Static virtual IPs
Static Virtual IPs (VIP) are used to map external IP addresses to internal IP addresses. This is also called destination NAT, where a packet's destination is being NAT'd, or mapped, to a different address.
Static VIPs are commonly used to map public IP addresses to resources behind the FortiGate that use private IP addresses. A static one-to-one VIP is when the entire port range is mapped. A port forwarding VIP is when the mapping is configured on a specific port or port range.
Some of the VIP configuration options are:
| Setting | Description |
|---|---|
| VIP Type | Note: IPv6 is only available when IPv6 is enabled in the Feature Visibility. |
| Interface ( | The external interface that the firewall policy source interface must match. For example, if the external interface is port1, then the VIP can be used in a policy from port1 to port3, but not in a policy from port2 to port3. If the external interface is any, then the VIP can be used in any firewall policy. |
| Type ( | |
| External IP address/range ( | In a static NAT VIP, the external IP address is the IP address that the FortiGate listens for traffic on. When the external interface is not any, 0.0.0.0 can be used to make the external IP address equivalent to the external interface's IP address. The external IP address is also used to perform SNAT for the mapped server when the server's outbound traffic has a destination interface that matches the external interface. The firewall policy must also have NAT enabled. |
| IPv4 address/range ( | The IPv4 address or range that the internal resource is being mapped to. |
| IPv6 address/range ( | The IPv6 address or range that the internal resource is being mapped to. |
| | Listen for traffic to the external IP address only on the specified interface. While the external interface restricts the policies where the VIP can be used, it does not restrict listening to only the external interface. To restrict listening to only a specific interface, |
| | Force all of the traffic from the mapped server to perform SNAT with the external IP address, regardless of the destination interface. If In both cases, the firewall policy must have NAT enabled. |
| | Enable/disable responding to ARP requests on the external IP address (default = enable). When a VIP object is created with |
| Source address ( | Restrict the source IP address, address range, or subnet that is allowed to access the VIP. |
| Services ( | Set the services that are allowed to be mapped. |
| Port Forwarding ( | Enable port forwarding to specify the port ( If no services are configured, you can configure the protocol ( |
| Port Mapping Type | |
Sample configuration
To create a virtual IP in the GUI:
- Go to Policy & Objects > Virtual IPs.
- Select the Virtual IP or IPv6 Virtual IP tab based on the IP version used.
- Click Create new.
- Enter a unique name for the virtual IP.
- Enter values for the external IP address/range and map to IPv4/IPv6 address/range fields.
- Click OK.
To create a virtual IP in the CLI:
    config firewall vip
        edit "Internal_WebServer"
            set extip 10.1.100.199
            set extintf "any"
            set mappedip "172.16.200.55"
        next
    end
To apply a virtual IP to policy in the CLI:
    config firewall policy
        edit 8
            set name "Example_Virtual_IP_in_Policy"
            set srcintf "wan2"
            set dstintf "internal"
            set srcaddr "all"
            set dstaddr "Internal_WebServer"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
IP pools and VIPs as local IP addresses
IP pools and VIPs are considered local IP addresses if responding to ARP requests on these external IP addresses is enabled (set arp-reply enable, the default). In this case, the FortiGate is considered a destination for those IP addresses and can receive reply traffic at the application layer successfully.
However, as a side-effect, once an IP pool or VIP has been configured, even if it is never used in a firewall policy, the FortiGate considers it as a local address and will not forward traffic based on the routing table. Therefore, any unused IP pools or VIPs should be deleted to prevent any unexpected behavior.
For a history of behaviour changes related to IP pools and VIPs, see Technical Tip: IP pool and virtual IP behaviour changes in FortiOS 6.4, 7.0, 7.2, and 7.4.
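As an added example (not FortiOS code and not from this document), a small Python audit over a constructed configuration text: it parses the flat `config firewall vip` and `config firewall policy` blocks, reports VIPs that no policy references (which, with the default `arp-reply enable`, the FortiGate still treats as local addresses, so they should be deleted), and flags policies whose `srcintf` does not match the VIP's `extintf` (only an `extintf` of `any` is usable from every policy). The parser assumes the `config`/`edit`/`set`/`next`/`end` layout shown above with no nested sub-tables.

```python
# Constructed sample config (not from a real device): "Old_FTP" has no policy, and policy 8 enters on wan2 while the VIP is bound to wan1.
SAMPLE_CONFIG = """\
config firewall vip
    edit "Internal_WebServer"
        set extip 10.1.100.199
        set extintf "wan1"
        set mappedip "172.16.200.55"
    next
    edit "Old_FTP"
        set extip 10.1.100.200
        set extintf "wan2"
    next
end
config firewall policy
    edit 8
        set srcintf "wan2"
        set dstaddr "Internal_WebServer"
    next
end
"""

def parse_tables(text):
    """Flatten top-level 'config <table>' blocks into {table: {entry: {key: value}}}."""
    tables, table, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit "):
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
    return tables

def audit_vips(text):
    """Find VIPs with no policy (still local addresses) and policy/extintf mismatches."""
    cfg = parse_tables(text)
    vips, policies = cfg.get("firewall vip", {}), cfg.get("firewall policy", {})
    used, mismatched = set(), []
    for pid, pol in policies.items():
        name = pol.get("dstaddr", "")
        if name in vips:
            used.add(name)
            # a VIP is usable only from its extintf, unless extintf is "any"
            if vips[name].get("extintf", "any") not in ("any", pol.get("srcintf")):
                mismatched.append((pid, name))
    # arp-reply defaults to enable, so an unused VIP is still claimed as a local address
    unused = sorted(n for n, v in vips.items() if n not in used and v.get("arp-reply", "enable") == "enable")
    return {"unused_local": unused, "interface_mismatch": mismatched}
```

Run `audit_vips(open("fortigate.conf").read())` against a full configuration backup; a VIP with `set arp-reply disable` is not reported as a local address.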