Matt_B
Staff & Editor
Article Id 368278
Description In FortiOS v7.6.1 and later, it is not possible to configure an individual SD-WAN member in Central SNAT policy. If members of the same SD-WAN zone require different custom source NAT, an IP pool with associated-interface must be configured.
Scope FortiGate v7.6.1 or later and Central NAT enabled.
Solution

It is sometimes necessary to configure custom Source NAT for individual members of the same SD-WAN zone. In earlier firmware versions, this could be done by enabling Central NAT and configuring a Central SNAT policy for each SD-WAN member with the desired IP pool.


In FortiOS v7.6.1 and later, it is no longer possible to configure an SD-WAN member as a source or destination interface in a Central SNAT policy. To configure customized Source NAT for different members of the same SD-WAN zone, reference the SD-WAN zone in a Central SNAT policy and specify the intended SD-WAN member for each IP pool using 'set associated-interface <SD-WAN member>'. This configuration is similar to the solution used when no Central NAT is in use, see the article 'Technical Tip: How to use one certain IP pool per a SD-WAN member'.


v7.6.0:
[Screenshot: 76 SDWAN.PNG]
[Screenshot: 760 Central SNAT page1.PNG]

v7.6.1 or later:
[Screenshot: 761 Central SNAT 2.PNG]


Note: In FortiOS v7.6.1, SD-WAN zones are not selectable as source or destination interfaces in the Central SNAT policy GUI; only the CLI can be used. This issue will be resolved in a future v7.6 version.

Example configuration:

config firewall central-snat-map
    edit 1
        unset nat-ippool    <- IP pool must be removed from all existing SNAT policies before modification.
    next
end

config firewall ippool
    edit "ISP1 external IP"
        set startip 172.18.108.33
        set endip 172.18.108.33
        set arp-reply disable
        set associated-interface "ISP1_tunnel"
    next
    edit "ISP2 external IP"
        set startip 10.255.144.33
        set endip 10.255.144.33
        set arp-reply disable
        set associated-interface "ISP2_tunnel"
    next
end

config firewall central-snat-map
    edit 1
        set srcintf "LAN"
        set dstintf "INET"
        set orig-addr "LAN"
        set dst-addr "all"
        set nat-ippool "ISP1 external IP" "ISP2 external IP"
    next
end
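A small configuration check for the layout described above, added here as an example and not part of the article or of FortiOS: it parses a FortiOS-style config text (constructed sample inline, with the second pool's associated-interface deliberately left blank) and flags any pool referenced by a multi-pool Central SNAT policy that cannot be tied to a specific SD-WAN member. Table and key names follow the CLI shown in the article; the parser and function names are the example's own.

```python
import shlex
from collections import defaultdict
# Constructed sample (not from the article): the second pool's associated-interface
# was left blank, so the firewall cannot tie it to a specific SD-WAN member.
SAMPLE_CONFIG = """
config firewall ippool
    edit "ISP1 external IP"
        set associated-interface "ISP1_tunnel"
    next
    edit "ISP2 external IP"
        set associated-interface ''
    next
end
config firewall central-snat-map
    edit 1
        set nat-ippool "ISP1 external IP" "ISP2 external IP"
    next
end
"""

def parse_fortios(text):
    """Flat parser for config/edit/set/unset/next/end: {table: {entry: {key: [values]}}}."""
    tables, table, entry = defaultdict(dict), None, None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            table = " ".join(tok[1:])
        elif tok[0] == "edit":
            entry = tables[table].setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] == "unset" and entry is not None:
            entry.pop(tok[1], None)
        elif tok[0] in ("next", "end"):
            entry = None
    return tables

def check_central_snat(text):
    """Flag pools in a multi-pool Central SNAT policy that are not tied to a member."""
    cfg = parse_fortios(text)
    pools = cfg.get("firewall ippool", {})
    warnings = []
    for pid, pol in cfg.get("firewall central-snat-map", {}).items():
        names = pol.get("nat-ippool", [])
        if len(names) < 2:
            continue  # single pool per zone: a blank associated-interface is the documented form
        for name in names:
            iface = "".join(pools.get(name, {}).get("associated-interface", []))
            if not iface:
                warnings.append(f"policy {pid}: pool '{name}' is undefined or has no associated-interface")
    return warnings
```

Run it against a `show firewall ippool` / `show firewall central-snat-map` export before an upgrade to v7.6.1 to see which pools still need an associated-interface.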


A single SD-WAN zone with a mix of member interfaces requiring source NAT and no source NAT is not supported.

[Screenshot: 761 Central SNAT 4.png]

config firewall ippool
    edit "ISP1 external IP"
        set startip 172.18.108.33
        set endip 172.18.108.33
        set arp-reply disable
        set associated-interface "ISP1_tunnel"
    next
end

With the above configuration, Source NAT will be performed for data traffic matching the Central SNAT policy and egressing on ISP2_tunnel. The new source IP address will be the ISP2_tunnel interface IP address. If ISP2_tunnel has no configured IP address, Source NAT is still performed to a different IP address: see the article 'Technical Tip: Implement Source-NAT for IPsec interface'.


Multiple interfaces with the same IP pool:

If the SD-WAN deployment uses redundant interfaces with the same external IP address, a separate SD-WAN zone must be configured for each grouping of redundant interfaces, since IP pools do not permit multiple interfaces in 'set associated-interface'. For example, the following requires separate SD-WAN zones for ISP1 and ISP2 in v7.6.1.

v7.6.0
[Screenshot: 760 Central SNAT 2.PNG]

v7.6.1
ISP1_zone contains the redundant interfaces for ISP1. ISP2_zone contains the redundant interfaces for ISP2.
[Screenshot: 761 SDWAN zone.PNG]
[Screenshot: 761 Central SNAT 3.PNG]

Since each IP pool is used for multiple interfaces, 'associated-interface' must be blank.

config firewall ippool
    edit "ISP1 external IP"
        set type overload
        set startip 172.18.108.33
        set endip 172.18.108.33
        set arp-reply disable
        set associated-interface ''
        set comments ''
        set nat64 disable
    next
end

Configuring appropriate custom Source NAT for the network environment ensures configured SD-WAN members are available for use.


Note: When upgrading to v7.6.1, interfaces that are members of an SD-WAN zone will be removed from Local-in, Multicast, DoS, and Central NAT policies; see the v7.6.1 Release Notes entry 'Policies that use an interface show missing or empty values after an upgrade'. The article 'Technical Tip: Changes to Central-SNAT after upgrade to 7.6.1+' describes the effect of the upgrade on Central SNAT policies in more detail.