8. Configure the setting Map to Port. This will be the listening port on the device located on the internal side of the network. It does not have to be the same as the External Service Port. The first field is for the first port in the range, the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  9. Press

Configuring a VIP for NAT64

In the Network section:

  1. Configure the External IP Address/Range.

There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network that is usually the public address of the server. Enter the address in the standard IPv6 format.

  2. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.

There are two fields. If there is a single IP address, use that address in both fields. Enter the address in the standard IPv4 format.

In the Optional Filters section:

  3. Disable/Enable the Optional Filters.

If only specific IP addresses and/or services are allowed to be the source for traffic using the VIP, enable the Optional Filters.

  4. To specify an allowed address enter the value in the field labeled Source Address. The value can be formatted in three different ways.

  • Source IP – Use the standard format for a single IP address
  • Range – Enter the first and last members of the range
  • Subnet – Enter the IP address of the broadcast address for the subnet.

To add additional addresses, click on the “+” below the last field with an address. To subtract an address, click on the “X” next to the field you wish to delete.

  5. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
  6. Select the Protocol from TCP or UDP.
  7. Configure the External Service Port. This is the port(s) on the external interface of the FortiGate (the destination port in the header of the packets). The first field is for the first port in the range, the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  8. Configure the setting Map to Port. This will be the listening port on the device located on the internal side of the network. It does not have to be the same as the External Service Port. The first field is for the first port in the range, the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  9. Press

FQDN in VIPs

Instead of mapping to an IP address, a VIP can use an FQDN (Fully Qualified Domain Name). This has to be configured in the CLI, and the FQDN must be an address object that is already configured in the address listing.

The syntax for using a FQDN is:

config firewall vip
    edit <VIP id>
        set type fqdn
        set mapped-addr <FQDN address object>
    next
end
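A complete worked version of the FQDN procedure, added here as an illustration and not taken from the original post: the FQDN address object is created first, then the VIP references it by name. The object names, the hostname collab.corp.example, the external address 172.13.100.28 and the interface choice are all assumptions.

```fortios
# Step 1: the FQDN must already exist as an address object (assumed name and hostname)
config firewall address
    edit "collab-internal-fqdn"
        set type fqdn
        set fqdn "collab.corp.example"
    next
end

# Step 2: a VIP of type fqdn maps the external address to that address object
# instead of to a fixed mapped IP (assumed VIP name and external address)
config firewall vip
    edit "Internal_Collab_FQDN"
        set type fqdn
        set extintf "any"
        set extip 172.13.100.28
        set mapped-addr "collab-internal-fqdn"
    next
end
```

Because the internal destination is now whatever the FortiGate resolves for the FQDN, the integrity of the DNS source the unit uses becomes part of the VIP's security boundary: a changed DNS answer silently changes where the forwarded traffic lands, so the resolver configuration deserves the same change control as the VIP itself.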

Dynamic VIP according to DNS translation

When a dynamic virtual IP is used in a policy, the dynamic DNS translation table is installed along with the dynamic NAT translation table into the kernel. All matched DNS responses will be translated and recorded regardless of whether they hit the policy. When a client request hits the policy, dynamic NAT translation will occur if it matches a record; otherwise the traffic will be blocked.

Syntax

config firewall vip
    edit "1"
        set type dns-translation
        set extip 192.168.0.1-192.168.0.100
        set extintf "dmz"
        set dns-mapping-ttl 604800
        set mappedip "3.3.3.0/24" "4.0.0.0/24"
    next
end

Virtual IP Groups

Just like other addresses, Virtual IP addresses can be organized into groups for ease of administration. If you have multiple virtual IPs that are likely to be associated with common firewall policies, rather than add them individually to each of the policies you can add the group instead. That way, if the members of the group change, then any changes made to the group will propagate to all of the policies using that group.

When using a Virtual IP address group the firewall policy will take into account all of the configured parameters of the Virtual IPs: IP addresses, Ports and port types.

Creating a Virtual IP Group

  1. Go to Policy & Objects > Virtual IPs.
  2. Select Create New. A drop down menu is displayed. Select Virtual IP Group.
  3. Select the Type of VIP group you wish to create. Which is chosen will depend on which of the IP version networks is on the external interface of the FortiGate unit and which is on the internal interface. The options available are:

  • IPv4 – IPv4 on both sides of the FortiGate Unit.
  • IPv6 – IPv6 on both sides of the FortiGate Unit.
  • NAT46 – Going from an IPv4 Network to an IPv6 Network.
  • NAT64 – Going from an IPv6 Network to an IPv4 Network.

  4. Enter a unique identifier for the group in the Name field.
  5. Enter any additional information in the Comments field.
  6. If you wish, use the Change link to change the Color of icons in the GUI. There are 32 color options.
  7. If the Type is IPv4, the Interface field will be available. Use the drop-down menu to select the interface if all of the VIPs are on the same interface. If any of the VIPs are on different interfaces or if any of them are associated with the “any” option, choose the any option for the group.
  8. Select anywhere in the Members field to bring up the pane of potential members for selection to the group.
  9. Press
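The group procedure above in FortiOS CLI form, added here as an illustration and not taken from the original post. It assumes the VIP named Internal_Webserver from the IPv4 example earlier on this page already exists, and adds a second VIP for the public-facing web server on TCP/80 (its name, the mapped address 192.168.34.151 and the interface names are assumptions), then groups both and uses the group as the policy destination.

```fortios
# Second VIP: the public web server on the same external address, TCP/80
# (assumed name and mapped address)
config firewall vip
    edit "Public_Webserver"
        set extintf "any"
        set extip 172.13.100.27
        set mappedip "192.168.34.151"
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
end

# Group both VIPs. The group interface is "any" because the member VIPs
# use "any" as their interface (step 7 above).
config firewall vipgrp
    edit "Corp_Webservers"
        set interface "any"
        set member "Internal_Webserver" "Public_Webserver"
    next
end

# One inbound policy references the group; adding or removing a member
# VIP later changes what this policy matches without editing the policy.
config firewall policy
    edit 0
        set name "Inbound_Corp_Webservers"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Corp_Webservers"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

The trade-off to keep in mind is the one the text states: the policy takes into account every member's addresses, ports and protocols, so a source filter configured on one member VIP does not narrow what the other members expose, and each member still needs its own Optional Filters.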
This entry was posted in FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

12 thoughts on “Virtual IPs”

  1. Jan-Pieter

    Hi, thanks for the complete post. I have some virtual IP’s which are running fine, from WAN1 to internal subnets.
    However I have one issue: the local applications see users coming in not from their public IP-address, but with the fortinet as source. So 192.168.1.1 instead of the public 100.101.102.103 IP which I would expect with NAT.

    This leads to some issues for my applications. How can I fix this, so that the fortigate is not the source IP anymore towards my own app?

    1. Mike Post author

      If the traffic is coming from internal sources I normally recommend address objects and INSIDE to DMZ style policy. The way for this to work is site.com should resolve to external IP for outside folks while it should resolve to internal space for internal folks. Split brain DNS is required to make this happen. It is much cleaner and removes any hairpin routing that is necessary otherwise (which the FortiGate doesn’t respond well to).

      Let me know if this helps or if I completely misunderstood the question.

    2. E

      Very easy mistake to make but never use NAT on your WAN -> LAN policies,
      Setting the VIP as the policy destination handles the traffic forwarding.
      Check your WAN -> LAN policy with the VIP as the destination, disable NAT!

      1. Charles

        For WAN–>LAN, does just using VIPs and leaving NAT disabled expose any risk to the LAN systems? Can external/public users see anything they couldn’t when NAT is enabled? It seems that VIP = DNAT that most of us are familiar with. I am wondering why using a VIP doesn’t automatically disable NAT or at least give you a warning saying “You don’t need DNAT now that you’re using a VIP”.

  2. Shuja R

    Hi

    This was a really good and comprehensive post. However, I have found that you can’t use VIP groups as destination in DNAT. Correct me if I am wrong, as this is what I have found in the fortinet documentation as well. I have tried configuring policies and using VIP group as a destination but it never shows up in options to select from.

    Cheers

  3. Patrick

    Your examples as well as all the FGT examples I’ve seen use one or more VIP IPs that are different from the FGT’s WAN IP. I need to setup a VIP that uses the FGT’s own external IP on a distinct port and needs to NAT+portmap it to a server on an internal non-routable IP.
    Explicitly, the FGT’s wan IP is 10.1.1.1/30 and there is a webserver on 192.168.1.1 port 80 that I need to connect to. I cannot just connect to http://192.168.1.1:80 as the network 192.168.1.0/24 isn’t routed. I cannot setup a VIP using an IP on the wan interface different from the fortigate’s IP as it is a /30 and there are thus no available IPs.

    Logically, I should be able to setup something on the FGT that maps an unused port (ex: 12380) on the wan interface to 192.168.1.1 port 80.
    I’d test this but the FGT is remote and I’m afraid of cutting off my access to it if the VIP doesn’t work as expected.

    1. Mike Post author

      As long as you don’t port forward the port that allows you to administer the FortiGate you will be fine. You may want someone on site with a backup of the config JUST in case you fat finger an entry somewhere though.

  4. SOU

    Is it possible to create a virtual server on the internal interface with real server also on the internal interface? My idea is to “loadbalanced” for example an internal squid proxy or an internal dns server. Thank you.

  5. david

    I come from a pfsense background where it was easy to redirect dns and ntp traffic using nat port forwards and in doing so it auto created firewall rules.
    I have not figured out how to do so on the fortigate. It seems you can do wan to lan VIP (port forwards), but not lan trying to go to wan and redirect it back to specific lan servers.
    I’m trying to figure out how to redirect workers’ misconfigured machines to stop their own dns and ntp from going out to the wan. I want to redirect that traffic to internal dns and ntp servers.
    I can only block anything going to wan and only accept traffic going towards my internal dns and ntp servers.

  6. Matt

    Something that’s driving me nuts is I want to create a policy that opens a range of ports to a server inside.
    Version 6.2.5
    In this case so I want ports 6000-6050 forwarded to a server inside on that same range.
    I try to create a VIP and it won’t let me do ranges and will only work if I add one entry per port.
    When I look up VIP on any forums or Fortigate help, there are no examples of this but shows that everything can be in ranges. Any suggestions?

