A VIP is a front-facing IP address that receives traffic and forwards it to a backend. It is called a VIP on FortiGate and a Virtual Server on F5.
FortiGate — VIP
Maps an external IP (or IP:port) to an internal server via DNAT.
Client → External VIP → FortiGate rewrites dst → Internal server
- VIPs need a firewall policy referencing them to actually permit traffic
- Can map all ports or just a specific port
- In session output, `act=dnat` means a VIP is being hit
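
An added example (not part of the original notes or any vendor tooling): a Python check that reads a configuration in FortiOS CLI form and lists VIPs that no enabled firewall policy names in `dstaddr`, so they cannot pass traffic. The sample configuration, its names and its addresses are constructed, and VIP groups are not resolved.

```python
import shlex

# Constructed sample in FortiOS CLI form; names and addresses are made up.
SAMPLE_CONFIG = """
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
        set portforward enable
        set extport 443
        set mappedport 8443
    next
    edit "all-ports-vip"
        set extip 203.0.113.11
        set mappedip "10.0.0.11"
    next
end
config firewall policy
    edit 1
        set dstaddr "web-vip"
        set action accept
    next
end
"""

def parse_section(text, section):
    """Return {entry: {setting: [values]}} for a top-level 'config <section>' block."""
    entries, depth, inside, current = {}, 0, False, None
    for tokens in filter(None, map(shlex.split, text.splitlines())):
        if tokens[0] == "config":
            depth += 1          # nested blocks (depth > 1) are skipped below
            if depth == 1:
                inside = " ".join(tokens[1:]) == section
        elif tokens[0] == "end":
            depth -= 1
        elif inside and depth == 1 and tokens[0] == "edit":
            current = entries.setdefault(tokens[1], {})
        elif inside and depth == 1 and tokens[0] == "set":
            current[tokens[1]] = tokens[2:]
    return entries

def unreferenced_vips(text):
    """VIP names that no enabled policy lists in dstaddr (VIP groups not resolved)."""
    used = set()
    for policy in parse_section(text, "firewall policy").values():
        if policy.get("status") != ["disable"]:
            used.update(policy.get("dstaddr", []))
    return sorted(set(parse_section(text, "firewall vip")) - used)
```

Calling `unreferenced_vips(SAMPLE_CONFIG)` reports `all-ports-vip`, the VIP that has a mapping but no policy.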
VIP vs IP Pool
| | VIP | IP Pool |
|---|---|---|
| Direction | Inbound DNAT | Outbound SNAT |
| Purpose | Expose internal server externally | Give internal hosts an outbound IP |
F5 — Virtual Server
The IP:port clients connect to. F5 forwards traffic to a pool of backend servers and rewrites the source to a SNAT IP so backends see the F5, not the client.
Client → Virtual Server → F5 picks pool member → Backend
| Component | Description |
|---|---|
| Pool | Group of backend servers |
| Pool member | Individual backend (IP:port) |
| SNAT pool | IP F5 uses as source toward backends |
| Monitor | Health check per pool member |
```
list ltm virtual
show ltm virtual <name>
show ltm pool <pool> members detail
```