Administration Guide

Static virtual IPs

Static Virtual IPs (VIP) are used to map external IP addresses to internal IP addresses. This is also called destination NAT, where a packet's destination is being NAT'd, or mapped, to a different address.

Static VIPs are commonly used to map public IP addresses to resources behind the FortiGate that use private IP addresses. A static one-to-one VIP is when the entire port range is mapped. A port forwarding VIP is when the mapping is configured on a specific port or port range.

Some of the VIP configuration options are listed below, each setting followed by its description:
VIP Type

  • IPv4 (config firewall vip) - The source and destination are both IPv4.

  • IPv6 (config firewall vip6) - The source and destination are both IPv6.

Note: The IPv6 option is only available when IPv6 is enabled in Feature Visibility.

Interface (extintf)

The external interface that the firewall policy source interface must match.

For example, if the external interface is port1, then the VIP can be used in a policy from port1 to port3, but not in a policy from port2 to port3.

If the external interface is any, then the VIP can be used in any firewall policy.

Type (type)

  • Static NAT - Use an external IP address or address range.

  • FQDN - Use an external IP or FQDN address.

  • load-balance (CLI only) - Load balance traffic.

  • server-load-balance - Load balance traffic across multiple servers. SSL processing can be offloaded to the FortiGate. This type of VIP is configured from Policy & Objects > Virtual Servers.

  • dns-translation (CLI only) - DNS translation.

  • access-proxy - Used for ZTNA. See ZTNA HTTPS access proxy example for details.

External IP address/range (extip)

In a static NAT VIP, the external IP address is the IP address that the FortiGate listens for traffic on.

When the external interface is not any, 0.0.0.0 can be used to make the external IP address equivalent to the external interface's IP address.

The external IP address is also used to perform SNAT for the mapped server when the server's outbound traffic leaves through a destination interface that matches the external interface. The firewall policy must also have NAT enabled.

IPv4 address/range (mappedip)

The IPv4 address or range that the internal resource is being mapped to.

IPv6 address/range (ipv6-mappedip)

The IPv6 address or range that the internal resource is being mapped to.

srcintf-filter (CLI only)

Listen for traffic to the external IP address only on the specified interface.

While the external interface restricts the policies where the VIP can be used, it does not restrict listening to only the external interface. To restrict listening to only a specific interface, srcintf-filter must be configured.

nat-source-vip (CLI only)

Force all of the traffic from the mapped server to perform SNAT with the external IP address, regardless of the destination interface.

If srcintf-filter is defined, then nat-source-vip only forces SNAT to be performed when the destination matches the srcintf-filter interface.

In both cases, the firewall policy must have NAT enabled.

arp-reply (CLI only)

Enable/disable responding to ARP requests on the external IP address (default = enable).

When a VIP object is created with arp-reply enabled, the object does not need to be referenced in any policies before a FortiGate interface starts responding to ARP requests for the addresses in the VIP.

Source address (src-filter)

Restrict the source IP address, address range, or subnet that is allowed to access the VIP.

Services (service)

Set the services that are allowed to be mapped.

Port Forwarding (portforward)

Enable port forwarding to specify the port (mappedport) to map to.

If no services are configured, you can configure the protocol (protocol) to use when forwarding packets, the external service port range (extport) to be mapped to a port range on the destination network, and the mapped port range (mappedport and ipv6-mappedport) on the destination network.

Port Mapping Type

  • One to one - Each external service port is mapped to one port. A range is allowed, but the number of ports should be the same.
  • Many to Many - The port mapping can be one to one, one to many, or many to one. There are no restrictions on how many external ports must map to internal ports.

Sample configuration

To create a virtual IP in the GUI:
  1. Go to Policy & Objects > Virtual IPs.

  2. Select the Virtual IP or IPv6 Virtual IP tab based on the IP versions used.

  3. Click Create new.

  4. Enter a unique name for the virtual IP.

  5. Enter values for the external IP address/range and map to IPv4/IPv6 address/range fields.

  6. Click OK.

To create a virtual IP in the CLI:

config firewall vip
    edit "Internal_WebServer"
        set extip 10.1.100.199
        set extintf "any"
        set mappedip "172.16.200.55"
    next
end

To apply a virtual IP to a policy in the CLI:

config firewall policy
    edit 8
        set name "Example_Virtual_IP_in_Policy"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Internal_WebServer"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

IP pools and VIPs as local IP addresses

IP pools and VIPs are considered local IP addresses if responding to ARP requests on these external IP addresses is enabled (set arp-reply enable, which is the default). In this case, the FortiGate is considered a destination for those IP addresses and can receive reply traffic at the application layer successfully.

However, as a side-effect, once an IP pool or VIP has been configured, even if it is never used in a firewall policy, the FortiGate considers it as a local address and will not forward traffic based on the routing table. Therefore, any unused IP pools or VIPs should be deleted to prevent any unexpected behavior.

Caution

For a history of behaviour changes related to IP pools and VIPs, see Technical Tip: IP pool and virtual IP behaviour changes in FortiOS 6.4, 7.0, 7.2, and 7.4.
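The two rules above (a VIP that no policy references is still treated as a local address because arp-reply defaults to enable, and a VIP whose extintf is not any can only be used by a policy whose srcintf matches it) as an added Python audit script. This is not Fortinet's code and is not part of this guide; it uses a simplified parser for the CLI export format and runs against a constructed config sample.

```python
import re

# Constructed sample FortiOS config export (not from a real device): two VIPs and one policy.
SAMPLE_CONFIG = """
config firewall vip
    edit "Internal_WebServer"
        set extip 10.1.100.199
        set extintf "port1"
        set mappedip "172.16.200.55"
    next
    edit "Old_RDP_Forward"
        set extip 10.1.100.200
        set extintf "any"
        set mappedip "172.16.200.60"
        set portforward enable
        set extport 3389
        set mappedport 3389
    next
end
config firewall policy
    edit 8
        set srcintf "port2"
        set dstaddr "Internal_WebServer"
        set nat enable
    next
end
"""

def parse_table(text, table):
    """Minimal parser: return {entry_name: {setting: value}} for one 'config <table>' block."""
    m = re.search(r"config " + re.escape(table) + r"\n(.*?)\nend", text, re.S)
    entries = {}
    for name, body in re.findall(r'edit "?([^"\n]+)"?\n(.*?)\n\s*next', m.group(1) if m else "", re.S):
        entries[name] = {k: v.strip('"') for k, v in re.findall(r"set (\S+) (.+)", body)}
    return entries

def audit_vips(text):
    """Return (unused_vips, interface_mismatches) by applying the rules described on this page."""
    vips = parse_table(text, "firewall vip")
    used = {}  # VIP name -> [(policy id, policy srcintf)]
    for pid, pol in parse_table(text, "firewall policy").items():
        for addr in pol.get("dstaddr", "").split():
            used.setdefault(addr.strip('"'), []).append((pid, pol.get("srcintf", "")))
    # arp-reply defaults to enable, so an unreferenced VIP still answers ARP and counts as a local address.
    unused = sorted(n for n, v in vips.items() if n not in used and v.get("arp-reply", "enable") == "enable")
    # A VIP with extintf other than "any" may only be used by policies whose srcintf matches it.
    mismatches = [(n, pid, si, v.get("extintf", "any")) for n, v in vips.items()
                  for pid, si in used.get(n, []) if v.get("extintf", "any") not in ("any", si)]
    return unused, mismatches
```

Run it over a saved `show firewall vip` / `show firewall policy` export; the unused list is the set of objects the paragraph above recommends deleting.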
