FortiGate
pathik_mehta
Staff
Article Id 387993
Description: This article describes a scenario where the firewall performs SNAT even though no NAT is configured in the firewall policy.
Scope: All FortiGate.
Solution

Setup:

source: 10.64.56.147 --- Core interface --- Virtual server profile 'LoadBalance-HTTPS-4444' 10.64.9.11:4444 ===> 10.64.10.68:4444, 10.64.10.87:4444 --- Traffic exiting to the actual server via Core interface.


In this setup, the firewall receives the traffic from source 10.64.56.147 on the Core interface. After DNAT to the real server, the route to the translated destination IP also points out of the same Core interface, so the packet enters and leaves through Core.


Route details:


Core # get router info routing-table details 10.64.56.147
Routing table for VRF=0
Routing entry for 10.64.0.0/16
Known via "static", distance 10, metric 0, best
* vrf 0 10.64.50.2, via Core

Core # get router info routing-table details 10.64.9.11
Routing table for VRF=0
Routing entry for 10.64.0.0/16
Known via "static", distance 10, metric 0, best
* vrf 0 10.64.50.2, via Core

Core # get router info routing-table details 10.64.10.68
Routing table for VRF=0
Routing entry for 10.64.0.0/16
Known via "static", distance 10, metric 0, best
* vrf 0 10.64.50.2, via Core
Core #


Debug logs:


2025-04-17 08:59:48 id=65308 trace_id=3231 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=6, 10.64.56.147:51952->10.64.9.11:4444) tun_id=0.0.0.0 from Core. flag [S], seq 4263811835, ack 0, win 64260"
2025-04-17 08:59:48 id=65308 trace_id=3231 func=init_ip_session_common line=6047 msg="allocate a new session-66a5ee07"
2025-04-17 08:59:48 id=65308 trace_id=3231 func=iprope_dnat_check line=5281 msg="in-[Core], out-[]"
2025-04-17 08:59:48 id=65308 trace_id=3231 func=iprope_dnat_tree_check line=824 msg="len=1"
2025-04-17 08:59:48 id=65308 trace_id=3231 func=__iprope_check_one_dnat_policy line=5146 msg="checking gnum-100000 policy-8"
2025-04-17 08:59:48 id=65308 trace_id=3231 func=__iprope_check_one_dnat_policy line=5191 msg="match vip-LoadBalance-HTTPS-4444, naddr=10.64.10.87, nport=4444"
2025-04-17 08:59:48 id=65308 trace_id=3231 func=__iprope_check_one_dnat_policy line=5236 msg="matched policy-8, act=accept, vip=8, flag=100, sflag=2000400"
2025-04-17 08:59:48 id=65308 trace_id=3231 func=iprope_dnat_check line=5293 msg="result: skb_flags-02000400, vid-8, ret-matched, act-accept, flag-00000100"
2025-04-17 08:59:48 id=65308 trace_id=3231 func=fw_pre_route_handler line=184 msg="VIP-10.64.10.87:4444, outdev-unknown"
2025-04-17 08:59:48 id=65308 trace_id=3231 func=__ip_session_run_tuple line=3455 msg="DNAT 10.64.9.11:4444->10.64.10.87:4444"
2025-04-17 08:59:48 id=65308 trace_id=3231 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-10.64.50.2 via Core"
2025-04-17 08:59:48 id=65308 trace_id=3231 func=iprope_fwd_check line=768 msg="in-[Core], out-[Core], skb_flags-020004c0, vid-8, app_id: 0, url_cat_id: 0"


2025-04-17 08:59:48 id=65308 trace_id=3231 func=__iprope_check_one_policy line=2251 msg="policy-598 is matched, act-accept"
2025-04-17 08:59:48 id=65308 trace_id=3231 func=iprope_fwd_check line=805 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-598"


2025-04-17 08:59:48 id=65308 trace_id=3231 func=iprope_shaping_check line=914 msg="in-[Core], out-[Core], skb_flags-020004c0, vid-8"
2025-04-17 08:59:48 id=65308 trace_id=3231 func=fw_forward_handler line=990 msg="Allowed by Policy-598: AV SNAT"


Reason

In this scenario, traffic enters and exits the FortiGate through the same interface. As a result, FortiOS automatically applies Source NAT (SNAT), even though NAT is not explicitly configured in the firewall policy.


This behavior ensures that the router forwards the return traffic back through the FortiGate, because the client's source IP address is replaced with an address that belongs to the FortiGate. Without SNAT, the original source IP would be preserved, which might trigger anti-spoofing mechanisms on the router.


Additionally, without SNAT the server's reply traffic could be sent directly to the client, bypassing both the router and the FortiGate, which could lead to asymmetric routing or security policy violations.
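As an added example (not part of this article and not Fortinet code), the following Python script parses `diagnose debug flow` output in the format shown above and flags sessions whose ingress and egress interfaces are the same, i.e. the hairpin case in which FortiOS applies SNAT implicitly. The sample lines are constructed: trace_id 3231 is modelled on the trace in this article, and trace_id 3232 is a made-up non-hairpin session (ingress wan1) for contrast. The regular expressions assume the message formats seen in the article's trace.

```python
import re

# Constructed sample of `diagnose debug flow` output: trace 3231 mirrors the
# article (Core in, Core out); trace 3232 is invented for contrast (wan1 in).
SAMPLE_TRACE = """\
2025-04-17 08:59:48 id=65308 trace_id=3231 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=6, 10.64.56.147:51952->10.64.9.11:4444) tun_id=0.0.0.0 from Core. flag [S], seq 4263811835, ack 0, win 64260"
2025-04-17 08:59:48 id=65308 trace_id=3231 func=__ip_session_run_tuple line=3455 msg="DNAT 10.64.9.11:4444->10.64.10.87:4444"
2025-04-17 08:59:48 id=65308 trace_id=3231 func=iprope_fwd_check line=768 msg="in-[Core], out-[Core], skb_flags-020004c0, vid-8, app_id: 0, url_cat_id: 0"
2025-04-17 08:59:48 id=65308 trace_id=3231 func=fw_forward_handler line=990 msg="Allowed by Policy-598: AV SNAT"
2025-04-17 09:01:02 id=65308 trace_id=3232 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=6, 192.0.2.10:40000->10.64.9.11:4444) tun_id=0.0.0.0 from wan1. flag [S], seq 1, ack 0, win 64240"
2025-04-17 09:01:02 id=65308 trace_id=3232 func=__ip_session_run_tuple line=3455 msg="DNAT 10.64.9.11:4444->10.64.10.68:4444"
2025-04-17 09:01:02 id=65308 trace_id=3232 func=iprope_fwd_check line=768 msg="in-[wan1], out-[Core], skb_flags-020004c0, vid-8, app_id: 0, url_cat_id: 0"
2025-04-17 09:01:02 id=65308 trace_id=3232 func=fw_forward_handler line=990 msg="Allowed by Policy-598: AV SNAT"
"""

# Patterns for the message formats shown in the article's trace (assumed stable).
TRACE_RE = re.compile(r"trace_id=(\d+)")
PKT_RE = re.compile(r"received a packet\(proto=(\d+), (\S+)->(\S+)\) .*? from (\S+)\.")
DNAT_RE = re.compile(r'msg="DNAT (\S+)->(\S+)"')
# Only the forward check carries the final in/out pair; iprope_dnat_check
# logs out-[] because no route lookup has happened yet at that stage.
FWD_RE = re.compile(r'func=iprope_fwd_check .*?msg="in-\[([^\]]*)\], out-\[([^\]]*)\]')
POLICY_RE = re.compile(r"Allowed by Policy-(\d+)")


def parse_debug_flow(text):
    """Group debug flow lines by trace_id and extract the fields that matter
    for the hairpin question: ingress interface, egress interface, DNAT
    translation and the matching firewall policy."""
    sessions = {}
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m.group(1), {
            "trace_id": m.group(1), "proto": None, "src": None, "dst": None,
            "in": None, "out": None, "dnat": None, "policy": None,
        })
        pkt = PKT_RE.search(line)
        if pkt:
            s["proto"], s["src"], s["dst"], s["in"] = pkt.group(1), pkt.group(2), pkt.group(3), pkt.group(4)
        dnat = DNAT_RE.search(line)
        if dnat:
            s["dnat"] = (dnat.group(1), dnat.group(2))
        fwd = FWD_RE.search(line)
        if fwd:
            s["in"], s["out"] = fwd.group(1), fwd.group(2)
        pol = POLICY_RE.search(line)
        if pol:
            s["policy"] = pol.group(1)
    return sessions


def is_hairpin(session):
    """Hairpin means the packet leaves through the interface it arrived on;
    that is the condition under which FortiOS adds SNAT on its own."""
    return bool(session["in"]) and session["in"] == session["out"]


def find_hairpin_sessions(sessions):
    """Return the sessions that will receive implicit SNAT, sorted by trace_id."""
    return sorted((s for s in sessions.values() if is_hairpin(s)), key=lambda s: s["trace_id"])


def describe(session):
    """One-line summary for an operator reviewing the trace."""
    dnat = f"{session['dnat'][0]}->{session['dnat'][1]}" if session["dnat"] else "no DNAT"
    tag = "HAIRPIN: implicit SNAT expected" if is_hairpin(session) else "normal forwarding"
    return (f"trace {session['trace_id']}: {session['src']} -> {session['dst']} "
            f"in={session['in']} out={session['out']} {dnat} policy={session['policy']} [{tag}]")


if __name__ == "__main__":
    parsed = parse_debug_flow(SAMPLE_TRACE)
    for sess in parsed.values():
        print(describe(sess))
```

Run it against a saved `diagnose debug flow` capture instead of `SAMPLE_TRACE` to list which traces hit the hairpin condition; a session reported as hairpin with a "no NAT" policy is exactly the case this article explains, and the per-VDOM `snat-hairpin-traffic` setting is the knob that controls it.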


If needed, the automatic application of source NAT to hairpin traffic can be disabled with the following per-VDOM setting:


config system setting
    set snat-hairpin-traffic disable
end