
Administration Guide

Virtual IPs with port forwarding

If you need to hide the internal server port number or map several internal servers to the same public IP address, enable port forwarding on the virtual IP.

This topic shows how to use virtual IPs to configure port forwarding on a FortiGate unit. This example has one public external IP address. TCP ports 8080, 8081, and 8082 on that address are mapped to TCP port 80 on three different internal web servers. This allows remote connections to communicate with the servers behind the firewall.

Sample configuration

To create a virtual IP with port forwarding in the GUI:
  1. Go to Policy & Objects > Virtual IPs and select the Virtual IP tab.

  2. Click Create new.

  3. Enter a unique name for the virtual IP.

  4. Configure the fields in the Network section. For example:

    • Set Interface to any.

    • Set External IP Address/Range to 10.1.100.199.

    • Set Mapped IP Address/Range to 172.16.200.55.

  5. Leave Optional Filters disabled.

  6. Enable Port Forwarding and configure the fields. For example:

    • Set Protocol to TCP.

    • Set External Service Port to 8080.

    • Set Map to IPv4 port to 80.

  7. Click OK.

  8. Follow the above steps to create two additional virtual IPs.

    1. For one virtual IP:

      • Use a different Mapped IP Address/Range, for example 172.16.200.56.

      • Set External Service Port to 8081.

      • Use the same Map to IPv4 port number: 80.

    2. For the other virtual IP:

      • Use a different Mapped IP Address/Range, for example 172.16.200.57.

      • Set External Service Port to 8082.

      • Use the same Map to IPv4 port number: 80.

  9. Create a Virtual IP Group and put the above three virtual IPs into that group:

    1. Go to Policy & Objects > Virtual IPs and select the Virtual IP Group tab.

    2. Click Create new.

    3. Enter a name for the group.

    4. Add the three previously created virtual IPs as members.

    5. Click OK.

To see the results:
  1. Apply the above virtual IP to the Firewall policy.

  2. The results are:

    • When 10.1.100.199:8080 is accessed from the external network, FortiGate maps it to 172.16.200.55:80 in the internal network.

    • When 10.1.100.199:8081 is accessed from the external network, FortiGate maps it to 172.16.200.56:80 in the internal network.

    • When 10.1.100.199:8082 is accessed from the external network, FortiGate maps it to 172.16.200.57:80 in the internal network.
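
To review the exposure these virtual IPs create, the following added example (not part of the original guide and not Fortinet code) parses a CLI rendering of the three VIPs, rebuilds the external-to-internal forwarding table, and flags any two VIPs that claim the same external IP, protocol, and port. The object names web1 to web3 and the sample text are constructed for illustration; the parser assumes single external ports rather than port ranges and treats a missing protocol setting as TCP.

```python
import re
from collections import defaultdict

# Constructed sample: CLI form of the three VIPs created in the GUI steps above.
# The names web1..web3 are hypothetical.
TEMPLATE = '''    edit "{name}"
        set extip 10.1.100.199
        set mappedip "{ip}"
        set extintf "any"
        set portforward enable
        set extport {port}
        set mappedport 80
    next
'''
SERVERS = [("web1", "172.16.200.55", 8080), ("web2", "172.16.200.56", 8081),
           ("web3", "172.16.200.57", 8082)]
SAMPLE_CONFIG = ("config firewall vip\n"
                 + "".join(TEMPLATE.format(name=n, ip=i, port=p) for n, i, p in SERVERS)
                 + "end\n")

def parse_vips(text):
    """Return {vip_name: {setting: value}} for every edit block."""
    vips, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r'edit "?([^"]+)"?$', line):
            current = vips.setdefault(m.group(1), {})
        elif (m := re.match(r'set (\S+) "?([^"]+)"?$', line)) and current is not None:
            current[m.group(1)] = m.group(2)
        elif line == "next":
            current = None
    return vips

def forwarding_table(vips):
    """Map (extip, protocol, extport) -> [(vip_name, mappedip, mappedport), ...]."""
    table = defaultdict(list)
    for name, v in vips.items():
        if v.get("portforward") != "enable":
            continue  # not a port-forwarding VIP; out of scope for this check
        key = (v["extip"], v.get("protocol", "tcp"), int(v["extport"]))
        table[key].append((name, v["mappedip"], int(v["mappedport"])))
    return dict(table)

def collisions(table):
    """External tuples claimed by more than one VIP (ambiguous mapping)."""
    return {key: targets for key, targets in table.items() if len(targets) > 1}

def translate(table, extip, port, protocol="tcp"):
    """Internal (ip, port) an external connection reaches, or None if unmapped."""
    targets = table.get((extip, protocol, port))
    return (targets[0][1], targets[0][2]) if targets else None
```

Any external port that `translate` resolves is reachable from outside once the VIP group is referenced by a policy, so the table doubles as an inventory of published services.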
