FortiGate
bbae
Staff
Article Id 283168
Description This article describes how Source-NAT for an IPSEC interface behaves in an HA environment where the mgmt and HA interfaces are in use, and how a dedicated HA management interface changes which address is used.
Scope FortiGate v6.4, FortiGate v7.0, IPSEC VPN, SNAT.
Solution

If a policy with NAT enabled is configured with an interface that has no IP address of its own, such as an IPSEC interface or a Zone, SNAT is not applied as desired: the translated source address is not taken from the interface the administrator expects.

 

This happens because, with no address available on that interface, the FortiGate takes the SNAT source address from the interface with the lowest index:

 

diagnose ip address list
IP=3.3.3.3->3.3.3.3/255.255.255.255 index=6 devname=mgmt  <----- The lowest index
IP=4.4.4.1->4.4.4.1/255.255.255.252 index=9 devname=ha1
IP=192.168.11.85->192.168.11.85/255.255.255.0 index=12 devname=port2
IP=2.2.2.2->2.2.2.2/255.255.255.0 index=13 devname=port3
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=30 devname=root
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=34 devname=MGMT
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=38 devname=Loopback100
IP=1.1.1.1->1.1.1.1/255.255.255.255 index=38 devname=Loopback100
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=40 devname=vsys_ha
IP=169.254.0.1->169.254.0.1/255.255.255.192 index=41 devname=port_ha
IP=192.168.11.85->192.168.11.85/255.255.255.0 index=42 devname=root.b
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=43 devname=vsys_fgfm
IP=169.254.0.65->169.254.0.65/255.255.255.192 index=44 devname=havdlink0
IP=169.254.0.66->169.254.0.66/255.255.255.192 index=45 devname=havdlink1
IP=169.254.0.2->169.254.0.2/255.255.0.0 index=46 devname=tun_fgfm

 

diagnose sniffer packet any 'host 10.0.1.100' 4 0 l
2023-11-01 11:52:36.641795 port3 in 2.2.2.222 -> 10.0.1.100: icmp: echo request
2023-11-01 11:52:36.641848 To_61_IPSEC out 3.3.3.3 -> 10.0.1.100: icmp: echo request <----- 'mgmt' interface is applied for SNAT.

 

config system ha
    set group-id 100
    set group-name "test"
    set mode a-p
    set hbdev "ha1" 50
    set session-pickup enable
    set session-pickup-connectionless enable
    set override enable
    set priority 250
end

 

Related details and the workarounds available so far are described in:

Technical Tip: Implement Source-NAT for IPSEC interface.

 

If the FortiGate uses the mgmt and HA interfaces and the mgmt interface is configured under ha-mgmt-interfaces (a dedicated HA management interface), the 'mgmt' interface is omitted from the SNAT candidate list:

 

diagnose ip address list
IP=3.3.3.3->3.3.3.3/255.255.255.255 index=6 devname=mgmt  <----- mgmt interface is omitted from SNAT when it is configured under ha-mgmt-interfaces
IP=4.4.4.1->4.4.4.1/255.255.255.252 index=9 devname=ha1  
IP=192.168.11.85->192.168.11.85/255.255.255.0 index=12 devname=port2
IP=2.2.2.2->2.2.2.2/255.255.255.0 index=13 devname=port3
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=30 devname=root
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=34 devname=MGMT
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=38 devname=Loopback100
IP=1.1.1.1->1.1.1.1/255.255.255.255 index=38 devname=Loopback100
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=40 devname=vsys_ha
IP=169.254.0.1->169.254.0.1/255.255.255.192 index=41 devname=port_ha
IP=192.168.11.85->192.168.11.85/255.255.255.0 index=42 devname=root.b
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=43 devname=vsys_fgfm
IP=169.254.0.65->169.254.0.65/255.255.255.192 index=44 devname=havdlink0
IP=169.254.0.66->169.254.0.66/255.255.255.192 index=45 devname=havdlink1
IP=169.254.0.2->169.254.0.2/255.255.0.0 index=46 devname=tun_fgfm
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=47 devname=vsys_hamgmt

 

diagnose sniffer packet any 'host 10.0.1.100' 4 0 l
2023-11-01 11:59:09.632662 port3 in 2.2.2.222 -> 10.0.1.100: icmp: echo request
2023-11-01 11:59:09.632711 To_61_IPSEC out 4.4.4.1 -> 10.0.1.100: icmp: echo request <----- ha1 interface is applied for SNAT because it now has the lowest remaining index

 

get system session list | grep 2.2.2.22
icmp 59 2.2.2.222:1 4.4.4.1:60417 10.0.1.100:8 -

 

config system ha
    set group-id 100
    set group-name "test"
    set mode a-p
    set hbdev "ha1" 50
    set session-pickup enable
    set session-pickup-connectionless enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.168.11.1
        next
    end
    set override enable
    set priority 250
end

 

In summary: when Source-NAT is used for an IPSEC interface in an HA environment with the mgmt and HA interfaces enabled, and the mgmt interface is configured under ha-mgmt-interfaces, the mgmt interface (the one with the lowest index) is omitted from SNAT and the address of the interface with the next-lowest index is used instead. Check 'diagnose ip address list' and the sniffer output to confirm which address is actually chosen before relying on it in remote-side firewall rules.
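To make the selection rule above checkable offline, the following Python script is an added example (it is not FortiGate code and not part of the original article). It parses 'diagnose ip address list' and 'config system ha' output, drops any interface dedicated under ha-mgmt-interfaces when ha-mgmt-status is enabled, and reports which interface address the firewall will pick for SNAT by the lowest-index rule. The sample outputs embedded in it are copied from this article; the function names are the example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input, copied from the 'diagnose ip address list' output
# in this article. The script itself is an added example, not FortiGate code.
DIAG_IP_ADDRESS_LIST = """\
IP=3.3.3.3->3.3.3.3/255.255.255.255 index=6 devname=mgmt
IP=4.4.4.1->4.4.4.1/255.255.255.252 index=9 devname=ha1
IP=192.168.11.85->192.168.11.85/255.255.255.0 index=12 devname=port2
IP=2.2.2.2->2.2.2.2/255.255.255.0 index=13 devname=port3
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=30 devname=root
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=38 devname=Loopback100
IP=1.1.1.1->1.1.1.1/255.255.255.255 index=38 devname=Loopback100
"""

# Constructed samples of the two 'config system ha' variants shown above.
HA_CONFIG_PLAIN = """\
config system ha
    set mode a-p
    set hbdev "ha1" 50
end
"""

HA_CONFIG_DEDICATED_MGMT = """\
config system ha
    set mode a-p
    set hbdev "ha1" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.168.11.1
        next
    end
end
"""

ADDR_RE = re.compile(
    r"^IP=(?P<ip>[\d.]+)->[\d.]+/[\d.]+\s+index=(?P<index>\d+)\s+devname=(?P<dev>\S+)"
)


def parse_ip_address_list(text: str) -> List[Tuple[int, str, str]]:
    """Return (index, devname, ip) per 'diagnose ip address list' line;
    non-matching lines (prompts, annotations) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ADDR_RE.match(line.strip())
        if m:
            entries.append((int(m["index"]), m["dev"], m["ip"]))
    return entries


def parse_ha_mgmt_interfaces(ha_config: str) -> List[str]:
    """Interface names under 'config ha-mgmt-interfaces'; they only count
    when 'set ha-mgmt-status enable' is present, so otherwise return []."""
    names: List[str] = []
    enabled = False
    in_table = False
    for raw in ha_config.splitlines():
        line = raw.strip()
        if line == "set ha-mgmt-status enable":
            enabled = True
        elif line == "config ha-mgmt-interfaces":
            in_table = True
        elif in_table and line == "end":
            in_table = False
        elif in_table:
            m = re.match(r'set interface "([^"]+)"', line)
            if m:
                names.append(m.group(1))
    return names if enabled else []


def predict_snat_source(entries, excluded) -> Optional[Tuple[str, str]]:
    """Rule from this article: after removing the dedicated HA management
    interfaces, the lowest interface index supplies the SNAT source."""
    candidates = sorted(e for e in entries if e[1] not in excluded)
    if not candidates:
        return None
    _index, dev, ip = candidates[0]
    return dev, ip


def report(diag_output: str, ha_config: str) -> str:
    """Human-readable prediction for a pair of CLI dumps."""
    excluded = parse_ha_mgmt_interfaces(ha_config)
    picked = predict_snat_source(parse_ip_address_list(diag_output), excluded)
    if picked is None:
        return "no candidate interface found"
    dev, ip = picked
    return f"SNAT will use {ip} from {dev} (excluded: {excluded or 'none'})"


if __name__ == "__main__":
    print(report(DIAG_IP_ADDRESS_LIST, HA_CONFIG_PLAIN))
    print(report(DIAG_IP_ADDRESS_LIST, HA_CONFIG_DEDICATED_MGMT))
```

Paste the real output of the two CLI commands from your unit into the two sample strings, and compare the reported address with the source seen in 'diagnose sniffer packet' on the IPSEC interface; the two should agree for both the plain and the dedicated-management HA configuration.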
