If 'srcintf' on a policy is set to an interface that has no IP address of its own, such as an IPsec interface or a zone, SNAT is not applied as desired.
This is because the IP of the interface with the lowest index is used for SNAT:
diagnose ip address list
IP=3.3.3.3->3.3.3.3/255.255.255.255 index=6 devname=mgmt    <----- The lowest index
IP=4.4.4.1->4.4.4.1/255.255.255.252 index=9 devname=ha1
IP=192.168.11.85->192.168.11.85/255.255.255.0 index=12 devname=port2
IP=2.2.2.2->2.2.2.2/255.255.255.0 index=13 devname=port3
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=30 devname=root
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=34 devname=MGMT
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=38 devname=Loopback100
IP=1.1.1.1->1.1.1.1/255.255.255.255 index=38 devname=Loopback100
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=40 devname=vsys_ha
IP=169.254.0.1->169.254.0.1/255.255.255.192 index=41 devname=port_ha
IP=192.168.11.85->192.168.11.85/255.255.255.0 index=42 devname=root.b
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=43 devname=vsys_fgfm
IP=169.254.0.65->169.254.0.65/255.255.255.192 index=44 devname=havdlink0
IP=169.254.0.66->169.254.0.66/255.255.255.192 index=45 devname=havdlink1
IP=169.254.0.2->169.254.0.2/255.255.0.0 index=46 devname=tun_fgfm
diagnose sniffer packet any 'host 10.0.1.100' 4 0 l
2023-11-01 11:52:36.641795 port3 in 2.2.2.222 -> 10.0.1.100: icmp: echo request
2023-11-01 11:52:36.641848 To_61_IPSEC out 3.3.3.3 -> 10.0.1.100: icmp: echo request    <----- 'mgmt' interface is applied for SNAT.
config system ha
    set group-id 100
    set group-name "test"
    set mode a-p
    set hbdev "ha1" 50
    set session-pickup enable
    set session-pickup-connectionless enable
    set override enable
    set priority 250
end
Related details and workarounds so far are described in:
Technical Tip: Implement Source-NAT for IPSEC interface.
On FortiGates that use the mgmt and HA interfaces and have ha-mgmt-interfaces configured, the 'mgmt' interface is omitted from the SNAT process:
diagnose ip address list
IP=3.3.3.3->3.3.3.3/255.255.255.255 index=6 devname=mgmt    <----- Mgmt interface is omitted from SNAT if ha-mgmt-interfaces is configured
IP=4.4.4.1->4.4.4.1/255.255.255.252 index=9 devname=ha1
IP=192.168.11.85->192.168.11.85/255.255.255.0 index=12 devname=port2
IP=2.2.2.2->2.2.2.2/255.255.255.0 index=13 devname=port3
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=30 devname=root
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=34 devname=MGMT
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=38 devname=Loopback100
IP=1.1.1.1->1.1.1.1/255.255.255.255 index=38 devname=Loopback100
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=40 devname=vsys_ha
IP=169.254.0.1->169.254.0.1/255.255.255.192 index=41 devname=port_ha
IP=192.168.11.85->192.168.11.85/255.255.255.0 index=42 devname=root.b
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=43 devname=vsys_fgfm
IP=169.254.0.65->169.254.0.65/255.255.255.192 index=44 devname=havdlink0
IP=169.254.0.66->169.254.0.66/255.255.255.192 index=45 devname=havdlink1
IP=169.254.0.2->169.254.0.2/255.255.0.0 index=46 devname=tun_fgfm
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=47 devname=vsys_hamgmt
diagnose sniffer packet any 'host 10.0.1.100' 4 0 l
2023-11-01 11:59:09.632662 port3 in 2.2.2.222 -> 10.0.1.100: icmp: echo request
2023-11-01 11:59:09.632711 To_61_IPSEC out 4.4.4.1 -> 10.0.1.100: icmp: echo request    <----- ha1 interface is applied for SNAT because it has the second lowest index
get system session list | grep 2.2.2.22
icmp     59    2.2.2.222:1    4.4.4.1:60417    10.0.1.100:8    -
config system ha
    set group-id 100
    set group-name "test"
    set mode a-p
    set hbdev "ha1" 50
    set session-pickup enable
    set session-pickup-connectionless enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.168.11.1
        next
    end
    set override enable
    set priority 250
end
In summary: when the FortiGate applies source NAT on the IPsec interface in an HA environment with the mgmt and HA interfaces enabled, and the mgmt interface is configured under ha-mgmt-interfaces, the mgmt interface, which has the lowest index, is omitted from SNAT and the next-lowest index is used instead.
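To check which address a policy will use for SNAT before relying on it, the following added script (not part of this Technical Tip or of FortiOS) parses 'diagnose ip address list' output, predicts the source IP under the lowest-index rule described above with any ha-mgmt-interfaces excluded, and compares it with the source IP observed on the outgoing sniffer line. The sample output is a constructed excerpt of the listings above; the assumption that only ha-mgmt-interfaces are excluded is the behaviour this page shows, nothing more.

```python
import re
from typing import List, NamedTuple, Optional, Sequence


class IfaceAddr(NamedTuple):
    ip: str
    mask: str
    index: int
    devname: str


# One record per "IP=a->b/mask index=N devname=X" entry, whether the output is
# line-broken or flattened onto a single line.
RECORD_RE = re.compile(
    r"IP=(?P<ip>[\d.]+)->[\d.]+/(?P<mask>[\d.]+)\s+index=(?P<index>\d+)\s+devname=(?P<dev>\S+)"
)
# Outgoing sniffer line: "<timestamp> <dev> out <src> -> <dst>: ..."
SNIFFER_OUT_RE = re.compile(r"(?P<dev>\S+)\s+out\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)")


def parse_ip_address_list(output: str) -> List[IfaceAddr]:
    """Parse 'diagnose ip address list' output into address records."""
    return [IfaceAddr(m["ip"], m["mask"], int(m["index"]), m["dev"])
            for m in RECORD_RE.finditer(output)]


def predict_snat_source(addrs: Sequence[IfaceAddr],
                        ha_mgmt_interfaces: Sequence[str] = ()) -> Optional[IfaceAddr]:
    """Lowest-index address after dropping interfaces listed under ha-mgmt-interfaces.
    Assumption: only those interfaces are excluded, as observed on this page."""
    excluded = set(ha_mgmt_interfaces)
    candidates = [a for a in addrs if a.devname not in excluded]
    return min(candidates, key=lambda a: a.index) if candidates else None


def observed_snat_source(sniffer_output: str) -> Optional[str]:
    """Source IP of the first outgoing packet in 'diagnose sniffer packet' output."""
    m = SNIFFER_OUT_RE.search(sniffer_output)
    return m["src"] if m else None


# Constructed excerpt of the page's listing (same IPs and indexes, fewer rows).
SAMPLE_ADDR_LIST = """\
IP=3.3.3.3->3.3.3.3/255.255.255.255 index=6 devname=mgmt
IP=4.4.4.1->4.4.4.1/255.255.255.252 index=9 devname=ha1
IP=192.168.11.85->192.168.11.85/255.255.255.0 index=12 devname=port2
IP=2.2.2.2->2.2.2.2/255.255.255.0 index=13 devname=port3
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=30 devname=root
"""
SAMPLE_SNIFFER = "2023-11-01 11:59:09.632711 To_61_IPSEC out 4.4.4.1 -> 10.0.1.100: icmp: echo request"

if __name__ == "__main__":
    addrs = parse_ip_address_list(SAMPLE_ADDR_LIST)
    predicted = predict_snat_source(addrs, ["mgmt"])
    print("predicted:", predicted, "observed:", observed_snat_source(SAMPLE_SNIFFER))
```

If the predicted and observed addresses differ, the exclusion assumption does not hold on that unit, and the workarounds in the linked Technical Tip should be used rather than relying on interface ordering.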