kmak
Staff
March 30, 2026

Troubleshooting Tip: Understand the behavior of FortiADC Firewall Policy dropping Link Load Balance outbound traffic with SNAT rule applied

Description
This article describes a possible issue where a Firewall Policy drops Link Load Balance outbound traffic.

Scope
FortiADC.

Solution

Scenario:

The user encountered issues with some private IP addresses seen in the FortiADC outbound traffic, because those private IP addresses were not being Source-NATed.

A firewall policy is added to block the private IP addresses seen on the outbound gateway interface port.

The outcome of the new firewall policy is that all other legitimate outbound traffic, which was Source-NATed, is also blocked.

Normal traffic before the firewall policy was added.

  1. ICMP Ping test from a test machine with the FortiADC IP acting as the outgoing gateway IP address.

Test Machine IP: 10.55.4.84.

Source-NAT IP: 10.47.4.214.

Destination IP: 8.8.4.4.

[Screenshot: ICMP ping test from the test machine (10.55.4.84) to 8.8.4.4 via the FortiADC gateway]

  2. FortiADC with the sniffer running to capture the related traffic. The sniffer shows the incoming traffic from the Test Machine using private IP 10.55.4.84, which is then Source-NATed to IP 10.47.4.214 on the egress interface.

Ingress Interface (Private LAN Interface): Port4.

Egress Interface (Public WAN Interface): Port1.

[Screenshot: FortiADC sniffer output showing 10.55.4.84 ingressing on Port4 and egressing on Port1 as 10.47.4.214]

  3. The FortiADC debug flow shows the Link Load Balance routing match.

[Screenshot: FortiADC debug flow output showing the Link Load Balance route match]

FortiADC firewall policy to block private IP addresses on the egress interface.

A new Firewall Policy is added in FortiADC to block any private IP address seen as the source address on the egress interface, with the intention of blocking only traffic that was not Source-NATed.

[Screenshot: FortiADC firewall policy denying private source addresses on the egress interface]

Traffic behavior after the Firewall Policy is added.

  1. It is observed that the traffic from the Test Machine no longer passes through.

[Screenshot: ICMP ping test from the test machine failing after the policy was added]

  2. The FortiADC sniffer sees only the ingress traffic from the Test Machine, without the egress Source-NATed packet.

[Screenshot: FortiADC sniffer output showing ingress packets on Port4 only, with no Source-NATed egress packets on Port1]

  3. Running the debug flow in FortiADC to capture the traffic sent from the Test Machine. The debug flow shows that the traffic is dropped by the Firewall Policy.

[Screenshot: FortiADC debug flow output showing the packet dropped by the Firewall Policy]

Explanation:

The expectation was that the traffic source address would already be Source-NATed to a WAN IP address when it is transmitted on the egress interface, so it would not match the Firewall Policy rule; instead, it is dropped by the policy.

However, the Source-NAT rule works as a POST-Routing NAT: it translates the IP address only after the routing decision has been made, as the packet is leaving the network interface.

In this scenario, the Firewall Policy kicks in and drops the packets before the Source-NAT rule is applied, because the policy still sees the original private source address.
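To make the ordering concrete, here is an added Python model of the three stages (routing decision, firewall policy, post-routing Source-NAT) using the addresses quoted in this article. It is illustrative code written for this page, not FortiADC code or configuration; the route table, the use of 10.55.4.0/24 as the match range for both the policy and the SNAT rule (standing in for "any private IP address"), and the default-accept behaviour when no policy matches are assumptions.

```python
# Added example: a small model of the processing order described above
# (routing -> firewall policy -> post-routing source NAT). This is not
# FortiADC code; interfaces, subnets and default-accept are constructed.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP as the packet carries it at this stage
    dst: str
    ingress: str    # interface the packet arrived on


@dataclass(frozen=True)
class FirewallPolicy:
    out_iface: str  # egress interface the policy is bound to
    src_net: str    # matched against the address the packet carries (pre-NAT)
    action: str     # "deny" or "accept"


@dataclass(frozen=True)
class SnatRule:
    out_iface: str
    src_net: str
    nat_ip: str     # address the source is rewritten to on egress


def _in(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def route(pkt: Packet, routes: list[tuple[str, str]]) -> str | None:
    # First matching (destination network, egress interface) entry wins.
    for net, iface in routes:
        if _in(pkt.dst, net):
            return iface
    return None


def firewall_action(pkt: Packet, egress: str, policies: list[FirewallPolicy]) -> str:
    # Evaluated on the source address the packet still carries here, i.e.
    # before any source NAT. Assumed default: accept when nothing matches.
    for p in policies:
        if p.out_iface == egress and _in(pkt.src, p.src_net):
            return p.action
    return "accept"


def apply_snat(pkt: Packet, egress: str, rules: list[SnatRule]) -> Packet:
    # Post-routing NAT: the source is rewritten only as the packet leaves.
    for r in rules:
        if r.out_iface == egress and _in(pkt.src, r.src_net):
            return Packet(r.nat_ip, pkt.dst, pkt.ingress)
    return pkt


def forward(pkt: Packet, routes, policies, snat_rules) -> tuple[str, Packet]:
    """Run one packet through the three stages in the order the article describes."""
    egress = route(pkt, routes)
    if egress is None:
        return ("no-route", pkt)
    if firewall_action(pkt, egress, policies) == "deny":
        return ("dropped", pkt)      # policy fires on the private address first
    return ("forwarded", apply_snat(pkt, egress, snat_rules))


# Constructed topology using the addresses from the article.
TEST_PKT = Packet(src="10.55.4.84", dst="8.8.4.4", ingress="port4")
ROUTES = [("10.55.4.0/24", "port4"), ("0.0.0.0/0", "port1")]   # default route via WAN
SNAT_RULES = [SnatRule("port1", "10.55.4.0/24", "10.47.4.214")]
# The policy from the article: deny private (LAN) sources seen on the egress interface.
BLOCK_PRIVATE = [FirewallPolicy("port1", "10.55.4.0/24", "deny")]


def trace_without_policy() -> tuple[str, Packet]:
    # Before the policy was added: packet leaves port1 as 10.47.4.214.
    return forward(TEST_PKT, ROUTES, [], SNAT_RULES)


def trace_with_policy() -> tuple[str, Packet]:
    # After the policy was added: dropped while still carrying 10.55.4.84.
    return forward(TEST_PKT, ROUTES, BLOCK_PRIVATE, SNAT_RULES)


if __name__ == "__main__":
    print("before policy:", trace_without_policy())
    print("after policy: ", trace_with_policy())
```

Running the script shows the two outcomes from the sniffer captures: without the policy the packet is forwarded with source 10.47.4.214, and with the policy it is dropped while its source is still 10.55.4.84, because `firewall_action` runs before `apply_snat`.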
Related documents:

Configuring source NAT

Configuring an IPv4 firewall policy