Configuring DNAT for a single port
Enable port-forwarding for Virtual IP, if you need to hide the internal server port number or need to map several internal servers to the same public IP address.
In the following example, all TCP packets arriving on the FortiExtender with a destination of 10.1.1.1:8080 will depart from the device with a destination of 192.168.200.100:80.
Create a VIP
config firewall vip
edit "Internal_HTTP_Service"
set comment ''
set extip 10.1.1.1
set mappedip 192.168.200.100
set extintf any
set portforward enable
set protocol tcp
set extport 8080
set mappedport 80
next
Apply the VIP to a firewall policy
config firewall policy
edit services_fwd
set srcintf wan
set dstintf lan
set srcaddr all
set action accept
set status enable
set service ALL
set nat enable
set dnat enable
set vip Internal_HTTP_Service
next
end