QuentinR
New Contributor

FortiGate - Multiple VIP with same port forward and IP

I have an on-premises Microsoft Exchange email server on my LAN behind a FortiGate 51E and I also have a SonicWall Virtual Email Security Appliance on the LAN.


Currently there are 2 VIPs that are port forwarding port 25 and 587 to my SonicWall Virtual Email Security Appliance. There is also an IPv4 Policy allowing this traffic from any source address.


I want to create 2 more VIPs that would port forward port 25 and 587 to my Microsoft Exchange email server, using the same public-facing WAN IP address as my other 2 VIPs that are going to the SonicWall Virtual Email Security Appliance. However, I have an IPv4 Policy that is looking for specific source IP addresses that would allow the traffic to the 2 new VIPs that I want to create.


Essentially, I want specific traffic coming in on port 25 and 587 to go to my Microsoft Exchange email server, and all other traffic coming in on port 25 and 587 to go to my SonicWall Virtual Email Security Appliance. These would both be using the same WAN IP address.


Is there a way I can do this? From what I have researched it is not possible unless I use a separate WAN IP address, but since there's an IPv4 Policy in place, wouldn't the FortiGate know which VIP to use? When I try to create the new VIPs I get the error "A duplicate entry already exists."
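The behaviour behind that error can be shown with a small model of the FortiGate packet path. This is an added illustration, not the poster's configuration or Fortinet code: it assumes (as FortiOS does) that a VIP is selected by the packet's destination interface, IP and port before the IPv4 policy is evaluated, so the source-based policy never gets a chance to pick between two VIPs on the same WAN IP and port. All addresses, VIP names and policy names are constructed for the example; the second-WAN-IP variant at the end is the workaround the poster mentions.

```python
"""
Constructed model of FortiGate VIP (port-forward / DNAT) selection followed
by IPv4 policy lookup.  The VIP table is keyed on extintf/extip/extport only,
so the packet's source address cannot influence which VIP is chosen, and a
second VIP with the same key collides ("A duplicate entry already exists.").
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Vip:
    name: str
    extintf: str
    extip: str
    extport: int
    mappedip: str
    mappedport: int


@dataclass(frozen=True)
class Policy:
    name: str
    srcaddr: str   # CIDR; "0.0.0.0/0" stands for the "all" address object
    dstvip: str    # name of the VIP object the policy references
    action: str    # "accept" or "deny"


class VipTable:
    """Mimics FortiOS rejecting a second VIP with the same external key."""

    def __init__(self):
        self._by_key = {}

    def add(self, vip):
        key = (vip.extintf, vip.extip, vip.extport)
        if key in self._by_key:
            raise ValueError("A duplicate entry already exists.")
        self._by_key[key] = vip

    def lookup(self, intf, dst_ip, dst_port):
        # Destination-only match: the source address plays no role here.
        return self._by_key.get((intf, dst_ip, dst_port))


def forward(vips, policies, intf, src_ip, dst_ip, dst_port):
    """Return (mapped_ip, mapped_port, policy_name) for an accepted packet,
    or None when no VIP matches or no accept policy matches.
    Step 1 (DNAT) picks the VIP from the destination tuple alone;
    step 2 (policy) is the first policy whose source range and VIP match."""
    vip = vips.lookup(intf, dst_ip, dst_port)
    if vip is None:
        return None
    for pol in policies:
        if pol.dstvip == vip.name and ip_address(src_ip) in ip_network(pol.srcaddr):
            return (vip.mappedip, vip.mappedport, pol.name) if pol.action == "accept" else None
    return None  # implicit deny


# Constructed addresses (RFC 5737 documentation ranges on the public side).
WAN_IP = "203.0.113.10"
WAN_IP_2 = "203.0.113.11"          # second public IP used in the workaround
SONICWALL = "192.168.1.20"
EXCHANGE = "192.168.1.30"
TRUSTED_SRC = "198.51.100.0/24"    # the "specific source" that should reach Exchange


def build_existing_config():
    """Current state: two VIPs on one WAN IP, open to any source."""
    vips = VipTable()
    vips.add(Vip("SonicWall_SMTP", "wan1", WAN_IP, 25, SONICWALL, 25))
    vips.add(Vip("SonicWall_Submission", "wan1", WAN_IP, 587, SONICWALL, 587))
    policies = [
        Policy("allow_any_to_sonicwall_25", "0.0.0.0/0", "SonicWall_SMTP", "accept"),
        Policy("allow_any_to_sonicwall_587", "0.0.0.0/0", "SonicWall_Submission", "accept"),
    ]
    return vips, policies


def duplicate_vip_error():
    """Reproduce the error seen when adding a third VIP on the same IP/port."""
    vips, _ = build_existing_config()
    try:
        vips.add(Vip("Exchange_SMTP", "wan1", WAN_IP, 25, EXCHANGE, 25))
    except ValueError as err:
        return str(err)
    return None


def build_two_wan_ip_config():
    """Workaround: a second WAN IP gives Exchange its own VIP key, and a
    source-restricted policy then limits who may reach it."""
    vips, policies = build_existing_config()
    vips.add(Vip("Exchange_SMTP", "wan1", WAN_IP_2, 25, EXCHANGE, 25))
    policies.insert(0, Policy("allow_trusted_to_exchange", TRUSTED_SRC, "Exchange_SMTP", "accept"))
    return vips, policies


if __name__ == "__main__":
    print(duplicate_vip_error())
    vips, policies = build_two_wan_ip_config()
    print(forward(vips, policies, "wan1", "198.51.100.5", WAN_IP, 25))    # still SonicWall
    print(forward(vips, policies, "wan1", "198.51.100.5", WAN_IP_2, 25))  # Exchange
    print(forward(vips, policies, "wan1", "192.0.2.9", WAN_IP_2, 25))     # dropped
```

The last three lines are the practical point: a trusted source that still connects to the original WAN IP lands on the SonicWall, because DNAT never looks at the source; only the separate WAN IP lets the source-restricted policy apply, and an untrusted sender to that second IP is dropped rather than redirected.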

2 REPLIES
orani
Contributor II

You cannot do that. You have to use another VIP.


No device can know by itself the "kind" of traffic. The kind of traffic is specified by the port. Different kinds of traffic should use different ports. E.g., port 25 is SMTP; it shouldn't be used for HTTP, for example.


When you say specific traffic, do you mean from a specific source? You might be able to configure that through the SonicWall appliance, but I am not sure. With all vendors, you cannot do port forwarding from the same IP and port to different destinations. It is not logically right.


You might be able to do what you are trying by using policy routes.

Orestis Nikolaidis

Network Engineer/IT Administrator

FortiUserX

Such needs can be achieved through an ADC, not an NGFW.

An ADC can match on more than the port number (URI, host name, etc.).
