Description
This article describes the behavior of VIP configured with 'Any' interface.
Solution
When using VIPs configured with 'Any' interface, the default behavior for outgoing internal initiated traffic is to use the External IP address mentioned in the VIP configuration.
This behavior is confirmed From CLI:
enable: Force the source NAT mapped IP to the external IP for all traffic.
By default, this is set to disabled.
# config firewall vipdisable: Force only the source NAT mapped IP to the external IP for traffic egressing the external interface of the VIP.
edit <VIPname>
set nat-source-vip ?
enable: Force the source NAT mapped IP to the external IP for all traffic.
By default, this is set to disabled.
So the behavior will be 'Force only the source NAT mapped IP to the external IP for traffic egressing the external interface of the VIP.'.
As the VIP is configured with < 'Any'>, all the traffic will be matched.
This behavior can only be overridden with an IP pool in the firewall policy matching the outgoing traffic.
As a general rule SNAT is happening on the following order:
1) reverse SNAT according to the VIP if 'nat-source-vip' enabled; otherwise.
2) 'ippool' specified in the policy.
3) reverse SNAT according to the VIP if 'nat-source-vip' is disable - for traffic egressing the external interface configured on the VIP.
4) IP of the outgoing interface.
As a general rule SNAT is happening on the following order:
1) reverse SNAT according to the VIP if 'nat-source-vip' enabled; otherwise.
2) 'ippool' specified in the policy.
3) reverse SNAT according to the VIP if 'nat-source-vip' is disable - for traffic egressing the external interface configured on the VIP.
4) IP of the outgoing interface.
