FortiGate
rmreddy
Staff
Article Id 354744
Description This article describes how traffic flows when NAT is enabled in the IPv4 policy.
Scope FortiGate.
Solution

When NAT is enabled in the IPv4 policy, the source IP of the traffic is translated to the IP address of the outgoing (destination-side) interface before the traffic is forwarded to the destination.


Here, the port1 interface IP is 10.5.25.71, so when NAT is enabled in the policy, traffic will get NATted to 10.5.25.71 and forwarded to the server.


NAT2.PNG


NAT.PNG


diagnose sniffer packet any "host 8.8.8.8 and icmp" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 8.8.8.8 and icmp]
2024-11-01 00:44:44.356807 port2 in 172.31.137.26 -> 8.8.8.8: icmp: echo request
2024-11-01 00:44:44.357132 port1 out 10.5.25.71 -> 8.8.8.8: icmp: echo request
2024-11-01 00:44:44.361608 port1 in 8.8.8.8 -> 10.5.25.71: icmp: echo reply
2024-11-01 00:44:44.361688 port2 out 8.8.8.8 -> 172.31.137.26: icmp: echo reply
2024-11-01 00:44:45.377414 port2 in 172.31.137.26 -> 8.8.8.8: icmp: echo request
2024-11-01 00:44:45.377512 port1 out 10.5.25.71 -> 8.8.8.8: icmp: echo request
2024-11-01 00:44:45.381906 port1 in 8.8.8.8 -> 10.5.25.71: icmp: echo reply
2024-11-01 00:44:45.381941 port2 out 8.8.8.8 -> 172.31.137.26: icmp: echo reply


id=65308 trace_id=3 func=print_pkt_detail line=5920 msg="vd-root:0 received a packet(proto=1, 172.31.137.26:1->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=11."
id=65308 trace_id=3 func=init_ip_session_common line=6110 msg="allocate a new session-001d514d"
id=65308 trace_id=3 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=00000000 gw-10.5.31.254 via port1"
id=65308 trace_id=3 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=3 func=get_new_addr line=1274 msg="find SNAT: IP-10.5.25.71(from IPPOOL), port-60418"
id=65308 trace_id=3 func=fw_forward_handler line=998 msg="Allowed by Policy-1: SNAT"
id=65308 trace_id=3 func=ip_session_confirm_final line=3128 msg="npu_state=0x100, hook=4"
id=65308 trace_id=3 func=__ip_session_run_tuple line=3461 msg="SNAT 172.31.137.26->10.5.25.71:60418"
id=65308 trace_id=4 func=print_pkt_detail line=5920 msg="vd-root:0 received a packet(proto=1, 8.8.8.8:60418->10.5.25.71:0) tun_id=0.0.0.0 from port1. type=0, code=0, id=60418, seq=11."


In the output above, the source IP of the traffic is translated to 10.5.25.71 (the port1 address) because NAT is enabled in the policy; the debug flow shows the SNAT decision, and the echo reply from 8.8.8.8 is addressed to 10.5.25.71 and then translated back to 172.31.137.26 on port2.
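The session-table mechanism behind the debug flow above, as an added example that is not FortiGate code: the outbound packet gets its source rewritten to the egress interface IP and a translated port (for ICMP, the echo identifier), the mapping is stored per session, and the reply is matched on that translated identifier and rewritten back to the original source. The egress IP 10.5.25.71 and the first translated port 60418 are taken from the article's output; everything else is a simplification assumed for illustration.

```python
"""
Toy model of policy-based source NAT as shown in the debug flow.
Added example, not FortiGate code. Assumptions: port1 is the egress
interface with IP 10.5.25.71; translated ports are handed out
sequentially starting at 60418 (the value seen in the debug output).
"""
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EGRESS_IP = "10.5.25.71"   # port1 address from the article


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ident: int        # L4 source port, or ICMP echo identifier
    proto: int = 1    # 1 = ICMP


class Firewall:
    """Forwards port2 -> port1 traffic with or without SNAT in the policy."""

    def __init__(self, nat_enabled: bool, first_port: int = 60418):
        self.nat_enabled = nat_enabled
        self._ports = itertools.count(first_port)
        # translated (proto, egress_ip, nat_port) -> original (src, ident)
        self.sessions: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def forward(self, pkt: Packet) -> Packet:
        """Outbound packet received on port2, sent out port1."""
        if not self.nat_enabled:
            return pkt  # policy without NAT: source address left as is
        nat_port = next(self._ports)
        self.sessions[(pkt.proto, EGRESS_IP, nat_port)] = (pkt.src, pkt.ident)
        return Packet(EGRESS_IP, pkt.dst, nat_port, pkt.proto)

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Inbound packet on port1; undo the translation via the session table."""
        key = (pkt.proto, pkt.dst, pkt.ident)
        if key in self.sessions:
            orig_src, orig_ident = self.sessions[key]
            return Packet(pkt.src, orig_src, orig_ident, pkt.proto)
        if pkt.dst == EGRESS_IP:
            return None  # addressed to the firewall itself but no session: not forwarded
        return pkt  # not translated; routed towards its destination unchanged


def demo() -> Tuple[Packet, Packet, Optional[Packet]]:
    """Reproduce the NAT-enabled exchange from the article (values constructed from it)."""
    fw = Firewall(nat_enabled=True)
    outbound = fw.forward(Packet("172.31.137.26", "8.8.8.8", ident=1))
    inbound = fw.reply(Packet("8.8.8.8", EGRESS_IP, ident=outbound.ident))
    return outbound, Packet("8.8.8.8", EGRESS_IP, outbound.ident), inbound


if __name__ == "__main__":
    out, rep, back = demo()
    print("port1 out:", out)   # src rewritten to 10.5.25.71, id 60418
    print("port1 in :", rep)   # reply addressed to 10.5.25.71
    print("port2 out:", back)  # reply rewritten back to 172.31.137.26
```

With `nat_enabled=False` the same `forward()` call returns the packet untouched, which is exactly what the second sniffer capture in the article shows on port1.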


When NAT is disabled, the traffic is forwarded to the destination with its original source IP.


NAT1.PNG


2024-11-01 00:46:21.783824 port2 in 172.31.137.26 -> 8.8.8.8: icmp: echo request
2024-11-01 00:46:21.784099 port1 out 172.31.137.26 -> 8.8.8.8: icmp: echo request
2024-11-01 00:46:22.790529 port2 in 172.31.137.26 -> 8.8.8.8: icmp: echo request
2024-11-01 00:46:22.790665 port1 out 172.31.137.26 -> 8.8.8.8: icmp: echo request
2024-11-01 00:46:23.815000 port2 in 172.31.137.26 -> 8.8.8.8: icmp: echo request
2024-11-01 00:46:23.815198 port1 out 172.31.137.26 -> 8.8.8.8: icmp: echo request
2024-11-01 00:46:24.837444 port2 in 172.31.137.26 -> 8.8.8.8: icmp: echo request
2024-11-01 00:46:24.837542 port1 out 172.31.137.26 -> 8.8.8.8: icmp: echo request


id=65308 trace_id=11 func=print_pkt_detail line=5920 msg="vd-root:0 received a packet(proto=1, 172.31.137.26:1->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=15."
id=65308 trace_id=11 func=init_ip_session_common line=6110 msg="allocate a new session-001d52fa"
id=65308 trace_id=11 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=00000000 gw-10.5.31.254 via port1"
id=65308 trace_id=11 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=11 func=fw_forward_handler line=998 msg="Allowed by Policy-1:"


Here the traffic is forwarded to the destination without NAT, i.e. with its actual source IP (the debug flow shows "Allowed by Policy-1:" with no SNAT entry). Note that this capture contains only echo requests leaving port1 and no echo replies: the reply would have to be routed back to the private source 172.31.137.26, which a destination on the internet cannot do.


  1. This behaviour applies to all kinds of traffic, such as VPN and internet traffic.
  2. For VPN traffic, if the server needs to see the original source IP of the request, NAT must be disabled in the IPv4 policy. However, if there is no response after disabling NAT, check on the server why it does not respond to the original source IP: test with the Windows Firewall disabled and by configuring a NAT rule on the server.