VIP mapping

Normally, Virtual IP (VIP) objects map to a single interface, or ANY, just as with FortiOS. In the special case where the interface that the VIP is bound to belongs to a zone, FortiManager handles importing and installing the object in a unique way.

When importing a policy package, the VIP is bound to the zone instead of the interface. If per-device mapping is enabled for the VIP, FortiManager automatically adds a dynamic mapping for that device that maps the VIP to the specific interface. To use the VIP on another FortiGate, you can add an interface mapping entry for the other FortiGate. The zone acts as a filter, limiting the interfaces that can be selected. That is, you can only select an external interface that is a member of the selected zone.

FortiManager binds the VIP to a zone because it needs to know which policies the VIP could be applied to. FortiGate devices use different logic because they already know the zone membership.

In FortiOS, VIPs can only be bound to an interface, not to a zone. Consequently, if there is no matching per-device mapping, FortiManager converts the binding to ANY when installing configuration changes to the FortiGate. Depending on the circumstances, this can be avoided by:

  • Leaving per-device mapping enabled on the VIP at the ADOM, and letting FortiManager add the required per-device mappings.
  • If you are configuring FortiManager to start using the VIP on other FortiGates, adding the per-device mappings manually.
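The following is an added illustration of the binding rules described above, written as a small model rather than taken from FortiManager itself. Device, zone and interface names are constructed, and the check at the end flags VIPs whose zone binding would be widened to ANY on a given device before the install is pushed.

```python
# Constructed model of FortiManager's VIP-to-zone binding behaviour (not FortiManager code).
from dataclasses import dataclass, field

# Constructed inventory: device -> zone -> interfaces that are members of that zone.
ZONE_MEMBERS = {
    "FGT-A": {"dmz": {"port1", "port3"}, "wan": {"port2"}},
    "FGT-B": {"dmz": {"port5"}},
    "FGT-C": {"dmz": {"port7"}},
}

@dataclass
class Vip:
    name: str
    zone: str                       # zone the VIP is bound to in the ADOM
    per_device_mapping: bool = True
    mappings: dict = field(default_factory=dict)  # device -> external interface

def import_vip(name, device, interface, members=ZONE_MEMBERS):
    """Import from a FortiGate: bind the VIP to the zone containing the interface
    and auto-add the per-device mapping for the importing device."""
    for zone, ifaces in members[device].items():
        if interface in ifaces:
            return Vip(name, zone, True, {device: interface})
    raise ValueError(f"{interface} on {device} is not a member of any zone")

def add_mapping(vip, device, interface, members=ZONE_MEMBERS):
    """Manually map the VIP on another device; the zone filters the allowed interfaces."""
    if interface not in members.get(device, {}).get(vip.zone, set()):
        raise ValueError(f"{interface} is not a member of zone {vip.zone} on {device}")
    vip.mappings[device] = interface

def installed_binding(vip, device):
    """Interface FortiOS receives on install: the mapped one, or ANY when no mapping matches."""
    if vip.per_device_mapping and device in vip.mappings:
        return vip.mappings[device]
    return "any"

def vips_widened_to_any(vips, device):
    """Pre-install check: VIPs whose zone binding would be widened to ANY on this device."""
    return [v.name for v in vips if installed_binding(v, device) == "any"]

if __name__ == "__main__":
    web = import_vip("web-vip", "FGT-A", "port1")   # bound to zone "dmz", mapped on FGT-A
    add_mapping(web, "FGT-B", "port5")              # manual mapping for a second FortiGate
    for dev in ZONE_MEMBERS:
        print(dev, installed_binding(web, dev))     # FGT-C has no mapping and gets "any"
```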