Howto: Fortinet Port Forwarding

Fortinet Fortigate Family of Products

**This is a legacy article which does not meet some of our quality standards. While it may contain useful information, it is retained here for legacy reasons only.**

There are different ways to set up Fortinet port forwarding (using a DMZ, for example). This article covers the most basic example, a static NAT virtual IP (VIP) plus a single inbound policy; the same steps can be applied to a DMZ setup later.

First, create the VIP:

  1. Go to Firewall Objects > Virtual IP > Virtual IP.
  2. Click Create New.
  3. Name: <name of the server you're forwarding to>
  4. External Interface: <your external interface> (in my case Chorus UFB)
  5. Type: Static NAT
  6. External IP Address/Range: the public IP address of your WAN connection, as supplied by your ISP (enter it in both boxes if you only have one IP).
  7. Mapped IP Address/Range: the internal address of the server you're forwarding to in the first box (the second box should auto-populate).
  8. Port Forwarding: leave unticked. With port forwarding off, a static NAT VIP maps every port of the external address to the server, so the service list on the policy below is the only thing that limits which ports are reachable from the Internet.

Second, create a policy in your firewall:

  1. On the Policy tab, choose Policy > Policy.
  2. Click Create New.
  3. Source Interface/Zone: your WAN connection (in my case Chorus UFB).
  4. Source Address: all
  5. Destination Interface/Zone: the internal interface the server sits behind.
  6. Destination Address: <the name you just gave your VIP>
  7. Schedule: always
  8. Service: any single or multiple services you wish to forward to this internal address. Keep this to the ports the server actually needs to expose; do not use ALL.
  9. NAT: Fortinet's guidance is to leave NAT off on an inbound VIP policy, although I could not get it to work otherwise. Be aware that enabling NAT here replaces the client's source address with the FortiGate's internal interface address, so the server's own logs will show every connection coming from the firewall rather than from the real client. If you do enable it, keep traffic logging on for the policy so the real source address is still recorded on the FortiGate.
  10. Enable logging, UTM and traffic shaping as you wish. Use a UTM/IPS profile specific to the ports you have opened (for example a "protect web server" or "protect SSH" sensor) rather than a catch-all profile; this improves performance and reduces false positives.
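The same VIP and policy expressed in the FortiOS CLI, as an added example that is not part of the original article or of Fortinet's documentation. The interface names (wan1, internal), the addresses 203.0.113.10 and 192.168.1.20, the object names and the IPS sensor name are assumptions chosen for illustration; substitute your own. Exact option names vary slightly between FortiOS releases, so check `show firewall vip` and `show firewall policy` on your unit after applying it.

```fortios
# Added example (not from the original article). Assumed names/addresses:
#   wan1          = external (ISP-facing) interface
#   internal      = interface the server sits behind
#   203.0.113.10  = public address supplied by the ISP
#   192.168.1.20  = internal address of the web server
config firewall vip
    edit "web-server-vip"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.1.20"
        # Static NAT with port forwarding disabled: every port on the
        # external address maps 1:1 to the server, so the policy's service
        # list is the only thing limiting which ports are reachable.
        set portforward disable
    next
end

config firewall policy
    edit 0
        set name "inbound-web"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-server-vip"
        set action accept
        set schedule "always"
        # Only the services listed here are forwarded. Keep this list to
        # what the server must expose; never use ALL on an inbound policy.
        set service "HTTP" "HTTPS"
        set logtraffic all
        # NAT off is Fortinet's guidance for an inbound VIP policy. With
        # "set nat enable" the server would see the FortiGate's internal
        # address as the source of every connection instead of the client.
        set nat disable
        # Port-specific protection, as suggested in the last step above.
        # protect_http_server is a FortiOS default IPS sensor (assumed present).
        set utm-status enable
        set ips-sensor "protect_http_server"
    next
end
```

The two objects are deliberately split: the VIP describes the address translation, and the policy decides who may use it. Review the policy's service list whenever the VIP is reused for another server, since the VIP itself does nothing to restrict ports.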

From the Fortinet support page:

Test destination NAT by browsing to the VIP's external address from the Internet. The session passes through the FortiGate unit to the web server, which sends a response. Use the following packet sniffer command to see the results (the third argument is the verbosity level, where 4 includes the interface name, and the fourth is the number of packets to capture):

```
diagnose sniffer packet any 'port 80' 4 4
filters=[port 80]
6.150356 wan1 in -> syn 15893888
6.150637 internal out -> syn 15893888
6.150803 internal in -> syn 553485227 ack 15893889
6.150974 wan1 out -> syn 553485227 ack 15893889
```

The first output line shows the client's SYN arriving on the wan1 interface with the VIP's external address as the destination and destination port 80.

The second output line shows that when the packet exits the internal interface the destination address has been changed to the mapped (internal server) address, while the destination port is still 80.

The third output line shows the response from the web server arriving on the internal interface.

The fourth output line shows the response being returned to the client on wan1, with the source address changed back to the VIP's external address.

In this example, the source port is not changed. If you see the client's source address rewritten on the internal side, NAT is enabled on the policy.

Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic.

Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph for the policy to view the top sessions by source address, destination address, or destination port/service.

The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage.
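CLI equivalents of the session checks described above, added here as an example rather than taken from the original article. They assume the VIP forwards port 80 and that a client on the Internet has just opened a connection; the `act=dnat` marker is what FortiOS prints in the session's NAT line for a VIP-translated session, and the exact flow-debug sub-commands differ between FortiOS releases.

```fortios
# Added example (not from the original article). Assumes the VIP forwards
# port 80 and that a client on the Internet has just opened a connection.

# 1. Look for the session in the session table. A session that traversed
#    the VIP carries a NAT line with act=dnat showing the mapped address;
#    if the policy had NAT enabled you also see act=snat on the reply side.
diagnose sys session filter clear
diagnose sys session filter dport 80
diagnose sys session list

# 2. Trace the next few new connections through policy lookup and DNAT.
#    The trace prints which policy ID matched; compare it with the policy
#    you created. Disable and reset when done, flow tracing is CPU-costly.
diagnose debug reset
diagnose debug flow filter dport 80
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... browse to the external address from the Internet, then:
diagnose debug disable
diagnose debug reset
```

If the session appears but shows a different policy ID than expected, a policy higher in the list is matching first; reorder or tighten its source/destination so the VIP policy is the one processing the traffic.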