Your videos are great, I pick up so much from them. In this instance I use VIPs on a daily basis 👍🏻😬
Thanks for the kind words and awesome to hear!
Agreed. We're deploying some FortiGate firewalls (coming from Cisco ASAs), and his videos have helped me quite a bit!
It's so nice and cool, but can you do a video on the Group of the VIPs? No one talks about this.
In addition it seems that the groups are (for some reason) not displayed in the 'source' selector - and how to resolve this?
Nice vid!
Great video. Easy to understand. Thanks.
Nice video ;-) I want to create a VIP for two Active/Passive servers but the problem is the console of this App (Dollar Universe) works with specific 4170 port... Do you know how could I specify to my VIP that works with this port or redirect to this IP_servers:4170 ports???
Great video, helped me a ton, thank you
Hi Fortinet Guru.
I wanted to port forward a particular VM to access a particular application from outside for our users. Correct me if I'm wrong. In FortiGate VIP I give the external IP Address and the "Internal IP Address of the VM" with port number ext:20443 to internal 433? Hope I'm right?
You are correct Shaun
Yes, this is a nice video, but please make one needed video on how to configure IPS in a FortiGate firewall in FortiOS 6.2 30E step by step.
Thanks for this video!
Could you explain, is it possible on FortiGate (v.5.4.1) to do SNAT and DNAT simultaneously (I need to change the IP of the source and the IP of the destination at the same time) in one rule by combining IP Pools and VIPs?
Guru, do you know if there is way to make the virtual IP take the WAN IP, vs a static IP, so that my dynamic IP can be used with my DDNS provider? Where the WAN IP can be autolearned.
Hi, I was wondering if you could help me. I have 2 services running on a server, one running on port 18802, and one on port 22609. The first policy works fine, but the second one doesn't work, it says the port is closed. Do you have any ideas on what could be causing this?... Thanks
Sir, is it possible that you help me to set up a port forward for Kemp LoadMaster at was. I mean port forward the virtual IP, so Kemp LoadMaster can use the public IP address as a domain. And when we put that IP address in Cloudflare DNS it will go to that virtual IP inside the virtual network of the instant. I will pay for your service.
You can port forward to whatever you like. I have clients that have a VIP that translates to an "outside" interface of a KEMP load balancer.
How to whitelist only one IP address of an outside company to access only port 3306 on my server?
Thanks friend. Need help for my DVR. Got DSL modem on 192.168.1.1 subnet and it connects to Fortinet via WAN as 192.168.1.100 IP. Fortinet IP is 192.168.2.1. So my DVR local IP is 192.168.2.65 and I have to port forward ports 81 and 8001 for the DVR. How can I do that? I added 8001 and when I tried to add 81 it gives an error.
How to do port forwarding for SNMP ports 161 & 162?
I have an Oracle Cloud Public Ip I want it to communicate with my internal Network how can I solve this?
Just curious, is it static PAT in terms of Cisco? I mean, does this work when traffic goes from inside to outside?
VIPs are destination NAT. With parameters set they will be utilized when that device goes out as well. Fortinet uses the term "IP Pool" for their source NAT. Terminology is different between vendors but for the most part things operate the same.
So what is the difference between Virtual IP and Destination NAT?
Tomato / Tah-mah-toe
Hi, when I disable NAT it doesn't work. Any reason?
Your device (that is being NAT'd) have a default gateway etc? Usually, if turning off NAT stops traffic from coming in it is because the device does not know how to return packets.
Does it support 1 to many with round robin and tracking like LB? Thank you :)
FortiGates do have rudimentary load balancing capabilities via virtual / real servers.
Hi Guru, I have 6 usable IPs from my ISP. How can I use the other IPs for forwarding, which aren't on my WAN port?
If you have 6 usable IPs then your ISP routes them to your outside interface or to your router / modem. You just use VIPs to define them. You can use IP Pools to go out to the internet as those IPs as well.
How to do port forwarding with DynDNS?
I would love to know this as well.
Figured this out. Use the 0.0.0.0 IP for the external source and it will allow traffic from any outside source. Unless you know the IP address scheme that your ISP uses for the dynamic range then you can set a range for that. That might change with your ISP over time. The best way to go is to use the 0.0.0.0 IP.
Hey,
I want to route all traffic from one specific public IP to one of my customers' VDOMs. I tried "policy routes" already but didn't get it to work. Outgoing traffic is working, I have made it with a VDOM link. Do you have any idea? The policy on the customer's VDOM is already created, but not on the root one. Is it necessary?
Thanks !
How are the VDOMs connected? Do you have a root VDOM that passes all traffic to sub VDOMs or does each customer VDOM have direct internet connectivity?
@FortinetGuru Yes exactly, I have a root VDOM, which is the base (didn't know a different way) and it will route the traffic to the customer's VDOM. So the customer's VDOM has a policy which allows traffic to the VDOM link which is going to root. There is another policy which allows outgoing traffic to the "internet". This works. But incoming traffic did not work yet.
@FlorianZevedei Situations like that I normally route the external IP via VIP and standard "Internet to customer interface" policy for them. This policy would exist on the root VDOM and the client VDOM would just have policy to allow the translated traffic. You handle the DNAT and SNAT on the Root VDOM though.
@FortinetGuru OK, so you're not using "policy routes", right? Then I will try the different approach. I just wanted to "clean up" the root VDOM, because some stuff is in there which needs to be split up.
@FortinetGuru The question is, how did you manage that only connections to one IP of the IP circle get the policies to the customer's VDOM? That's the main issue at the moment.
Great video! I have 4 fixed public IPs, e.g. x.x.x.20 to 23/255.255.255.192. How can I map each public IP to 4 individual internal servers? I tried to set 4 VIPs and set up a policy but it still doesn't work. Appreciate your advice.
this is something that i was looking for for virtual servers when using one WAN link is easy but no one seems to know how to map two ISP when they are used