Virtual IP groups

Just like other addresses, Virtual IP addresses can be organized into groups for ease of administration. If you have multiple virtual IPs that are likely to be associated with common firewall policies, rather than adding them individually to each of the policies you can add the group instead. That way, if the members of the group change, any changes made to the group will propagate to all of the policies using that group.

When using a Virtual IP address group, the firewall policy will take into account all of the configured parameters of the member Virtual IPs: IP addresses, ports, and port types.

Creating a virtual IP group

  1. Go to Policy & Objects > Virtual IPs.
  2. Select Create New. A drop down menu is displayed. Select Virtual IP Group.
  3. Select the Type of VIP group you wish to create. The options available are:

     - IPv4 – IPv4 on both sides of the FortiGate unit.
     - IPv6 – IPv6 on both sides of the FortiGate unit.
     - NAT46 – Going from an IPv4 network to an IPv6 network.
     - NAT64 – Going from an IPv6 network to an IPv4 network.

     Which type is chosen will depend on which IP version network is on the external interface of the FortiGate unit and which is on the internal interface.

  4. Enter a unique identifier for the group in the Name field.
  5. Enter any additional information in the Comments field.
  6. If you wish, use the Change link to change the Color of icons in the GUI. There are 32 color options.
  7. If the Type is IPv4, the Interface field will be available. Use the drop-down menu to select the interface if all of the VIPs are on the same interface. If any of the VIPs are on different interfaces, or if any of them are associated with the “any” option, choose the any option for the group.
  8. Select anywhere in the Members field to bring up the pane of potential members for selection into the group.
  9. Press
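The same object can be built from the FortiOS CLI. The following is an added example, not part of the original guide: two constructed port-forwarding VIPs on wan1 are placed in a VIP group, and an inbound policy references the group as its destination. Instead of allowing any source, the policy restricts srcaddr to a constructed address object for the known external peer, which is the usual way to keep unsolicited internet traffic from reaching the forwarded ports (all names and addresses are assumptions).

```text
# Two VIPs with different external ports; the group carries both port mappings
config firewall vip
    edit "vip-web-443"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "10.0.10.20"
        set mappedport 443
    next
    edit "vip-sip-5060"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set protocol udp
        set extport 5060
        set mappedip "10.0.10.30"
        set mappedport 5060
    next
end

# The group; interface must match the members (or be "any" if they differ)
config firewall vipgrp
    edit "grp-dmz-vips"
        set interface "wan1"
        set comments "Inbound VIPs for the DMZ"
        set member "vip-web-443" "vip-sip-5060"
    next
end

# Constructed address object for the one external peer allowed to reach the group
config firewall address
    edit "peer-sip-provider"
        set subnet 198.51.100.25 255.255.255.255
    next
end

# Policy referencing the VIP group as destination; source limited to the named peer
config firewall policy
    edit 0
        set name "inbound-to-dmz-vips"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "peer-sip-provider"
        set dstaddr "grp-dmz-vips"
        set action accept
        set schedule "always"
        set service "HTTPS" "SIP"
        set logtraffic all
    next
end
```

Because the policy's destination is the group, adding or removing a VIP in `config firewall vipgrp` changes what the policy matches without editing the policy itself; the srcaddr restriction is what determines whether arbitrary internet hosts can reach the forwarded ports at all.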
This entry was posted in Administration Guides, FortiOS 6.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (cybersecurity consulting firm).

5 thoughts on “Virtual IP groups”

  1. Amit

    I feel that Fortinet in future may remove the concept of NAT on policy. They will move on to Central NAT instead of selecting NAT on all policies; for static NAT, DNAT and the virtual IP feature will be used. In other words, the concept of selecting the NAT option on a policy will phase out. What are your comments on this?

    Reply
  2. Manny Fernandez

    Central NAT is much better. It is in line with most of the other competitors. Makes more sense. There is no need for VIP groups in central NAT.

    Reply
    1. Mike Post author

      I’m a fan of it. Most deployments I come across do not utilize central NAT though. At least, not yet…

      Reply
  3. Chris

    Implemented a rule to only allow SIP traffic (5060) from the external SIP server direct to the internal SIP server. Does not look to be working, as the WAN port is still getting hit with hacker requests for 5060.
    The Virtual IP Group for SIP phones has all the necessary ports configured. Should it be set up from the external SIP server direct to this VIP group instead?

    Reply
  4. Chris

    The existing SIP policy has the VIP group set from all sources to this group. The WAN port is getting hit with SIP attacks. Set a policy from the valid external SIP server to the IP of the internal SIP server. Not working. Should the policy be from the external SIP server to this VIP group instead?

    Reply
