Description
This article describes an issue where Internet access does not work through one of the SD-WAN members when an IP pool is referenced in the firewall policy.
Solution
Users may face this issue when accessing the Internet if the outgoing interface of a firewall policy is an SD-WAN zone with more than one WAN member, such as WAN1 and WAN2, and the policy uses an IP pool for SNAT.
# config system interface
    edit "wan1"
        set alias to_ISP1
        set mode dhcp
    next
    edit "wan2"
        set alias to_ISP2
        set ip 1.1.10. 255.255.255.248
    next
end

# config system sdwan
    set status enable
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
            set gateway 22.214.171.124
        next
    end
end

# config firewall ippool
    edit "126.96.36.199"
        set startip 188.8.131.52
        set endip 184.108.40.206
    next
end

# config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "sdwan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
        set ippool enable
        set poolname "220.127.116.11"
        set nat enable
    next
end
In this case, if traffic goes out via WAN1 but is source-NATed to 18.104.22.168 (a pool address that is only valid on the WAN2 link), Internet access will not work.
To overcome the issue, set 'associated-interface' on the IP pool:
# config firewall ippool
    edit "22.214.171.124"
        set type overload
        set startip 126.96.36.199
        set endip 188.8.131.52
        set associated-interface 'wan2'
        set comments ''
    next
end
With this, the IP pool is applied only when traffic leaves via the WAN2 interface. Traffic going out via WAN1 uses the WAN1 interface IP for SNAT.
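Added example (not Fortinet's code): a small Python check that parses a flat FortiOS config export and flags every policy that enables an IP pool towards the SD-WAN interface while that pool has no 'associated-interface', which is the misconfiguration described above. The sample config is constructed; pool names and addresses are placeholders.

```python
import shlex

# Constructed sample config (not from a real device); names and values are placeholders.
SAMPLE_CONFIG = """
config firewall ippool
    edit "POOL_ISP2"
        set type overload
    next
    edit "POOL_ISP2_FIXED"
        set type overload
        set associated-interface "wan2"
    next
end
config firewall policy
    edit 1
        set dstintf "sdwan"
        set ippool enable
        set poolname "POOL_ISP2"
    next
    edit 2
        set dstintf "sdwan"
        set ippool enable
        set poolname "POOL_ISP2_FIXED"
    next
end
"""

def parse_tables(text):
    """Parse flat 'config <table> / edit <id> / set k v.. / next / end' text into {table: {id: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line)          # strips the quotes FortiOS puts around names
        if not tok:
            continue
        if tok[0] == "config":           # nested 'config' sub-blocks are not handled here
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set":
            entry[tok[1]] = tok[2:]
    return tables

def pools_without_associated_interface(text):
    """Return (policy_id, poolname) for each policy SNATing via an IP pool towards 'sdwan' whose pool lacks associated-interface."""
    tables = parse_tables(text)
    pools = tables.get("firewall ippool", {})
    return [
        (pid, name)
        for pid, pol in tables.get("firewall policy", {}).items()
        if pol.get("ippool") == ["enable"] and "sdwan" in pol.get("dstintf", [])
        for name in pol.get("poolname", [])
        if "associated-interface" not in pools.get(name, {})
    ]
```

Run it against `show firewall ippool` and `show firewall policy` output concatenated into one file; policy 1 in the sample is reported, policy 2 is not.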