Static virtual IPs
Static virtual IPs (VIPs) map external IP addresses to internal IP addresses. This is also called destination NAT (DNAT): the packet's destination address is NAT'd, or mapped, to a different address before the packet is forwarded.
Static VIPs are commonly used to map public IP addresses to resources behind the FortiGate that use private IP addresses. A static one-to-one VIP maps the entire port range of the external address to the internal address; a port forwarding VIP maps only a specific port or port range.
Some of the VIP configuration options are:

| Setting | Description |
|---|---|
| VIP Type | IPv4, IPv6, NAT46, or NAT64. IPv6 is only available when IPv6 is enabled in Feature Visibility; NAT46 and NAT64 are only available when both IPv6 and NAT46 & NAT64 are enabled in Feature Visibility. |
| Interface (extintf) | The external interface that the firewall policy's source interface must match. For example, if the external interface is port1, the VIP can be used in a policy from port1 to port3, but not in a policy from port2 to port3. If the external interface is any, the VIP can be used in any firewall policy. |
| Type | The VIP type. This page covers the static NAT type: a one-to-one mapping of the entire port range, or, with port forwarding enabled, of a specific port or port range. |
| External IP address/range (extip) | In a static NAT VIP, the external IP address is the address on which the FortiGate listens for traffic. When the external interface is not any, 0.0.0.0 can be used to make the external IP address equivalent to the external interface's own IP address. The external IP address is also used to SNAT the mapped server's outbound traffic when that traffic's destination interface matches the external interface; the firewall policy must also have NAT enabled. |
| Mapped IP address/range (mappedip) | The internal address or range that the external address is mapped to. |
| Listen only on the external interface | Listen for traffic to the external IP address only on the specified interface. The external interface setting restricts the policies in which the VIP can be used, but by itself it does not restrict listening to that interface; enable this setting to restrict listening to the specified interface. |
| Force SNAT with the external IP | Force all traffic from the mapped server to be SNAT'd to the external IP address, regardless of the destination interface. With or without this setting, the firewall policy must have NAT enabled. |
| ARP reply | Enable or disable responding to ARP requests for the external IP address (default = enable). |
| Source address | Restrict the source IP address, address range, or subnet that is allowed to access the VIP. |
| Services | Set the services that are allowed to be mapped. |
| Port Forwarding | Enable port forwarding to specify the external port and the port it is mapped to on the internal address. If no services are configured, you can also configure the protocol. |
Sample configuration
To create a virtual IP in the GUI:
1. Go to Policy & Objects > Virtual IPs and click Create New > Virtual IP.
2. Select a VIP Type based on the IP versions used.
3. Enter a unique name for the virtual IP.
4. Enter values for the External IP address/range and Mapped to IP address/range fields.
5. Click OK.
To create a virtual IP in the CLI:

```
config firewall vip
    edit "Internal_WebServer"
        set extip 10.1.100.199
        set extintf "any"
        set mappedip "172.16.200.55"
    next
end
```

To apply a virtual IP to a policy in the CLI:

```
config firewall policy
    edit 8
        set name "Example_Virtual_IP_in_Policy"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Internal_WebServer"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Because this is a one-to-one VIP without port forwarding, and the policy allows srcaddr "all" and service "ALL", every port on 172.16.200.55 is reachable from any host that can reach wan2. In production, restrict the policy's service and source address (or the VIP's source address filter), or use a port forwarding VIP that maps only the port the server actually offers. Note also that set nat enable on this inbound policy source-NATs the client to the FortiGate's internal interface address, so the server sees the FortiGate's address rather than the client's real IP in its logs.
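The interface-matching rule from the options table and the exposure caveat on the sample policy above are mechanical enough to check automatically. The following is an added example (not Fortinet code and not part of this page) that parses the config/edit/set/next/end CLI format into dictionaries and audits every policy that references a VIP. The input is constructed: it reuses the page's own VIP and policy 8, and adds a hypothetical port-forwarding VIP "Internal_RDP" and a hypothetical policy 9. The keywords portforward, extport, mappedport and src-filter are assumed CLI spellings for the Port Forwarding and Source address options; the parser treats all keys as opaque, so they can be adjusted to match a given FortiOS release.

```python
"""Audit FortiGate VIP and policy snippets against the rules described above."""
import shlex

# Constructed input. Internal_WebServer and policy 8 are the page's sample;
# Internal_RDP and policy 9 are hypothetical. portforward/extport/mappedport/
# src-filter are assumed CLI keywords for Port Forwarding and Source address.
SAMPLE_CONFIG = """
config firewall vip
    edit "Internal_WebServer"
        set extip 10.1.100.199
        set extintf "any"
        set mappedip "172.16.200.55"
    next
    edit "Internal_RDP"
        set extip 10.1.100.200
        set extintf "wan1"
        set mappedip "172.16.200.56"
        set portforward enable
        set extport 3389
        set mappedport 3389
        set src-filter "203.0.113.0/24"
    next
end
config firewall policy
    edit 8
        set name "Example_Virtual_IP_in_Policy"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Internal_WebServer"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 9
        set name "RDP_from_wrong_interface"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Internal_RDP"
        set action accept
        set schedule "always"
        set service "RDP"
        set nat enable
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {table: {id: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # honours the "quoted" values used by the CLI
        if not tokens:
            continue
        verb, args = tokens[0], tokens[1:]
        if verb == "config":
            table = tables.setdefault(" ".join(args), {})
        elif verb == "edit":
            entry = table.setdefault(args[0], {})
        elif verb == "set":
            entry[args[0]] = args[1:]
        elif verb == "next":
            entry = None
        elif verb == "end":
            table = None
    return tables


def vip_exposure(vip):
    """Describe what a static VIP exposes: one forwarded port or the whole range."""
    if vip.get("portforward", ["disable"])[0] == "enable":
        return "port " + vip["extport"][0]
    return "entire port range"


def audit(text):
    """Return [(policy_id, finding)] for every policy that references a VIP."""
    cfg = parse_fortios(text)
    vips = cfg.get("firewall vip", {})
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        srcintf = pol.get("srcintf", [])
        for name in pol.get("dstaddr", []):
            vip = vips.get(name)
            if vip is None:
                continue
            # Table rule: policy srcintf must match the VIP extintf unless that
            # is "any". A policy with srcintf any is assumed to satisfy it.
            extintf = vip.get("extintf", ["any"])[0]
            if extintf != "any" and extintf not in srcintf and "any" not in srcintf:
                findings.append((pid, f"VIP {name} is bound to {extintf} but the policy srcintf is {srcintf}"))
            # srcaddr all + service ALL on a one-to-one VIP with no source filter
            # exposes every port of the mapped host to anyone facing that interface.
            wide_open = pol.get("srcaddr") == ["all"] and pol.get("service") == ["ALL"]
            if wide_open and "src-filter" not in vip and vip_exposure(vip) == "entire port range":
                findings.append((pid, f"VIP {name} exposes the entire port range of {vip['mappedip'][0]} to any source"))
    return findings


if __name__ == "__main__":
    for pid, msg in audit(SAMPLE_CONFIG):
        print(f"policy {pid}: {msg}")
```

Run against the constructed input, the audit reports policy 8 for exposing the entire port range of 172.16.200.55 to any source, and policy 9 because its srcintf wan2 does not match the VIP's extintf wan1 (the FortiGate would not accept that policy in the first place, which is exactly the rule the table states). The parser is deliberately format-only: feeding it a `show firewall vip` / `show firewall policy` export from a real unit works the same way, but any VIP setting not listed on this page is just another key/value pair to it.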