Virtual IP groups
Just like other addresses, virtual IP addresses can be organized into groups for ease of administration. If you have multiple virtual IPs that are likely to be associated with common firewall policies, you can add the group to those policies instead of adding each virtual IP individually. That way, if the members of the group change, the changes made to the group propagate to all of the policies using that group.
When a virtual IP address group is used, the firewall policy takes into account all of the configured parameters of the virtual IPs: IP addresses, ports and port types.
Creating a virtual IP group
- Go to Policy & Objects > Virtual IPs.
- Select Create New. A drop down menu is displayed. Select Virtual IP Group.
- Select the Type for the VIP group you wish to create. Which type you choose depends on which of the IP version networks is on the external interface of the FortiGate unit and which is on the internal interface. The options available are:
  - IPv4 – IPv4 on both sides of the FortiGate unit.
  - IPv6 – IPv6 on both sides of the FortiGate unit.
  - NAT46 – Going from an IPv4 network to an IPv6 network.
  - NAT64 – Going from an IPv6 network to an IPv4 network.
- Enter a unique identifier for the group in the Name field.
- Enter any additional information in the Comments field.
- If you wish, use the Change link to change the Color of icons in the GUI. There are 32 color options.
- If the Type is IPv4, the Interface field will be available. Use the drop-down menu to select the interface if all of the VIPs are on the same interface. If any of the VIPs are on different interfaces, or if any of them are associated with the “any” option, choose the any option for the group.
- Select anywhere in the Members field to open the pane of potential members to select for the group.
- Press
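The same IPv4 group built from the FortiOS CLI, as an added example that is not part of the original page. The group name, comment, interface (wan1) and member VIP names are constructed placeholders, and the member VIPs are assumed to exist already under `config firewall vip`.

```fortios
# Constructed example: group name, comment, interface and members are placeholders.
config firewall vipgrp
    edit "web-servers-vipgrp"
        set comments "Public web front ends"
        # Both member VIPs are bound to wan1, so the group uses wan1.
        # If members sat on different interfaces, or any used "any",
        # the group interface would be "any" instead.
        set interface "wan1"
        set member "web-vip-http" "web-vip-https"
    next
end

# Review the result before referencing the group in a policy.
show firewall vipgrp web-servers-vipgrp
```

Because every policy that references the group inherits membership changes, check which policies use the group before adding or removing a member.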