montyadams (Staff)
Article Id 402808
Description

This article describes how SD-WAN zones can be used as interface entries in Central SNAT configuration. The feature is available starting from FortiOS version 7.6.1 and has also been backported to FortiOS versions 7.4.8 and 7.2.11 (CLI only). This enhancement improves policy flexibility and routing consistency in SD-WAN-enabled environments.

Scope

FortiGate devices running FortiOS v7.6.1 and later, as well as FortiOS versions 7.4.8 and 7.2.11 (CLI-based support). Applies to Central SNAT, Local-In, DoS, TTL, and multicast policies referencing SD-WAN zones.
Solution

Use Case.

Previously, Central SNAT policies only supported specifying physical interfaces. Beginning with FortiOS v7.6.1, and backported to versions 7.4.8 and 7.2.11 (CLI only), SD-WAN zones can be used as destination interfaces in Central SNAT policies. This simplifies NAT rule configuration in SD-WAN deployments.

Example Configuration (Central SNAT Using SD-WAN Zone).

config firewall ippool
    edit "SNAT_POOL"
        set type overload
        set startip 203.0.113.100
        set endip 203.0.113.100
    next
end

config firewall central-snat-map
    edit 1
        set srcintf "LAN"
        set dstintf "SDWAN_ZONE"
        set orig-addr "internal_subnet"
        set dst-addr "all"
        set protocol 6
        set orig-port 0-65535
        set nat-ippool "SNAT_POOL"
        set nat-port 0-65535
    next
end

In this example:

  • SDWAN_ZONE refers to the SD-WAN zone name defined under config system sdwan.
  • The mapped IP is applied when egress traffic exits via any interface in that zone.

Feature Availability.

  • Available in FortiOS v7.6.1 and later via both GUI and CLI.
  • Available in FortiOS v7.4.8 and v7.2.11 via CLI only.

Additional Policy Types Supporting SD-WAN Zones.

  • Local-In policies.
  • DoS policies.
  • Multicast policies.
  • TTL policies.

Operational Considerations.

  • Ensure that the SD-WAN zone used in Central SNAT matches the zone configured in config system sdwan.
  • Using zones instead of specific interfaces allows broader and more resilient rule application across all member interfaces.
  • This capability enhances maintainability in dynamic WAN environments.
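
To check the first consideration above automatically, here is an added Python example (not from the article or from FortiOS) that walks a saved FortiOS configuration with a simple config/edit stack and reports any Central SNAT dstintf that is not a declared SD-WAN zone. The sample configuration and the optional list of physical interface names are constructed assumptions.

```python
# Constructed sample FortiOS config (not from a real device): one declared SD-WAN
# zone and two Central SNAT entries, the second referencing a zone that never exists.
SAMPLE_CONFIG = """\
config system sdwan
    config zone
        edit "SDWAN_ZONE"
        next
    end
end
config firewall central-snat-map
    edit 1
        set srcintf "LAN"
        set dstintf "SDWAN_ZONE"
    next
    edit 2
        set srcintf "LAN"
        set dstintf "SDWAN_ZONE2"
    next
end
"""

def parse_entries(cfg):
    """Walk the config once with a stack of enclosing config/edit names; return the
    zones declared under system sdwan -> zone and all (central-snat-map id, dstintf)."""
    stack, zones, snat = [], set(), []
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            stack.append(line[len("edit "):].strip('"'))
            if stack[:-1] == ["system sdwan", "zone"]:
                zones.add(stack[-1])
        elif line in ("next", "end"):
            stack.pop()
        elif line.startswith("set dstintf ") and stack[:-1] == ["firewall central-snat-map"]:
            snat.append((stack[-1], line[len("set dstintf "):].strip('"')))
    return zones, snat

def unresolved_dstintf(cfg, physical_ifaces=()):
    """Return Central SNAT entries whose dstintf is neither a declared SD-WAN zone
    nor one of the caller-supplied physical interface names (an assumed input)."""
    zones, snat = parse_entries(cfg)
    return [(sid, intf) for sid, intf in snat
            if intf not in zones and intf not in physical_ifaces]

if __name__ == "__main__":
    for sid, intf in unresolved_dstintf(SAMPLE_CONFIG, physical_ifaces=("wan1", "wan2")):
        print(f"central-snat-map {sid}: dstintf {intf!r} is not a declared zone or interface")
```

Run it against the output of `show full-configuration` saved to a file to catch a zone rename that was not propagated to the Central SNAT policy.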

Comments

mcisneros (Staff)

Thanks Monty!