Technical Tip: Changes to Central-SNAT after upgrade to 7.6.1+
| Description | This article describes how the traffic flow is affected in Central-SNAT after the upgrade to v7.6.1. |
| Scope | FortiOS v7.6.1 and above. |
Solution:

Starting from FortiOS v7.6.1, Central SNAT policies no longer support individual SD-WAN members as selectable interfaces: only SD-WAN zones and non-SD-WAN interfaces may be selected going forward. When upgrading to v7.6.1, SD-WAN members are removed from Central SNAT policies. See also: 'FortiOS 7.6.1 Release Notes: Policies that use an interface show missing or empty values after an upgrade'.

In FortiOS 7.6.0:

It is possible to emulate the pre-upgrade Central SNAT behavior when using IP Pools. To do this, configure the IP Pool in the CLI and set the associated-interface parameter to the SD-WAN member interface associated with that IP Pool, then add the IP Pools to the Central SNAT mapping for the SD-WAN Zone. This ensures that traffic is only Source NAT'd to a given IP Pool address if it egresses over the associated SD-WAN member interface:

```
config firewall ippool
    edit "ISP1 external IP"
        set associated-interface "ISP1_Tunnel"
    next
    edit "ISP2 external IP"
        set associated-interface "ISP2_Tunnel"
    next
end
```

```
config firewall central-snat-map
    edit 1
        set srcintf "LAN"
        set dstintf "INET"
        set orig-addr "LAN"
        set dst-addr "all"
        set nat-pool "ISP1 external IP" "ISP2 external IP"
    next
end
```

Note: in FortiOS v7.6.1 and 7.6.2, there is a GUI issue that causes SD-WAN Zones not to be visible/available in the Central SNAT configuration menu. The workaround is to perform the configuration changes using the CLI commands above (do not edit/modify the configuration afterwards via the GUI). After making the above changes:

The GUI issue is tracked by internal issue ID 1107003 and is resolved in FortiOS v7.6.3 and later; see the FortiOS v7.6.3 Release Notes.

Related article: Technical Tip: How to associate a NAT pool (IP pool) to a physical interface of an SD-WAN
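As an added example (not part of the article or of FortiOS), a small pre-upgrade check: it parses a FortiOS configuration backup and lists the Central SNAT entries whose srcintf/dstintf still name an SD-WAN member directly, which is exactly what the 7.6.1 upgrade removes. The configuration text is a constructed sample, and the parser assumes the usual config/edit/set/next/end layout of a FortiOS backup.

```python
import shlex
# Constructed FortiOS config excerpt (not from the article); ISP1_Tunnel is an
# SD-WAN member of zone INET, and entry 1 still names the member directly.
SAMPLE_CONFIG = """\
config system sdwan
    config members
        edit 1
            set interface "ISP1_Tunnel"
            set zone "INET"
        next
    end
end
config firewall central-snat-map
    edit 1
        set srcintf "LAN"
        set dstintf "ISP1_Tunnel"
    next
    edit 2
        set srcintf "LAN"
        set dstintf "INET"
    next
end
"""

def parse(text):
    """Flatten FortiOS CLI text into {path tuple: {key: [values]}}."""
    tables, path = {}, []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == "config":           # enter a table
            path.append(" ".join(tok[1:]))
        elif tok and tok[0] == "edit":           # enter a table entry
            path.append(tok[1])
        elif tok and tok[0] == "set":            # attribute (may be multi-valued)
            tables.setdefault(tuple(path), {})[tok[1]] = tok[2:]
        elif tok and tok[0] in ("next", "end"):  # leave entry / table
            path.pop()
    return tables

def snat_entries_using_members(text):
    """Central SNAT entries naming an SD-WAN member in srcintf/dstintf."""
    tables, hits = parse(text), []
    members = {v["interface"][0] for p, v in tables.items()
               if p[:2] == ("system sdwan", "members") and "interface" in v}
    for p, v in tables.items():
        if p[0] == "firewall central-snat-map":
            bad = members & set(v.get("srcintf", []) + v.get("dstintf", []))
            if bad:
                hits.append((p[1], sorted(bad)))   # (entry id, offending members)
    return hits
```

Run it against a backup taken before the upgrade: every entry it reports should be re-pointed at the SD-WAN zone, with the member tied to its IP Pool via associated-interface as shown above.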