FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
When setting up a Virtual IP on the FortiGate for a mail server, there can be issues with mail being sent outbound through the firewall when NAT is configured.
If you have a port translation on your external mail server IP address rather than full port translation, the mail coming back out will have the NAT translation of the firewall rather than the desired Virtual IP.
Scope
FortiGate units running FortiOS 2.8 or FortiOS 3.0
Solution
To enable proper address translation using the virtual IP, use an IP Pool.
First, create an address entry for the email server.
To create an address
Go to Firewall> Address.
Select Create New.
Add the IP for the email server with a netmask of 255.255.255.255.
Select OK.
Next, create an IP Pool with the email server address.
To create an IP Pool
In FortiOS 2.8, go to Firewall> IP Pool. In FortiOS 3.0, go to Firewall> Virtual IP> IP Pool.
Select Create New.
Enter a name for the IP Pool.
Set the interface to the external interface of the FortiGate unit.
Enter the IP address range. In this case, it will be a single address of the email server. Do not include the netmask.
Select OK.
Create a firewall policy for this NAT translation.
To create a firewall policy
Go to Firewall> Policy.
Select Create New and complete the following:
Source
Internal
Address Name
The address created for the mail server.
Destination
All
Address Name
All
Schedule
Always
Service
SMTP
Action
Accept
Select the NAT Checkbox and select Dynamic IP Pool.
Select the IP Pool you created from the drop-down list.
Select OK.
Ensure that the new rule is listed BEFORE the Internal to External Allow Any Rule for normal traffic to ensure that the FortiGate unit translates the email traffic before the normal Internet traffic.
See also the related article "How do I configure a Virtual IP?"
