Fortinet white logo
Fortinet white logo

Administration Guide

Static virtual IPs

Static virtual IPs

Static Virtual IPs (VIP) are used to map external IP addresses to internal IP addresses. This is also called destination NAT, where a packet's destination is being NAT'd, or mapped, to a different address.

Static VIPs are commonly used to map public IP addresses to resources behind the FortiGate that use private IP addresses. A static one-to-one VIP is when the entire port range is mapped. A port forwarding VIP is when the mapping is configured on a specific port or port range.

When Central NAT is enabled, DNAT is no longer configured on the Policy & Objects > Virtual IPs page and is instead configured on the Policy & Objects > DNAT & Virtual IPs page. See Central DNAT for more information.

Sample configuration

To create a virtual IP in the GUI:
  1. Go to Policy & Objects > Virtual IPs or, if Central NAT is enabled, Policy & Objects > DNAT & Virtual IPs.

  2. Select the Virtual IP or IPv6 Virtual IP tab based on the IP versions used.

  3. Click Create new.

  4. Enter a unique name for the virtual IP.

  5. Enter values for the external IP address/range and map to IPv4/IPv6 address/range fields.

  6. Click OK.

To create a virtual IP in the CLI:
config firewall vip
    edit "Internal_WebServer"
        set extip 10.1.100.199
        set extintf "any"
        set mappedip "172.16.200.55"
    next
end
To apply a virtual IP to policy in the CLI:
config firewall policy
    edit 8
        set name "Example_Virtual_IP_in_Policy"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Internal_WebServer"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

IP pools and VIPs as local IP addresses

IP pools and VIPs are considered local IP addresses if responding to ARP requests on these external IP addresses is enabled (set arp-reply enable, by default). In this case, the FortiGate is considered a destination for those IP addresses and can receive reply traffic at the application layer successfully.

However, as a side-effect, once an IP pool or VIP has been configured, even if it is never used in a firewall policy, the FortiGate considers it as a local address and will not forward traffic based on the routing table. Therefore, any unused IP pools or VIPs should be deleted to prevent any unexpected behavior.

Caution

For a history of behaviour changes related to IP pools and VIPs, see Technical Tip: IP pool and virtual IP behaviour changes in FortiOS 6.4, 7.0, 7.2, and 7.4.

Community Links

Static virtual IPs

Static virtual IPs

Static Virtual IPs (VIP) are used to map external IP addresses to internal IP addresses. This is also called destination NAT, where a packet's destination is being NAT'd, or mapped, to a different address.

Static VIPs are commonly used to map public IP addresses to resources behind the FortiGate that use private IP addresses. A static one-to-one VIP is when the entire port range is mapped. A port forwarding VIP is when the mapping is configured on a specific port or port range.

When Central NAT is enabled, DNAT is no longer configured on the Policy & Objects > Virtual IPs page and is instead configured on the Policy & Objects > DNAT & Virtual IPs page. See Central DNAT for more information.

Sample configuration

To create a virtual IP in the GUI:
  1. Go to Policy & Objects > Virtual IPs or, if Central NAT is enabled, Policy & Objects > DNAT & Virtual IPs.

  2. Select the Virtual IP or IPv6 Virtual IP tab based on the IP versions used.

  3. Click Create new.

  4. Enter a unique name for the virtual IP.

  5. Enter values for the external IP address/range and map to IPv4/IPv6 address/range fields.

  6. Click OK.

To create a virtual IP in the CLI:
config firewall vip
    edit "Internal_WebServer"
        set extip 10.1.100.199
        set extintf "any"
        set mappedip "172.16.200.55"
    next
end
To apply a virtual IP to policy in the CLI:
config firewall policy
    edit 8
        set name "Example_Virtual_IP_in_Policy"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Internal_WebServer"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

IP pools and VIPs as local IP addresses

IP pools and VIPs are considered local IP addresses if responding to ARP requests on these external IP addresses is enabled (set arp-reply enable, by default). In this case, the FortiGate is considered a destination for those IP addresses and can receive reply traffic at the application layer successfully.

However, as a side-effect, once an IP pool or VIP has been configured, even if it is never used in a firewall policy, the FortiGate considers it as a local address and will not forward traffic based on the routing table. Therefore, any unused IP pools or VIPs should be deleted to prevent any unexpected behavior.

Caution

For a history of behaviour changes related to IP pools and VIPs, see Technical Tip: IP pool and virtual IP behaviour changes in FortiOS 6.4, 7.0, 7.2, and 7.4.