This section focuses on the Virtual IPs (VIPs) section of the FortiGate. I’ve learnt something that is not obvious behaviour, one of those ‘remind me later’ moments that I’ve encountered.
VIPs are essentially Destination Network Address Translation (DNAT) objects: for sessions matching the VIP, the destination address is translated from the VIP’s external address to its mapped address. Let us go through some examples.
In the above diagram, all connections going out from 10.10.10.10 will use the 203.0.113.22 address, not 203.0.113.10.
Now, this is where it gets a bit tricky and deviates from default firewall behaviour. Looking at the firewall policy below, we would assume that no connections are allowed to the LAN (internal_network), but VIPs live up to their name (very important IP) and let users reach the web server even though the deny policy is at the top of the list.
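As an added example (not configuration from the original post), here is the FortiOS CLI shape of a deny policy that does catch VIP traffic. By default a deny policy whose destination is `all` is not evaluated against packets whose destination has already been rewritten by a VIP; setting `match-vip enable` on the policy changes that. The VIP name `web_server_vip`, the interface names `wan1` and `internal`, and the policy ID are assumptions for this illustration.

```fortios
config firewall vip
    edit "web_server_vip"
        set extip 203.0.113.22
        set extintf "wan1"
        set mappedip "10.10.10.10"
    next
end

config firewall policy
    edit 1
        set name "deny_to_lan"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set match-vip enable
    next
end
```

The alternative is to reference the VIP object itself as the policy’s `dstaddr`, which also makes the policy match the translated sessions. Either way, verify the result with a test connection to 203.0.113.22 from the WAN side and check the forward traffic log for the deny policy ID before relying on the rule order alone.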