Description

When NAT is enabled on a firewall policy and no IP pool is used, the source address chosen for outgoing SNAT is not simply the outgoing interface's primary IP. The FortiGate performs a route lookup for the destination and uses the interface IP (primary or secondary) that belongs to the same subnet as the next-hop gateway returned by that lookup. If the gateway sits in a secondary-IP subnet, traffic is SNATed with the secondary IP.
Solution

To force SNAT to a specific address other than the one the FortiGate selects from the route lookup, configure an IP pool and reference it in the firewall policy.
1) In the configuration below, "port2" has primary IP 10.10.10.1/24 and secondary IP 192.168.1.1/24, and the default route points to gateway 192.168.1.2 via "port2". Because the gateway belongs to the secondary-IP subnet, all traffic from "port3" to "port2" is SNATed with "192.168.1.1" even though no IP pool is configured:
config system interface
edit "port2"
set vdom "root"
set ip 10.10.10.1 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 2
set secondary-IP enable
config secondaryip
edit 1
set ip 192.168.1.1 255.255.255.0
next
end
next
end
config router static
edit 1
set gateway 192.168.1.2
set device "port2"
next
end
config firewall policy
edit 1
set srcintf "port3"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
The debug flow output confirms this: the route lookup returns gateway 192.168.1.2 via port2, and the session is SNATed to the secondary IP 192.168.1.1:
id=20085 trace_id=101 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=1, 20.20.20.2:1280->192.168.1.2:8) from port3. code=8, type=0, id=1280, seq=0."
id=20085 trace_id=101 func=init_ip_session_common line=4868 msg="allocate a new session-00000229"
id=20085 trace_id=101 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-192.168.1.2 via port2"
id=20085 trace_id=101 func=fw_forward_handler line=698 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=101 func=__ip_session_run_tuple line=2755 msg="SNAT 20.20.20.2->192.168.1.1:60418"
2) To have the outgoing traffic SNATed with the primary IP "10.10.10.1" instead, create an IP pool containing only that address and enable it on the same policy. The route and interface configuration from step 1 is left unchanged; only the pool and the policy's NAT settings are added. Note that the pool address must be one that the next hop can route return traffic to, otherwise replies will be dropped:
config firewall ippool
edit "POOL_10"
set startip 10.10.10.1
set endip 10.10.10.1
next
end
config firewall policy
edit 1
set srcintf "port3"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
set ippool enable
set poolname "POOL_10"
next
end
With the IP pool in place, the route lookup still selects gateway 192.168.1.2 via port2, but the session is now SNATed to the pool address 10.10.10.1:
id=20085 trace_id=111 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=1, 20.20.20.2:1792->192.168.1.2:8) from port3. code=8, type=0, id=1792, seq=0."
id=20085 trace_id=111 func=init_ip_session_common line=4868 msg="allocate a new session-00000291"
id=20085 trace_id=111 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-192.168.1.2 via port2"
id=20085 trace_id=111 func=fw_forward_handler line=698 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=111 func=__ip_session_run_tuple line=2755 msg="SNAT 20.20.20.2->10.10.10.1:62464"