shahv
Staff
Article Id 189738

Description

This article explains how to avoid unintended NAT when custom NAT is required for one or more SD-WAN members, by associating the appropriate IP pool with each SD-WAN member interface.

Scope

FortiGate.

Solution

Consider a simple SD-WAN configuration with two WAN links in a single SD-WAN zone. If traffic to the Internet should have source NAT applied but the default option 'Use Outgoing Interface Address' is not appropriate for one or more of the links, IP pools must be used. When two IP pools are configured on a firewall policy, by default the FortiGate will only use the first IP pool. This causes connectivity issues for traffic egressing over the other interface, since the FortiGate uses the IP pool intended for WAN1 even when sending packets over WAN2.

The solution is to configure an associated-interface for each IP pool.

IP assignment:

port1 (WAN1) IP pool: 10.47.4.104
port2 (WAN2) IP pool: 10.47.20.104

Sniffer output while running a ping test to 4.2.2.2 from the LAN, with port2 (WAN2) as the outgoing interface:

[Screenshot: Sniffer.jpg]

In this case the FortiGate's port2 gateway drops the echo request because it carries an unexpected source IP address (the WAN1 pool address rather than an address on the port2 subnet).

Bind each IP pool to a specific interface:

1. Create both IP pool objects under Policy & Objects -> IP Pools.

[Screenshot: 0.PNG]

2. Add these two IP pools to the firewall policy that gives users access to the Internet via the SD-WAN.

  • Go to Policy & Objects -> IPv4 Policy.
  • Create or edit the corresponding policy and, under Firewall/Network Options, enable the NAT toggle.
  • In the IP Pool Configuration, select 'Use Dynamic IP Pool' and add the two IP pools created previously.

[Screenshot: 1.png]

3. Associate each of the IP pools used in the firewall policy with its corresponding physical interface.

In FortiOS v7.4.1 and earlier, the default IP pool type 'overload' is the only type which allows associated-interface. In v7.4.2 and later, other types can be used.

config firewall ippool
    edit ippool-WAN1_clients
        set type overload
        set startip 10.47.4.104
        set endip 10.47.4.104
        set associated-interface port1
    next
    edit ippool-WAN2_clients
        set type overload
        set startip 10.47.20.104
        set endip 10.47.20.104
        set associated-interface port2
    next
end


After applying the changes above, each IP pool will only be used for traffic exiting over its own associated-interface.
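The following script is an added illustration and is not FortiOS code or a Fortinet tool. It models the pool-selection behaviour described above (without associated-interface, the first pool in the policy is used for every egress interface; with it, a pool is only used on its own interface), checks the chosen source address against the egress interface's subnet the way the upstream gateway in the sniffer capture effectively does, and audits pool definitions for the two mistakes that produce unintended NAT. The addresses are the article's; the port1 mask (/24) and the gateway's "source must be on my subnet" rule are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample objects mirroring the article's IP assignment.


@dataclass(frozen=True)
class IpPool:
    name: str
    startip: str
    endip: str
    associated_interface: Optional[str] = None  # None = not bound (pre-fix state)


@dataclass(frozen=True)
class Interface:
    name: str
    address: str  # CIDR notation


# port2 mask comes from the article (255.255.255.240 = /28); port1's /24 is assumed.
INTERFACES = {
    "port1": Interface("port1", "10.47.4.104/24"),
    "port2": Interface("port2", "10.47.20.104/28"),
}

# Pools as created in step 1/2, before step 3 (no associated-interface).
UNBOUND_POOLS = [
    IpPool("ippool-WAN1_clients", "10.47.4.104", "10.47.4.104"),
    IpPool("ippool-WAN2_clients", "10.47.20.104", "10.47.20.104"),
]

# Pools after step 3 (each bound to its physical interface).
BOUND_POOLS = [
    IpPool("ippool-WAN1_clients", "10.47.4.104", "10.47.4.104", "port1"),
    IpPool("ippool-WAN2_clients", "10.47.20.104", "10.47.20.104", "port2"),
]


def select_pool(pools: List[IpPool], egress_iface: str) -> Optional[IpPool]:
    """Model of the selection rule described in the article: pools bound to a
    different interface are skipped; among the remaining candidates (bound to
    this interface, or unbound) the first pool listed on the policy wins."""
    for pool in pools:
        if pool.associated_interface in (None, egress_iface):
            return pool
    return None


def snat_source(pools: List[IpPool], egress_iface: str) -> Optional[str]:
    """Source address the packet would leave with (single-address overload pool)."""
    pool = select_pool(pools, egress_iface)
    return pool.startip if pool else None


def gateway_accepts(egress_iface: str, src_ip: Optional[str]) -> bool:
    """Assumed upstream-gateway behaviour: forward only packets whose source
    lies in the subnet it shares with the FortiGate interface."""
    if src_ip is None:
        return False
    net = ip_network(INTERFACES[egress_iface].address, strict=False)
    return ip_address(src_ip) in net


def simulate(pools: List[IpPool], egress_iface: str) -> dict:
    """Outcome of one egress packet: chosen source and whether it gets through."""
    src = snat_source(pools, egress_iface)
    return {"egress": egress_iface, "src": src, "forwarded": gateway_accepts(egress_iface, src)}


def audit_pools(pools: List[IpPool], interfaces=INTERFACES) -> List[str]:
    """Findings for pool definitions that can cause unintended NAT: unbound
    pools in a multi-pool policy, and pools whose range lies outside the
    subnet of the interface they are bound to."""
    findings = []
    for pool in pools:
        if pool.associated_interface is None:
            if len(pools) > 1:
                findings.append(f"{pool.name}: no associated-interface; only the first pool on the policy would be used")
            continue
        iface = interfaces.get(pool.associated_interface)
        if iface is None:
            findings.append(f"{pool.name}: associated-interface {pool.associated_interface} does not exist")
            continue
        net = ip_network(iface.address, strict=False)
        if not (ip_address(pool.startip) in net and ip_address(pool.endip) in net):
            findings.append(f"{pool.name}: range outside {iface.name} subnet {net}")
    return findings


if __name__ == "__main__":
    for label, pools in (("before step 3", UNBOUND_POOLS), ("after step 3", BOUND_POOLS)):
        print(label, simulate(pools, "port1"), simulate(pools, "port2"))
        print("  audit:", audit_pools(pools) or "clean")
```

Run without arguments: the "before step 3" line reproduces the capture, with traffic leaving port2 carrying 10.47.4.104 and being dropped, while "after step 3" shows each interface using its own pool address. The audit function is the check to run against a config export before enabling a second pool on a policy.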

Note that if required, an IP pool can have an IP range that matches an existing interface IP. If that IP pool is matched, the NAT behavior is the same as if 'Use Outgoing Interface Address' had been selected. The port2 pool above uses the port2 interface address:

config system interface
    edit "port2"
        set vdom "root"
        set ip 10.47.20.104 255.255.255.240
        set type physical
        set snmp-index 2
    next
end

Related Article:

Technical Tip: Configuring Source NAT for specific SD-WAN members in v7.6.1 and later [Central NAT]