Administration Guide

Configuring VIP groups

Virtual IP addresses (VIPs) can be organized into groups. After creating the VIP group, add it to a firewall policy.

VIP groups are useful when multiple VIPs are used together in firewall policies. If the VIP group members change, or a group member's settings change (such as the IP address, port, or port mapping type), then those changes are automatically updated in the corresponding firewall policies.

The following table summarizes which VIP types are allowed and not allowed to be members of a VIP group:

Group type: IPv4

  VIP types allowed as members:

  • Static NAT

  • Load balance

  • DNS translation

  • FQDN

  VIP types not allowed as members:

  • Access proxy

  • Server load balance

Group type: IPv6

  VIP types allowed as members:

  • Static NAT

  VIP types not allowed as members:

  • Access proxy

  • Server load balance

Different VIP types can be added to the same group.

To configure a VIP group in the GUI:
  1. Go to Policy & Objects > Virtual IPs.

  2. Navigate to the Virtual IP Group or IPv6 Virtual IP Group tab.

  3. Click Create new.

  4. Enter a name.

  5. Optionally, enter additional information in the Comments field.

  6. For IPv4 groups, select the Interface. Select a specific interface if all of the VIPs are on the same interface; otherwise, select any.

  7. Click the + in the Members field and select the members to add to the group.

  8. Click OK.

To configure an IPv4 VIP group in the CLI:
config firewall vipgrp
    edit <name>
        set interface <name>
        set member <vip1> <vip2> ...
    next
end

To configure an IPv6 VIP group in the CLI:
config firewall vipgrp6
    edit <name>
        set member <vip1> <vip2> ...
    next
end
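
The following is an added example, not part of the Fortinet guide: a Python check that reads a configuration file and reports IPv4 VIP group members that break the two rules above (member type, and group interface when the VIPs are on different interfaces). It treats access proxy and server load balance as the types that cannot be members, and it assumes that an unset type means static-nat and an unset interface means any; the object names in the sample are constructed.

```python
import shlex

# "set type" values of the member types the guide's table allows (IPv4 row).
ALLOWED_TYPES = {"static-nat", "load-balance", "dns-translation", "fqdn"}
# Constructed sample config; object and interface names are made up.
SAMPLE = """
config firewall vip
    edit "web-vip"
        set extintf "wan1"
    next
    edit "slb-vip"
        set type server-load-balance
        set extintf "wan2"
    next
end
config firewall vipgrp
    edit "dmz-services"
        set interface "wan1"
        set member "web-vip" "slb-vip"
    next
end
"""

def parse(text):
    tables, table, entry, depth = {}, None, None, 0  # depth skips nested tables
    for line in text.splitlines():
        tok = shlex.split(line) or [""]  # single-line values only
        depth += (tok[0] == "config") - (tok[0] == "end")
        if tok[0] == "config" and depth == 1:
            table, entry = tables.setdefault(" ".join(tok[1:]), {}), None
        elif depth == 1 and tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tables  # {table: {entry: {option: [values]}}}

def audit_vip_groups(text):
    # One (group, member, problem) per broken rule; defaults below are assumed.
    cfg, findings = parse(text), []
    vips = cfg.get("firewall vip", {})
    for grp, opts in cfg.get("firewall vipgrp", {}).items():
        grp_if = opts.get("interface", ["any"])[0]
        for m in opts.get("member", []):
            vip = vips.get(m, {})
            if vip.get("type", ["static-nat"])[0] not in ALLOWED_TYPES:
                findings.append((grp, m, "member type not allowed"))
            if grp_if not in ("any", vip.get("extintf", ["any"])[0]):
                findings.append((grp, m, "interface differs from group"))
    return findings
```

Running audit_vip_groups(SAMPLE) reports slb-vip twice: once for its type and once because it sits on wan2 while the group is bound to wan1.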