FortiGate
nalexiou
Staff
Article Id 193423

Description

This article describes how Virtual IPs (VIPs) impact outgoing Source NAT (SNAT) for traffic coming from the Mapped Address host.

Scope

FortiGate, Virtual IPs, IP Pools, Source NAT.

Solution

While VIPs are primarily used for incoming Destination NAT (e.g. translating from a public external IP address to a private mapped internal address), they can also perform outgoing Source NAT if the traffic matches the VIP's Mapped Address and port/protocol settings.

This behavior occurs even if the VIP is not placed in an outbound Firewall Policy, though it does require the VIP to be added to at least one Firewall Policy (such as a WAN-to-LAN inbound policy). If Central SNAT is being utilized, then the VIP does not need to be added to any Firewall Policies to take effect.

As a quick primer for Source NAT behavior on the FortiGate:

  • When Source NAT is enabled, the default setting within a Firewall Policy (or Central SNAT Policy) is 'Use Outgoing Interface Address'. This results in the FortiGate Source NAT'ing traffic to the FortiGate IP address assigned to the outgoing interface.
  • However, if Virtual IPs are configured then traffic can be Source NAT'd to the External Address of the VIP.
    • This is a helpful feature, as it allows both incoming and outgoing traffic to be symmetric from an IP addressing/NAT'ing standpoint (i.e. traffic from X host is consistently Source NAT'd to Y external address for a given network flow).
  • IP Pools can also be used for Source NAT, though this will be discussed further below.

Using Virtual IP External Addresses for Source NAT.

For the Virtual IP External Address to be used when performing outgoing Source NAT, certain conditions must be met:

  • The Source of the traffic must match the Mapped IP Address configured on the VIP.
  • Traffic must be egressing via the listening Interface configured on the VIP.
    • If the VIP is set to a specific interface then the SNAT will only apply when leaving this interface.
    • If the VIP is set to 'any' then SNAT can potentially apply when egressing any interface.
  • An outbound Firewall Policy must exist that allows this traffic and also has Source NAT enabled in general.
  • If there are any Port Forwarding or Optional Filters -> Services settings applied (used to focus the VIP so that it only DNATs specific incoming connections), then the Source Ports/Protocols must also match the services set here. If no filters are applied here, then all ports/protocols will be eligible to match the VIP.

Example: consider a VIP that is set with a listening Interface of wan1, an External address of 100.65.0.100, a Mapped Address of 192.168.0.100, and Optional Filters -> Services set to the 'All_TCP' Service object.

  • In this scenario, any TCP traffic sourced from 192.168.0.100 and going out via wan1 will be SNAT'd to 100.65.0.100 since it matches the Mapped Address (192.168.0.100), the ports/protocols ('All_TCP'), and the outgoing Interface (wan1) settings for the VIP.
  • On the other hand, ICMP or UDP traffic sourced from 192.168.0.100 will not be SNAT'd to 100.65.0.100, and instead, it will be Source NAT'd to the FortiGate's Outgoing Interface Address.
  • Likewise, TCP traffic sourced from 192.168.0.100 but going out via a different interface (such as DMZ) will not be SNAT'd to 100.65.0.100.


VIPs, IP Pools, and the 'nat-source-vip' Option.

When configuring Source NAT in Firewall Policies, it is possible to create and apply IP Pools instead of using the Outgoing Interface Address option. By default, these IP Pools will override the Virtual IP Source NAT behavior described above, though this is configurable. Depending on the use case, it may be preferable to have the Virtual IP External Address used instead of the IP Pool.

To control this behavior, modify the nat-source-vip CLI option within the Virtual IP config:

config firewall vip
    edit <VIP>
        set nat-source-vip [ enable | disable ]    << Default: disable
    next
end

With that in mind, the following is the order of preference that the FortiGate uses when determining which IP address (IP Pool, VIP External Address, or Outgoing Interface Address) to use when Source NAT'ing traffic. Note that this list assumes the traffic could potentially match any of the three options:

  1. VIP External Address (when nat-source-vip -> enable)
  2. IP Pool assigned to the Firewall Policy.
  3. VIP External Address (when nat-source-vip -> disable; the default setting)
  4. Outgoing Interface IP.

Note:

When nat-source-vip is enabled, the VIP external address will be used for all traffic from the mapped-host that is being Source NAT'd, even if traffic is egressing from a different interface than the VIP is configured for (and even if other VIPs match that mapped-host). Use this option with caution.
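As an added illustration (not Fortinet's code and not output from a FortiGate), the following Python model encodes the VIP matching conditions from the earlier section and the four-step order of preference above, then replays the wan1 / 100.65.0.100 / 192.168.0.100 / All_TCP example. The interface addresses 100.65.0.1 and 172.16.0.1 and the IP Pool address 100.65.0.200 are constructed values, and the model assumes an outbound Firewall Policy already allows the flow.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Vip:
    name: str
    extip: str            # External Address
    mappedip: str         # Mapped Address
    extintf: str = "any"  # listening interface; 'any' can match every egress interface
    services: frozenset = frozenset()  # Optional Filters -> Services; empty = all ports/protocols eligible
    nat_source_vip: bool = False       # CLI 'set nat-source-vip enable|disable' (default: disable)

@dataclass(frozen=True)
class Flow:
    src: str     # source IP of the outgoing packet
    proto: str   # 'tcp', 'udp' or 'icmp'
    egress: str  # interface the packet leaves through

def vip_matches(vip: Vip, flow: Flow) -> bool:
    # Default VIP SNAT conditions: source == Mapped Address, egress == listening interface, protocol in filter
    if flow.src != vip.mappedip:
        return False
    if vip.extintf != "any" and flow.egress != vip.extintf:
        return False
    if vip.services and flow.proto not in vip.services:
        return False
    return True

def select_snat(flow: Flow, vips: list, egress_ip: str, ippool: str = "", policy_nat: bool = True) -> tuple:
    # Returns (address, reason) following the article's order of preference for an allowed outbound flow
    if not policy_nat:
        return flow.src, "no SNAT (NAT disabled in policy)"
    # 1. nat-source-vip enabled: per the Note, every SNAT'd flow from the mapped host, whatever the egress interface
    for vip in vips:
        if vip.nat_source_vip and flow.src == vip.mappedip:
            return vip.extip, f"VIP {vip.name} (nat-source-vip enable)"
    # 2. IP Pool assigned to the Firewall Policy
    if ippool:
        return ippool, "IP Pool"
    # 3. VIP External Address when the interface/service conditions hold (nat-source-vip disable)
    for vip in vips:
        if vip_matches(vip, flow):
            return vip.extip, f"VIP {vip.name} (mapped host, interface and service match)"
    # 4. Outgoing Interface Address
    return egress_ip, "Outgoing Interface Address"
# Constructed scenario from the article's example; the interface addresses are assumed, not from the article
WEB_VIP = Vip("web_vip", "100.65.0.100", "192.168.0.100", "wan1", frozenset({"tcp"}))
IFACE_IP = {"wan1": "100.65.0.1", "dmz": "172.16.0.1"}
def demo(proto: str, egress: str, ippool: str = "", nsv: bool = False) -> str:
    vip = replace(WEB_VIP, nat_source_vip=nsv)
    return select_snat(Flow("192.168.0.100", proto, egress), [vip], IFACE_IP[egress], ippool)[0]
```

Calling demo("tcp", "wan1") returns the VIP External Address, while demo("udp", "wan1") and demo("tcp", "dmz") fall through to the Outgoing Interface Address, matching the three bullets of the worked example.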