Creating a virtual IP

Creating a virtual IP

  1. Go to Policy & Objects > Virtual IPs.
  2. Select Create New. A drop down menu is displayed. Select Virtual IP.
  3. From the VIP Type options, choose an applicable type based on the IP addressing involved. Which is chosen will depend on which of the IP version networks is on the external interface of the FortiGate unit and which is on the internal interface.

The available options are:

  • IPv4 – IPv4 on both sides of the FortiGate Unit. l IPv6 – IPv6 on both sides of the FortiGate Unit. l NAT46 – Going from an IPv4 Network to an IPv6 Network.
  • NAT64 – Going from an IPv6 Network to an IPv4 Network.
  1. In the Name field, input a unique identifier for the Virtual IP.
  2. Input any additional information in the Comments
  3. The Color of the icons that represent the object in the GUI can be changed by clicking on the [Change] link and choosing from the 32 colors.

Because the configuration differs slightly for each type the next steps will be under a separate heading based on the type of the VIP

Configuring a VIP for IPv4

In the Network section:

  1. If an IPv4 type of Virtual IP, select the Interface

Using the drop down menu for the Interface Field, choose the incoming interface for the traffic.

The IPv4 VIP Type is the only one that uses this field. This is a legacy function from previous versions so that they can be upgraded without complicated reconfiguration. The External IP address, which is a required field, tells the unit which interface to use so it is perfectly acceptable to choose “any” as the interface. In some configurations, if the Interface field is not set to “any” the Virtual IP object will not one of the displayed options when choosing a destination address.

  1. Configure the External IP Address/Range.

There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network that is usually the public address of the server. The format of the address will depend on the VIP Type option that was selected.

  1. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.

There are two fields. If there is a single IP address, use that address in both fields. The format of the address will depend on the VIP Type option that was selected. In the Optional Filters

  1. Disable/Enable the Optional Filters.

If only specific IP addresses and/or services are allowed to be the source for traffic using the VIP, enable the Optional Filters.

  1. To specify an allowed address enter the value in the field labeled Source Address. The value can be formatted in three different ways.

l Source IP – Use the standard format for a single IP address l Range – Enter the first and last members of the range l Subnet – Enter the IP address of the broadcast address for the subnet.

To add additional addresses, click on the “+” below the last field with an address. To subtract an address, click on the “X” next to the field you wish to delete.

  1. To specify an allowed Service, toggle the Services option to enabled. Set the Services parameter by selecting the field with the “+” in the field. This will slide a window out from the right. Single or multiple options can be selected by highlighting the services wanted, unless the ALL option is chosen, in which case it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  2. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
  3. Select the Protocol from l TCP l UDP l SCTP l ICMP
  4. Configure the External Service Port. This is the port(s) on the external interface of the FortiGate (the destination port in the header of the packets). The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  5. Configure the setting Map to Port.This will be the listening port on the device located on the internal side of the network. It does not have to be the same as the External Service Port. The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  6. Press

Example

This example is for a VIP that is being used to direct traffic from the external IP address to a web server on the internal network. The web server is for company use only. The company’s public facing web server already used port 80 and there is only one IP external IP address so the traffic for this server is being listened for on port 8080 of the external interface and being sent to port 80 on the internal host.

Field Value
VIP Type IPv4
Name Internal_Webserver
Comments Web server with Collaboration tools for Corporate employees
Interface Any
External IP

Address/Range

172.13.100.27 <this would normally be a public IP address>
Mapped IP

Address/Range

192.168.34.150
Optional Filters enabled
Source Address

Filter

<list of IP addresses of remote users>
Services enabled with HTTP in the list
Port Forwarding enabled
Map to Port 80 – 80

Configuring a VIP for IPv6

In the Network section:

  1. Configure the External IP Address/Range.

There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network that is usually the public address of the server. Enter the address in the standard IPv6 format.

  1. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.

There are two fields. If there is a single IP address, use that address in both fields. Enter the address in the standard IPv6 format.

In the Optional Filters

  1. Disable/Enable the Optional Filters.

If only specific IP addresses and/or services are allowed to be the source for traffic using the VIP, enable the Optional Filters.

  1. To specify an allowed address enter the value in the field labeled Source Address. The value can be formatted in three different ways.

l Source IP – Use the standard format for a single IP address l Range – Enter the first and last members of the range l Subnet – Enter the IP address of the broadcast address for the subnet.

To add additional addresses, click on the “+” below the last field with an address. To subtract an address, click on the “X” next to the field you wish to delete.

  1. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
  2. Select the Protocol from l TCP l UDP l SCTP
  3. Configure the External Service Port. This is the port(s) on the external interface of the FortiGate (the destination port in the header of the packets). The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  4. Configure the setting Map to Port.This will be the listening port on the device located on the internal side of the network. It does not have to be the same as the External Service Port. The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  5. Press

Configuring a VIP for NAT46

In the Network section:

  1. Configure the External IP Address/Range.

There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network that is usually the public address of the server. Enter the address in the standard IPv4 format.

  1. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.

There are two fields. If there is a single IP address, use that address in both fields. Enter the address in the standard IPv6 format.

In the Optional Filters

  1. Disable/Enable the Optional Filters.

If only specific IP addresses and/or services are allowed to be the source for traffic using the VIP, enable the Optional Filters.

  1. To specify an allowed address enter the value in the field labeled Source Address. The value can be formatted in three different ways.

l Source IP – Use the standard format for a single IP address l Range – Enter the first and last members of the range l Subnet – Enter the IP address of the broadcast address for the subnet.

To add additional addresses, click on the “+” below the last field with an address. To subtract an address, click on the “X” next to the field you wish to delete.

  1. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
  2. Select the Protocol from l TCP l UDP
  3. Configure the External Service Port. This is the port(s) on the external interface of the FortiGate (the destination port in the header of the packets). The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  4. Configure the setting Map to Port.This will be the listening port on the device located on the internal side of the network. It does not have to be the same as the External Service Port. The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.

Configuring a VIP for NAT64

In the Network section:

  1. Configure the External IP Address/Range.

There are two fields. If there is a single IP address, use that address in both fields. This will be the address on the outside of the network that is usually the public address of the server. Enter the address in the standard IPv6 format.

  1. Configure the Mapped IP Address/Range. This will be the address that the traffic is being directed to.

There are two fields. If there is a single IP address, use that address in both fields. Enter the address in the standard IPv4 format.

In the Optional Filters

  1. Disable/Enable the Optional Filters.

If only specific IP addresses and/or services are allowed to be the source for traffic using the VIP, enable the Optional Filters.

  1. To specify an allowed address enter the value in the field labeled Source Address. The value can be formatted in three different ways.

l Source IP – Use the standard format for a single IP address l Range – Enter the first and last members of the range l Subnet – Enter the IP address of the broadcast address for the subnet.

To add additional addresses, click on the “+” below the last field with an address. To subtract an address, click on the “X” next to the field you wish to delete.

  1. Disable/Enable Port Forwarding. If only the traffic for a specific port or port range is being forwarded, enable this setting.
  2. Select the Protocol from l TCP l UDP
  3. Configure the External Service Port. This is the port(s) on the external interface of the FortiGate (the destination port in the header of the packets). The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  4. Configure the setting Map to Port.This will be the listening port on the device located on the internal side of the network. It does not have to be the same as the External Service Port. The first field is for the first port in the range the second is for the last port in the range. As you enter a value in the first field, the second field will auto populate with the same number, working on the premise that a single port is common. Just edit the second field to extend the range.
  5. Press

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Creating a virtual IP

  1. Jan-Pieter

    Hi Mike,
    Thanks for the interesting info. I created a VIP which is working perfect. I also allowed traffic from the inside to the external VIP IP. Works also perfect.
    Only 1 thing is not working, whatever I try: I cannot connect to the VIP using a IPsec VPN to the Fortinet.
    The IPsec ipspace is part of one of the internal ip spaces. I can ping and connect to all hosts and the ftg from the VPN normally. But connecting to the VIP (on the WAN1 interface) from the ipsec VPN always fails. Whatever firewall rule I create. The other IP’s on the same subnet can normally connect to the VIP using the wan1 public IP normally…

    Any clue??

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.