Create or edit a virtual IP
Virtual IPs can be configured for IPv4 and then be added to a policy. FortiProxy does not check whether VIPs overlap. As a result, you can configure multiple VIPs with the same external interface and IP. However, you can view overlapping VIPs in the security rating report. See Viewing VIP overlap in security rating reports.
To configure a VIP in the GUI:
- Go to Policy & Objects > Virtual IPs.
- Click Create New and select Virtual IP.
- Configure the following settings:
Name: Enter a name for the VIP.
Comments: Enter a description of the VIP.
Network
Interface (extintf): The external interface that the policy source interface must match. For example, if the external interface is port1, then the VIP can be used in a policy from port1 to port3, but not in a policy from port2 to port3. If the external interface is any, then the VIP can be used in any policy.
External IP address/range (extip): In a static NAT VIP, the external IP address is the IP address that the FortiProxy listens for traffic on. When the external interface is not any, 0.0.0.0 can be used to make the external IP address equivalent to the external interface's IP address. The external IP address is also used to perform SNAT for the mapped server when the server's outbound traffic has a destination interface that matches the external interface. The policy must also have NAT enabled.
Mapped IP addresses (mappedip): The IPv4 address or range that the internal resource is being mapped to.
Type (type): Type of the virtual IP:
- Static NAT - Use an external IP address or address range.
- Access Proxy - Used for ZTNA. See ZTNA HTTPS access proxy example for details.
Port Forwarding (portforward): Enable port forwarding and display additional options, such as the port (mappedport) to map to. See Virtual IPs with port forwarding for more information.
Protocol (protocol): Select the protocol to use when forwarding packets to the port.
External service port (extport): Enter the external service port range to be mapped to a port range on the destination network.
Map to port (mappedport): Enter the mapped IPv4 port range on the destination network.
- Click OK to save the VIP.
To create a virtual IP in the CLI:
config firewall vip
edit "Internal_WebServer"
set extip 10.1.100.199
set extintf "any"
set mappedip "172.16.200.55"
next
end
To apply a virtual IP to policy in the CLI:
config firewall policy
edit 8
set name "Example_Virtual_IP_in_Policy"
set srcintf "wan2"
set dstintf "internal"
set srcaddr "all"
set dstaddr "Internal_WebServer"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
Viewing VIP overlap in security rating reports
There is no overlap check for VIPs, so there are no constraints when configuring multiple VIPs with the same external interface and IP. A new security rating report alerts users of any VIP overlaps.
To configure two VIPs with the same external interface and IP:
config firewall vip
edit "test-vip44-1"
set extip 10.1.100.154
set mappedip "172.16.200.156"
set extintf "port24"
next
edit "test-vip44-1_clone"
set extip 10.1.100.154
set mappedip "172.16.200.156"
set extintf "port24"
set src-filter 10.1.100.11
next
end
No error message appears regarding the overlapping VIPs.
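Because the CLI accepts overlapping VIPs without an error, an exported configuration can also be audited offline. The following Python code is an added example, not part of the FortiProxy documentation: it parses config firewall vip text and reports pairs of VIPs that share an external interface and at least one external IP. The function names, the a-b range syntax for extip, and the handling of a missing extintf (treated as any) or extip (treated as 0.0.0.0) are assumptions; extport and src-filter are not considered.

```python
import ipaddress
import shlex
from itertools import combinations

# Constructed sample, based on the two overlapping VIPs shown on this page.
SAMPLE = '''config firewall vip
edit "test-vip44-1"
set extip 10.1.100.154
set extintf "port24"
next
edit "test-vip44-1_clone"
set extip 10.1.100.154
set extintf "port24"
set src-filter 10.1.100.11
next
end'''

def parse_vips(text):
    """Return {vip_name: {setting: value}} for top-level 'config firewall vip' entries."""
    vips, name, depth, in_vip = {}, None, 0, False
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "config":
            depth += 1  # nested config blocks inside a VIP are skipped via depth
            in_vip = tok[1:] == ["firewall", "vip"] if depth == 1 else in_vip
        elif tok[0] == "end":
            depth -= 1
        elif in_vip and depth == 1 and tok[0] == "edit" and len(tok) > 1:
            name = tok[1]
            vips[name] = {}
        elif in_vip and depth == 1 and tok[0] == "set" and name and len(tok) > 2:
            vips[name][tok[1]] = " ".join(tok[2:])
    return vips

def ext_range(vip):
    """(first, last) external IPv4 address; 'a-b' syntax and 0.0.0.0 default are assumptions."""
    lo, _, hi = vip.get("extip", "0.0.0.0").partition("-")
    return ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi or lo)

def find_overlaps(vips):
    """Pairs of VIP names that share an external interface and an external IP."""
    hits = []
    for (n1, v1), (n2, v2) in combinations(vips.items(), 2):
        i1, i2 = v1.get("extintf", "any"), v2.get("extintf", "any")  # assumption: unset = any
        (lo1, hi1), (lo2, hi2) = ext_range(v1), ext_range(v2)
        if (i1 == i2 or "any" in (i1, i2)) and lo1 <= hi2 and lo2 <= hi1:
            hits.append((n1, n2))
    return hits
```

Calling find_overlaps(parse_vips(SAMPLE)) returns the single pair ("test-vip44-1", "test-vip44-1_clone").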
To use the API Preview:
- Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.
- Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
- Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
- Click Close to leave the preview.