FortiGate
sagha (Staff)
Article Id 388220
Description: This article describes how to avoid SNAT'ing all traffic to the VIP extip when 'set nat-source-vip enable' is configured and central SNAT is enabled on the FortiGate.
Scope: FortiOS.
Solution

As explained in the article Technical Tip: How to use VIP's External IP Address for Source NAT when Central NAT is Enabled, the VIP external IP address can be used to SNAT traffic when central SNAT is enabled.

In some cases, only specific traffic should be SNAT'ed to the VIP extip rather than all of it.

The scenarios are explained below:

1. Traffic routed to the Internet using SNAT as extip.

Without 'set srcintf-filter', with 'set nat-source-vip enable':

config firewall vip
    edit "TEST"
        set extip 172.200.1.1
        set mappedip "10.138.143.38"
        set extintf "any"
        set nat-source-vip enable
    next
end
 
FGVM1 # diagnose sniffer packet any 'host 1.1.1.1 and icmp' 4 0
Using Original Sniffing Mode
interfaces=[any]
filters=[host 1.1.1.1 and icmp]
2025-04-18 12:01:58.484549 port4 in 10.138.143.38 -> 1.1.1.1: icmp: echo request
2025-04-18 12:01:58.484656 port1 out 172.200.1.1 -> 1.1.1.1: icmp: echo request         
 
In the above packet capture, traffic towards the Internet host 1.1.1.1 is SNAT'ed to the VIP extip 172.200.1.1 and sent out via port1. This may cause the packets to drop.
 
2. Traffic routed to the Internet via port1, not SNAT'ed to extip, using the central-snat policy settings.

With 'set srcintf-filter' and 'set nat-source-vip enable':

config firewall vip
    edit "TEST"
        set uuid a67b9446-1c40-51f0-862f-d799000ec59d
        set extip 172.200.1.1
        set mappedip "10.138.143.38"
        set extintf "any"
        set nat-source-vip enable
        set srcintf-filter "port2"
    next
end
 
FGVM1 # diagnose sniffer packet any 'host 1.1.1.1 and icmp' 4 0
Using Original Sniffing Mode
interfaces=[any]
filters=[host 1.1.1.1 and icmp]
2025-04-18 12:01:09.164784 port4 in 10.138.143.38 -> 1.1.1.1: icmp: echo request
2025-04-18 12:01:09.164883 port1 out 10.191.36.230 -> 1.1.1.1: icmp: echo request       
2025-04-18 12:01:09.167383 port1 in 1.1.1.1 -> 10.191.36.230: icmp: echo reply
2025-04-18 12:01:09.167412 port4 out 1.1.1.1 -> 10.138.143.38: icmp: echo reply
 
In the above sniffer output, instead of using the VIP extip, the traffic matches the central-snat policy, which SNATs it to the port1 IP address. This is because the VIP now has 'set srcintf-filter' configured.

config firewall central-snat-map
    edit 1
        set uuid 4549f544-1c42-51f0-f81b-d4793e4e2b9e
        set status enable
        set type ipv4
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
        set protocol 0
        set orig-port 0
        set nat enable
        set nat46 disable
        set comments ''
    next
end

3. Traffic from source 10.138.143.38 is SNAT'ed to the VIP extip if it goes out via port2.

With 'set srcintf-filter' and 'set nat-source-vip enable':

config firewall vip
    edit "TEST"
        set uuid a67b9446-1c40-51f0-862f-d799000ec59d
        set extip 172.200.1.1
        set mappedip "10.138.143.38"
        set extintf "any"
        set nat-source-vip enable
        set srcintf-filter "port2"
    next
end

FGVM1 # diagnose sniffer packet any 'icmp' 4 0
Using Original Sniffing Mode
interfaces=[any]
filters=[icmp]
2025-04-18 12:23:38.269385 port4 in 10.138.143.38 -> 192.168.100.1: icmp: echo request
2025-04-18 12:23:38.269688 port2 out 172.200.1.1 -> 192.168.100.1: icmp: echo request 
2025-04-18 12:23:38.275839 port2 in 192.168.100.1 -> 172.200.1.1: icmp: echo reply
2025-04-18 12:23:38.275900 port4 out 192.168.100.1 -> 10.138.143.38: icmp: echo reply
 
Traffic from source 10.138.143.38 gets SNAT'ed to the VIP extip 172.200.1.1 when it leaves via port2.
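To check which flows a 'set nat-source-vip enable' change will affect before applying it, here is an added Python model (not FortiOS code, and a simplification of the real evaluation order) that encodes the precedence the three captures above show: a VIP with nat-source-vip wins when its srcintf-filter is empty or names the egress interface, otherwise the central-snat-map entry decides. The VIP 'TEST' and the port1 address are taken from the article; the port2 address and the central-snat-map interfaces (srcintf port4 so the entry matches the captured flow) are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Vip:
    name: str
    extip: str
    mappedip: str
    nat_source_vip: bool = False                              # 'set nat-source-vip enable'
    srcintf_filter: List[str] = field(default_factory=list)  # empty = any interface

@dataclass
class CentralSnatEntry:
    srcintf: str        # 'set srcintf'
    dstintf: str        # 'set dstintf'
    nat: bool = True    # 'set nat enable'

def choose_snat(src_ip: str, in_intf: str, out_intf: str, vips: List[Vip],
                central_snat: List[CentralSnatEntry], intf_ips: Dict[str, str]) -> Tuple[str, str]:
    """Return (source IP seen on egress, reason) for one outbound flow.
    A VIP whose mappedip is the source, with nat-source-vip enabled and a
    srcintf-filter that is empty or names the egress interface, SNATs to extip;
    otherwise the first matching central-snat-map entry decides."""
    for v in vips:
        if (v.nat_source_vip and src_ip == v.mappedip
                and (not v.srcintf_filter or out_intf in v.srcintf_filter)):
            return v.extip, f"vip {v.name} (nat-source-vip)"
    for idx, e in enumerate(central_snat, start=1):
        if e.srcintf in ("any", in_intf) and e.dstintf in ("any", out_intf):
            if e.nat:
                return intf_ips[out_intf], f"central-snat-map {idx}"  # egress interface IP
            return src_ip, f"central-snat-map {idx} (nat disable)"
    return src_ip, "no matching SNAT rule"

# VIP 'TEST' and the port1 address come from the article; the port2 address
# and the central-snat-map interfaces are constructed for this model.
INTF_IPS = {"port1": "10.191.36.230", "port2": "192.168.100.254"}
VIP_NO_FILTER = Vip("TEST", "172.200.1.1", "10.138.143.38", nat_source_vip=True)
VIP_PORT2 = Vip("TEST", "172.200.1.1", "10.138.143.38", nat_source_vip=True,
                srcintf_filter=["port2"])
CENTRAL_SNAT = [CentralSnatEntry(srcintf="port4", dstintf="port1", nat=True)]

def run_scenarios() -> Dict[str, Tuple[str, str]]:
    """Replay the three flows captured in the article (host enters on port4)."""
    return {
        "1 no filter, out port1": choose_snat("10.138.143.38", "port4", "port1", [VIP_NO_FILTER], CENTRAL_SNAT, INTF_IPS),
        "2 filter port2, out port1": choose_snat("10.138.143.38", "port4", "port1", [VIP_PORT2], CENTRAL_SNAT, INTF_IPS),
        "3 filter port2, out port2": choose_snat("10.138.143.38", "port4", "port2", [VIP_PORT2], CENTRAL_SNAT, INTF_IPS),
    }
```

Running `run_scenarios()` reproduces the egress source addresses seen in the three sniffer outputs (172.200.1.1, 10.191.36.230, 172.200.1.1), and adding your own VIPs and central-snat-map entries to the lists shows which flows would change.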