Handbook

IPv4 VIPs

6.0.0
IPv4 VIPs

To add IPv4 VIPs:

  1. Go to Policy & Objects > Virtual IPs and select Create New > Virtual IP.
  2. Give the VIP a Name.
  3. Optionally add a descriptive Comment and change the Color.
  4. Choose the incoming Interface for the traffic.

    The Interface tells the FortiGate which interface to use, so it is perfectly acceptable to choose "any" as the interface. In some configurations, if the Interface field is not set to "any", the Virtual IP object will not be one of the displayed options when choosing a destination address.

    Note

    The IPv4 VIP Type is set to Static NAT and cannot be changed because this is the only type of VIP that you can configure from the GUI.

  5. Configure the External IP Address/Range.

    There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network that is usually the public address of the server. The format of the address will depend on the VIP Type option that was selected.

  6. Configure the Mapped IP Address/Range.

    This will be the address that the traffic is being directed to. There are two fields. If there is a single IP address, use that address in both fields. The format of the address will depend on the VIP Type option that was selected.

  7. If required, enable Optional Filters.
  8. Optionally add a Source address.

    If only specific IP addresses and/or services are allowed to be the source for traffic using the VIP, specify one or more allowed source IP, range, or subnet:

    • Source IP - Use the standard format for a single IP address.
    • Range - Enter the first and last members of the range.
    • Subnet - Enter the IP address of the broadcast address for the subnet.
  9. Optionally add a Service.
  10. Enable or disable Port Forwarding.
  11. If only the traffic for a specific port or port range is being forwarded, enable this setting.
  12. Select the Protocol from:

    • TCP
    • UDP
    • SCTP
    • ICMP
  13. Configure the External Service Port.

    This is the port or ports on the external interface of the FortiGate (the destination port in the header of the packets). The first field is for the first port in the range; the second is for the last port in the range. As you enter a value in the first field, the second field will auto-populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.

  14. Configure the setting Map to Port.

    This will be the listening port on the device located on the internal side of the network. It does not have to be the same as the External Service Port. The first field is for the first port in the range; the second is for the last port in the range. As you enter a value in the first field, the second field will auto-populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.

  15. Select OK.

Example

This example is for a VIP that directs traffic from the external IP address to a web server on the internal network. The web server is for company use only. The company's public-facing web server already uses port 80 and there is only one external IP address, so the traffic for this server is listened for on port 8080 of the external interface and sent to port 80 on the internal host.

Field                       Value
--------------------------  ------------------------------------------------------------
VIP Type                    IPv4
Name                        Internal_Webserver
Comments                    Web server with Collaboration tools for Corporate employees
Interface                   Any
External IP Address/Range   172.13.100.27 <this would normally be a public IP address>
Mapped IP Address/Range     192.168.34.150
Optional Filters            enabled
Source Address Filter       <list of IP addresses of remote users>
Services                    enabled with HTTP in the list
Port Forwarding             enabled
Map to Port                 80 - 80
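
The following Python model is an added example, not Fortinet code and not part of the original handbook; it shows how the source filter, external port range, and Map to Port settings of the example VIP combine to decide whether a packet is translated. The `Vip` class, the `translate` function, the filter entry syntax (CIDR and `first-last`), the offset-based range mapping, and the source addresses in the filter are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Vip:
    """Illustrative model of a static NAT VIP with port forwarding."""
    ext_ip: tuple                 # (first, last) External IP Address/Range
    mapped_ip: tuple              # (first, last) Mapped IP Address/Range
    protocol: str = "tcp"
    ext_ports: tuple = None       # (first, last); None = port forwarding disabled
    mapped_ports: tuple = None    # (first, last) Map to Port
    src_filter: list = field(default_factory=list)  # empty = any source allowed

def _in_range(addr, first, last):
    a = ipaddress.ip_address(addr)
    return ipaddress.ip_address(first) <= a <= ipaddress.ip_address(last)

def _source_allowed(vip, src):
    if not vip.src_filter:
        return True
    for entry in vip.src_filter:
        if "-" in entry:                                   # range: first-last
            first, last = (p.strip() for p in entry.split("-"))
            if _in_range(src, first, last):
                return True
        elif ipaddress.ip_address(src) in ipaddress.ip_network(entry, strict=False):
            return True                                    # single IP or subnet
    return False

def translate(vip, src, dst, proto, dport):
    """Return (mapped_ip, mapped_port), or None when the VIP does not match."""
    if not _in_range(dst, *vip.ext_ip) or not _source_allowed(vip, src):
        return None
    # Assumption: ranges map one-to-one by offset from the first address/port.
    offset = int(ipaddress.ip_address(dst)) - int(ipaddress.ip_address(vip.ext_ip[0]))
    new_dst = str(ipaddress.ip_address(vip.mapped_ip[0]) + offset)
    if vip.ext_ports is None:
        return new_dst, dport                              # address-only static NAT
    if proto != vip.protocol or not vip.ext_ports[0] <= dport <= vip.ext_ports[1]:
        return None
    return new_dst, vip.mapped_ports[0] + (dport - vip.ext_ports[0])

# Internal_Webserver from the example; the source filter entries are constructed
# documentation addresses standing in for the remote users' IP addresses.
EXAMPLE_VIP = Vip(ext_ip=("172.13.100.27", "172.13.100.27"),
                  mapped_ip=("192.168.34.150", "192.168.34.150"),
                  protocol="tcp", ext_ports=(8080, 8080), mapped_ports=(80, 80),
                  src_filter=["203.0.113.10", "198.51.100.0/24"])
```

With an empty source filter, the same VIP matches any sender that can reach the external address on port 8080, which is why the filter matters for a server described as company use only.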
