Firewall Virtual IP
Virtual IPs
How virtual IPs map connections through the FortiGate unit
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
This section describes FortiGate Virtual IPs and IP Pools and how to configure
and use them in firewall policies.
The following topics are included in this section:
• Virtual IPs
• Viewing the virtual IP list
• Configuring virtual IPs
• Virtual IP Groups
• Viewing the VIP group list
• Configuring VIP groups
• IP pools
• Viewing the IP pool list
• Configuring IP Pools
Virtual IPs can be used to allow connections through a FortiGate unit using
network address translation (NAT) firewall policies. Virtual IPs use Proxy ARP so
that the FortiGate unit can respond to ARP requests on a network for a server that
is actually installed on another network. Proxy ARP is defined in RFC 1027.
For example, you can add a virtual IP to an external FortiGate unit interface so
that the external interface can respond to connection requests for users who are
actually connecting to a server on the DMZ or internal network.
An example use of static NAT virtual IP is to allow easy public access to a web
server on a private network protected by a FortiGate unit. Reduced to its basics,
this example involves only three parts, as shown in Figure 146: the web server on
a private network, the browsing computer on the Internet, and the FortiGate unit
connecting the two networks.
A client computer attempts to contact the server. The client computer sends data
packets and the FortiGate unit receives them. The addresses in the packets are
remapped, and they're forwarded to the server on the private network.
Figure 146: A simple static NAT virtual IP example.
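The address remapping described above can be traced with a small model. This is an added example, not Fortinet code or FortiGate configuration: it is a simplified sketch in which the interface name, all IP addresses, the HTTP-only policy and the session table are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

# Constructed sample values: documentation and private address ranges.
VIP_INTF = "external"            # interface the virtual IP is bound to
VIP_EXT_IP = "203.0.113.10"      # address clients on the Internet connect to
VIP_MAPPED_IP = "10.10.10.42"    # real web server on the private network
ALLOWED_PORTS = {80}             # assumption: the policy using the VIP permits HTTP only

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

def answers_arp(intf, target_ip):
    """Proxy ARP: answer only on the external interface, only for the virtual IP."""
    return intf == VIP_INTF and target_ip == VIP_EXT_IP

class Firewall:
    def __init__(self):
        self.sessions = set()    # (client_ip, client_port, server_port)

    def inbound(self, intf, pkt):
        """Client to server: remap the destination from virtual IP to mapped IP."""
        if intf != VIP_INTF or pkt.dst != VIP_EXT_IP:
            return None          # not addressed to the virtual IP
        if pkt.dport not in ALLOWED_PORTS:
            return None          # no policy accepts this service
        self.sessions.add((pkt.src, pkt.sport, pkt.dport))
        return replace(pkt, dst=VIP_MAPPED_IP)

    def reply(self, pkt):
        """Server to client: put the virtual IP back as the source address."""
        if pkt.src != VIP_MAPPED_IP:
            return None
        if (pkt.dst, pkt.dport, pkt.sport) not in self.sessions:
            return None          # no inbound session to match this reply
        return replace(pkt, src=VIP_EXT_IP)

if __name__ == "__main__":
    fw = Firewall()
    print(fw.inbound("external", Packet("198.51.100.7", VIP_EXT_IP, 40000, 80)))
    print(fw.reply(Packet(VIP_MAPPED_IP, "198.51.100.7", 80, 40000)))
```

The client only ever sees the virtual IP, and the private address appears only on the server side of the model.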