Example: Virtual IP address

The company has a web server on the internal network that needs to be accessed from the Internet.

  • The internal IP address is 192.168.50.37
  • The external IP address is 256.85.94.60 (for example use only. Not a valid IP address)
  • The external IP address is assigned by ISP "A" on WAN1
  • The port that needs to be mapped is 80

  1. Go to Policy & Objects > Objects > Virtual IPs and select Create New.
  2. Fill out the fields with the following information.

     VIP Type: IPv4
     Name: Web1-VIP
     Comments: Virtual IP for the Forum Webserver
     Interface: wan1
     Type: (This field can only be changed in the CLI)
     Source Address Filter: <disabled>
     External IP Address/Range: 256.85.94.60
     Mapped IP Address/Range: 192.168.50.37
     Port Forwarding: <enabled>
     Protocol: TCP
     External Service Port: 80
     Map to Port: 80

  3. Select OK.
  4. Enter the following CLI command:

    config firewall vip
        edit Web1-VIP
            set comment "Virtual IP for the Forum Webserver"
            set extintf wan1
            set extip 256.85.94.60
            set mappedip 192.168.50.37
            set portforward enable
            set protocol tcp
            set extport 80
            set mappedport 80
        next
    end

To verify that the virtual IP was added correctly:

  1. Go to Policy & Objects > Objects > Virtual IPs. Check that the virtual IP address has been added to the list and that it is correct.
  2. Enter the following CLI command:

    config firewall vip
        edit <the name of the vip that you wish to verify>
            show full-configuration

VIP group

The company has only a single external IP address but multiple servers with different functions running on its internal LAN that need to be accessed from the Internet.

  • The external IP address of the company on wan1 is 256.34.56.149 (for example use only. Not a valid IP address)
  • The webserver is on the internal LAN on 192.168.100.86
  • The webserver needs to answer on ports 80 and 443
  • The administration of the FortiGate firewall connects on port 4443 instead of 443
  • There are also a separate email server, FTP server, and Terminal Server for specialised applications.
  • Two virtual IPs have been created to map 256.34.56.149 to 192.168.100.86 on ports 80 and 443. The names are webserver_80 and webserver_443 respectively.

  1. Go to Policy & Objects > Objects > Virtual IPs and select Create New > Virtual IP Group.
  2. Fill out the fields with the following information.

     Type: IPv4 VIP Group
     Name: WebServer_Grp
     Comments: (Optional)
     Interface: wan1
     Members: webserver_80, webserver_443

  3. Enter the following CLI command:

    config firewall vipgrp
        edit WebServer_Grp
            set member "webserver_80" "webserver_443"
        next
    end

To verify that the virtual IP group was added correctly:

  1. Go to Policy & Objects > Objects > Virtual IPs. Check that the virtual IP address group has been added to the list and that it is correct.
  2. Enter the following CLI command:

    config firewall vipgrp
        edit <the name of the VIP group that you wish to verify>
            show full-configuration
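
The following is an added example, not Fortinet's code: a short Python audit of exported config firewall vip blocks in the format shown above. It flags a VIP without port forwarding, which maps the whole external address to the internal host so that exposure is bounded only by the services the firewall policy allows. The VIP group scenario above notes that administration runs on 4443 rather than 443; the second check flags a VIP whose external port matches a management port. The mail_nat object, the function names and the finding labels are assumptions made for the illustration.

```python
import shlex

# Constructed sample export. webserver_443 is the object named on this page;
# "mail_nat" is a hypothetical VIP left without port forwarding.
SAMPLE = """
config firewall vip
    edit "webserver_443"
        set extip 256.34.56.149
        set mappedip 192.168.100.86
        set portforward enable
        set extport 443
        set mappedport 443
    next
    edit "mail_nat"
        set extip 256.34.56.149
        set mappedip 192.168.100.90
    next
end
"""

def parse_vips(text):
    """Return {vip_name: {setting: value}} from 'config firewall vip' blocks."""
    vips, current, in_block, depth = {}, None, False, 0
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if not in_block:
            in_block = tok == ["config", "firewall", "vip"]
        elif tok[0] == "config":          # nested table inside a VIP: skip it
            depth += 1
        elif tok[0] == "end":
            in_block, depth = depth > 0, max(depth - 1, 0)
        elif depth == 0 and tok[0] == "edit" and len(tok) == 2:
            current = vips.setdefault(tok[1], {})
        elif depth == 0 and tok[0] == "set" and current is not None and len(tok) > 2:
            current[tok[1]] = " ".join(tok[2:])
    return vips

def audit_vips(vips, admin_ports):
    """Flag VIPs that forward every port or that claim a management port."""
    findings = []
    for name, cfg in vips.items():
        if cfg.get("portforward") != "enable":
            findings.append((name, "all-ports"))
        elif cfg.get("extport") in admin_ports:
            findings.append((name, "admin-port-clash"))
    return findings
```

Call audit_vips(parse_vips(text), {"4443"}) with the management ports actually configured on the unit, passed as strings. The port comparison is an exact match, so an extport given as a range is not expanded.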