Fortinet Document Library

VIP groups

Virtual IP addresses (VIPs) can be organized into groups. This is useful in scenarios where there are multiple VIPs that are used together in firewall policies. If the VIP group members change, or a group member's settings change (such as the IP address, port, or port mapping type), then those changes are automatically updated in the corresponding firewall policies.

The following table summarizes which VIP types are allowed and not allowed to be members of a VIP group:

| Group type | VIP types allowed as members | VIP types not allowed as members |
|---|---|---|
| IPv4 | Static NAT, Load balance, DNS translation, FQDN | Server load balance |
| IPv6 | Static NAT | Server load balance |

Different VIP types can be added to the same group.

To configure a VIP group in the GUI:
  1. Go to Policy & Objects > Virtual IPs and click Create New > Virtual IP Group.
  2. Set the Type to IPv4, IPv6, NAT46, or NAT64.
  3. Enter a name.
  4. Optionally, enter additional information in the Comments field.
  5. For IPv4 groups, select the Interface. Select a specific interface if all of the VIPs are on the same interface; otherwise, select any.
  6. Click the + in the Members field and select the members to add to the group.
  7. Click OK.

To configure an IPv4 VIP group in the CLI:

config firewall vipgrp
    edit <name>
        set interface <name>
        set member <vip1> <vip2> ...
    next
end

To configure an IPv6 VIP group in the CLI:

config firewall vipgrp6
    edit <name>
        set member <vip1> <vip2> ...
    next
end
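
A worked IPv4 example, added here and not taken from the Fortinet documentation: two port-forwarding VIPs on the same external interface are placed in one group, and the group is used as the destination of a single inbound policy. The object names, the interface names (wan1, dmz), and all addresses are constructed placeholders.

```fortios
# Two VIPs on the same external interface (type defaults to static NAT).
# Addresses are constructed sample values.
config firewall vip
    edit "web-vip"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.10.10"
        set portforward enable
        set extport 443
        set mappedport 443
    next
    edit "mail-vip"
        set extintf "wan1"
        set extip 203.0.113.11
        set mappedip "10.0.10.11"
        set portforward enable
        set extport 25
        set mappedport 25
    next
end

# Both members use wan1, so the group is bound to wan1 rather than "any".
config firewall vipgrp
    edit "dmz-vips"
        set interface "wan1"
        set member "web-vip" "mail-vip"
    next
end

# One inbound policy references the group instead of each VIP.
# Services are limited to the forwarded ports and traffic is logged.
config firewall policy
    edit 0
        set name "inbound-dmz"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "dmz-vips"
        set service "HTTPS" "SMTP"
        set schedule "always"
        set action accept
        set logtraffic all
    next
end
```

Because the policy references the group, adding a member to dmz-vips changes what this policy exposes without any edit to the policy itself, so treat group membership changes as policy changes during review.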
