FortiGate
anoushiravan
Staff
Article Id 240694

Description

This article explains how to use a dedicated IP pool for each SD-WAN member. This is done with the 'associated-interface' setting of the IP pool, which ties a pool to the interface the traffic leaves on, so the FortiGate picks the pool that matches the egress SD-WAN member.

By default, when an IP pool is enabled on a firewall policy, all traffic matching that policy is SNATed from the same pool regardless of which SD-WAN member forwards it. When the members sit on different upstream networks, that means traffic can leave a member with a source address that does not belong to that member's subnet, so return traffic is routed to the wrong link or dropped by the upstream provider.

Scope

FortiGate.
Solution

- Configure the SD-WAN members and SD-WAN rules. The rules decide which member forwards the traffic:

# config system sdwan
    set status enable
config zone
    edit "virtual-wan-link"
    next
end

config members
    edit 1
        set interface "port9"
        set gateway 10.109.31.254
    next
    edit 2
        set interface "port10"
    next
end

config service
    edit 1
        set name "rule-1"
        set dst "8.8.8.8/32"
        set src "all"
        set priority-members 1
    next
    edit 2
        set name "rule-2"
        set dst "4.2.2.2/32"
        set src "all"
        set priority-members 2
    next
end
end


Notes:
- Traffic toward dst IP 8.8.8.8 will be forwarded via port9.
- Traffic toward dst IP 4.2.2.2 will be forwarded via port10.


- Configure the firewall policy with NAT enabled and both IP pools selected:


# config firewall policy
    edit 7
        set name "INTERNET"
        set srcintf "port12"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname "ippool-port10" "ippool-port9"
        set nat enable
    next
end


- Configure one IP pool per SD-WAN member and set 'associated-interface' in each pool to that member's interface:


# config firewall ippool
    edit "ippool-port9"
        set startip 10.109.20.69
        set endip 10.109.20.69
        set associated-interface "port9"  <-
    next
    edit "ippool-port10"
        set startip 10.109.19.113
        set endip 10.109.19.113
        set associated-interface "port10" <-
    next
end


Notes:
- Traffic forwarded via port9 will be SNATed using ip 10.109.20.69.
- Traffic forwarded via port10 will be SNATed using ip 10.109.19.113.


Result:

Traffic going via port9 is SNATed to 10.109.20.69:


2022-12-22 21:33:26 id=20085 trace_id=50 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.116.4.69:1->8.8.8.8:2048) from port12. type=8, code=0, id=1, seq=25."
2022-12-22 21:33:26 id=20085 trace_id=50 func=init_ip_session_common line=5995 msg="allocate a new session-04208191"
2022-12-22 21:33:26 id=20085 trace_id=50 func=vf_ip_route_input_common line=2589 msg="Match policy routing id=2132738049: to 8.8.8.8 via ifindex-10"
2022-12-22 21:33:26 id=20085 trace_id=50 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-10.109.31.254 via port9" <-
2022-12-22 21:33:26 id=20085 trace_id=50 func=fw_forward_handler line=811 msg="Allowed by Policy-7: SNAT"
2022-12-22 21:33:26 id=20085 trace_id=50 func=__ip_session_run_tuple line=3519 msg="SNAT 10.116.4.69->10.109.20.69:60417" <-
2022-12-22 21:33:26 id=20085 trace_id=50 func=ipd_post_route_handler line=490 msg="out port9 vwl_zone_id 1, state2 0x1, quality 1."


Traffic going via port10 is SNATed to 10.109.19.113:


2022-12-22 21:36:33 id=20085 trace_id=52 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.116.4.69:1->4.2.2.2:2048) from port12. type=8, code=0, id=1, seq=37."
2022-12-22 21:36:33 id=20085 trace_id=52 func=init_ip_session_common line=5995 msg="allocate a new session-04208904"
2022-12-22 21:36:33 id=20085 trace_id=52 func=vf_ip_route_input_common line=2589 msg="Match policy routing id=2132738050: to 4.2.2.2 via ifindex-9"
2022-12-22 21:36:33 id=20085 trace_id=52 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-10.109.95.254 via port10" <-
2022-12-22 21:36:33 id=20085 trace_id=52 func=fw_forward_handler line=811 msg="Allowed by Policy-7: SNAT"
2022-12-22 21:36:33 id=20085 trace_id=52 func=__ip_session_run_tuple line=3519 msg="SNAT 10.116.4.69->10.109.19.113:60417" <-
2022-12-22 21:36:33 id=20085 trace_id=52 func=ipd_post_route_handler line=490 msg="out port10 vwl_zone_id 1, state2 0x1, quality 1."
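As an added example (not part of this article and not a Fortinet tool), the following Python script parses 'diagnose debug flow' output like the traces above and checks that every NATed flow left with the source address belonging to its egress member's pool. The expected mapping is copied from the ippool configuration above; the first trace is taken from the Result section, and the second trace is constructed to show what the mismatch looks like when a pool is not tied to the interface (a flow leaving via port10 but SNATed from the port9 pool).

```python
import re

# Expected SNAT source per egress interface, copied from the article's
# 'config firewall ippool' block (associated-interface -> pool address).
EXPECTED_SNAT = {
    "port9": "10.109.20.69",
    "port10": "10.109.19.113",
}

# 'diagnose debug flow' lines as shown in the article's Result section.
TRACE_OK = """\
2022-12-22 21:33:26 id=20085 trace_id=50 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-10.109.31.254 via port9"
2022-12-22 21:33:26 id=20085 trace_id=50 func=fw_forward_handler line=811 msg="Allowed by Policy-7: SNAT"
2022-12-22 21:33:26 id=20085 trace_id=50 func=__ip_session_run_tuple line=3519 msg="SNAT 10.116.4.69->10.109.20.69:60417"
2022-12-22 21:36:33 id=20085 trace_id=52 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-10.109.95.254 via port10"
2022-12-22 21:36:33 id=20085 trace_id=52 func=fw_forward_handler line=811 msg="Allowed by Policy-7: SNAT"
2022-12-22 21:36:33 id=20085 trace_id=52 func=__ip_session_run_tuple line=3519 msg="SNAT 10.116.4.69->10.109.19.113:60417"
"""

# Constructed trace (not from the article): a flow routed out port10 that is
# still SNATed from the port9 pool, which is what happens when the pools are
# not bound to an interface with associated-interface.
TRACE_BAD = """\
2022-12-22 21:40:00 id=20085 trace_id=60 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-10.109.95.254 via port10"
2022-12-22 21:40:00 id=20085 trace_id=60 func=fw_forward_handler line=811 msg="Allowed by Policy-7: SNAT"
2022-12-22 21:40:00 id=20085 trace_id=60 func=__ip_session_run_tuple line=3519 msg="SNAT 10.116.4.69->10.109.20.69:60418"
"""

TRACE_RE = re.compile(r'trace_id=(\d+) .*?msg="(.*)"$')
ROUTE_RE = re.compile(r'find a route: .* via (\S+)')
SNAT_RE = re.compile(r'SNAT (\S+)->(\S+):(\d+)')


def parse_trace(text):
    """Group debug-flow lines by trace_id and extract the egress interface
    (from the 'find a route ... via <intf>' line) and the SNAT address
    (from the 'SNAT <orig>-><nat>:<port>' line) of each flow."""
    flows = {}
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        trace_id, msg = m.group(1), m.group(2)
        flow = flows.setdefault(trace_id, {"egress": None, "snat_ip": None})
        r = ROUTE_RE.search(msg)
        if r:
            flow["egress"] = r.group(1)
        s = SNAT_RE.search(msg)
        if s:
            flow["snat_ip"] = s.group(2)
    return flows


def check_snat(text, expected=EXPECTED_SNAT):
    """Return (trace_id, egress, snat_ip, expected_ip) for every NATed flow
    whose SNAT address is not the pool address bound to its egress interface.
    An empty list means every flow used the pool of the member it left on."""
    mismatches = []
    for trace_id, flow in sorted(parse_trace(text).items(), key=lambda kv: int(kv[0])):
        if flow["egress"] is None or flow["snat_ip"] is None:
            continue  # not a NATed flow, or the route line was not captured
        want = expected.get(flow["egress"])  # None: no pool bound to this member
        if want != flow["snat_ip"]:
            mismatches.append((trace_id, flow["egress"], flow["snat_ip"], want))
    return mismatches


if __name__ == "__main__":
    print("article trace mismatches    :", check_snat(TRACE_OK))
    print("constructed trace mismatches:", check_snat(TRACE_BAD))
```

Feed it the output of a 'diagnose debug flow trace' session captured on the FortiGate; any flow listed by check_snat is one that left a member with another member's pool address, which is exactly the case the associated-interface setting is meant to prevent.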


Related articles:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SNAT-with-IP-pool/ta-p/19...
https://docs.fortinet.com/document/fortigate/7.0.0/cli-reference/296620/config-firewall-ippool