[FortiGate] Port forwarding configuration example [Destination NAPT]

Firewall (UTM)

Work environment

  • FortiGate-VM
    • version 7.0.5

Port forwarding example [Destination NAPT]

As shown in the figure below, configure the FortiGate so that when you access port 20022 from a client that exists beyond port1, port forwarding is performed to port 22 (SSH) that exists beyond port2.

Create Virtual IP

For port forwarding (destination NAPT) with FortiGate, create and use a virtual IP.

You can create one on the [Policy & Objects > Virtual IPs] screen.

In the case of this configuration example, configure as shown in the image below.

  • External IP address/range
    • Destination IP address before translation
  • Map to IPv4 address/range
    • Destination IP address after conversion
  • External service port
    • Destination port before translation
  • Map to IPv4 port
    • Translated destination port

Configure Firewall Policy with Virtual IP

Configure a firewall policy to allow port-forwarded traffic.

Specify the Virtual IP created in advance for Destination as shown below. For Service, specify the converted port. (SSH (port 22) in this example.)

Operation test

Make SSH access to from the client and check if you can SSH access to the server (

Then, I was able to confirm that SSH access is possible as follows.

[root@Client ~]# ssh -l root -p 20022
root@'s password:
Last login: Sun Oct  2 16:37:15 2022 from
[root@MAIL-SV ~]#

If you then check the FortiGate traffic logs, you will see that the destination has been translated.


Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.

Copied title and URL