Just like other addresses, Virtual IP addresses can be organized into groups for ease of administration. If you have multiple virtual IPs that are likely to be associated with common firewall policies, rather than adding them individually to each of the policies you can add the group instead. That way, if the members of the group change, the change will propagate to all of the policies using that group.
When using a Virtual IP address group, the firewall policy will take into account all of the configured parameters of the Virtual IPs: IP addresses, ports and port types.
- Go to Policy & Objects > Objects > Virtual IPs.
- Use the down arrow next to Create New and select Virtual IP Group.
- Select the Type of VIP group you wish to create.
The options available are:
- IPv4 VIP - IPv4 on both sides of the FortiGate Unit.
- IPv6 VIP - IPv6 on both sides of the FortiGate Unit.
- NAT46 VIP - Going from an IPv4 Network to an IPv6 Network.
- NAT64 VIP - Going from an IPv6 Network to an IPv4 Network.
Which is chosen will depend on which of the IP version networks is on the external interface of the FortiGate unit and which is on the internal interface. The options will be:
- Enter a Name for the VIP.
- Enter any additional information in the Comments field.
- Use the dropdown menu of the Interface field to select the interface that the member VIPs are associated with, if any.
- Use the dropdown menu of the Members field to select the VIPs that will be part of the group.
- Press OK.
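
Because a change to a group propagates to every policy that uses it, it is worth reviewing what a group exposes before editing its members. The following is an added example, not Fortinet code: it parses a constructed FortiOS-style configuration excerpt and returns each member VIP's external IP and port together with the IDs of the policies that reference the group. The sample names and addresses, the flat `config`/`edit`/`set` layout, and the function names `parse` and `group_exposure` are assumptions.

```python
import shlex
# Constructed FortiOS-style excerpt; all names and addresses are made up.
SAMPLE = '''
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set extport 443
    next
    edit "mail-vip"
        set extip 203.0.113.11
    next
end
config firewall vipgrp
    edit "dmz-vips"
        set member "web-vip" "mail-vip"
    next
end
config firewall policy
    edit 1
        set dstaddr "dmz-vips"
    next
    edit 2
        set dstaddr "web-vip"
    next
    edit 3
        set dstaddr "dmz-vips"
    next
end
'''
def parse(text):
    """Return {section: {entry: {key: [values]}}} for flat config/edit/set blocks."""
    cfg, section, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line)  # handles quoted names; 'next'/'end' are ignored
        if tok[:1] == ["config"]:
            section = cfg.setdefault(" ".join(tok[1:]), {})
        elif tok[:1] == ["edit"]:
            entry = section.setdefault(tok[1], {})
        elif tok[:1] == ["set"]:
            entry[tok[1]] = tok[2:]
    return cfg

def group_exposure(cfg, group):
    """Rows of (vip, extip, extport) plus policy IDs; no extport is assumed to mean all ports."""
    vips = cfg["firewall vip"]
    rows = [(n, vips[n]["extip"][0], vips[n].get("extport", ["all"])[0])
            for n in cfg["firewall vipgrp"][group]["member"]]
    users = [pid for pid, p in cfg["firewall policy"].items() if group in p.get("dstaddr", [])]
    return rows, users
```

In the sample, policy 2 references `web-vip` directly, so it is not affected by changes to the group's membership and is not listed.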