albaker1
New Member
April 10, 2023
Solved

Problem with VIP not installing when using Central SNAT policy on FortiManager

  • April 10, 2023
  • 2 replies
  • 3002 views

We have a pair of FTGs that are using a central SNAT policy that's managed by FMG. We have several VIP entries that are working and tried to create another one today; however, when we go to install, it says there's nothing to install. We checked the source and destination IPs and interfaces, and we've even tried to clone a VIP entry that has everything identical but the last octet on the global and private NAT IPs. Still, the FMG says there is nothing to install. We have a firewall policy that's configured to use this new IP - actually, we modified the rule for the one that's working and added the new IP, which doesn't help.


I'm at a loss. Can anyone think of something to try? Thank you.

Best answer by albaker1

We finally found an answer yesterday, and I forgot to update this post. We were trying to make DNAT changes under Policy & Objects > Object Configurations > Firewall Objects > Virtual IPs. That doesn't work as we were expecting.

To actually get DNAT to apply where we wanted it to, we had to enable Central DNAT in the GUI. This is for FortiManager running 7.2.2 - it's a bit different for earlier versions. Select Tools > Feature Visibility and check Central DNAT. Under Policy & Objects > Policy Packages > [specific firewall], Central DNAT now shows up under Central SNAT. We configured the DNAT there, making sure to enable "nat-source-vip" in the Advanced Options, and everything was good.

Traffic is now flowing as required.
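For readers who want to confirm on the FortiGate itself what the Central DNAT install should have pushed, here is the FortiOS CLI shape of the same configuration. This is an added illustration, not the poster's or Fortinet's configuration: the object names, interface names and IP addresses are placeholders, and it assumes central NAT is enabled on the device (which it must be for the FortiManager Central SNAT/DNAT policy to apply at all).

```text
# Added example (placeholders, not the poster's config). On a FortiGate that
# FortiManager manages with Central SNAT, central NAT must be on:
config system settings
    set central-nat enable
end

# A VIP pushed by Central DNAT. Without nat-source-vip the VIP only performs
# destination NAT for inbound traffic; enabling it also makes the VIP's
# external IP the source address for outbound traffic from the mapped host,
# which is what the thread's "nat-source-vip" Advanced Option controls.
config firewall vip
    edit "VIP-EXAMPLE-HOST"            # placeholder name
        set extip 203.0.113.10         # placeholder public IP (TEST-NET-3)
        set extintf "wan1"             # placeholder external interface
        set mappedip "10.0.0.10"       # placeholder private IP
        set nat-source-vip enable
    next
end

# Verification after the install: the VIP should now be present on the
# device, and a session from the mapped host should show the VIP's external
# address as its translated source.
show firewall vip VIP-EXAMPLE-HOST
diagnose sys session filter src 10.0.0.10
diagnose sys session list
```

If `show firewall vip` returns nothing after an install that FortiManager reported as "nothing to install", the object was only created in the Object Configurations view and never entered the policy package, which is the situation the thread describes; the fix is to define it under the package's Central DNAT section rather than as a standalone VIP object.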

2 replies

Anthony_E
Staff
April 13, 2023

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
Anthony_E
Staff
April 13, 2023

I already found a post that gives some advice.


https://www.reddit.com/r/fortinet/comments/rvn6io/can_no_longer_use_vips_in_fortigate_policies_with/


Could you please tell me if it is helping you?


Regards,

Best Regards