Fortinet 100 Virtual IPs

160 Fortinet Inc.

Adding static NAT virtual IPs Firewall configuration

For example, to use a one-time schedule to deny access to a policy, add a policy that

matches the policy to be denied in every way. Choose the one-time schedule that you

added and set Action to DENY. Then place the policy containing the one-time

schedule in the policy list above the policy to be denied.

Virtual IPs

Use virtual IPs to access IP addresses on a destination network that are hidden from

the source network by NAT security policies. To allow connections between these

networks, you must create a mapping between an address on the source network and

the real address on the destination network. This mapping is called a virtual IP.

For example, if the computer hosting your web server is located on your DMZ

network, it could have a private IP address such as 10.10.10.3. To get packets from

the Internet to the web server, you must have an external address for the web server

on the Internet. You must then add a virtual IP to the firewall that maps the external IP

address of the web server to the actual address of the web server on the DMZ

network. To allow connections from the Internet to the web server, you must then add

an Ext->DMZ firewall policy and set Destination to the virtual IP.

You can create two types of virtual IPs:

This section describes:

•Adding static NAT virtual IPs

•Adding port forwarding virtual IPs

•Adding policies with virtual IPs

1Go to Firewall > Virtual IP.

2Select New to add a virtual IP.

3Enter a Name for the virtual IP.

The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and

the special characters - and _. Other special characters and spaces are not allowed.

4Select the virtual IP External Interface:

The External Interface is the interface connected to the source network that receives

the packets to be forwarded to the destination network.

5Make sure Type is set to Static NAT.

Static NAT Used in to translate an address on a source network to a hidden address on

a destination network. Static NAT translates the source address of return

packets to the address on the source network.

Port Forwarding Used to translate an address and a port number on a source network to a

hidden address and, optionally, a different port number on a destination

network. Using port forwarding you can also route packets with a specific

port number and a destination address that matches the IP address of the

interface that receives the packets. This technique is called port forwarding

or port address translation (PAT). You can also use port forwarding to change

the destination port of the forwarded packets.