CollabraIT
New Member
March 17, 2017
Solved

Limited transparency

We have 1 FortiGate that handles the routing of our internal networks as well as the outside world. I'm looking for a way to allow server A on network A to know who server B on network B is when they communicate. With NAT on, when this communication happens, server A sees the communication as coming from the FortiGate instead of from server B. I need to be able to set something like an X-Forwarded-For header on the traffic, or be able to NAT just the external traffic and set the inside networks to transparency. My understanding is that since we just have the single device which handles inside and outside, I have to have NAT, but the FortiGate seems to only allow yes or no when it comes to NAT.

Can anyone shed some light on this issue? 

    Best answer by ede_pfau

    ede_pfau
    SuperUser
    March 17, 2017

    Maybe you can post a small diagram of where the subnets are attached to the FGT. Until then, I can only guess.

    NAT is done on a per-policy basis. If you can split the traffic so that source net A and source net B go across different policies, you can omit the NAT setting in one.

    Again, to decide whether you need NAT I'll have to have more info.


    CollabraIT
    New Member
    March 17, 2017

    Internal networks are going to individual physical interfaces, with external access on a WAN interface.

    Kenundrum
    New Member
    March 17, 2017

    Ede is correct - just disable NAT on the appropriate rules.

     

    Consider the following setup:

    internet     public IP        wan1
    network 1    10.10.10.0/24    port1    FGT address 10.10.10.1
    network 2    10.10.20.0/24    port2    FGT address 10.10.20.1

     

    What you want is something like: network 2 -> network 1 with no NAT (original source addresses appear), and network 1 or network 2 -> internet with NAT.

    All you need to do is disable NAT on the policies that go from port1 -> port2 and vice versa. The FGT will be able to handle routing between the subnets because it is attached to both. Traffic destined for 10.10.10.12 from 10.10.20.22 will hit the FortiGate and go out port1, and the source address will remain 10.10.20.22 when it arrives. This also assumes your devices have the FortiGate as their default gateway.
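    The per-policy NAT point ede_pfau makes, and the port1/port2/wan1 layout Kenundrum describes, expressed as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread. It uses the subnets and interface names from Kenundrum's setup; the address object names and the policy IDs (10, 11, 20, 21) are placeholders chosen here, and the `#` lines are explanatory comments.

```fortios
# Added example (not from the thread). Placeholders: address object names, policy IDs.
# Address objects for the two internal networks from Kenundrum's setup.
config firewall address
    edit "net1_10.10.10.0"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "net2_10.10.20.0"
        set subnet 10.10.20.0 255.255.255.0
    next
end

config firewall policy
    # Inter-network traffic: route only. With "set nat disable" a packet from
    # 10.10.20.22 arrives at 10.10.10.12 still carrying source 10.10.20.22.
    edit 10
        set name "net2_to_net1_noNAT"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "net2_10.10.20.0"
        set dstaddr "net1_10.10.10.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 11
        set name "net1_to_net2_noNAT"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "net1_10.10.10.0"
        set dstaddr "net2_10.10.20.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # Internet-bound traffic: source NAT to the wan1 address.
    # ("set nat enable" without an IP pool uses the outgoing interface's address.)
    edit 20
        set name "net1_to_internet_NAT"
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "net1_10.10.10.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 21
        set name "net2_to_internet_NAT"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "net2_10.10.20.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

    Because each policy is keyed on a distinct srcintf/dstintf pair, the inter-network policies and the internet policies never compete for the same flow, so the NAT decision is made purely by which pair the packet crosses. To confirm the behaviour, capture on the egress side while server B talks to server A, for example `diagnose sniffer packet port1 'host 10.10.10.12' 4`; with the policies above the captured packets show 10.10.20.22 as the source, whereas with NAT enabled on policy 10 they would show the FortiGate's port1 address 10.10.10.1.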