
Fortinet FortiGate Series Administration Guide

Fortinet FortiGate Series
764 pages
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903 447
Firewall Virtual IP
Virtual IP addresses (VIPs) can be used when configuring firewall policies to translate IP
addresses and ports of packets received by a network interface, including a modem
interface.
When the FortiGate unit receives inbound packets matching a firewall policy whose
Destination Address field is a virtual IP, the FortiGate unit applies NAT, replacing packets’
IP addresses with the virtual IP’s mapped IP address.
IP pools, like virtual IPs, can be used to configure aspects of NAT; however, IP
pools configure dynamic translation of packets’ IP addresses based on the Destination
Interface/Zone, whereas virtual IPs configure dynamic or static translation of a packet’s IP
addresses based upon the Source Interface/Zone.
To implement the translation configured in the virtual IP or IP pool, you must add it to a
NAT firewall policy. For details, see “Configuring virtual IPs” on page 452.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall virtual IPs are
configured separately for each virtual domain. For details, see “Using virtual domains” on
page 159.
This section describes:
How virtual IPs map connections through FortiGate units
Viewing the virtual IP list
Configuring virtual IPs
Virtual IP Groups
Viewing the VIP group list
Configuring VIP groups
IP pools
Viewing the IP pool list
Configuring IP Pools
Double NAT: combining IP pool with virtual IP
Adding NAT firewall policies in transparent mode
How virtual IPs map connections through FortiGate units
Virtual IPs can specify translations of packets’ port numbers and/or IP addresses for both
inbound and outbound connections. In Transparent mode, virtual IPs are available from
the FortiGate CLI.
Inbound connections
Virtual IPs can be used in conjunction with firewall policies whose Action is not DENY to
apply bidirectional NAT, also known as inbound NAT.
Note: In Transparent mode, you can configure NAT firewall policies that include virtual IPs
and IP pools from the FortiGate CLI. See “Adding NAT firewall policies in transparent mode”
on page 468.
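The following Python audit is an added example, not part of the guide. It lists every virtual IP that is the destination address of a policy whose action is not DENY, which is the condition under which inbound NAT reaches the mapped internal address. The sample configuration is constructed, and the CLI keywords `extip`, `mappedip`, `dstaddr` and `action`, along with treating an unset action as deny, are assumptions about the CLI syntax that this page does not show.

```python
import shlex

# Constructed sample in FortiOS CLI syntax; names and addresses are made up.
SAMPLE = """\
config firewall vip
    edit "web vip"
        set extip 203.0.113.10
        set mappedip 10.0.0.10
    next
    edit "ssh-vip"
        set extip 203.0.113.11
        set mappedip 10.0.0.22
    next
end
config firewall policy
    edit 1
        set dstaddr "web vip"
        set action accept
    next
    edit 2  # no "set action" line: assumed to default to deny
        set dstaddr "ssh-vip"
    next
end
"""

def parse_section(config, section):
    """Return {entry: {key: [values]}} for one top-level 'config <section>' block."""
    entries, current, depth, active = {}, None, 0, False
    for raw in config.splitlines():
        words = shlex.split(raw, comments=True) or [""]
        if words[0] == "config":
            depth += 1  # nested config blocks raise the depth and are skipped
            active = " ".join(words[1:]) == section if depth == 1 else active
        elif words[0] == "end":
            depth -= 1
        elif active and depth == 1 and words[0] == "edit":
            current = entries.setdefault(words[1], {})
        elif active and depth == 1 and words[0] == "set" and current is not None:
            current[words[1]] = words[2:]
    return entries

def exposed_vips(config):
    """(policy, vip, extip, mappedip) for each VIP that a non-DENY policy uses as destination."""
    vips = parse_section(config, "firewall vip")
    policies = parse_section(config, "firewall policy")
    return [(pid, n, vips[n].get("extip", ["?"])[0], vips[n].get("mappedip", ["?"])[0])
            for pid, pol in policies.items()
            if pol.get("action", ["deny"])[0] != "deny"  # assumption: unset action means deny
            for n in pol.get("dstaddr", []) if n in vips]
```

Calling `exposed_vips()` on the text of a configuration backup gives the external-to-internal mappings that are actually reachable, which can be compared with the list of services intended to be published.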
