Description
This article describes SNAT behavior when the primary and secondary interface IP addresses are on the same subnet.
Scope
FortiGate.
Solution
When the primary and secondary interface IP addresses are on different subnets, FortiOS uses for SNAT the address that is on the same subnet as the gateway found by the route lookup.
Firewall Policy using 'Use Outgoing Interface Address' for SNAT (port1 is part of 'virtual-wan-link'):
In the output of the CLI command 'diag ip address list', the primary IP precedes the secondary IP.
When both addresses are on the same subnet, FortiOS uses the IP address at the top of that list for SNAT.
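The selection rule described above, as a small Python model added here for illustration (not FortiOS code or output). The function name and the sample addresses are constructed, and the no-match case returns None because the article does not describe it.

```python
import ipaddress


def select_snat_ip(interface_addrs, gateway):
    """Predict the SNAT source IP under the rule described in this article.

    interface_addrs: 'ip/prefix' strings in the order shown by
                     'diag ip address list' (primary first).
    gateway:         next-hop gateway returned by the route lookup.
    Returns the predicted source IP as a string, or None when no interface
    address shares a subnet with the gateway (case not covered by the article).
    """
    gw = ipaddress.ip_address(gateway)
    for entry in interface_addrs:
        iface = ipaddress.ip_interface(entry)
        # The first listed address whose subnet contains the gateway is used.
        # With primary and secondary on different subnets only one can match;
        # on the same subnet both match, so list order decides.
        if gw in iface.network:
            return str(iface.ip)
    return None


# Constructed sample addresses from documentation ranges (assumptions).
DIFFERENT_SUBNETS = ["192.0.2.10/24", "198.51.100.10/24"]
SAME_SUBNET = ["192.0.2.10/24", "192.0.2.20/24"]

if __name__ == "__main__":
    # Gateway is on the secondary's subnet, so the secondary IP is selected.
    print(select_snat_ip(DIFFERENT_SUBNETS, "198.51.100.1"))
    # Both addresses match the gateway's subnet, so the first listed is used.
    print(select_snat_ip(SAME_SUBNET, "192.0.2.1"))
```

Comparing the predicted address with the source IP seen in the debug flow and session table shows which address upstream allow-lists and log correlation rules need to expect.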
Confirmation using debug flow:
Session table:
Technical Note: SNAT and primary versus secondary IP address.
Copyright 2024 Fortinet, Inc. All Rights Reserved.