Technical Tip: Configuring Source NAT for specific SD-WAN members in v7.6.1 and later [Central NAT]
| Description | Scope |
| --- | --- |
| In FortiOS v7.6.1 and later, it is not possible to configure an individual SD-WAN member in a Central SNAT policy. If members of the same SD-WAN zone require different custom source NAT, an IP pool with 'associated-interface' set to that member must be configured. | FortiGate v7.6.1 or later with Central NAT enabled. |
Solution:

It is sometimes necessary to configure custom Source NAT for individual members of the same SD-WAN zone. In earlier firmware versions, this could be done by enabling Central NAT and configuring one Central SNAT policy per SD-WAN member, each with the desired IP pool.

In FortiOS v7.6.1 and later, it is no longer possible to configure an SD-WAN member as the source or destination interface of a Central SNAT policy. To configure customized Source NAT for different members of the same SD-WAN zone, reference the SD-WAN zone in the Central SNAT policy and bind each IP pool to its intended SD-WAN member with 'set associated-interface <SD-WAN member>'. This configuration is similar to the solution used when Central NAT is not in use; see the article 'Technical Tip: How to use one certain IP pool per a SD-WAN member'.
v7.6.0:

```fortios
config firewall central-snat-map
    edit 1
    next
end
```
v7.6.1 and later:

```fortios
config firewall ippool
    edit "ISP1 external IP"
        set startip 172.18.108.33
        set endip 172.18.108.33
        set arp-reply disable
        set associated-interface "ISP1_tunnel"
    next
    edit "ISP2 external IP"
        set startip 10.255.144.33
        set endip 10.255.144.33
        set arp-reply disable
        set associated-interface "ISP2_tunnel"
    next
end
```

```fortios
config firewall central-snat-map
    edit 1
        set srcintf "LAN"
        set dstintf "INET"
        set orig-addr "LAN"
        set dst-addr "all"
        set nat-ippool "ISP1 external IP" "ISP2 external IP"
    next
end
```
A single SD-WAN zone containing a mix of members that require source NAT and members that require no source NAT is not supported. For example, consider an IP pool associated only with ISP1_tunnel:
```fortios
config firewall ippool
    edit "ISP1 external IP"
        set startip 172.18.108.33
        set endip 172.18.108.33
        set arp-reply disable
        set associated-interface "ISP1_tunnel"
    next
end
```
With the above configuration, Source NAT is still performed for data traffic that matches the Central SNAT policy and egresses on ISP2_tunnel; the new source IP address is the ISP2_tunnel interface IP address. If ISP2_tunnel has no IP address configured, Source NAT is still performed, but to a different IP address; see the article 'Technical Tip: Implement Source-NAT for IPsec interface'.
If the SD-WAN deployment uses redundant interfaces with the same external IP address, a separate SD-WAN zone must be configured for each grouping of redundant interfaces, since IP pools do not permit multiple interfaces in 'set associated-interface'. For example, the following requires separate SD-WAN zones for ISP1 and ISP2 in v7.6.1.
ISP1_zone contains the redundant interfaces for ISP1. ISP2_zone contains the redundant interfaces for ISP2.
Since each IP pool is used for multiple interfaces, 'associated-interface' must be blank.
```fortios
config firewall ippool
    edit "ISP1 external IP"
        set type overload
        set startip 172.18.108.33
        set endip 172.18.108.33
        set arp-reply disable
        set associated-interface ''
        set comments ''
        set nat64 disable
    next
end
```
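The following is an added example, not configuration from the article: the complete v7.6.1 layout for the redundant-interface case, with one SD-WAN zone per ISP grouping and one Central SNAT policy per zone selecting that ISP's pool. The member interface names (ISP1_tunnel_A, ISP1_tunnel_B, ISP2_tunnel_A, ISP2_tunnel_B), the zone names and the "LAN" interface and address object are assumed, and both IP pools are assumed to already exist with a blank 'associated-interface' as shown above.

```fortios
# Assumed member and zone names; "ISP1 external IP" and "ISP2 external IP"
# are assumed to exist with associated-interface left blank.
config system sdwan
    config zone
        edit "ISP1_zone"
        next
        edit "ISP2_zone"
        next
    end
    config members
        edit 1
            set interface "ISP1_tunnel_A"
            set zone "ISP1_zone"
        next
        edit 2
            set interface "ISP1_tunnel_B"
            set zone "ISP1_zone"
        next
        edit 3
            set interface "ISP2_tunnel_A"
            set zone "ISP2_zone"
        next
        edit 4
            set interface "ISP2_tunnel_B"
            set zone "ISP2_zone"
        next
    end
end
# One Central SNAT policy per zone: the zone, not the pool, selects the ISP.
config firewall central-snat-map
    edit 1
        set srcintf "LAN"
        set dstintf "ISP1_zone"
        set orig-addr "LAN"
        set dst-addr "all"
        set nat-ippool "ISP1 external IP"
    next
    edit 2
        set srcintf "LAN"
        set dstintf "ISP2_zone"
        set orig-addr "LAN"
        set dst-addr "all"
        set nat-ippool "ISP2 external IP"
    next
end
```

Because each zone's members share one external IP, the pool needs no 'associated-interface'; traffic egressing any member of ISP1_zone is translated to 172.18.108.33 and any member of ISP2_zone to 10.255.144.33.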
Configuring appropriate custom Source NAT for the network environment ensures configured SD-WAN members are available for use.
Note: When upgrading to v7.6.1, interfaces that are members of an SD-WAN zone are removed from Local-in, Multicast, DoS, and Central NAT policies; see the v7.6.1 Release Notes entry 'Policies that use an interface show missing or empty values after an upgrade'. The article 'Technical Tip: Changes to Central-SNAT after upgrade to 7.6.1+' describes the effect of the upgrade on Central SNAT policies in more detail.