Description | This article describes how the traffic flow is affected in Central-SNAT after the upgrade to v7.6.1. |
Scope | FortiGate v7.6.1 and above. |
Solution |
Starting from FortiGate v7.6.1, Central SNAT policies support an SD-WAN zone as the interface and no longer support individual SD-WAN members as the interface. When upgrading to v7.6.1, SD-WAN members are removed from Central SNAT policies. See 'v7.6.1 Release Notes: Policies that use an interface show missing or empty values after an upgrade'.
v7.6.0:
To restore the Central SNAT behavior after the upgrade and keep using the IP pools, use the CLI to set the associated-interface parameter of each IP pool to its corresponding WAN (SD-WAN member) interface, then reference those pools in the Central SNAT policy whose destination interface is the SD-WAN zone:
config firewall ippool
    edit "ISP1 external IP"
        set associated-interface "ISP1_Tunnel"
    next
    edit "ISP2 external IP"
        set associated-interface "ISP2_Tunnel"
    next
end

config firewall central-snat-map
    edit 1
        set srcintf "LAN"
        set dstintf "INET"
        set orig-addr "LAN"
        set dst-addr "all"
        set nat-pool "ISP1 external IP" "ISP2 external IP"
    next
end
Note: Due to a GUI issue that is expected to be fixed in firmware version 7.6.3, SD-WAN zones are not visible or selectable in the Central SNAT configuration menu. The workaround is to perform the configuration with the CLI commands above and not to edit or modify that configuration afterwards via the GUI.
After making the above changes:
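The following CLI sequence is an added verification example, not part of the original article: it confirms that each pool is bound to its SD-WAN member, that the Central SNAT policy references the zone "INET" rather than the members, and then inspects a live session to check which pool address the traffic is translated to. Interface, pool and zone names are the ones used above; the internal host address 10.10.10.50 is a constructed example value.

```fortios
# Confirm each IP pool carries the associated-interface set above
show firewall ippool

# Confirm the Central SNAT policy references the SD-WAN zone "INET",
# not the individual members ISP1_Tunnel / ISP2_Tunnel
show firewall central-snat-map

# Inspect a session from an internal host (10.10.10.50 is a constructed example address)
diagnose sys session filter clear
diagnose sys session filter src 10.10.10.50
diagnose sys session list
```

In the session output, the line beginning "hook=post dir=org act=snat" shows the translated source address. It should be an address from the pool whose associated-interface matches the SD-WAN member the session egresses on; if the session egresses on ISP1_Tunnel but is translated to an "ISP2 external IP" address (or is not translated at all), the pool-to-interface association or the policy's nat-pool list has not been applied as intended.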
Related article: Technical Tip: How to associate a NAT pool (IP pool) to a physical interface of an SD-WAN |