Handbook

Virtual IPs

6.0.0
Virtual IPs

The mapping of a specific IP address to another specific IP address is usually referred to as Destination NAT. When the Central NAT Table is not being used, FortiOS calls this a Virtual IP Address, sometimes referred to as a VIP. FortiOS uses a DNAT or Virtual IP address to map an external IP address to an internal IP address. The mapped address does not have to be an individual host; it can also be an address range. This mapping can include all TCP/UDP ports, or, if Port Forwarding is enabled, only the specific ports configured. Because the Central NAT table is disabled by default, the term Virtual IP address or VIP will be used predominantly.

Virtual IP addresses are typically used to NAT external or Public IP addresses to internal or Private IP addresses. Using a Virtual IP address between 2 internal Interfaces made up of Private IP addresses is possible but there is rarely a reason to do so as the 2 networks can just use the IP addresses of the networks without the need for any address translation. Using a Virtual IP address for traffic going from the inside to the Internet is even less likely to be a requirement, but it is supported.

Something that needs to be considered when there are multiple Public IP addresses on the external interface(s) is that a Virtual IP address used without Port Forwarding enabled has a reciprocal effect on traffic flow. Normally, on a firewall policy where NAT is enabled, outgoing traffic has its internal address translated to the Public address assigned to the FortiGate interface. If there is a Virtual IP address with no port forwarding enabled, however, the Internal IP address in the Mapped field is instead translated to the IP address configured as the External Address in the VIP settings.

Example
  • The assigned External address (WAN1) of the FortiGate unit is 172.12.96.3 with a subnet mask of 255.255.255.128
  • There is a Virtual IP address set up to map the external address 172.12.96.127 on WAN1 to the internal IP address of 192.168.1.127
  • Port Forwarding is not enabled because you want all allowed traffic going to the external IP address to go to this server.

In this case any outbound traffic from 192.168.1.127 will go out on WAN1 with the IP address of 172.12.96.127 as the source IP address.

In terms of actually using the Virtual IP address, it is used in security policies in the same places that other addresses would be used, usually as a Destination Address.
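As an added illustration (not FortiOS code and not part of this handbook), the following Python model encodes the two rules described above: inbound DNAT to the mapped address, and the reciprocal outbound SNAT that a VIP without port forwarding causes. It uses the WAN1 address and the 172.12.96.127 to 192.168.1.127 VIP from the example; the second VIP (172.12.96.100 TCP 443 to 192.168.1.50 port 8443) is a constructed port-forwarding VIP added for contrast. That VIPs are evaluated in list order and that address ranges map positionally are assumptions of the model.

```python
"""Model of static VIP behaviour (added illustration, not FortiOS code).

Assumed behaviour, taken from the handbook text:
  * inbound traffic to a VIP's external address is DNATed to the mapped address;
  * a VIP *without* port forwarding is a 1:1 static map, so outbound traffic from
    the mapped host is SNATed to the VIP's external address instead of the
    interface IP (the "reciprocal effect");
  * a VIP *with* port forwarding only covers its configured protocol/port and
    does not change outbound source selection.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VIP:
    name: str
    extip_start: IPv4Address
    extip_end: IPv4Address          # equal to extip_start for a single host
    mappedip_start: IPv4Address
    portforward: bool = False
    protocol: str = "tcp"           # only meaningful when portforward is True
    extport: Optional[int] = None
    mappedport: Optional[int] = None

    def covers_external(self, ip: IPv4Address) -> bool:
        return self.extip_start <= ip <= self.extip_end

    def covers_mapped(self, ip: IPv4Address) -> bool:
        size = int(self.extip_end) - int(self.extip_start)
        return self.mappedip_start <= ip <= self.mappedip_start + size

    def mapped_for(self, ext_ip: IPv4Address) -> IPv4Address:
        # Assumption: ranges map positionally, nth external -> nth mapped address.
        return self.mappedip_start + (int(ext_ip) - int(self.extip_start))


def dnat_inbound(vips: List[VIP], dst_ip: str, proto: str,
                 dst_port: int) -> Optional[Tuple[IPv4Address, int]]:
    """Return (mapped_ip, mapped_port) for an inbound packet, or None if no VIP matches."""
    dst = IPv4Address(dst_ip)
    for vip in vips:
        if not vip.covers_external(dst):
            continue
        if vip.portforward:
            if proto == vip.protocol and dst_port == vip.extport:
                return vip.mapped_for(dst), vip.mappedport
            continue  # a port-forward VIP only covers its configured port
        return vip.mapped_for(dst), dst_port  # static VIP: all ports translated
    return None


def snat_outbound_source(vips: List[VIP], iface_ip: str, src_ip: str) -> IPv4Address:
    """Pick the source address used for NAT-enabled outbound traffic from src_ip."""
    src = IPv4Address(src_ip)
    for vip in vips:
        if not vip.portforward and vip.covers_mapped(src):
            # Reciprocal effect: the static VIP's external address is used.
            return vip.extip_start + (int(src) - int(vip.mappedip_start))
    return IPv4Address(iface_ip)  # default: the interface's own address


WAN1_IP = "172.12.96.3"  # from the handbook example (mask 255.255.255.128)

VIPS = [
    # From the handbook example: no port forwarding, all ports map 1:1.
    VIP("web_server", IPv4Address("172.12.96.127"), IPv4Address("172.12.96.127"),
        IPv4Address("192.168.1.127")),
    # Constructed for contrast: port forwarding limits the VIP to TCP/443.
    VIP("app_pf", IPv4Address("172.12.96.100"), IPv4Address("172.12.96.100"),
        IPv4Address("192.168.1.50"), portforward=True, protocol="tcp",
        extport=443, mappedport=8443),
]

if __name__ == "__main__":
    print(dnat_inbound(VIPS, "172.12.96.127", "tcp", 22))    # static VIP: any port
    print(dnat_inbound(VIPS, "172.12.96.100", "tcp", 443))   # port forward match
    print(dnat_inbound(VIPS, "172.12.96.100", "tcp", 80))    # not forwarded
    print(snat_outbound_source(VIPS, WAN1_IP, "192.168.1.127"))  # reciprocal SNAT
    print(snat_outbound_source(VIPS, WAN1_IP, "192.168.1.50"))   # interface IP
```

The point to take from the model is the asymmetry in `snat_outbound_source`: only the static VIP changes the source address of outbound traffic, which is why a host behind a port-forwarding VIP still leaves through the interface address while 192.168.1.127 leaves as 172.12.96.127.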

UUID support for VIP

UUID is now supported for virtual IPs and virtual IP groups. This includes virtual IPs for IPv4, IPv6, NAT46, and NAT64. To view the UUID for these objects in a FortiGate unit's logs, log-uuid must be set to extended mode rather than policy-only (which only shows the policy UUID in a traffic log). UUID logging can only be configured through the CLI.

Syntax

config sys global
    set log-uuid {disable | policy-only | extended}
end

There is another type of address that the term “virtual IP address” commonly refers to, which is used in load balancing and similar configurations. In those cases, a number of devices share a separately created virtual IP address, and traffic sent to it can be delivered to any of those devices. In FortiOS these are referred to as Virtual Servers and are configured in the “Load Balance” section.

If Central-NAT is enabled in the CLI the GUI will be different.

Instead of VIP Type, the field label will be DNAT & VIP Type.

Instead of IPv4 the option will be IPv4 DNAT.

There will also be the additional setting of Source Interface Filter.

Commands to set central-nat:

config system settings
    set central-nat [enable | disable]
end

Creating a virtual IP

  1. Go to Policy & Objects > Virtual IPs.
  2. Select Create New. A drop-down menu is displayed. Select Virtual IP.
  3. From the VIP Type options, choose the type that matches the IP addressing involved. The choice depends on which IP version is on the external interface of the FortiGate unit and which is on the internal interface.

    The available options are:

    • IPv4 - IPv4 on both sides of the FortiGate Unit.
    • IPv6 - IPv6 on both sides of the FortiGate Unit.
    • NAT46 - Going from an IPv4 Network to an IPv6 Network.
    • NAT64 - Going from an IPv6 Network to an IPv4 Network.
  4. In the Name field, input a unique identifier for the Virtual IP.
  5. Input any additional information in the Comments field.
  6. The Color of the icons that represent the object in the GUI can be changed by clicking on the [Change] link and choosing from the 32 colors.

Because the configuration differs slightly for each type the next steps will be under a separate heading based on the VIP type.