FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes the behavior of a VIP configured with the 'Any' external interface.
When a VIP is configured with the external interface set to 'Any', the default behavior for outgoing traffic initiated by the mapped internal IP address is to source NAT it to the external IP address defined in the VIP configuration, regardless of which interface the traffic leaves on.
This behavior can be confirmed from the CLI:
# config firewall vip
# edit <VIPname>
# set nat-source-vip ?
disable    Force only the source NAT mapped IP to the external IP for traffic egressing the external interface of the VIP.
enable     Force the source NAT mapped IP to the external IP for all traffic.
By default, 'nat-source-vip' is set to disable.
So the effective behavior is 'Force only the source NAT mapped IP to the external IP for traffic egressing the external interface of the VIP'.
Because the VIP's external interface is 'Any', every egress interface counts as the external interface of the VIP, so traffic from the mapped IP is matched and source NATed to the VIP external IP on whichever interface it leaves, not only the WAN interface.
This behavior can only be overridden with an IP pool in the firewall policy that matches the outgoing traffic. As a general rule, the source NAT address is chosen in the following order:
1) Reverse SNAT according to the VIP, if 'nat-source-vip' is enabled; otherwise:
2) The 'ippool' specified in the firewall policy.
3) Reverse SNAT according to the VIP, if 'nat-source-vip' is disabled, for traffic egressing the external interface configured on the VIP (every interface when the VIP uses 'Any').
4) The IP address of the outgoing interface.
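The following configuration is an added example, not part of the original article, showing the two cases side by side: a VIP on 'any' that causes reverse SNAT to the VIP external IP by default, and a firewall policy with an IP pool that takes precedence over it (step 2 in the order above). The object names, interface names and addresses (203.0.113.x, 192.168.1.10, "internal", "wan1") are assumptions for illustration.

```text
# VIP with extintf 'any': with nat-source-vip left at its default (disable),
# any outbound session from 192.168.1.10 is source NATed to 203.0.113.10
# on every egress interface, because 'any' matches all of them.
config firewall vip
    edit "srv-vip"
        set extip 203.0.113.10
        set extintf "any"
        set mappedip "192.168.1.10"
        set nat-source-vip disable
    next
end

# IP pool used to override the VIP reverse SNAT for selected traffic.
config firewall ippool
    edit "pool-out"
        set type overload
        set startip 203.0.113.20
        set endip 203.0.113.20
    next
end

# Outbound policy: 'set ippool enable' + 'set poolname' is evaluated before
# the VIP reverse SNAT (nat-source-vip disable), so sessions matching this
# policy leave with 203.0.113.20 instead of 203.0.113.10.
config firewall policy
    edit 10
        set name "lan-to-wan"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-out"
    next
end
```

To verify which address was applied, start a session from the mapped host and inspect it with 'diagnose sys session list' (or filter first with 'diagnose sys session filter src 192.168.1.10'): the 'hook=post dir=org act=snat' line shows the original source followed by the NATed source in parentheses. Without the IP pool in the matching policy it shows the VIP external IP (203.0.113.10 in this example); with the pool it shows the pool address (203.0.113.20). Note that with 'extintf any' this applies on all interfaces, so a mapped host reaching a second WAN or a VPN interface is also translated to the VIP external IP unless a policy IP pool overrides it.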