
Virtual IPs

The mapping of one specific IP address to another specific IP address is usually referred to as Destination NAT. FortiOS has a more specialized component along these lines called a Virtual IP address, often shortened to VIP. FortiOS uses a Virtual IP address to map an external IP address to an internal IP address. The mapped address does not have to be a single host; it can also be an address range. The mapping covers all TCP/UDP ports unless Port Forwarding is enabled, in which case it applies only to the specific ports configured.

Virtual IP addresses are typically used to NAT external or public IP addresses to internal or private IP addresses. Using a Virtual IP address between two internal interfaces that both carry private IP addresses is possible, but there is rarely a reason to do so, since the two networks can reach each other directly without any address translation. Using a Virtual IP address for traffic going from the inside to the Internet is even less likely to be needed, but it is supported.

Something to consider when there are multiple public IP addresses on the external interface(s) is that a Virtual IP address used without Port Forwarding has a reciprocal effect on traffic flow. Normally, on a firewall policy where NAT is enabled, outgoing traffic has its internal source address translated to the public address assigned to the FortiGate interface. If a Virtual IP address without port forwarding exists for that internal host, however, the internal IP address in the Mapped field is instead translated to the IP address configured as the External Address in the VIP settings.

Best practice: Put any policies with a VIP right at the beginning of the policy list, with nothing before them. VIP traffic is processed first, before the regular rules of policy order are applied. The sequence of the policies that do not contain VIPs will not affect those that do, regardless of the order they are in. Put VIP policies before any others to remind yourself of where they really are in the sequence. For more on this topic, read the Exception to policy order.
Example
  • The assigned External address (WAN1) of the FortiGate unit is 172.12.96.3 with a subnet mask of 255.255.255.128
  • There is a Virtual IP address set up to map the external address 172.12.96.127 on WAN1 to the internal IP address of 192.168.1.127
  • Port Forwarding is not enabled because you want all allowed traffic going to the external IP address to go to this server.

In this case any outbound traffic from 192.168.1.127 will go out on WAN1 with the IP address of 172.12.96.127 as the source IP address.
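The VIP from this example written out as FortiOS CLI, together with an ordinary outbound NAT policy and a packet-sniffer command to confirm the reciprocal source translation. This is an added example, not configuration from the original page; the LAN interface name internal, the VIP name Server_127 and the policy ID are assumptions.

```fortios
# Added example (not from the original page). Assumes the LAN interface is
# named "internal" and that WAN1 carries 172.12.96.3/25 as described above.
config firewall vip
    edit "Server_127"
        set extintf "wan1"
        set extip 172.12.96.127
        set mappedip "192.168.1.127"
        # portforward is left disabled on purpose: the mapping then covers all
        # ports, which is the case that produces the reciprocal source NAT
    next
end

# Ordinary outbound policy with NAT enabled and no IP pool. Because of the VIP,
# traffic from 192.168.1.127 leaves wan1 with source 172.12.96.127, not the
# interface address 172.12.96.3.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Verification from the CLI: outbound packets from the mapped host should show
# the VIP's external address as their source on wan1.
diagnose sniffer packet wan1 'host 172.12.96.127' 4
```

If the mapped host should not present the VIP address on its own outbound connections, enable Port Forwarding on the VIP so the mapping is restricted to the configured ports, which removes the reciprocal effect described above.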

In terms of actually using a Virtual IP address, it is used in security policies in the same places that other addresses would be used, usually as a Destination Address.

UUID support for VIP

UUIDs are now supported for virtual IPs and virtual IP groups. This includes virtual IPs for IPv4, IPv6, NAT46, and NAT64. To view the UUID for these objects in a FortiGate unit's logs, log-uuid must be set to extended mode rather than policy-only (which shows only the policy UUID in a traffic log). This setting can only be configured through the CLI.

Syntax:

    config sys global
        set log-uuid {disable | policy-only | extended}
    end

There is another type of address that the term “virtual IP address” commonly refers to, which is used in load balancing and similar configurations. In those cases, a separately created virtual IP address fronts a number of devices, and traffic sent to it can be delivered to any of them. In FortiOS these are referred to as Virtual Servers and are configured in the “Load Balance” section.

Dynamic VIP according to DNS translation

When a dynamic virtual IP is used in a policy, the dynamic DNS translation table is installed in the kernel along with the dynamic NAT translation table. All matching DNS responses are translated and recorded, regardless of whether they hit the policy. When a client request hits the policy, dynamic NAT translation occurs if the request matches a recorded entry; otherwise the traffic is blocked.

Syntax

    config firewall vip
        edit "1"
            set type dns-translation
            set extip 192.168.0.1-192.168.0.100
            set extintf "dmz"
            set dns-mapping-ttl 604800
            set mappedip "3.3.3.0/24" "4.0.0.0/24"
        next
    end

Creating a virtual IP

  1. Go to Policy & Objects > Objects > Virtual IPs.
  2. Select Create New.
     • If you use the down arrow next to Create New, select Virtual IP.
  3. Choose the VIP Type. The options available are:
     • IPv4 VIP - IPv4 on both sides of the FortiGate unit.
     • IPv6 VIP - IPv6 on both sides of the FortiGate unit.
     • NAT46 VIP - Going from an IPv4 network to an IPv6 network.
     • NAT64 VIP - Going from an IPv6 network to an IPv4 network.
     Which is chosen will depend on which IP version is used on the external interface of the FortiGate unit and which is used on the internal interface.
  4. Input a Name for the Virtual IP.
  5. Input any additional information in the Comments field.
  6. Using the dropdown menu for the Interface field, choose the incoming interface for the traffic.
     The IPv4 VIP type is the only one that has a field for the interface. This is a legacy function from previous versions so that they can be upgraded without complicated reconfiguration. The External IP Address, which is a required field, tells the unit which interface to use, so it is perfectly acceptable to choose Any as the interface. In some configurations, if the Interface field is not set to Any, the VIP is not one of the displayed options when choosing a destination address.
  7. If only specific IP addresses are allowed to be the source address for traffic using the VIP, check the box for the Source Address Filter.
     a. To specify the allowed address range, select Create New.
     b. Enter the IP address for the start of the range in the Range Start field.
     c. Enter the IP address for the end of the range in the Range End field.
  8. Enter the IP address(es) for the External IP Address/Range.
     If there is a single IP address, use that address in both fields.
  9. Set the Mapped IP Type.
     This will be either Subnet or Address Range. If you only have a single destination address you can use either:
     • Subnet: x.x.x.x/32
     • Address Range: x.x.x.x - x.x.x.x, where both x.x.x.x are the same IP address.
  10. Enter the IP address(es) for the Mapped IP Address/Range.
     This will be the address of the host that the traffic is being directed to.
  11. If you are only going to use specific ports, enable Port Forwarding.
     a. Select one of 3 Protocol types: TCP, UDP or SCTP.
     b. Enter the port number or range that the traffic will be connecting to in the External Service Port fields.
     c. Enter the port number or range that is the final destination of the traffic in the Map to Port fields.
  12. Press OK.

Example

This example is for a VIP that is being used to direct traffic from the external IP address to a webserver on the internal network. The webserver is for company use only. The company’s public-facing webserver already uses port 80 and there is only one external IP address, so the traffic for this server is listened for on port 8080 of the external interface and sent to port 80 on the internal host.

  VIP Type                    IPv4
  Name                        Internal_Webserver
  Comments                    Webserver with Collaboration tools for Corporate employees
  Interface                   Any
  Source Address Filter       <list of IP addresses of remote users>
  External IP Address/Range   172.13.100.27 <this would normally be a public IP address>
  Mapped IP Type              Subnet
  Mapped IP Address/Range     192.168.34.150
  Port Forwarding             enabled
  Protocol                    TCP
  External Service Port       8080 - 8080
  Map to Port                 80 - 80