FortiGate
sferreira
Article Id 197829

Description

 

This article explains the source NAT (SNAT) that is applied on a firewall policy with a VIP as destination in FortiOS v5.2.
Each time a policy from LAN to LAN (the same LAN interface on both sides) with a VIP as destination is configured, source NAT is applied to the traffic as well, even though NAT is not enabled on the policy.


Scope

 

v5.2.X.

Solution

 

# config system interface

    edit "LAN"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh http fgfm capwap
        set role lan
        set snmp-index 8
    next
end
 
# config firewall vip
    edit "VIP"
        set extip 192.168.2.3
        set extintf "LAN"
        set mappedip 10.10.10.10
    next
end
 
# config firewall policy
    edit 1
        set srcintf "LAN"
        set dstintf "LAN"
        set srcaddr "all"
        set dstaddr "VIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

If host 10.10.10.20 pings 192.168.2.3 (the VIP external IP) in order to reach 10.10.10.10, source NAT is applied from 10.10.10.20 to 10.10.10.1 (the IP of the LAN interface), even though NAT is not enabled on the policy. This is visible in the debug flow output:
 
id=13 trace_id=29650 func=__ip_session_run_tuple line=2471 msg="SNAT 10.10.10.20->10.10.10.1"
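As an added example (not part of the article, nor Fortinet code), a small Python checker that parses an interface and policy configuration like the one above together with debug-flow trace lines, and flags SNAT events where a same-interface policy without `set nat enable` still rewrote the source to the interface IP. The configuration excerpt and trace lines it uses are constructed from the article's values; the second trace line is an added non-hairpin event for contrast.

```python
import re

# Constructed sample input modelled on the article: the LAN interface, the
# hairpin policy (no "set nat enable") and the debug-flow trace line.
CONFIG = """
config system interface
    edit "LAN"
        set ip 10.10.10.1 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "LAN"
        set dstintf "LAN"
        set dstaddr "VIP"
    next
end
"""
TRACE = [
    'id=13 trace_id=29650 func=__ip_session_run_tuple line=2471 msg="SNAT 10.10.10.20->10.10.10.1"',
    'id=13 trace_id=29651 func=__ip_session_run_tuple line=2471 msg="SNAT 10.10.10.21->203.0.113.5"',
]

def parse_blocks(config, table):
    """Return {name: {key: value}} for the 'edit' entries of one 'config <table>' section."""
    section = re.search(r"config %s\n(.*?)\nend" % re.escape(table), config, re.S)
    blocks = {}
    for name, body in re.findall(r'edit "?([^"\n]+)"?\n(.*?)\n\s*next', section.group(1), re.S):
        blocks[name] = dict(re.findall(r'set (\S+) "?([^"\n]+)"?', body))
    return blocks

def hairpin_snat_events(config, trace):
    """Flag SNAT events whose new source is an interface IP while the matching
    same-interface (hairpin) policy has NAT disabled, i.e. the implicit SNAT."""
    intf_ips = {v["ip"].split()[0]: n for n, v in parse_blocks(config, "system interface").items()}
    policies = parse_blocks(config, "firewall policy")
    hits = []
    for line in trace:
        m = re.search(r'msg="SNAT (\S+)->(\S+)"', line)
        if not m or m.group(2) not in intf_ips:
            continue  # not an SNAT event, or not translated to an interface IP
        intf = intf_ips[m.group(2)]
        for pid, p in policies.items():
            if p.get("srcintf") == intf and p.get("dstintf") == intf and p.get("nat") != "enable":
                hits.append({"policy": pid, "intf": intf, "orig": m.group(1), "snat": m.group(2)})
    return hits

if __name__ == "__main__":
    for hit in hairpin_snat_events(CONFIG, TRACE):
        print("implicit hairpin SNAT on policy %(policy)s (%(intf)s): %(orig)s -> %(snat)s" % hit)
```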
 
In v5.2.x and earlier, no solution has been presented for this issue.
 
From v5.4 upwards it is possible to disable this behavior in the system settings; see the following article: Technical Tip: How to disable source NAT to enable a hairpin policy or one-arm firewall.