FortiGate
sferreira
Staff

Description
This article explains the Source NAT behavior of a policy whose destination is a VIP in FortiOS v5.2.
Whenever a LAN-to-LAN policy (same LAN on both sides) with a VIP as destination is configured, Source NAT is applied as well, even though NAT is not enabled on the policy.


Scope
v5.2.X

Solution

config system interface
    edit "LAN"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh http fgfm capwap
        set role lan
        set snmp-index 8
    next
end

config firewall vip
    edit "VIP"
        set extip 192.168.2.3
        set extintf "LAN"
        set mappedip 10.10.10.10
    next
end

config firewall policy
    edit 1
        set srcintf "LAN"
        set dstintf "LAN"
        set srcaddr "ALL"
        set dstaddr "VIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

If host 10.10.10.20 pings 192.168.2.3 in order to reach 10.10.10.10, Source NAT is applied from 10.10.10.20 to 10.10.10.1 (the LAN interface IP), even though NAT is not enabled on the policy, as the flow trace shows:
id=13 trace_id=29650 func=__ip_session_run_tuple line=2471 msg="SNAT 10.10.10.20->10.10.10.1"
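To find every policy affected by this behavior in a v5.2.X config before upgrading, the following added script (not Fortinet's code) parses a FortiOS CLI dump and flags policies whose srcintf equals dstintf and whose dstaddr names a VIP. The config text is constructed; policy 2 is an ordinary WAN-to-LAN VIP policy included for contrast.

```python
# Added example, not Fortinet's code: audit a FortiOS config for the
# same-interface VIP policies that v5.2.X SNATs to the interface IP.
import shlex

SAMPLE_CONFIG = """\
config firewall vip
    edit "VIP"
        set extintf "LAN"
        set mappedip 10.10.10.10
    next
end
config firewall policy
    edit 1
        set srcintf "LAN"
        set dstintf "LAN"
        set dstaddr "VIP"
    next
    edit 2
        set srcintf "WAN"
        set dstintf "LAN"
        set dstaddr "VIP"
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {section: {name: {key: [values]}}}."""
    sections, section, entry = {}, None, None
    for line in text.splitlines():
        tokens = shlex.split(line)  # also strips the quotes FortiOS prints
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            section = sections.setdefault(" ".join(tokens[1:]), {})
        elif kw == "edit":
            entry = section.setdefault(tokens[1], {})
        elif kw == "set" and entry is not None:
            entry[tokens[1]] = tokens[2:]  # e.g. dstaddr -> ["VIP"]
        elif kw in ("next", "end"):
            entry = None  # settings outside an edit block are ignored
    return sections

def hairpin_vip_policies(text):
    """Policy IDs with srcintf == dstintf and a VIP dstaddr (the v5.2.X SNAT case)."""
    cfg = parse_fortios(text)
    vips = set(cfg.get("firewall vip", {}))
    return [pid for pid, pol in cfg.get("firewall policy", {}).items()
            if pol.get("srcintf") == pol.get("dstintf")
            and any(dst in vips for dst in pol.get("dstaddr", []))]
```

Run against a `show firewall vip` and `show firewall policy` dump concatenated into one file; only policy 1 is reported for the sample above.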
No fix has been provided for this issue in v5.2.X; it is necessary to upgrade to v5.4.X.