Creating a Virtual IP
1. Go to Policy & Objects > Objects > Virtual IPs.
2. Select Create New.
If you use the down arrow next to Create New, select Virtual IP.
3. Choose the VIP Type.
The options available are:
a. IPv4 VIP - IPv4 on both sides of the FortiGate Unit.
b. IPv6 VIP - IPv6 on both sides of the FortiGate Unit.
c. NAT46 VIP - Going from an IPv4 Network to an IPv6 Network.
d. NAT64 VIP - Going from an IPv6 Network to an IPv4 Network.
The choice depends on which IP version is on the external interface of the FortiGate unit and which is on the internal interface.
4. Input a Name for the Virtual IP.
5. Input any additional information in the Comments field.
6. Using the dropdown menu for the Interface Field, choose the incoming interface for the traffic.
The IPv4 VIP Type is the only one that has a field for the interface. This is a legacy function from previous versions so that they can be upgraded without complicated reconfiguration. The External IP address, which is a required field, tells the unit which interface to use, so it is perfectly acceptable to choose Any as the interface. In some configurations, if the Interface field is not set to Any, the VIP is not one of the displayed options when choosing a destination address.
7. If only specific IP addresses are allowed to be the source address for traffic using the VIP, check the box for the Source Address Filter.
a. To specify the allowed address range, select Create New.
b. Enter the IP address for the start of the set of IP address(es) in the Range Start field.
c. Enter the IP address for the end of the set of IP address(es) in the Range End field.
8. Enter the IP address for the External IP Address/Range.
If there is a single IP address, use that address in both fields.
9. Set the Mapped IP Type.
This will be either Subnet or Address Range.
If you only have a single destination address you can use either:
Subnet: x.x.x.x/32
Address Range: x.x.x.x - x.x.x.x, where x.x.x.x is the same IP address.
10. Enter the IP address(es) for the Mapped IP Address/Range.
This will be the address of the host that the traffic is being directed to.
11. If you are only going to use specific ports, enable Port Forwarding.
a. Select one of 3 Protocol types:
TCP
UDP
SCTP
b. Enter the port number or range that the traffic will be connecting to in the External Service Port fields.
c. Enter the port number or range that is the final destination of the traffic in the Map to Port fields.
12. Press OK.
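The following is an added example, not part of the original documentation: a small Python audit that reads VIP definitions from a configuration export and reports which ones lack the Source Address Filter (step 7) or Port Forwarding (step 11). The sample configuration is constructed, and the CLI key names it relies on (`src-filter`, `portforward`) are assumptions, because this page describes only the web-based manager; confirm them against an export from your own FortiOS version.

```python
# Constructed sample in FortiOS CLI style; names and addresses are made up.
SAMPLE_CONFIG = """
config firewall vip
    edit "web-restricted"
        set extip 203.0.113.10
        set src-filter "198.51.100.0/24"
        set portforward enable
        set protocol tcp
        set extport 8443
        set mappedip 192.168.1.10
        set mappedport 443
    next
    edit "legacy-open"
        set extip 203.0.113.20
        set mappedip 192.168.1.20
    next
end
"""

def parse_vips(text):
    """Return {vip_name: {setting: value}} from 'config firewall vip' blocks."""
    vips, current, depth = {}, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if depth == 0:
            depth = 1 if line == "config firewall vip" else 0
        elif line.startswith("config "):
            depth += 1  # nested table inside a VIP entry; its lines are skipped
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            vips[current] = {}
        elif depth == 1 and line.startswith("set ") and current:
            parts = line.split(None, 2)
            if len(parts) == 3:
                vips[current][parts[1]] = parts[2].strip('"')
    return vips

def audit_vips(text):
    """Map each VIP name to the restrictions from steps 7 and 11 it lacks."""
    report = {}
    for name, cfg in parse_vips(text).items():
        missing = []
        if "src-filter" not in cfg:  # assumed key for Source Address Filter
            missing.append("source address filter")
        if cfg.get("portforward") != "enable":  # assumed key for Port Forwarding
            missing.append("port forwarding")
        report[name] = missing
    return report
```

Calling `audit_vips(SAMPLE_CONFIG)` returns an empty list for `web-restricted` and both restrictions for `legacy-open`, which accepts traffic from any source on every port.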