Fortigate 60 - mapping ports from a single public IP to multiple internal servers

caperionllc
We have a single public IP connected to the WAN interface of a Fortigate 60 running OS 3.0.  We have successfully mapped multiple select ports to any single server within the office using a Virtual IP static map definition combined with a policy to route the selected ports.

The problem is that we would like to map another, different set of ports to a second server (e.g. Server1 hosts email while Server2 is a Terminal Server). In creating a second Virtual IP definition we receive the error "A duplicate entry already exists".

Please help: how do you host multiple internal servers of different types behind a single public IP?
Go to Firewall | Virtual IP.
Edit the entry you already have for the first server. It sounds as if you do not have the Port Forwarding box checked. If that is the case, then that VIP is a 1-to-1 NAT/mapping. To convert this to just a port forward of specific ports, check the box and enter the external and internal ports (i.e., if you are hosting a web server, you would most likely want 80 in both boxes). You will need to create new VIPs in the same manner for as many services as you want to allow (check your policies to verify whether you are already allowing multiple services in through the original VIP).
You should now be able to create the other VIP for the 2nd server in exactly the same way and then create the policy for it as well.

Author commented:
Sounds logical... Is it possible to specify more than one port (not a straight range) within a single Virtual IP definition? Example: Server1 is an email server and needs ports 25, 110, 143, etc. forwarded, then Server2 is a web server that needs ports 80, 8080, 443, etc. forwarded.

Would I have to create a separate Virtual IP rule for each port forwarded to Server1?
I believe you need separate VIP entries for each service/port that isn't a range.  I would personally prefer to make separate entries even if it were possible to consolidate into 1 VIP entry because if you later wanted to split services off to different boxes, it is easier to pick out and modify the single entry for that particular service.
Kadoian Arman, IT consultant, commented:
I would like to explain my situation which is kind of similar:

Our company is upgrading its IT system, so we have a public IP address and 3 servers behind the firewall.

One server is a web server, the second server is Exchange, the third one is a DC. So I have configured my FortiGate based on this guide: http://cookbook.fortinet.com/port-forwarding/#comment-2856297771

So when someone surfs the web they will use port 80 and it is forwarded to the internal server's IP address, e.g. 192.168.1.2.
When someone sends mail they will use port 25 to our internal Exchange server, e.g. 192.168.1.3.

I've configured Exchange so we can use OWA to access the emails from outside, so I have to configure port 443 to Exchange.

My question is: is it possible to configure the firewall using VIPs so that the web server uses HTTPS, i.e. port 443, in the future and OWA on port 443 as well, to the same public IP address?
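The following is an added example, not code from the thread or from Fortinet: a small Python planner that builds the per-service VIP entries the answer above describes (one VIP per external port or range, each with port forwarding enabled, plus a policy restricted to that one service) and refuses the combinations the FortiGate itself rejects with "A duplicate entry already exists". It also answers the 443 question in the last comment: a VIP owns an external IP:port tuple, so 203.0.113.10:443 can be forwarded to the web server or to Exchange, not both. The addresses, interface names and VIP names are constructed; the emitted `config firewall vip` / `config firewall policy` keywords follow the FortiOS CLI syntax of later releases and are an assumption to be checked against the FortiOS 3.0 CLI reference before use.

```python
"""Plan FortiGate VIPs and policies for several servers behind one public IP,
rejecting combinations the FortiGate would report as duplicate entries.
Added example; CLI keyword names are assumed, not taken from the FortiOS 3.0 docs."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample values (RFC 5737 documentation address for the public side).
PUBLIC_IP = "203.0.113.10"
WAN_IF = "wan1"
LAN_IF = "internal"

PortRange = Tuple[int, int]  # inclusive (low, high); a single port is (p, p)


@dataclass(frozen=True)
class Vip:
    name: str
    mapped_ip: str
    service: str                        # predefined FortiGate service for the policy
    ports: Optional[PortRange] = None   # None = 1-to-1 NAT, no port forwarding
    ext_ip: str = PUBLIC_IP
    ext_intf: str = WAN_IF


class DuplicateVip(ValueError):
    """Raised where the FortiGate would say 'A duplicate entry already exists'."""


def _overlap(a: Optional[PortRange], b: Optional[PortRange]) -> bool:
    # A 1-to-1 entry (None) claims every port on its external IP.
    if a is None or b is None:
        return True
    return a[0] <= b[1] and b[0] <= a[1]


def check_conflicts(vips: List[Vip]) -> None:
    """Two VIPs may not claim the same external IP:port; raise on the first clash."""
    for i, x in enumerate(vips):
        for y in vips[i + 1:]:
            if x.ext_ip == y.ext_ip and _overlap(x.ports, y.ports):
                raise DuplicateVip(
                    f"{x.name} ({x.ports or 'ALL'}) and {y.name} ({y.ports or 'ALL'}) "
                    f"both claim {x.ext_ip}")


def conflict(vips: List[Vip]) -> Optional[str]:
    """Return the conflict message, or None when the set is accepted."""
    try:
        check_conflicts(vips)
        return None
    except DuplicateVip as exc:
        return str(exc)


def render_vip(v: Vip) -> str:
    lines = [f'    edit "{v.name}"',
             f'        set extintf "{v.ext_intf}"',
             f'        set extip {v.ext_ip}',
             f'        set mappedip {v.mapped_ip}']
    if v.ports is not None:
        lo, hi = v.ports
        rng = f"{lo}" if lo == hi else f"{lo}-{hi}"
        lines += ['        set portforward enable',
                  f'        set extport {rng}',
                  f'        set mappedport {rng}']
    lines.append('    next')
    return "\n".join(lines)


def render_config(vips: List[Vip]) -> str:
    """Emit the VIP table and one WAN->LAN policy per VIP, limited to its service."""
    check_conflicts(vips)
    out = ["config firewall vip"] + [render_vip(v) for v in vips] + ["end", "config firewall policy"]
    for n, v in enumerate(vips, start=1):
        out += [f"    edit {n}",
                f'        set srcintf "{v.ext_intf}"',
                f'        set dstintf "{LAN_IF}"',
                '        set srcaddr "all"',
                f'        set dstaddr "{v.name}"',
                '        set action accept',
                '        set schedule "always"',
                f'        set service "{v.service}"',
                '    next']
    out.append("end")
    return "\n".join(out)


# Constructed plan: mail on 192.168.1.3, web on 192.168.1.2, one VIP per port.
MAIL, WEB = "192.168.1.3", "192.168.1.2"
PLAN = [
    Vip("vip-smtp", MAIL, "SMTP", (25, 25)),
    Vip("vip-pop3", MAIL, "POP3", (110, 110)),
    Vip("vip-imap", MAIL, "IMAP", (143, 143)),
    Vip("vip-http", WEB, "HTTP", (80, 80)),
    Vip("vip-https", WEB, "HTTPS", (443, 443)),
]

if __name__ == "__main__":
    print(render_config(PLAN))
    # OWA on 443 to Exchange while 443 already goes to the web server: rejected.
    print(conflict(PLAN + [Vip("vip-owa", MAIL, "HTTPS", (443, 443))]))
    # A 1-to-1 VIP (no port forwarding) blocks every other VIP on that public IP.
    print(conflict([Vip("vip-mail-all", MAIL, "ANY")] + PLAN[3:]))
```

Two points the checker makes concrete: a VIP left as 1-to-1 NAT claims the whole public address, which is why the original second VIP was refused, and on a 1-to-1 VIP the policy's service field is the only thing limiting which internal ports are reachable, so each policy here is pinned to the single service its VIP forwards. Serving both the web server and OWA on 443 from one public IP needs something other than NAT, such as a second public address or a reverse proxy in front of both hosts that routes by hostname.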
