FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kwcheng__FTNT
Article Id 308999
Description This article describes the behavior of the FortiGate when redundant VIPs are detected.
Scope FortiGate.
Solution

When two or more VIP objects match the same inbound traffic (redundant VIPs), FortiOS evaluates them in configuration order and applies only the first matching object, the one highest in the list. VIP objects further down the list are never consulted for that traffic.

For example:

(Screenshot: VIP configuration.png)

In the example above, VIP1 and VIP2 are configured identically except for the external (listening) interface: VIP1 is bound to 'any' and VIP2 to 'port1'.

10.47.1.180 is an address on the external interface port1, so both VIPs are valid configurations.

From the FortiGate's perspective, however, once a packet has matched one VIP object there is no reason to evaluate another.

A connection to 10.47.1.180:4444, as above, therefore hits VIP1 because it is at the top of the list. This is the default behavior of FortiOS. The GUI may not offer a way to reorder VIP objects, but the order of the objects in the configuration does determine which one is matched.

(Screenshot: VIP1 test.png)

If VIP2 must be the object that is matched, there are only two options:

  1. Delete VIP1.
  2. Move VIP2 above VIP1 from the CLI:

    config firewall vip
        move VIP2 before VIP1
    end

 

Once VIP2 is above VIP1, it is matched by every new session to 10.47.1.180:4444 arriving on port1. Sessions already in the session table keep the VIP they matched originally, so test with a new connection rather than an existing one:

 
(Screenshot: VIP2 test.png)
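
As an added example (not part of the original article and not Fortinet code), the following Python script works through both the matching rule described above and the reorder procedure: it parses a 'config firewall vip' block in the FortiOS CLI text format, reports VIP objects that are shadowed by an earlier object in the list, simulates which VIP a new session will match in configuration order, and emits the 'move' command that changes the order. The configuration block is constructed for this example: the object names and 10.47.1.180:4444 follow the article, while the mapped address 192.168.1.10 and the second interface name port2 are assumed. It goes beyond the article's single case by treating VIPs bound to different interfaces and VIPs without port forwarding.

```python
"""Detect shadowed FortiGate VIP objects and simulate first-match VIP selection.

The configuration text below is constructed for this example (not a real
FortiGate export). Object names and 10.47.1.180:4444 follow the article;
the mapped address 192.168.1.10 is assumed.
"""
import re
from dataclasses import dataclass

SAMPLE_CONFIG = """\
config firewall vip
    edit "VIP1"
        set extip 10.47.1.180
        set extintf "any"
        set portforward enable
        set mappedip "192.168.1.10"
        set extport 4444
        set mappedport 4444
    next
    edit "VIP2"
        set extip 10.47.1.180
        set extintf "port1"
        set portforward enable
        set mappedip "192.168.1.10"
        set extport 4444
        set mappedport 4444
    next
end
"""


@dataclass
class Vip:
    name: str
    extip: str = ""
    extintf: str = "any"
    protocol: str = "tcp"      # FortiOS default when 'set protocol' is absent
    portforward: bool = False
    extport: str = ""
    mappedip: str = ""
    mappedport: str = ""

    def key(self):
        """Fields that decide whether an inbound packet is translated by this VIP."""
        return (self.extip, self.protocol, self.extport if self.portforward else "*")


def parse_vips(text):
    """Parse the 'config firewall vip' block, preserving configuration order."""
    vips, cur, in_block = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall vip":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = re.match(r'edit "(.+)"$', line)
        if m:
            cur = Vip(name=m.group(1))
            vips.append(cur)
            continue
        m = re.match(r'set (\S+) (.+)$', line)
        if m and cur is not None:
            k, v = m.group(1), m.group(2).strip('"')
            if k == "portforward":
                cur.portforward = (v == "enable")
            elif hasattr(cur, k):
                setattr(cur, k, v)
    return vips


def find_shadowed(vips):
    """Return (earlier, later) name pairs where 'later' can never be matched.

    A later VIP is shadowed when an earlier one has the same match key and
    listens on 'any' or on the same interface.
    """
    pairs = []
    for i, later in enumerate(vips):
        for earlier in vips[:i]:
            if earlier.key() == later.key() and earlier.extintf in ("any", later.extintf):
                pairs.append((earlier.name, later.name))
                break
    return pairs


def match_vip(vips, dst_ip, dst_port, proto="tcp", ingress="port1"):
    """First VIP in configuration order that translates a new session, or None."""
    for v in vips:
        if v.extip != dst_ip or v.protocol != proto:
            continue
        if v.extintf not in ("any", ingress):
            continue
        if v.portforward and v.extport != str(dst_port):
            continue
        return v.name
    return None


def move_before(vips, name, before):
    """Reorder the list as 'move <name> before <before>' does; return the CLI to apply."""
    v = next(x for x in vips if x.name == name)
    vips.remove(v)
    vips.insert(next(i for i, x in enumerate(vips) if x.name == before), v)
    return f"config firewall vip\n    move {name} before {before}\nend"


if __name__ == "__main__":
    vips = parse_vips(SAMPLE_CONFIG)
    print("shadowed:", find_shadowed(vips))                     # [('VIP1', 'VIP2')]
    print("port1 -> ", match_vip(vips, "10.47.1.180", 4444))   # VIP1 (top of the list)
    print(move_before(vips, "VIP2", "VIP1"))
    print("port1 -> ", match_vip(vips, "10.47.1.180", 4444))   # VIP2 after the move
    print("port2 -> ", match_vip(vips, "10.47.1.180", 4444, ingress="port2"))  # VIP1 ('any')
```

The last call shows why the note below tells you to keep the 'any' VIP when the service must also be reachable from other interfaces: after the move, a session arriving on port2 (hairpin traffic) skips VIP2 and still lands on VIP1. Run the script against a real 'show firewall vip' export to list shadowed objects before deleting or reordering anything.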

Important Notes (referring to the example given above):

  • This is not a bug. It is the expected behavior of FortiOS.
  • Always check why a redundant VIP object exists, and whether the VIP is required on interfaces other than 'port1' (for example, hairpin NAT for internal hosts that reach the service by its external address). If so, keep the VIP bound to 'any' and remove the VIP bound to 'port1', which no longer serves any purpose.
  • Also check which firewall policies reference each VIP object. Policy lookup is performed against the VIP object that actually translated the packet, so a policy that lists only the shadowed VIP as its destination is never matched by that traffic.