Description
This article describes how to disable source NAT when a policy allows traffic between two subnets on the same interface.
In this scenario, the traffic enters and leaves the FortiGate via the same interface (a hairpin policy). This causes FortiOS to automatically perform SNAT, even if NAT is not enabled in the firewall policy.
This automatic SNAT is useful when the client reaches the FortiGate through a router or next hop.
SNAT ensures that the router which sent the packets to the FortiGate also receives them back when they egress or are forwarded by the firewall, and that the forwarded packet does not carry the same source IP it had when it arrived at the FortiGate (which could otherwise trigger an anti-spoofing rule on the router).
Another important point is that, without SNAT, the reply traffic from the server may be sent directly to the client instead of to the router and the FortiGate.
Scope
All FortiGates or VDOMs running in NAT/Route Mode and where a hairpin policy is involved.
Solution
If necessary, source NAT for hairpin policies can be disabled with the following per-VDOM setting:
# config system setting
    set snat-hairpin-traffic disable
end
After this configuration is applied, source NAT is no longer applied to hairpin firewall policies.
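To confirm the change took effect, the session table can be checked for hairpin flows that were still source-NATed. The following helper is an added example, not part of the Fortinet article: it parses constructed `diagnose sys session list` output (the `dev=` and `hook=post dir=org act=` field layout is assumed from typical FortiOS session output) and flags sessions whose ingress and egress device index are the same and whose original direction was SNATed.

```python
import re
from typing import Dict, List

# Constructed sample of `diagnose sys session list` output (not taken from the
# article). Session 1 is a hairpin flow (same dev index 5->5 on both legs) that
# was still source-NATed; session 2 is an ordinary two-interface flow.
SAMPLE_SESSION_LIST = """\
session info: proto=6 proto_state=01 duration=5 expire=3595 timeout=3600
orgin->sink: org pre->post, reply pre->post dev=5->5/5->5 gwy=10.1.1.20/10.1.1.1
hook=post dir=org act=snat 10.1.1.50:51234->10.1.1.20:443(10.1.1.1:51234)
hook=pre dir=reply act=dnat 10.1.1.20:443->10.1.1.1:51234(10.1.1.50:51234)
session info: proto=6 proto_state=01 duration=7 expire=3593 timeout=3600
orgin->sink: org pre->post, reply pre->post dev=5->6/6->5 gwy=192.168.2.5/192.168.1.5
hook=post dir=org act=noop 192.168.1.5:40000->192.168.2.5:80(0.0.0.0:0)
hook=pre dir=reply act=noop 192.168.2.5:80->192.168.1.5:40000(0.0.0.0:0)
"""

# dev=<org in>-><org out>/<reply in>-><reply out>
DEV_RE = re.compile(r"dev=(\d+)->(\d+)/(\d+)->(\d+)")
# original-direction post-routing hook: act, src, dst, translated src
ORG_HOOK_RE = re.compile(r"hook=post dir=org act=(\w+) (\S+)->(\S+)\((\S+)\)")


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Split session-list output into per-session dicts with the fields we need."""
    sessions = []
    for block in text.split("session info:")[1:]:
        dev = DEV_RE.search(block)
        hook = ORG_HOOK_RE.search(block)
        if not dev or not hook:
            continue  # incomplete block (e.g. truncated output); skip it
        sessions.append({
            "in_dev": dev.group(1), "out_dev": dev.group(2),
            "act": hook.group(1), "src": hook.group(2),
            "dst": hook.group(3), "nat_src": hook.group(4),
        })
    return sessions


def hairpin_snat_sessions(text: str) -> List[Dict[str, str]]:
    """Hairpin sessions (ingress dev == egress dev) whose original direction was
    source-NATed. With snat-hairpin-traffic disabled and no NAT in the policy,
    this list should be empty."""
    return [s for s in parse_sessions(text)
            if s["in_dev"] == s["out_dev"] and s["act"] == "snat"]


if __name__ == "__main__":
    for s in hairpin_snat_sessions(SAMPLE_SESSION_LIST):
        print(f"hairpin SNAT on dev {s['in_dev']}: {s['src']} -> {s['dst']} "
              f"translated to {s['nat_src']}")
```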
See also the related article below, which provides an example of this scenario with Central NAT enabled:
Other Related Article:
Troubleshooting Tip: SNAT in a Policy with VIP