Virtual IP with services

Virtual IP with services is a more flexible virtual IP mode. In this mode, you can map multiple services to a single port number.

This recipe shows how to use virtual IP with services enabled. This example has one public external IP address. We map TCP ports 8080, 8081, and 8082 to TCP port 80 on an internal WebServer. This allows remote connections to communicate with a server behind the firewall.

Sample configuration

To create a virtual IP with services using the GUI:
  1. Go to Policy & Objects > Virtual IPs.
  2. Click Create New and select Virtual IP.
  3. For VIP Type, select IPv4.
  4. Enter a unique name for the virtual IP and fill in the other fields.
  5. Configure the fields in the Network section. For example:
    • Set Interface to any.
    • Set External IP Address/Range to 10.1.100.199.
    • Set Mapped IP Address/Range to 172.16.200.55.
  6. Enable Optional Filters and then enable Services.
  7. In the Services field, click + to display the Services pane.
  8. In the Services pane, select TCP_8080, TCP_8081, and TCP_8082.
  9. Enable Port Forwarding.
  10. Set Map to Port to 80.
  11. Click OK.

To see the results:
  1. Apply the above virtual IP to the Firewall policy.
  2. The results are:
    • When 10.1.100.199:8080 is accessed from the external network, FortiGate maps it to 172.16.200.55:80 in the internal network.
    • When 10.1.100.199:8081 is accessed from the external network, FortiGate maps it to 172.16.200.55:80 in the internal network.
    • When 10.1.100.199:8082 is accessed from the external network, FortiGate maps it to 172.16.200.55:80 in the internal network.

To create a virtual IP with services using the CLI:
config firewall vip
    edit "WebServer_VIP_Services"
        set service "TCP_8080" "TCP_8081" "TCP_8082"
        set extip 10.1.100.199
        set extintf "any"
        set portforward enable
        set mappedip "172.16.200.55"
        set mappedport 80
    next
end
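
When reviewing what a VIP exposes, it helps to derive the external-to-internal mappings directly from a configuration backup. The following Python code is an added example, not part of the Fortinet recipe: it parses a `config firewall vip` block and lists each forwarded endpoint pair, and notes when the VIP is bound to interface any. It assumes custom service objects are named TCP_<port> as in this recipe; `parse_vips`, `exposure`, and `SAMPLE_CONFIG` are hypothetical names, and the sample is constructed from the CLI block above.

```python
import re
import shlex

# Constructed sample: the VIP block from this recipe as it would appear in a backup.
SAMPLE_CONFIG = '''config firewall vip
    edit "WebServer_VIP_Services"
        set service "TCP_8080" "TCP_8081" "TCP_8082"
        set extip 10.1.100.199
        set extintf "any"
        set portforward enable
        set mappedip "172.16.200.55"
        set mappedport 80
    next
end'''

def parse_vips(config_text):
    """Return {vip_name: {setting: [values]}} for each 'config firewall vip' entry."""
    vips, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)  # FortiOS quotes names and values
        if not tokens:
            continue
        if tokens[0] == "config":
            # depth 1 is the vip table itself; deeper levels are nested sub-tables
            if depth or tokens[1:] == ["firewall", "vip"]:
                depth += 1
        elif tokens[0] == "end" and depth:
            depth -= 1
        elif depth == 1 and tokens[0] == "edit":
            current = vips.setdefault(tokens[1], {})
        elif depth == 1 and tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
    return vips

def exposure(vip):
    """Return ([(external, internal), ...], [review findings]) for one parsed VIP."""
    findings = []
    if vip.get("extintf") == ["any"]:
        findings.append("extintf any: VIP matches traffic arriving on every interface")
    pairs = []
    for svc in vip.get("service", []):
        m = re.fullmatch(r"TCP_(\d+)", svc)  # assumption: service name encodes the port
        if not m:
            findings.append(f"{svc}: port not derivable from name, check the service object")
            continue
        pairs.append((f"{vip['extip'][0]}:{m.group(1)}",
                      f"{vip['mappedip'][0]}:{vip['mappedport'][0]}"))
    return pairs, findings
```
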
