Fortinet white logo
Fortinet white logo

Administration Guide

Static virtual IPs

Static virtual IPs

Static Virtual IPs (VIP) are used to map external IP addresses to internal IP addresses. This is also called destination NAT, where a packet's destination is being NAT'd, or mapped, to a different address.

Static VIPs are commonly used to map public IP addresses to resources behind the FortiGate that use private IP addresses. A static one-to-one VIP is when the entire port range is mapped. A port forwarding VIP is when the mapping is configured on a specific port or port range.

Some of the VIP configuration options are:

Setting

Description

VIP Type

  • IPv4 (config firewall vip) - The source and destination are both IPv4.

  • IPv6 (config firewall vip6) - The source and destination are both IPv6.

  • NAT46 (config firewall vip46) - The source if IPv4 and the destination is IPv6.

  • NAT64 (config firewall vip64) - The source if IPv6 and the destination is IPv4.

Note: IPv6 is only available when IPv6 is enabled in the Feature Visibility. NAT46 and NAT64 are only available when IPv6 and NAT46 & NAT64 are enabled in the Feature Visibility. IPv6 must be enabled so that the NAT46 & NAT64 option is available.

Interface (extintf)

The external interface that the firewall policy source interface must match.

For example, if the external interface is port1, then the VIP can be used in a policy from port1 to port3, but not in a policy from port2 to port3.

If the external interface is any, then the VIP can be used in any firewall policy.

Type (type)

  • Static NAT - Use an external IP address or address range.

  • FQDN - Use an external IP or FQDN address.

  • load-balance (CLI only) - Load balance traffic.

  • server-load-balance - Load balance traffic across multiple servers. SSL processing can be offloaded to the FortiGate. This type of VIP is configure from Policy & Objects > Virtual Servers.

  • dns-translation (CLI only) - DNS translation.

  • access-proxy - Used for ZTNA. See ZTNA HTTPS access proxy example for details.

External IP address/range (extip)

In a static NAT VIP, the external IP address is the IP address that the FortiGate listens for traffic on.

When the external interface in not any, 0.0.0.0 can be used to make the external IP address equivalent to the external interface's IP address.

The external IP address is also used to perform SNAT for the mapped server when the server outbound traffic with a destination interface that matches the external interface. The firewall policy must also have NAT enabled.

Mapped IP address/range (mappedip)

The address or range that the internal resource is being mapped to.

srcintf-filter (CLI only)

Listen for traffic to the external IP address only on the specified interface.

While the external interface restricts the policies where the VIP can be used, it does not restrict listening to only the external interface. To restrict listening to only a specific interface, srcint-filter must be configured.

nat-source-vip (CLI only)

Force all of the traffic from the mapped server to perform SNAT with the external IP address, regardless of the destination interface.

If srcint-filter is defined, then nat-source-vip only forces SNAT to be performed when the destination matches the srcintf-filter interface.

In both cases, the firewall policy must have NAT enabled.

arp-reply (CLI only)

Enable/disable responding to ARP requests on the external IP address (default = enable).

Source address (src-filter)

Restrict the source IP address, address range, or subnet that is allowed to access the VIP.

Services (service)

Set the services that are allowed to be mapped.

Port Forwarding (portforward)

Enable port forwarding to specify the port (mappedport) to map to

If no services are configured, you can configure the protocol (protocol) to use when forwarding packets, the external service port range (extport) to be mapped to a port range on the destination network, and the mapped port range (mappedport) on the destination network.

Sample configuration

To create a virtual IP in the GUI:
  1. In Policy & Objects > Virtual IPs and click Create New > Virtual IP.

  2. Select a VIP Type based on the IP versions used.

  3. Enter a unique name for the virtual IP.

  4. Enter values for the External IP address/range and Mapped to IP address/range fields:

  5. Click OK.

To create a virtual IP in the CLI:
config firewall vip
    edit "Internal_WebServer"
        set extip 10.1.100.199
        set extintf "any"
        set mappedip "172.16.200.55"
    next
end
To apply a virtual IP to policy in the CLI:
config firewall policy
    edit 8
        set name "Example_Virtual_IP_in_Policy"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Internal_WebServer"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Static virtual IPs

Static virtual IPs

Static Virtual IPs (VIP) are used to map external IP addresses to internal IP addresses. This is also called destination NAT, where a packet's destination is being NAT'd, or mapped, to a different address.

Static VIPs are commonly used to map public IP addresses to resources behind the FortiGate that use private IP addresses. A static one-to-one VIP is when the entire port range is mapped. A port forwarding VIP is when the mapping is configured on a specific port or port range.

Some of the VIP configuration options are:

Setting

Description

VIP Type

  • IPv4 (config firewall vip) - The source and destination are both IPv4.

  • IPv6 (config firewall vip6) - The source and destination are both IPv6.

  • NAT46 (config firewall vip46) - The source if IPv4 and the destination is IPv6.

  • NAT64 (config firewall vip64) - The source if IPv6 and the destination is IPv4.

Note: IPv6 is only available when IPv6 is enabled in the Feature Visibility. NAT46 and NAT64 are only available when IPv6 and NAT46 & NAT64 are enabled in the Feature Visibility. IPv6 must be enabled so that the NAT46 & NAT64 option is available.

Interface (extintf)

The external interface that the firewall policy source interface must match.

For example, if the external interface is port1, then the VIP can be used in a policy from port1 to port3, but not in a policy from port2 to port3.

If the external interface is any, then the VIP can be used in any firewall policy.

Type (type)

  • Static NAT - Use an external IP address or address range.

  • FQDN - Use an external IP or FQDN address.

  • load-balance (CLI only) - Load balance traffic.

  • server-load-balance - Load balance traffic across multiple servers. SSL processing can be offloaded to the FortiGate. This type of VIP is configure from Policy & Objects > Virtual Servers.

  • dns-translation (CLI only) - DNS translation.

  • access-proxy - Used for ZTNA. See ZTNA HTTPS access proxy example for details.

External IP address/range (extip)

In a static NAT VIP, the external IP address is the IP address that the FortiGate listens for traffic on.

When the external interface in not any, 0.0.0.0 can be used to make the external IP address equivalent to the external interface's IP address.

The external IP address is also used to perform SNAT for the mapped server when the server outbound traffic with a destination interface that matches the external interface. The firewall policy must also have NAT enabled.

Mapped IP address/range (mappedip)

The address or range that the internal resource is being mapped to.

srcintf-filter (CLI only)

Listen for traffic to the external IP address only on the specified interface.

While the external interface restricts the policies where the VIP can be used, it does not restrict listening to only the external interface. To restrict listening to only a specific interface, srcint-filter must be configured.

nat-source-vip (CLI only)

Force all of the traffic from the mapped server to perform SNAT with the external IP address, regardless of the destination interface.

If srcint-filter is defined, then nat-source-vip only forces SNAT to be performed when the destination matches the srcintf-filter interface.

In both cases, the firewall policy must have NAT enabled.

arp-reply (CLI only)

Enable/disable responding to ARP requests on the external IP address (default = enable).

Source address (src-filter)

Restrict the source IP address, address range, or subnet that is allowed to access the VIP.

Services (service)

Set the services that are allowed to be mapped.

Port Forwarding (portforward)

Enable port forwarding to specify the port (mappedport) to map to

If no services are configured, you can configure the protocol (protocol) to use when forwarding packets, the external service port range (extport) to be mapped to a port range on the destination network, and the mapped port range (mappedport) on the destination network.

Sample configuration

To create a virtual IP in the GUI:
  1. In Policy & Objects > Virtual IPs and click Create New > Virtual IP.

  2. Select a VIP Type based on the IP versions used.

  3. Enter a unique name for the virtual IP.

  4. Enter values for the External IP address/range and Mapped to IP address/range fields:

  5. Click OK.

To create a virtual IP in the CLI:
config firewall vip
    edit "Internal_WebServer"
        set extip 10.1.100.199
        set extintf "any"
        set mappedip "172.16.200.55"
    next
end
To apply a virtual IP to policy in the CLI:
config firewall policy
    edit 8
        set name "Example_Virtual_IP_in_Policy"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Internal_WebServer"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end