How do I configure a Virtual IP

About virtual IPs

Virtual IP (VIP) addresses enable users from outside a private network to access services inside that network. Under normal circumstances, this is not possible because Internet routers generally do not connect to private IP addresses. For example, a user from the Internet is not able to access an internal page on a company network. However, the FortiGate unit can be configured to allow an employee of a company to access an internal web page on a private network from the Internet.

FortiGate must be in NAT/Route mode to add VIPs.

Creating a static VIP

Static NAT virtual IP for a single IP address is the simplest virtual IP configuration. A single IP address on one network is mapped to another IP address on a second network. The FortiGate unit connects the two networks and allows communication between them.

To create a static VIP

Go to Firewall > Virtual IP.

Select Create New.

Enter a name for the Virtual IP you will create.

Select the interface the new Virtual IP will be entering from.

Select Static NAT.

Enter the address for the virtual IP in External IP Address/Range.
This is the address visible to users outside the network.

Enter the internal IP address in Map to IP Address/Range.
This address is invisible to users outside the network. It is the address for the page linked to the external IP.

Select OK

Creating a VIP with port forwarding

With port forwarding, a port or a range of ports on computers outside the network can be linked to a port or range of ports inside the network.

To create a VIP with port forwarding

Go to Firewall > Virtual IP.

Select Create New.

Enter a name for the Virtual IP you will create.

Select the interface the new Virtual IP will be entering from.

Select Port Forwarding.

Enter the address for the virtual IP in External IP Address/Range.
This is the address visible to users outside the network.

Enter the internal IP address in Map to IP Address/Range.
This address is invisible to users outside the network. It is the address for the page linked to the external IP.

Select OK

Configuring the Firewall

You must create a firewall service and a firewall policy for the Virtual IP address to function, and to allow traffic to flow between the VIP and the network.

To create a firewall service

Go to Firewall > Service > Custom.

Select Create New

Enter a name for the new service.

Select the protocol for the new VIP.

Leave the default settings for Source Port.

Enter the destination port numbers for the new service.

Select OK.

To create a firewall policy

Go to Firewall > Policy.

Select Create New

Select the external port connected to the internet for Source Interface/Zone.

Select all for Source Address Name.

Select the internal port connected to the network for Destination Interface/Zone.

Select the virtual IP you created for Destination Address Name.

Select the service you just created from the Service options.

Select OK.