Using virtual IPs to configure port forwarding


This recipe demonstrates how to use Virtual IPs (VIPs) to configure port forwarding on a FortiGate unit. This configuration allows users on the Internet to connect to your server protected behind a FortiGate firewall, without knowing the server’s internal IP address and only through ports that you choose.

In this example, TCP ports 80 (HTTP), 21 (FTP), and 22 (SSH) are opened for remote users to communicate with a server behind the firewall. The external IP address used is and is mapped to by the VIP.


1. Creating three VIPs

Go to Policy & Objects > Virtual IPs > Create New > Virtual IP.

Enter the External IP Address/Range. Next, enter the Mapped IP Address/Range.

Enable Port Forwarding and add a VIP for TCP port 80, webserver-http.


Next, create a second VIP for TCP port 21, webserver-ftp.

Finally, create a third VIP for TCP port 22, webserver-ssh.

2. Adding VIPs to a VIP group

Go to Policy & Objects > Virtual IPs > Create New > Virtual IP Group.

Create a VIP group (in this example, webserver group). Under Members, include all three VIPs previously created.


3. Creating a security policy

Go to Policy & Objects > IPv4 Policy and create a security policy allowing access to a server behind the firewall.

Set Incoming Interface to your Internet-facing interface, Outgoing Interface to the interface connected to the server, and Destination Address to the VIP group (webserver group). Set Service to allow HTTP, FTP, and SSH traffic.

Use the appropriate Security Profiles to protect the servers.
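The CLI form of steps 1 to 3, as an added example that is not part of the original recipe. It shows that only the three chosen external ports are forwarded and that the policy's destination is the VIP group rather than the server's internal address. The IP addresses, the interface names wan1 and lan, the policy name and the IPS sensor are placeholders or assumptions; lines starting with # are annotations to leave out when pasting.

```fortios
# Placeholders (not from the recipe): 203.0.113.10 = external IP,
# 192.168.1.10 = server, wan1 = Internet-facing port, lan = server-side port.
config firewall vip
    edit "webserver-http"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.1.10"
        set extport 80
        set mappedport 80
    next
    edit "webserver-ftp"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.1.10"
        set extport 21
        set mappedport 21
    next
    edit "webserver-ssh"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.1.10"
        set extport 22
        set mappedport 22
    next
end
config firewall vipgrp
    edit "webserver group"
        set interface "wan1"
        set member "webserver-http" "webserver-ftp" "webserver-ssh"
    next
end
config firewall policy
    edit 0
        set name "inbound-webserver"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "webserver group"
        set action accept
        set schedule "always"
        set service "HTTP" "FTP" "SSH"
        # Security profile choice is an assumption; use what fits the server.
        set utm-status enable
        set ips-sensor "default"
    next
end
```

The VIP protocol defaults to TCP, so it is not set explicitly, and `edit 0` lets the FortiGate assign the next free policy ID.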


4. Results

To ensure that TCP port 80 is open, connect to the web server from a remote connection on the other side of the firewall.


Next, ensure that TCP port 21 is open by using an FTP client to connect to the FTP server from a remote connection on the other side of the firewall.

Finally, ensure that TCP port 22 is open by connecting to the SSH server from a remote connection on the other side of the firewall.


For further reading, check out Virtual IPs in the FortiOS 5.4 Handbook.

Judith Haney

Technical Writer at Fortinet
Judith Haney is a Technical Writer on the FortiOS technical documentation team. She graduated with honours from Algonquin College's Technical Writer program in September 2014. In a previous lifetime, Judith earned degrees in Mathematics (B.S.) and French literature (M.A.).
While this example maps port 80 to port 80, any valid External Service port can be mapped to any listening port on the destination computer.
If the FortiGate has Central NAT enabled, the VIP objects will not be available for selection in the policy editing window.
  • montstrid

    Hi, is there anything special to do when you have 2 WANs working and what you want to publish is using the second WAN, like a static route or something? And speaking of WAN2, the connection there is made as a bridge using a dynamic public IP. Thank you in advance.

    • Kerrie Newton


      To give WAN2 preference you will have to configure distance for WAN2 to be a smaller number than WAN1. Note: if you have any policy route configured, that will take the preference.


  • Ferryanto Pakpahan

    It's not working for me… the page goes to the FortiGate login page…
