FortiADC
kmak
Staff
Article Id 391765
Description: This article describes how to configure a FortiADC Server Load Balance Layer-7 UDP Virtual Server to enable NAT Source Pool using Stream Scripting.
Scope: FortiADC.
Solution

Configurations:

  1. A Layer-7 TCP or UDP Virtual Server does not have an option to enable NAT Source Pool in the Virtual Server configuration. It is possible to perform NAT source routing using Stream Scripting instead. The example here is a Layer-7 UDP Virtual Server used for remote Syslog server routing.

 


  2. Unlike the Layer-7 HTTP/HTTPS Virtual Server, this Virtual Server has no option to enable NAT Source Pool.

 


  3. Navigate to the Stream Scripting page and create a new Stream Script. Insert the sample script below into the text box. The script performs source NAT using the IP 10.10.0.101:

 

when STREAM_CLIENT_INIT {
    UDP:set_snat_ip("10.10.0.101")
}

 


  4. Navigate back to the Virtual Server page and enable the Stream Scripting setting. Select the NAT Source Stream script from the list.

 


  5. On FortiADC v7.6.1 or lower, the UDP NAT source pool script may not work properly and may cause the Layer-7 UDP Virtual Server to fail. Running the sniffer in FortiADC showed the FortiADC Virtual Server IP receiving the incoming traffic, but the traffic was not forwarded to the destination real server.

 


  6. Run the debug commands below in FortiADC to debug the Layer-7 UDP Virtual Server Stream Scripting process. The errors point to the script command 'UDP':

 

diagnose debug module fnginx scripting set
diagnose debug enable

 


  7. The Stream script command 'UDP' fails on FortiADC v7.6.1 and below; this is fixed in v7.6.2. The workaround for older versions is to use the script command 'TCP' instead. The script below works for both Layer-7 TCP and UDP Virtual Servers:

 

when STREAM_CLIENT_INIT {
    TCP:set_snat_ip("10.10.0.101")
}

 

  8. Upgrade to FortiADC v7.6.2 to resolve the Stream script command 'UDP' issue. After completing the configurations, run a packet sniffer or the debug commands in FortiADC to verify.
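A complementary check from the real server side, added here as an example and not part of the original article or of FortiADC: it records the source IP of incoming UDP datagrams and distinguishes the failure in step 5 (nothing forwarded) from traffic that arrives without the SNAT address. The listening port 514 and the function names are assumptions.

```python
import socket
from collections import Counter

SNAT_IP = "10.10.0.101"   # SNAT address set by the stream script in this article
LISTEN_PORT = 514         # assumption: the Syslog real server listens on UDP 514


def observe_sources(sock, want=5, timeout=3.0):
    """Count source IPs of up to `want` datagrams.

    Stops early if no datagram arrives within `timeout` seconds.
    """
    sock.settimeout(timeout)
    seen = Counter()
    try:
        while sum(seen.values()) < want:
            _, (src_ip, _src_port) = sock.recvfrom(65535)
            seen[src_ip] += 1
    except socket.timeout:
        pass  # silence: return whatever was collected so far
    return seen


def verdict(seen, snat_ip=SNAT_IP):
    """Classify the observation against the expected SNAT address."""
    if not seen:
        # Matches the symptom in step 5: the Virtual Server receives
        # traffic but nothing reaches the real server.
        return "NO_TRAFFIC"
    if set(seen) == {snat_ip}:
        return "SNAT_OK"
    # Datagrams arrived, but at least one kept a different source address.
    return "SNAT_NOT_APPLIED"


if __name__ == "__main__":
    # Run on the real server while clients send Syslog to the Virtual Server.
    # Stop the local Syslog daemon first, or change LISTEN_PORT, so the
    # bind does not conflict. Binding a port below 1024 needs privileges.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", LISTEN_PORT))
        sources = observe_sources(s)
        print(verdict(sources), dict(sources))
```
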

 


Related document:

https://docs.fortinet.com/document/fortiadc/7.6.1/script-reference-guide/9537/udp-set-snat-ip-str