Firewall Virtual IP
Configuring virtual IPs
FortiGate Version 4.0 Administration Guide
01-400-89802-20090424
To configure a virtual IP
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Configure the virtual IP by entering the virtual IP address, if any, that will be bound to
the network interface, and selecting the mapping type and mapped IP address(es)
and/or port(s). For configuration examples of each type, see:
• “Adding a static NAT virtual IP for a single IP address” on page 372
• “Adding a static NAT virtual IP for an IP address range” on page 373
• “Adding static NAT port forwarding for a single IP address and a single port” on
• “Adding static NAT port forwarding for an IP address range and a port range” on
• “Adding dynamic virtual IPs” on page 378
• “Adding a virtual IP with port translation only” on page 379
Protocol
Select the protocol of the forwarded packets.
This option appears only if Port Forwarding is enabled.
External Service Port
Enter the external interface port number for which you want to configure port
forwarding.
This option appears only if Port Forwarding is enabled.
Map to Port
Enter the port number on the destination network to which the external port
number is mapped.
You can also enter a port number range to forward packets to multiple ports on
the destination network.
For a virtual IP with static NAT, if you add a map to port range the FortiGate unit
calculates the external port number range and adds the port number range to
the External Service port field.
This option appears only if Port Forwarding is enabled.
SSL Offloading
Select to accelerate clients’ SSL connections to the server by using the
FortiGate unit to perform SSL operations, then select which segments of the
connection will receive SSL offloading.
• Client <-> FortiGate
Select to apply hardware accelerated SSL only to the part of the connection
between the client and the FortiGate unit. The segment between the
FortiGate unit and the server will use clear text communications. This
results in best performance, but cannot be used in failover configurations
where the failover path does not have an SSL accelerator.
• Client <-> FortiGate <-> Server
Select to apply hardware accelerated SSL to both parts of the connection:
the segment between client and the FortiGate unit, and the segment
between the FortiGate unit and the server. The segment between the
FortiGate unit and the server will use encrypted communications, but the
handshakes will be abbreviated. This results in performance which is less
than the other option, but still improved over communications without SSL
acceleration, and can be used in failover configurations where the failover
path does not have an SSL accelerator. If the server is already configured
to use SSL, this also enables SSL acceleration without requiring changes to
the server’s configuration.
SSL 3.0, TLS 1.0, and TLS 1.1 are supported.
This option appears only if Port Forwarding is selected, and only on FortiGate
models whose hardware supports SSL acceleration, such as FortiGate-3600A.
Note: Additional SSL Offloading options are available in the CLI. For details,
see the
Certificate
Select which SSL certificate to use with SSL Offloading.
This option appears only if Port Forwarding is selected, and is available only if
SSL Offloading is selected.
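The Map to Port range behaviour described above, as an added example that is not part of the original guide or Fortinet code: a small Python model that derives the external port range from a Map to Port range and shows which internal address and port each external destination reaches, which is useful when reviewing what a range-based virtual IP exposes. The in-order, one-to-one offset mapping and every address and port value are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class PortForwardVip:
    """Constructed model of a static NAT port-forwarding virtual IP."""
    ext_ip: str              # first external IP address
    mapped_ip_first: str     # mapped IP address range
    mapped_ip_last: str
    ext_port: int            # first External Service Port
    mapped_port_first: int   # Map to Port range
    mapped_port_last: int

    def __post_init__(self):
        if IPv4Address(self.mapped_ip_last) < IPv4Address(self.mapped_ip_first):
            raise ValueError("mapped IP range is reversed")
        if not 1 <= self.mapped_port_first <= self.mapped_port_last <= 65535:
            raise ValueError("invalid Map to Port range")
        if self.ext_port < 1 or self.external_ports()[1] > 65535:
            raise ValueError("external port range would exceed 65535")

    def external_ports(self):
        """External range has the same length as the Map to Port range."""
        span = self.mapped_port_last - self.mapped_port_first
        return self.ext_port, self.ext_port + span

    def external_ips(self):
        first = IPv4Address(self.ext_ip)
        span = int(IPv4Address(self.mapped_ip_last)) - int(IPv4Address(self.mapped_ip_first))
        return first, first + span

    def translate(self, dst_ip, dst_port):
        """Return (mapped_ip, mapped_port), or None if the VIP does not match.

        Assumption: the n-th external address/port maps to the n-th mapped one.
        """
        ip = IPv4Address(dst_ip)
        ip_lo, ip_hi = self.external_ips()
        port_lo, port_hi = self.external_ports()
        if not (ip_lo <= ip <= ip_hi and port_lo <= dst_port <= port_hi):
            return None
        mapped_ip = IPv4Address(self.mapped_ip_first) + (int(ip) - int(ip_lo))
        return str(mapped_ip), self.mapped_port_first + (dst_port - port_lo)


# Constructed sample values (documentation and private ranges, not from the guide).
vip = PortForwardVip("192.0.2.10", "10.10.10.42", "10.10.10.44", 8080, 80, 83)
```

Every external address and port inside the calculated ranges reaches an internal service, so the firewall policy that uses the virtual IP should be reviewed against the full range, not only the first port entered.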