FortiGate
omontanez
Staff
Article Id 194521
Description
This article explains how to configure a VIP using a loopback interface.

Scope
FortiOS v5.2

Solution
This article gives the configuration steps for a scenario in which an internal host (10.10.10.2) is reached through a VIP whose external IP is the address of a loopback interface, so that the same external IP can be used from several incoming interfaces and subnets (wan1, wan2, a VPN tunnel) without defining one VIP per interface.

Scenario

                    loopback "testl0" 172.16.33.1 (= VIP external IP)
                              |
    internal (10.10.10.2)     |           wan1 / wan2 / vpn
    --------------------- FortiGate ---------------------------

Traffic arriving on wan1, wan2 or the VPN for 172.16.33.1 is first allowed to the loopback interface; a second policy from the loopback to "internal" carries the VIP, which maps 172.16.33.1 to 10.10.10.2.

1) Add a loopback interface. The address is a /32; "allowaccess" enables management services on this IP, so keep only what is needed, as this is the address that will be exposed externally as the VIP.
config system interface
    edit "testl0"
        set vdom "root"
        set ip 172.16.33.1 255.255.255.255  (IP_loopback)
        set allowaccess ping https ssh http
        set type loopback
        set snmp-index 10
    next
end

The policy in step 3 refers to the loopback IP by the address object name "IP_loopback", so that object must exist (this step is implied by the original article but not listed there):
config firewall address
    edit "IP_loopback"
        set subnet 172.16.33.1 255.255.255.255
    next
end

2) Add a VIP.
config firewall vip
    edit "test_VIP"
        set extip 172.16.33.1        (External IP)
        set extintf "any"
        set mappedip "10.10.10.2"    (Internal IP)
    next
end

3) Create a firewall policy to permit traffic from the incoming interface (wan2 in this example) to the loopback interface, with the loopback address as destination. Repeat this policy for each incoming interface that should reach the VIP (wan1, the VPN interface).
config firewall policy
    edit 0    (0 = next free policy ID; IDs must be integers)
        set srcintf "wan2"
        set dstintf "testl0"
        set srcaddr "all"
        set dstaddr "IP_loopback"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
end

4) Create a firewall policy to permit traffic from the loopback interface to the outgoing interface, with the VIP as destination address. Because the destination is the VIP object, this policy performs the DNAT from 172.16.33.1 to 10.10.10.2. Only one such policy is needed regardless of how many incoming interfaces were covered in step 3.
config firewall policy
    edit 0    (0 = next free policy ID; IDs must be integers)
        set srcintf "testl0"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "test_VIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
end

Both policies are shown with srcaddr "all" and service "ALL" for clarity; restrict the source addresses and services to what the mapped server actually needs. To confirm the path, sniff for the loopback IP while a client connects, e.g. "diagnose sniffer packet any 'host 172.16.33.1' 4", and check that the packet is seen on the incoming interface, on testl0 and then on internal with the destination rewritten to 10.10.10.2.
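The four steps reference each other by name (the loopback interface, the address object, the VIP), and a typo in any of those names produces a policy that silently never matches. The following Python script is an added example, not part of the original article or a Fortinet tool: it parses a flat FortiOS CLI transcript into tables and reports dangling references. The sample configuration embedded in it is constructed from the steps above, with two deliberate mismatches (a dstintf "loopback" where the interface is actually named "testl0", and a dstaddr "VIP" where the VIP object is named "test_VIP"); "wan2" and "internal" are assumed physical ports of a hypothetical unit and are passed in as known interfaces.

```python
import shlex
from collections import defaultdict

# Constructed sample: the article's steps as one CLI transcript, with two
# deliberate reference mismatches (dstintf "loopback", dstaddr "VIP").
SAMPLE_CONFIG = """
config system interface
    edit "testl0"
        set ip 172.16.33.1 255.255.255.255
        set type loopback
    next
end
config firewall address
    edit "IP_loopback"
        set subnet 172.16.33.1 255.255.255.255
    next
end
config firewall vip
    edit "test_VIP"
        set extip 172.16.33.1
        set extintf "any"
        set mappedip "10.10.10.2"
    next
end
config firewall policy
    edit 1
        set srcintf "wan2"
        set dstintf "loopback"
        set srcaddr "all"
        set dstaddr "IP_loopback"
    next
    edit 2
        set srcintf "testl0"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP"
    next
end
"""


def parse_fortios(text):
    """Parse flat config/edit/set/next/end blocks into
    {table: {entry: {setting: [values]}}}. Sub-tables nested inside an
    entry are not tracked; the article's snippet has none."""
    tables = defaultdict(dict)
    stack, entry = [], None          # stack of open "config" table names
    for raw in text.splitlines():
        tokens = shlex.split(raw)    # also strips the quotes around names
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            stack.append(" ".join(tokens[1:]))
        elif kw == "edit":
            entry = tokens[1]
            tables[stack[-1]].setdefault(entry, {})
        elif kw == "set":
            tables[stack[-1]][entry].setdefault(tokens[1], []).extend(tokens[2:])
        elif kw == "next":
            entry = None
        elif kw == "end":
            stack.pop()
    return tables


def check_references(tables, physical=()):
    """Return a list of problems: policies naming interfaces, address objects
    or VIPs that are not defined, non-integer policy IDs, and VIPs whose
    extip is not the address of a loopback interface. `physical` lists
    interfaces assumed to exist on the unit but absent from the snippet."""
    problems = []
    ifaces = tables.get("system interface", {})
    interfaces = set(ifaces) | set(physical) | {"any"}
    addresses = set(tables.get("firewall address", {})) | {"all"}
    vips = tables.get("firewall vip", {})
    loopback_ips = {s["ip"][0] for s in ifaces.values()
                    if s.get("type") == ["loopback"] and "ip" in s}
    for name, s in vips.items():
        extip = s.get("extip", ["?"])[0]
        if extip not in loopback_ips:
            problems.append(f"vip {name}: extip {extip} is not a loopback interface address")
    for pid, s in tables.get("firewall policy", {}).items():
        if not pid.isdigit():
            problems.append(f"policy {pid}: policy IDs must be integers")
        for key in ("srcintf", "dstintf"):
            for intf in s.get(key, []):
                if intf not in interfaces:
                    problems.append(f"policy {pid}: {key} {intf!r} is not a configured interface")
        for key in ("srcaddr", "dstaddr"):
            for addr in s.get(key, []):
                if addr not in addresses and addr not in vips:
                    problems.append(f"policy {pid}: {key} {addr!r} is neither an address object nor a VIP")
    return problems


if __name__ == "__main__":
    known = ("wan2", "internal")
    for p in check_references(parse_fortios(SAMPLE_CONFIG), physical=known):
        print(p)
    fixed = SAMPLE_CONFIG.replace('"loopback"', '"testl0"').replace('"VIP"', '"test_VIP"')
    print("problems after fixing names:", check_references(parse_fortios(fixed), physical=known))
```

Run it against the text you are about to paste into the CLI (or against the output of "show full-configuration" for the relevant tables); on the sample it reports the two bad references, and after renaming them to "testl0" and "test_VIP" it reports nothing. The VIP check is specific to this design: the VIP's extip must be the loopback's own address, otherwise the policy from the loopback to "internal" never sees the traffic.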
