Virtual IPs

The mapping of a specific IP address to another specific IP address is usually referred to as Destination NAT (DNAT). When the Central NAT Table is not being used, FortiOS calls this a Virtual IP Address, often abbreviated to VIP. FortiOS uses a DNAT or Virtual IP address to map an External IP address to an internal IP address. The mapped address does not have to be an individual host; it can also be an address range. The mapping can cover all TCP/UDP ports, or, if Port Forwarding is enabled, only the specific ports configured. Because the Central NAT table is disabled by default, the term Virtual IP address or VIP is used predominantly in this section.

Virtual IP addresses are typically used to NAT external or Public IP addresses to internal or Private IP addresses. Using a Virtual IP address between two internal interfaces made up of Private IP addresses is possible, but there is rarely a reason to do so, as the two networks can simply use their own IP addresses without any address translation. Using a Virtual IP address for traffic going from the inside to the Internet is even less likely to be a requirement, but it is supported.

Something to consider when there are multiple Public IP addresses on the external interface(s) is that a Virtual IP address used without Port Forwarding also affects traffic in the reverse direction. Normally, on a firewall policy where NAT is enabled, the internal source address of outgoing traffic is translated to the Public address assigned to the FortiGate interface. If, however, a Virtual IP address without port forwarding exists for that internal address, the Internal IP address in the Mapped field is instead translated to the IP address configured as the External Address in the VIP settings.

Example
  • The assigned External address (WAN1) of the FortiGate unit is 172.12.96.3 with a subnet mask of 255.255.255.128
  • There is a Virtual IP address set up to map the external address 172.12.96.127 on WAN1 to the internal IP address of 192.168.1.127
  • Port Forwarding is not enabled because you want all allowed traffic going to the external IP address to go to this server.

In this case any outbound traffic from 192.168.1.127 will go out on WAN1 with the IP address of 172.12.96.127 as the source IP address.

In terms of actually using a Virtual IP address, it is used in security policies in the same places that other address objects would be used, usually as the Destination Address.

UUID Support for VIP

UUID is now supported for virtual IPs and virtual IP groups. This includes virtual IPs for IPv4, IPv6, NAT46, and NAT64. To view the UUID for these objects in a FortiGate unit's logs, log-uuid must be set to extended mode rather than policy-only (which only shows the policy UUID in a traffic log). UUID logging can only be configured through the CLI.

Syntax

config sys global
    set log-uuid {disable | policy-only | extended}
end

Note: There is another type of address that the term “virtual IP address” commonly refers to, which is used in load balancing and other similar configurations. In those cases, a number of devices share a separately created virtual IP address whose traffic can be sent to multiple possible devices. In FortiOS these are referred to as Virtual Servers and are configured in the “Load Balance” section.

If Central-NAT is enabled in the CLI the GUI will be different.

Instead of VIP Type, the field label will be DNAT & VIP Type.

Instead of IPv4, the option will be IPv4 DNAT.

There will also be the additional setting Source Interface Filter.

Commands to set central-nat:

config system settings
    set central-nat {enable | disable}
end


Creating a Virtual IP

  1. Go to Policy & Objects > Virtual IPs.
  2. Select Create New. A drop down menu is displayed. Select Virtual IP.
  3. From the VIP Type options, choose the type that matches the IP addressing involved. Which one to choose depends on which IP version is used on the external interface of the FortiGate unit and which on the internal interface.

The available options are:

  • IPv4 - IPv4 on both sides of the FortiGate Unit.
  • IPv6 - IPv6 on both sides of the FortiGate Unit.
  • NAT46 - Going from an IPv4 Network to an IPv6 Network.
  • NAT64 - Going from an IPv6 Network to an IPv4 Network.
  4. In the Name field, input a unique identifier for the Virtual IP.
  5. Input any additional information in the Comments field.

In the Network section

  6. If an IPv4 type of Virtual IP, select the Interface setting.

Using the dropdown menu for the Interface field, choose the incoming interface for the traffic.
The IPv4 VIP Type is the only one that uses this field. It is a legacy function retained from previous versions so that they can be upgraded without complicated reconfiguration. The External IP address, which is a required field, already tells the unit which interface to use, so it is perfectly acceptable to choose "any" as the interface. In some configurations, if the Interface field is not set to "any", the Virtual IP object will not be one of the displayed options when choosing a destination address.

  7. Configure the Source Interface Filter (if available).

If needed, toggle the setting on. This will cause a field with a "+" symbol in it to appear. Once the field is selected, one or more interfaces can be selected from the window that slides out from the right.

  8. Configure the External IP Address/Range.

There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network, usually the public address of the server. The format of the address will depend on the VIP Type option that was selected.

  9. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.

There are two fields. If there is a single IP address, use that address in both fields. The format of the address will depend on the VIP Type option that was selected.

  10. Disable/Enable the Source Address Filter.

If only specific IP addresses are allowed to be the source address for traffic using the VIP, enable the Source Address Filter. To add an allowed address, select Create New. The value of the address field for the Source Address Filter can be formatted in three different ways:

    • Source IP - Use the standard format for a single IP address based on whether it's IPv4 or IPv6
    • Range - Enter the first and last members of the range
    • Subnet - Enter the IP address of the broadcast address for the subnet.
  11. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
  12. Select the Protocol.

Depending on which Virtual IP type is being configured there can be one of up to 4 different protocols being forwarded.

  • IPv4 can forward: TCP, UDP, SCTP or ICMP
  • IPv6 can forward: TCP, UDP, or SCTP
  • NAT46 can forward: TCP or UDP
  • NAT64 can forward: TCP or UDP
  13. Configure the External Service Port.

This will be the listening port that the traffic is being sent to. If ICMP was selected, there will not be any port options available, because only one internal address will be able to respond to ICMP requests. For the other options there will be two fields to configure: the start and the end of the port range. If only a single port is being configured, enter the same value in both fields.

  14. Configure the setting Map to Port.

This will be the listening port on the device on the internal side of the network. It does not have to be the same as the External Service Port. There will be two fields to configure: the start and the end of the port range. If only a single port is being configured, enter the same value in both fields.

  15. Press OK.

Example

This example is for a VIP that is being used to direct traffic from the external IP address to a webserver on the internal network. The webserver is for company use only. The company’s public-facing webserver already uses port 80 and there is only one external IP address, so the traffic for this server is listened for on port 8080 of the external interface and sent to port 80 on the internal host.

Field                      Value
VIP Type                   IPv4
Name                       Internal_Webserver
Comments                   Webserver with Collaboration tools for Corporate employees
Interface                  Any
External IP Address/Range  172.13.100.27 <this would normally be a public IP address>
Mapped IP Address/Range    192.168.34.150
Source Address Filter      <list of IP addresses of remote users>
Port Forwarding            enabled
Protocol                   TCP
External Service Port      8080 - 8080
Map to Port                80 - 80

Dynamic VIP according to DNS translation

When a dynamic virtual IP is used in a policy, the dynamic DNS translation table is installed into the kernel along with the dynamic NAT translation table. All matching DNS responses are translated and recorded, regardless of whether they hit the policy. When a client request hits the policy, dynamic NAT translation occurs if the request matches a record; otherwise the traffic is blocked.

Syntax

config firewall vip
    edit "1"
        set type dns-translation
        set extip 192.168.0.1-192.168.0.100
        set extintf "dmz"
        set dns-mapping-ttl 604800
        set mappedip "3.3.3.0/24" "4.0.0.0/24"
    next
end