Description: This article discusses how to change the source NAT (SNAT) IP of egress traffic when the real source IP address of the device is also configured as a VIP.
Scope: FortiGate.
Solution:
When a virtual IP (VIP) is configured on the FortiGate and used in an inbound firewall policy, its external IP is also used for traffic that the mapped device itself initiates. If the device behind the VIP initiates traffic that matches an outbound firewall policy with SNAT set to use the outgoing interface, the external IP of the VIP, not the interface IP, is used to translate the source IP.
In this example, the VIP interface is port1, the external IP is 1.2.3.4, and the internal IP is 10.109.0.100.
On the CLI:
config firewall vip
    edit "test-VIP"
        set extip 1.2.3.4
        set mappedip "10.109.0.100"
        set extintf "port1"
    next
end
For a VIP to work, it must be included in an inbound firewall policy as the destination.
On the CLI:
config firewall policy
    edit 2
        set name "test-VIP-policy"
        set srcintf "port1"
        set dstintf "port10"
        set action accept
        set srcaddr "all"
        set dstaddr "test-VIP"
        set schedule "always"
        set service "ALL"
    next
end
The outbound firewall policy allowing Internet access is configured to use Source NAT (SNAT) with the outgoing interface IP address.
On the CLI:
config firewall policy
    edit 1
        set name "Internet"
        set srcintf "port10"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set nat enable
    next
end
The result is that outbound traffic from the device behind the VIP is translated to the configured external IP address. This is the default behavior for a VIP when the firewall policy is configured to use SNAT with the IP of the outgoing interface. This can be verified with the sniffer: when pings from the VIP device egress through port1, the source IP is translated to 1.2.3.4. (There is no reply in this example because the translated source IP is 1.2.3.4.)
To change this behavior, an IP pool can be used in the outbound policy to change the translated address of the VIP. In this example, the IP 10.9.10.131 is used for the outgoing IP address.
On the CLI:
config firewall ippool
    edit "test-IP-Pool"
        set startip 10.9.10.131
        set endip 10.9.10.131
    next
end
The IP pool must be configured in the outbound firewall policy, instead of using the IP of the outgoing interface for SNAT.
On the CLI:
config firewall policy
    edit 1
        set name "Internet"
        set srcintf "port10"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "test-IP-Pool"
    next
end
The result is that the IP pool is now used for SNAT instead of the VIP's external IP address. This can be verified with the sniffer: when the packets egress through port1, the source address is translated to the IP pool address 10.9.10.131.
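Because the VIP's external IP is used silently whenever an outbound NAT policy without an IP pool matches the mapped device's traffic, it is worth auditing a configuration backup for that combination. The following script is an added example, not part of this article or of FortiOS: it parses the CLI form of the VIP and policy sections shown above (a constructed sample is embedded) and reports every policy that has `nat enable` without `ippool enable` while its `dstintf` is the `extintf` of a VIP, which is exactly the case where egress traffic would carry the VIP's `extip`.

```python
import shlex
from collections import defaultdict
# Constructed sample in FortiOS CLI form: this article's VIP and the outbound
# policy with SNAT to the outgoing interface IP and no IP pool configured.
SAMPLE_CONFIG = """
config firewall vip
    edit "test-VIP"
        set extip 1.2.3.4
        set extintf "port1"
    next
end
config firewall policy
    edit 1
        set srcintf "port10"
        set dstintf "port1"
        set nat enable
    next
end
"""
def parse_fortios(text):
    # Minimal parser -> {section: {entry: {key: value}}}; nested sub-blocks skipped.
    tree, stack, entry = defaultdict(lambda: defaultdict(dict)), [], None
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end":
            stack.pop()
        elif len(stack) != 1:
            continue
        elif tok[0] == "edit":
            entry = tok[1]
        elif tok[0] == "set" and entry is not None:
            tree[stack[0]][entry][tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next":
            entry = None
    return tree
def vip_snat_findings(text):
    # Flag NAT policies (nat enable, no ippool) whose dstintf is a VIP's extintf.
    cfg = parse_fortios(text)
    findings = []
    for pid, pol in cfg["firewall policy"].items():
        if pol.get("nat") != "enable" or pol.get("ippool") == "enable":
            continue
        for vname, vip in cfg["firewall vip"].items():
            if vip.get("extintf") == pol.get("dstintf"):
                findings.append((pid, vname, vip.get("extip")))
    return findings
```

Each finding is (policy ID, VIP name, external IP that would appear as the egress source); adding `set ippool enable` and `set poolname` to the policy, as in the article, clears it.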
For more information on configuring VIP, see the documentation: Configuring the VIP to access the remote servers
For more information on configuring IP pools, see the documentation: Dynamic SNAT
Related articles: Technical Tip: Virtual IP (VIP) port forwarding configuration