Configuring Hair-pinning on a FortiGate

Posted: August 19, 2018 in fortigate

Hair-pinning (NAT loopback) is the technique where a machine accesses another machine on the LAN via an external network.

Traffic goes through LAN interface to the Internet,traffic then goes back to the same interface,connecting to it’s External IP. Traffic is then forwarded by Fortigate through virtual IP to local destination.

In this example, windows machine on LAN network hosts web server.From LAN machines, it can only be accessed by internal IP. If trying accessing Web server by public  IP (from machines on local network, it will fail


Create Virtual IP which will map Public IP to local IP of Web Server

Policy & Objects-Create new-Virtual IP

External IP range:Public IP

Mapped address range:Web Server local IP

Enable port forwarding

External Service port:Port from which traffic will be mapped

Map to port:Port to which traffic will be mapped

In this case traffic from Public IP on port 80 will be forwarded to same port on internal address



Creating IPV4 policy

Incoming and outgoing Interface:LAN interface


destination:Virtual IP created in previous step

NAT disabled



Now, from machines on LAN, web site should be accessible using Public IP



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s