FortiGate
tpatel (Staff)
Article Id 358508
Description

This article describes how to troubleshoot issues where traffic is getting denied by an SNAT IP pool check.

Scope

FortiGate.
Solution

Central SNAT is enabled on the FortiGate. All traffic leaving the FortiGate is source-NATed by a central SNAT policy, and that policy references an IP pool.

Configuration:

The firewall policy is created from the LAN to the WAN interface with the action set to 'accept'.

config firewall policy
    edit 3
        set name "lan"
        set uuid ba9294ca-a5b7-51ef-9c27-81b1ea3003ec
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

Central SNAT configuration:

config firewall central-snat-map
    edit 1
        set uuid f069762c-a5b7-51ef-7018-9cbe0a90b9d2
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
        set nat-ippool "10.9.11.103"
    next
end

Only one internal IP address can reach the Internet; all other internal sources cannot.

Run a debug flow with a source IP address that cannot reach the Internet. Follow step 5 in this article for the debug flow commands.

The debug flow shows the following error:

id=20085 trace_id=976 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.111.4:5->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=5, seq=44."
id=20085 trace_id=976 func=init_ip_session_common line=6046 msg="allocate a new session-003339d6, tun_id=0.0.0.0"
id=20085 trace_id=976 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.9.15.254 via port1"
id=20085 trace_id=976 func=fw_forward_handler line=861 msg="Denied by snat ip pool check"

Check the IP pool configuration referenced by the central SNAT policy:

config firewall ippool
    edit "10.9.11.103"
        set type one-to-one
        set startip 10.9.11.103
        set endip 10.9.11.103
    next
end

A one-to-one IP pool means that each internal IP address is mapped to exactly one external (translated) IP address. For example, if a one-to-one IP pool is defined with a single external IP address (10.9.11.103 – 10.9.11.103), that pool can only serve one internal IP address, and all other internal source traffic is denied by the SNAT IP pool check.
To resolve this, use the 'overload' IP pool type if only one public IP address is available:

config firewall ippool
    edit "10.9.11.103"
        set type overload
        set startip 10.9.11.103
        set endip 10.9.11.103
    next
end
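To make the two checks in this article repeatable (reading the deny reason out of a debug flow, and confirming that the referenced IP pool is too small for the number of internal sources), here is an added Python example. It is not part of the original article or of any Fortinet tooling; it parses the exact debug-flow and 'config firewall ippool' text formats shown above. The sample trace embeds the article's own lines for trace_id=976 plus two constructed flows (trace_id=975 allowed, trace_id=977 denied) so the script runs offline.

```python
import re
from ipaddress import ip_address

# Constructed sample: the article's debug-flow lines (trace_id=976) plus two
# constructed flows (975 allowed, 977 denied) to show correlation per trace_id.
DEBUG_FLOW = """\
id=20085 trace_id=975 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.111.3:5->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=5, seq=43."
id=20085 trace_id=975 func=fw_forward_handler line=861 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=976 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.111.4:5->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=5, seq=44."
id=20085 trace_id=976 func=init_ip_session_common line=6046 msg="allocate a new session-003339d6, tun_id=0.0.0.0"
id=20085 trace_id=976 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.9.15.254 via port1"
id=20085 trace_id=976 func=fw_forward_handler line=861 msg="Denied by snat ip pool check"
id=20085 trace_id=977 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.111.5:5->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=5, seq=45."
id=20085 trace_id=977 func=fw_forward_handler line=861 msg="Denied by snat ip pool check"
"""

# The one-to-one pool from the article, as captured from the CLI.
IPPOOL_CONFIG = """\
config firewall ippool
    edit "10.9.11.103"
        set type one-to-one
        set startip 10.9.11.103
        set endip 10.9.11.103
    next
end
"""

PKT_RE = re.compile(r'trace_id=(\d+) .*?received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\)')
DENY_RE = re.compile(r'trace_id=(\d+) .*?msg="(Denied by [^"]*)"')


def parse_trace(text):
    """Group debug-flow lines by trace_id: {trace_id: {'src', 'dst', 'denied'}}.
    'denied' holds the deny reason, or None when no deny line was seen for that flow."""
    flows = {}
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            flows[m.group(1)] = {"src": m.group(2), "dst": m.group(3), "denied": None}
            continue
        m = DENY_RE.search(line)
        if m and m.group(1) in flows:
            flows[m.group(1)]["denied"] = m.group(2)
    return flows


def parse_ippools(text):
    """Parse 'config firewall ippool' CLI output into {pool_name: {setting: value}}."""
    pools, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            name = line.split(" ", 1)[1].strip('"')
            pools[name] = {}
        elif line.startswith("set ") and name is not None:
            _, key, value = line.split(" ", 2)
            pools[name][key] = value.strip('"')
        elif line == "next":
            name = None
    return pools


def pool_capacity(pool):
    """Internal hosts a pool can translate. One-to-one pools serve one host per
    address in startip..endip; for overload (PAT) the limit is ports, not
    addresses, so None is returned to mean 'not bounded by address count'."""
    if pool.get("type") != "one-to-one":
        return None
    start, end = int(ip_address(pool["startip"])), int(ip_address(pool["endip"]))
    return end - start + 1


def audit(pools, internal_sources):
    """Flag one-to-one pools that hold fewer addresses than the internal sources needing SNAT."""
    findings = []
    for name, pool in pools.items():
        cap = pool_capacity(pool)
        if cap is not None and cap < len(internal_sources):
            findings.append(
                f"pool '{name}': one-to-one with {cap} address(es) but "
                f"{len(internal_sources)} internal sources need SNAT; set type overload"
            )
    return findings


if __name__ == "__main__":
    flows = parse_trace(DEBUG_FLOW)
    sources = {f["src"] for f in flows.values()}
    for tid, f in sorted(flows.items()):
        print(f"trace {tid}: {f['src']} -> {f['dst']}: {f['denied'] or 'allowed'}")
    for finding in audit(parse_ippools(IPPOOL_CONFIG), sources):
        print("FINDING:", finding)
```

Feed it the real 'diagnose debug flow' output and the 'show firewall ippool' output from the unit; the audit only reports a finding when a one-to-one pool's address count is smaller than the number of distinct internal sources seen in the trace, which is exactly the condition behind 'Denied by snat ip pool check' in this article.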
Reference article for IP Pools:
Dynamic SNAT - FortiGate administration guide