How to make port forwarding or Static NAT on Fortigate

This is a repost of a post from an old blog, made on December 28, 2011, that used to be on:

http://adminramble.com/fortigate-port-forwarding/

Original post:

On FortiGate devices, Static NAT or Port Forwarding is configured through the Virtual IP feature.

To map a port on an outside address to an internal IP you need to do two things:

  • Create a Virtual IP entry
  • Create a firewall policy for the Virtual IP to allow traffic into the network

HOW TO CREATE A VIRTUAL IP ENTRY THROUGH WEB INTERFACE ON FORTIGATE:
  • Go to Firewall > Virtual IP > Virtual IP
  • Click on Create New and make a new VIP, e.g. 10.10.10.10_rdp
  • Select the external interface on which you will be receiving traffic, e.g. wan1
  • If not already set, set Type to Static NAT and put in an external address (you can either use one of the public addresses given to you by your ISP or, if you have a dynamic or a single IP address, leave 0.0.0.0 as the external address)
  • Set the mapped IP address, in this case 10.10.10.10, and tick Port Forwarding
  • Select TCP and under External Service Port put the port on which you are listening, e.g. 3389 for Remote Desktop access
  • Under Map to Port put the service port on the inside address, e.g. 3389 if you're using standard RDP access, and press OK to create the Virtual IP

HOW TO CREATE FIREWALL POLICY FOR VIRTUAL IP ON FORTIGATE:
  • Go to Firewall > Policy > Policy and select Create New
  • Set Source Interface/Zone to the listening interface, e.g. wan1
  • Set Source Address to all, and Destination Interface to the interface connected to the mapped IP's network, e.g. internal
  • Set Destination Address to the Virtual IP name, e.g. 10.10.10.10_rdp
  • Leave Schedule as always (unless you only want the service to be accessible at certain times), Service as ANY and Action as ACCEPT
  • Click OK to create the firewall policy
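The same two objects as FortiGate CLI commands, added here as an illustration and not part of the original post; it assumes the FortiOS CLI syntax of the config firewall vip and config firewall policy trees and reuses the interface names, address and port from the steps above.

```fortios
# Added example (not from the original post): CLI equivalent of the
# Virtual IP and firewall policy created in the GUI walkthrough above.
config firewall vip
    edit "10.10.10.10_rdp"
        set extintf "wan1"
        # 0.0.0.0 means the address of the external interface itself is used
        set extip 0.0.0.0
        set mappedip "10.10.10.10"
        set portforward enable
        set protocol tcp
        set extport 3389
        set mappedport 3389
    next
end

config firewall policy
    # edit 0 lets FortiOS assign the next free policy ID
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "10.10.10.10_rdp"
        set action accept
        set schedule "always"
        # "ALL" is the CLI name of the service the GUI shows as ANY. Using the
        # predefined "RDP" service (TCP/3389) and a narrower srcaddr instead
        # limits what the policy exposes to the outside.
        set service "ALL"
    next
end
```

Because the policy's destination is a VIP object, the destination NAT is performed by the VIP itself; no NAT option needs to be enabled on the policy.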
