Static virtual IPs
Static Virtual IPs (VIP) are used to map external IP addresses to internal IP addresses. This is also called destination NAT, where a packet's destination is being NAT'd, or mapped, to a different address.
Static VIPs are commonly used to map public IP addresses to resources behind the FortiGate that use private IP addresses. A static one-to-one VIP maps the entire port range of the external address to the mapped address. A port forwarding VIP maps only a specific port or port range, and can translate the port number as well as the address.
When Central NAT is enabled, DNAT is no longer configured on the Policy & Objects > Virtual IPs page and is instead configured on the Policy & Objects > DNAT & Virtual IPs page. See Central DNAT for more information.
Sample configuration
To create a virtual IP in the GUI:
- Go to Policy & Objects > Virtual IPs or, if Central NAT is enabled, Policy & Objects > DNAT & Virtual IPs.
- Select the Virtual IP or IPv6 Virtual IP tab based on the IP version used.
- Click Create new.
- Enter a unique name for the virtual IP.
- Enter values for the External IP address/range and Map to IPv4/IPv6 address/range fields.
- Click OK.
To create a virtual IP in the CLI:
    config firewall vip
        edit "Internal_WebServer"
            set extip 10.1.100.199
            set extintf "any"
            set mappedip "172.16.200.55"
        next
    end
To apply a virtual IP to policy in the CLI:
    config firewall policy
        edit 8
            set name "Example_Virtual_IP_in_Policy"
            set srcintf "wan2"
            set dstintf "internal"
            set srcaddr "all"
            set dstaddr "Internal_WebServer"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
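The one-to-one VIP above exposes every port of 172.16.200.55. The following is an added example (not configuration from the original page) showing the port forwarding form described earlier: only external TCP port 443 is published, and it is translated to port 8443 on the same server. The names Internal_WebServer_HTTPS and policy ID 9 are assumptions; the addresses are the ones used on this page.

```fortios
# Port forwarding VIP: external TCP/443 on 10.1.100.199 -> 172.16.200.55:8443.
# Binding extintf to "wan2" instead of "any" limits which interface the
# FortiGate accepts the mapping on.
config firewall vip
    edit "Internal_WebServer_HTTPS"
        set extip 10.1.100.199
        set extintf "wan2"
        set mappedip "172.16.200.55"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 8443
    next
end

# The policy matches on the pre-NAT (external) port, so the service is HTTPS
# (TCP/443), not 8443. Source NAT is left at its default (disabled) so the
# web server logs the real client address rather than the FortiGate's
# internal interface address.
config firewall policy
    edit 9
        set name "Publish_WebServer_HTTPS"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Internal_WebServer_HTTPS"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
    next
end
```

Restricting the VIP to a single service and a single ingress interface is the least-privilege form of the mapping: nothing other than TCP/443 arriving on wan2 can reach the server through this VIP. The `set nat enable` in the page's own policy example is a valid choice when the server has no route back to the client networks, but it hides the client's source address from the server.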
IP pools and VIPs as local IP addresses
IP pools and VIPs are considered local IP addresses if responding to ARP requests on their external IP addresses is enabled (set arp-reply enable, which is the default). In that case the FortiGate answers ARP for those addresses, is treated as the destination for them, and can successfully receive reply traffic at the application layer.
However, as a side effect, once an IP pool or VIP has been configured, the FortiGate treats its external address as local even if the object is never referenced in a firewall policy, and traffic destined for that address is no longer forwarded according to the routing table. Therefore, any unused IP pools or VIPs should be deleted to prevent unexpected behavior.
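As an added example of the cleanup recommended above (not commands from the original page), the following CLI sequence lists the configured VIPs, checks whether a given VIP is still referenced by a policy, deletes one that is not, and shows the arp-reply setting for a VIP whose external address must keep being routed by the FortiGate rather than claimed by it. The VIP name Old_Test_VIP is an assumption; Internal_WebServer is the VIP from this page.

```fortios
# List the names of all configured VIPs, then check whether a VIP is still
# referenced anywhere in the policy table (no output means it is unused).
show firewall vip | grep edit
show firewall policy | grep "Old_Test_VIP"

# Remove a VIP that no policy references. The FortiGate refuses the delete
# with an "entry is used" error if some policy still points at it, which is
# itself a useful check.
config firewall vip
    delete "Old_Test_VIP"
end

# For a VIP that must stay configured but whose external address should not be
# answered for on the wire, disable the ARP reply. The FortiGate then no longer
# claims the address locally; the upstream router needs a route for
# 10.1.100.199 pointing at the FortiGate for the mapping to keep working.
config firewall vip
    edit "Internal_WebServer"
        set arp-reply disable
    next
end
```

Leaving arp-reply enabled is the right default for a VIP on a directly connected external subnet; disable it only when another device legitimately owns that address on the segment, or when the address is routed to the FortiGate rather than resolved by ARP.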
For a history of behaviour changes related to IP pools and VIPs, see Technical Tip: IP pool and virtual IP behaviour changes in FortiOS 6.4, 7.0, 7.2, and 7.4.