Firewall Virtual IP
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
Virtual IP addresses (VIPs) can be used when configuring firewall policies to translate IP
addresses and ports of packets received by a network interface, including a modem
interface.
When the FortiGate unit receives inbound packets matching a firewall policy whose
Destination Address field is a virtual IP, the FortiGate unit applies NAT, replacing packets'
IP addresses with the virtual IP's mapped IP address.
IP pools, like virtual IPs, can be used to configure aspects of NAT; however, IP
pools configure dynamic translation of packets' IP addresses based on the Destination
Interface/Zone, whereas virtual IPs configure dynamic or static translation of a packet's IP
addresses based upon the Source Interface/Zone.
To implement the translation configured in the virtual IP or IP pool, you must add it to a
NAT firewall policy. For details, see "Configuring virtual IPs" on page 452.
Note: In Transparent mode from the FortiGate CLI you can configure NAT firewall policies
that include Virtual IPs and IP pools. See "Adding NAT firewall policies in transparent mode"
on page 468.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall virtual IPs are
configured separately for each virtual domain. For details, see "Using virtual domains" on
page 159.
This section describes:
• How virtual IPs map connections through FortiGate units
• Viewing the virtual IP list
• Configuring virtual IPs
• Virtual IP Groups
• Viewing the VIP group list
• Configuring VIP groups
• IP pools
• Viewing the IP pool list
• Configuring IP Pools
• Double NAT: combining IP pool with virtual IP
• Adding NAT firewall policies in transparent mode

How virtual IPs map connections through FortiGate units
Virtual IPs can specify translations of packets' port numbers and/or IP addresses for both
inbound and outbound connections. In Transparent mode, virtual IPs are available from
the FortiGate CLI.

Inbound connections
Virtual IPs can be used in conjunction with firewall policies whose Action is not DENY to
apply bidirectional NAT, also known as inbound NAT.
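
The inbound translation described above, modelled as an added Python example (it is not code from the Fortinet guide and not how FortiOS implements NAT). It parses a `config firewall vip` block, applies the destination translation to an inbound address and port, and lists the VIPs that translate the address only. The VIP names, addresses and sample configuration are constructed; it assumes a firewall policy with the VIP as its destination already matches, single-port forwards only, and no nested config blocks inside a VIP entry.

```python
# Constructed sample in FortiOS CLI syntax (names and addresses are made up).
SAMPLE_CONFIG = '''
config firewall vip
    edit "web-443"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip 10.0.0.5
        set extport 443
        set mappedport 8443
    next
    edit "db-static"
        set extip 203.0.113.11
        set extintf "wan1"
        set mappedip 10.0.0.6
    next
end
'''

def parse_vips(config_text):
    """Return {vip_name: {option: value}} from a 'config firewall vip' block."""
    vips, current, in_vip = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("config firewall vip", "end"):
            in_vip = line != "end"          # enter or leave the VIP table
        elif in_vip and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            vips[current] = {}
        elif in_vip and current and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                vips[current][parts[1]] = parts[2].strip('"')
    return vips

def translate_inbound(vip, dst_ip, dst_port):
    """Apply the VIP's destination NAT; return (ip, port) or None if no match."""
    if dst_ip != vip.get("extip"):
        return None
    if vip.get("portforward") == "enable":
        if str(dst_port) != vip.get("extport"):
            return None                     # port forward covers one port only
        return vip["mappedip"], int(vip["mappedport"])
    return vip["mappedip"], dst_port        # static NAT: port is left unchanged

def static_nat_vips(vips):
    """Names of VIPs without port forwarding (address-only translation)."""
    return sorted(n for n, v in vips.items() if v.get("portforward") != "enable")
```

A VIP returned by `static_nat_vips` translates only the address, so which ports reach the mapped host is decided by the service in the firewall policy that uses it.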