
Connect Fortigate Firewall to Web Server (VIP Port Forwarding)

This guide demonstrates a real-world scenario of connecting a Fortigate firewall to a web server. Specifically, we will perform VIP (Virtual IP) port forwarding to redirect traffic from the WAN interface to an internal web server (running on a Raspberry Pi).

Part 1: Lab Setup and Prerequisites

In this scenario, we are using a Fortigate 60E firewall. The goal is to configure a Virtual IP with port forwarding to allow external access via WAN1 to an internal web server connected to LAN2.

1. Addressing Port Conflicts

Before beginning, make sure the ports used by the management interface do not collide with the services you intend to forward. In this lab, administrative HTTPS access is enabled on the WAN port. To avoid a conflict with the forwarded web server traffic, confirm that the admin HTTP-to-HTTPS redirect is not listening on port 80, otherwise the firewall's own GUI will claim that port before the VIP can.

It is generally recommended to change the admin settings to use HTTPS only, or specific custom ports, leaving Port 80 free for the Virtual IP forwarding.

2. Identify the Internal Server IP

First, we need to determine the IP address assigned to the internal web server. You can do this through the Fortigate dashboard.

Navigate to Network > DHCP or use the DHCP monitor widget on the dashboard. Locate the device (Raspberry Pi 5) and note its IP address.

Server Internal IP: 192.168.1.x (Example used: 192.168.1.10)

Part 2: Creating the Virtual IP (VIP) Object

The core of port forwarding on a Fortigate is the Virtual IP object. This object defines how traffic hitting the WAN interface is translated to the internal network.

1. Configure the VIP

Navigate to Policy & Objects > Virtual IPs and click Create New. Set the Interface to WAN1, the External IP to the WAN address, and the Mapped IP to the server's internal address noted above (192.168.1.10).

2. Enable Port Forwarding

To forward only specific traffic (like HTTP), enable the Port Forwarding toggle and set both the External and Mapped ports to 80.

Note: If you instead create a VIP for all protocols (Port Forwarding disabled) using the WAN interface's own IP address, every packet sent to that address, including your admin HTTPS sessions, is handed to the internal server, and you risk losing administrative access to the firewall itself.

Part 3: Creating the Firewall Policy

A Virtual IP object alone does not allow traffic to pass; you must create a firewall policy to permit the flow.

1. Configure the Policy

Navigate to Policy & Objects > Firewall Policy and click Create New. Set the Incoming Interface to WAN1, the Outgoing Interface to LAN2, the Destination to the VIP object created in Part 2, the Service to HTTP, and the Action to ACCEPT.

Part 4: Testing and Advanced Configuration

1. Verifying the Connection

Once the policy is saved, open a web browser on an external device. Navigate to the WAN IP address (e.g., http://10.60.80.101). If configured correctly, the request will be forwarded to the internal Raspberry Pi, and you will see the web server's welcome page.

2. Scenario: Full 1-to-1 NAT (Static IP Mapping)

If you have multiple public IP addresses available, you may want to map a specific secondary IP directly to an internal server for all ports, allowing services like SSH, HTTPS, and HTTP simultaneously without defining individual ports.

To do this, create a new Virtual IP using a secondary WAN IP address (e.g., ending in .123):

External IP: 10.60.80.123
Mapped IP:   192.168.1.10
Port Forwarding: Disabled (Maps all ports)

By saving this and updating the firewall policy (or creating a new one) to use this new VIP object, you can access the server using the secondary IP address. This effectively makes the internal device appear as if it is directly on the internet with that specific public IP.

Pro Tip: While you can filter source IPs and services directly inside the VIP object, it is generally cleaner to keep the VIP definition simple (IP to IP) and do the filtering (restricting source IPs, allowing only specific services) in the Firewall Policy list. That way the policy table gives you a single "bird's eye view" of what is exposed and to whom.
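For reference, the same configuration expressed on the FortiOS CLI. This is an added example, not taken from the guide: the interface names (wan1, lan2), VIP object names and policy name are assumptions, while the addresses are the guide's example values.

```fortios
# Added example (not from the guide): FortiOS CLI form of the GUI steps above.
# Assumed names: interfaces "wan1"/"lan2", VIP objects "vip_web_http" and
# "vip_web_1to1", policy name "WAN_to_Pi_HTTP". Addresses are the guide's.
# Part 1: keep TCP/80 free on the WAN side. Admin HTTPS stays on 443 and the
# HTTP-to-HTTPS admin redirect is disabled so the GUI never claims port 80.
config system global
    set admin-sport 443
    set admin-https-redirect disable
end

# Part 2: VIP that forwards only TCP/80 on the WAN address to the Pi.
config firewall vip
    edit "vip_web_http"
        set extintf "wan1"
        set extip 10.60.80.101
        set mappedip "192.168.1.10"
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
end

# Part 3: policy permitting WAN -> LAN2 traffic to the VIP object only.
# Destination is the VIP, not the internal address; nat stays disabled so
# the web server logs see real client IPs. Source/service filtering lives here.
config firewall policy
    edit 0
        set name "WAN_to_Pi_HTTP"
        set srcintf "wan1"
        set dstintf "lan2"
        set srcaddr "all"
        set dstaddr "vip_web_http"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
    next
end

# Part 4, scenario 2: 1-to-1 static NAT on the secondary WAN IP (all ports).
# Pair it with a policy like the one above using this VIP and service "ALL".
config firewall vip
    edit "vip_web_1to1"
        set extintf "wan1"
        set extip 10.60.80.123
        set mappedip "192.168.1.10"
        set portforward disable
    next
end
```

After applying it, `diagnose sniffer packet any 'host 192.168.1.10 and port 80' 4` on the firewall shows whether the forwarded requests actually reach the Pi.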
