Fortinet FortiGate Series Administration Manual page 453

Firewall Virtual IP
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
Protocol
Select the protocol of the forwarded packets.
This option appears only if Port Forwarding is enabled.

External Service Port
Enter the external interface port number for which you want to configure port forwarding.
This option appears only if Port Forwarding is enabled.

Map to Port
Enter the port number on the destination network to which the external port number is mapped.
You can also enter a port number range to forward packets to multiple ports on the destination network.
For a virtual IP with static NAT, if you add a Map to Port range, the FortiGate unit calculates the external port number range and adds that range to the External Service Port field.
This option appears only if Port Forwarding is enabled.

SSL Offloading
Select to accelerate clients' SSL connections to the server by using the FortiGate unit to perform SSL operations, then select which segments of the connection will receive SSL offloading.

  Client <-> FortiGate
  Select to apply hardware accelerated SSL only to the part of the connection between the client and the FortiGate unit. The segment between the FortiGate unit and the server will use clear text communications. This results in best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator.

  Client <-> FortiGate <-> Server
  Select to apply hardware accelerated SSL to both parts of the connection: the segment between the client and the FortiGate unit, and the segment between the FortiGate unit and the server. The segment between the FortiGate unit and the server will use encrypted communications, but the handshakes will be abbreviated. This results in performance which is less than the other option, but still improved over communications without SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server's configuration.

SSL 3.0, TLS 1.0, and TLS 1.1 are supported.
This option appears only if Port Forwarding is selected, and only on FortiGate models whose hardware supports SSL acceleration.
Note: Additional SSL Offloading options are available in the CLI. For details, see the FortiGate CLI Reference.

Certificate
Select which SSL certificate to use with SSL Offloading.
This option appears only if Port Forwarding is selected, and is available only if SSL Offloading is selected.

To configure a virtual IP
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Configure the virtual IP by entering the virtual IP address, if any, that will be bound to the network interface, and selecting the mapping type and mapped IP address(es) and/or port(s). For configuration examples of each type, see:
  "Adding a static NAT virtual IP for a single IP address" on page 454
  "Adding a static NAT virtual IP for an IP address range" on page 455
  "Adding static NAT port forwarding for a single IP address and a single port" on page 457
  "Adding static NAT port forwarding for an IP address range and a port range" on page 459
  "Adding dynamic virtual IPs" on page 460
  "Adding a virtual IP with port translation only" on page 461
Configuring virtual IPs
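
The Map to Port description on this page says that, for a static NAT virtual IP, the FortiGate unit derives the external port range from the mapped range. The following is an added example, not part of the Fortinet guide: it assumes the external range has the same width as the mapped range and starts at the external port entered, and it lists which external ports a planned virtual IP would open beyond an approved set. All function names and sample ports are constructed for illustration.

```python
"""Added example: external port range implied by a Map to Port range."""

MAX_PORT = 65535


def parse_ports(spec):
    """Parse '8080' or '8000-8003' into an inclusive (low, high) tuple."""
    low, _, high = str(spec).partition("-")
    low = int(low)
    high = int(high) if high else low
    if not 1 <= low <= high <= MAX_PORT:
        raise ValueError(f"invalid port or range: {spec!r}")
    return low, high


def external_range(external_start, map_to_port):
    """Return the (low, high) external range for a mapped port range.

    Assumption: the external range has the same width as the mapped range
    and starts at the external port that was entered.
    """
    ext_low, _ = parse_ports(external_start)
    map_low, map_high = parse_ports(map_to_port)
    ext_high = ext_low + (map_high - map_low)
    if ext_high > MAX_PORT:
        raise ValueError("external range would run past port 65535")
    return ext_low, ext_high


def mapped_port(external_port, external_start, map_to_port):
    """Return the destination port for one external port, or None."""
    ext_low, ext_high = external_range(external_start, map_to_port)
    if not ext_low <= external_port <= ext_high:
        return None
    return parse_ports(map_to_port)[0] + (external_port - ext_low)


def unapproved_ports(external_start, map_to_port, approved):
    """List external ports the VIP would open that are not in `approved`."""
    ext_low, ext_high = external_range(external_start, map_to_port)
    return [p for p in range(ext_low, ext_high + 1) if p not in approved]


if __name__ == "__main__":
    # Constructed sample: external port 443 entered, Map to Port 8443-8446.
    print(external_range(443, "8443-8446"))
    print(mapped_port(445, 443, "8443-8446"))
    print(unapproved_ports(443, "8443-8446", approved={443, 444}))
```

Running the check before saving a port-range virtual IP shows every external port the range adds, so the change can be compared against the ports that were actually approved for exposure.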