FortiGate
sakuraju (Staff)
Article Id 362778
Description This article describes how traffic flow through Central SNAT is affected after upgrading to v7.6.1.
Scope FortiGate v7.6.1 and above.
Solution

Starting from FortiGate v7.6.1, Central SNAT policies accept an SD-WAN zone as the interface but no longer accept individual SD-WAN members. When upgrading to v7.6.1, SD-WAN members are therefore removed from existing Central SNAT policies. See 'v7.6.1 Release Notes: Policies that use an interface show missing or empty values after an upgrade'.

v7.6.0:

[Screenshot: SD-WAN member configuration (76 SDWAN.PNG)]

[Screenshot: Central SNAT policy page (760 Central SNAT page1.PNG)]


v7.6.1 - SD-WAN members are removed from existing Central SNAT policies.

[Screenshot: Central SNAT policy after the upgrade (761 Central SNAT 1.PNG)]

To restore the Central SNAT behavior after the upgrade and keep using the IP pools, use the CLI to set the associated-interface parameter of each IP pool to the corresponding WAN interface, then add the pools to the Central SNAT policy for the SD-WAN zone:


config firewall ippool
    edit "ISP1 external IP"
        set associated-interface "ISP1_Tunnel"
    next
    edit "ISP2 external IP"
        set associated-interface "ISP2_Tunnel"
    next
end

config firewall central-snat-map
    edit 1
        set srcintf "LAN"
        set dstintf "INET"
        set orig-addr "LAN"
        set dst-addr "all"
        set nat-pool "ISP1 external IP" "ISP2 external IP"
    next
end
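As an added example (not part of the original article or of any Fortinet tooling), the following Python script parses a FortiOS configuration backup and flags Central SNAT entries affected by the upgrade: an empty dstintf, or a nat-pool whose IP pool has no associated-interface. The embedded configuration is constructed; the table and parameter names are the ones used in the CLI above.

```python
import shlex
# Constructed sample of a FortiOS config backup, not from a real device: pool "ISP2 external IP" lacks associated-interface and policy 2 has lost its dstintf, the symptom seen after the upgrade.
SAMPLE_CONFIG = """\
config firewall ippool
    edit "ISP1 external IP"
        set associated-interface "ISP1_Tunnel"
    next
    edit "ISP2 external IP"
    next
end
config firewall central-snat-map
    edit 1
        set dstintf "INET"
        set nat-pool "ISP1 external IP" "ISP2 external IP"
    next
    edit 2
        set nat-pool "ISP1 external IP"
    next
end
"""
def parse_tables(text):
    # Parse top-level 'config <table>' blocks into {table: {entry: {key: [values]}}}.
    tables, stack, entry = {}, [], None
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())
        if not tok or tok[0].startswith("#"): continue  # blank or comment line
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end":
            stack.pop()
        elif len(stack) != 1:
            continue  # skip sub-tables nested inside an entry
        elif tok[0] == "edit":
            entry = tables.setdefault(stack[0], {}).setdefault(tok[1], {})
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tables
def audit_central_snat(text):
    # Return (policy_id, problem) pairs for Central SNAT entries that need the CLI fix.
    tables = parse_tables(text)
    findings = []
    for pid, pol in tables.get("firewall central-snat-map", {}).items():
        if not pol.get("dstintf"):
            findings.append((pid, "dstintf empty: set it to the SD-WAN zone"))
        for name in pol.get("nat-pool", []):
            if not tables.get("firewall ippool", {}).get(name, {}).get("associated-interface"):
                findings.append((pid, f"nat-pool '{name}' has no associated-interface"))
    return findings
```

Run it against a `show full-configuration` export or a backup file; a pool that is referenced but not defined is reported the same way as one missing associated-interface.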


Note: Due to a GUI issue that is expected to be fixed in firmware version 7.6.3, SD-WAN zones are not visible or selectable in the Central SNAT configuration menu. The workaround is to perform the configuration with the CLI commands above and not to edit or modify the configuration afterwards via the GUI.

After making the above changes:

[Screenshot: Central SNAT policy after the CLI changes (761 Central SNAT 2.PNG)]

Related article:

Technical Tip: How to associate a NAT pool (IP pool) to a physical interface of an SD-WAN