Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Welcome 2026 Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Central NAT Mode breaking Traffic Flow - Palo ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Central NAT Mode breaking Traffic Flow - Palo Conversion
Hi, Was hoping someone may have seen this or knows what is happening, I will do my best to explain:
I am in the process of converting legacy firewalls to a VDOM 400F, all has gone successful except for one conversion from a palo to an Internal VDOM. I used Forti convertor for all the conversions of objects policies etc and put the VDOM into Central NAT to make it easier, (I did some ASA conversions and it converted better this way)
My last conversion Palo > FGT, all worked except, 1 very important traffic flow, so had to "backout" and reintroduce the Palo, so I cant even do live troubleshooting untill I attempt it again.
Traffic flow is: Azure Cloud Exchange (51.x.x.x) > External VDOM Firewall destination Public Firewall address (60.60.60.1 as an example)
DNAT on External firewall changes 60.60.60.1 to 192.168.1.1 which is located off the INTERNAL VDOM, This all works fine, and at the moment the traffic passed to the PALO and goes on its merry way. as it leaves the External VDOM, there is a source NAT also (Central Nat) that changes the public source 51.x.x.x to the exit interface, so the Palo sees the source as 10.10.10.1 as an example,
This flow breaks when I convert to the INTERNAL VDOM firewall from the Palo, it hits the external VDOM as normal, but when it arrives on the Internal VDOM, its instantly dropped despite there being a rule to allow it (its above the deny, and the RULE is 100% correct) it drops with this in the diag debug:
INTERAL-FW (Internal) # diag debug flow trace start
INTERAL-FW (Internal) # id=65308 trace_id=47 func=print_pkt_detail line=6005 msg="vd-Internal:0 received a packet(proto=6, 10.10.10.1:54 m PORT1. flag [S], seq 2471198223, ack 0, win 65535"
id=65308 trace_id=47 func=init_ip_session_common line=6206 msg="allocate a new session-1f7a1fed"
id=65308 trace_id=47 func=iprope_dnat_check line=5487 msg="in-[PORT1], out-[]"
id=65308 trace_id=47 func=iprope_dnat_tree_check line-824 msg="len=0"
id=65308 trace_id=47 func=iprope_dnat_check line=5512 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=47 func=__vf_ip_route_input_rcu line=1989 msg="find a route: flag-80000000 gw-0.0.0.0 via Internal"
id=65308 trace_id=47 func=iprope_access_proxy_check line=457 msg="in-[PORT1T], out-[], skb_flags-02000000, vid-0"
id=65308 trace_id=47 func=__iprope_check line=2410 msg="gnum-100017, check-ffffffffa002c240"
id=65308 trace_id=47 func=iprope_policy_group_check line-4909 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000" id=65308 trace_id=47 func=iprope_in_check line-495 msg="in-[PORT1], out-[], skb_flags-02000000, vid-0"
id=65308 trace_id=47 func=__iprope_check line=2410 msg="gnum-100011, check-ffffffffa002cc70"
id=65308 trace_id=47 func=iprope_policy_group_check line-4909 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000" id=65308 trace_id=47 func=__iprope_check line=2410 msg="gnum-100001, check-ffffffffa002c240"
id=65308 trace_id=47 func=iprope_policy_group_check line-4909 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000" id=65308 trace_id=47 func=__iprope_check line=2410 msg="gnum-10000e, check-ffffffffa002c240"
id=65308 trace_id=47 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept" id=65308 trace_id=47 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept" id=65308 trace_id=47 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept" id=65308 trace_id=47 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept" id=65308 trace_id=47 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000e policy-4294967295, ret-matched, act-accept" id=65308 trace_id=47 func=__iprope_check_one_policy line=2380 msg="policy-4294967295 is matched, act-drop"
id=65308 trace_id=47 func=__iprope_check line=2427 msg="gnum-10000e check result: ret-matched, act-drop, flag-00000000, flag2-00000000" id=65308 trace_id=47 func=iprope_policy_group_check line-4909 msg="after check: ret-matched, act-drop, flag-00000000, flag2-00000000" id=65308 trace_id=47 func=__iprope_check line=2410 msg="gnum-10000f, check-ffffffffa002c240"
id=65308 trace_id=47 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept" id=65308 trace_id=47 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept" id=65308 trace_id=47 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept" id=65308 trace_id=47 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept" id=65308 trace_id=47 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000f policy-4294967295, ret-matched, act-accept" id=65308 trace_id=47 func=__iprope_check_one_policy line-2380 msg="policy-4294967295 is matched, act-drop"
id=65308 trace_id=47 func=__iprope_check line=2427 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000800, flag2-00000000" id=65308 trace_id=47 func=iprope_policy_group_check line-4909 msg="after check: ret-matched, act-drop, flag-00000800, flag2-00000000" id=65308 trace_id=47 func=fw_local_in_handler line=620 msg="iprope_in_check() check failed on policy 0, drop"
This line:
id=65308 trace_id=47 func=iprope_dnat_check line=5487 msg="in-[PORT1], out-[]"
doesn't show an exit interface? which I think is causing it, the out interface is an EMAC VLAN , and is definitely correct as other traffic is received. My colleague is suggesting the Internal VDOM sees this traffic as local to itself, so drops it? I dont know why! On the External VDOM, as I said there is a Source NAT which is working as I see the "vd-Internal:0 received a packet(proto=6, 10.10.10.1:54 )" which is the source NAT, now the destination 192.168.1.1 has a DNAT on the External as I said, and it had "set source-nat-vip enable" which I think may be the issue? but dont really understand whats happening.
I hope this makes sense, and would love to resolve this
Thanks
Labels:
- Labels:
-
FortiGate
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When set source-nat-vip enable is configured on a VIP and SNAT occurs the VIP's external IP will be used for the SNAT. Check this article for the behavior.
Created on 01-24-2026 04:08 AM Edited on 01-24-2026 04:11 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Im not quite grasping it ;) as I have SNAT for the reversed traffic, should I disable source-nat-vip ? all other VIP traffic works except this VIP, there is bi-directional traffic here, so when its sourced from the internal VDOM going out, it works when cutover to the Fortigate, its just incoming that doesnt
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
id=65308 trace_id=47 func=__vf_ip_route_input_rcu line=1989 msg="find a route: flag-80000000 gw-0.0.0.0 via Internal"
This looks like it's routing to itself, it should show that it found a route via the outgoing interface. In your case it's routing via "Internal" which is the VDOM. I believe there must be an error in where the NAT is occurring.
id=65308 trace_id=47 func=print_pkt_detail line=6005 msg="vd-Internal:0 received a packet(proto=6, 10.10.10.1:54 m PORT1. flag [S], seq 2471198223, ack 0, win 65535"
This doesn't show the destination, it should show something like this example:
id=65308 trace_id=571 func=print_pkt_detail line=5942 msg="vd-root:0 received a packet(proto=6, 192.168.20.2:63611->63.137.229.1:443) tun_id=0.0.0.0 from port6. flag [S], seq 3839416144, ack 0, win 64240"
What does the flow trace look like when it leaves the External VDOM?
Created on 01-24-2026 07:16 AM Edited on 01-24-2026 07:19 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Many thanks for responding, so I cant so any traces at the moment, as I had to cut back to the older firewall (Palo) which is a huge pain! but yes, it looks like its routing to itself, when it shouldnt as other traffic works just fine, to add a little more! the exit interface, after its done its DNAT to 192.168.1.1 ,
The route is from External VDOM to Internal VDOM, but not via a VDOM link, its an EMAC VLAN,
so the exit interface is (for example) EMAC-EXT 10.10.10.1 and the Internal VDOM has enter interface as EMAC-INT 10.10.10.2. and thats the routing on the External VDOM, to get to 192.168.1.1 (Post DNAT address) > Next Hop 10.10.10.2 via Interface EMAC-EXT (10.10.10.1)
This seems to happen as there are logs, but then the Internal VDOM drops it immediately. I can see the REAL EXTERNAL IP being hit, then the DNAT to 192.168.1.1 then as it travels to the Internal VDOM its Source NATs to 10.10.10.1 which is what I want, so, is the internal VDOM seeing the source 10.10.10.1 and says ,"thats my interface" and drops it? why?
the rule on the internal VDOM says "source 10.10.10.1 > 192.168.1.1 on port 443 = Allow" then it should go off on its merry way! its frustrating, as I need to fix this or at least know how to fix it before I cut over again,
P.S Internal is the name of the Internal VDOM, thats why it says that I guess.
the traffic log says "TRAN DISPLAY snat+dnat" when logging the rule on the External, so its doing what I expect
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see I think, I understand the traffic flow a bit better now.
Basically:
51.x.x.x --> 60.60.60.1 --> (DNAT 192.168.1.1)[External VDOM](EMAC-EXT SNAT 10.10.10.1)-->(EMAC-INT 10.10.10.2)[Internal VDOM]
In the Internal VDOM is there any VIP, IP pool, or loopback interface that might cover the IP 10.10.10.1? I'm trying to think of reasons why it might route to itself. On a FortiGate VIPs and IP pools are considered local to the device even if they are not used.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well! another Fortinet chap did point out that IPPOOLs would cause this behaviour, on my Internal firewall, there is a POOL, that covers 10.10.10.1 (this is needed for the reverse traffic being initiated, and it has ARP-REPLY enabled, I think this is the smoking gun? when traffic arrives at the internal VDOM, it doesnt forward it, as the ippool is telling the gate, I have this address dont forward it?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If there is an IP pool covering that IP address, then the FortiGate will consider that IP address local to itself, even if the IP pool is not referenced any where. The behaviour is the same with VIPs. I would recommend deleting it because it's very likely that is why the Internal VDOM routed the traffic to itself.
If 10.10.10.1 is the interface IP address of the EMAC-EXT intercase in the External VDOM why would it be needed for an IP pool in the Internal VDOM?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Destination 192.168.1.1 is in an IPPOOL, as traffic can be sourced outbound..so im guessing when its inbound, fortigate sees the pool with arp reply and drops it as local traffic..this would explain what I am seeing.
Labels
-
FortiGate
11,209 -
FortiClient
2,308 -
FortiManager
939 -
FortiAnalyzer
709 -
5.2
687 -
5.4
638 -
FortiClient EMS
621 -
FortiSwitch
619 -
FortiAP
586 -
IPsec
491 -
SSL-VPN
421 -
6.0
416 -
FortiMail
393 -
5.6
362 -
FortiNAC
327 -
FortiWeb
274 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
220 -
FortiAuthenticator
199 -
FortiGuard
169 -
FortiGate-VM
168 -
Firewall policy
155 -
5.0
152 -
6.4
128 -
FortiCloud Products
122 -
FortiSIEM
121 -
FortiToken
118 -
FortiGateCloud
113 -
Wireless Controller
99 -
High Availability
99 -
Customer Service
91 -
SAML
88 -
Routing
85 -
ZTNA
85 -
FortiProxy
81 -
Authentication
81 -
FortiADC
78 -
BGP
76 -
VLAN
76 -
Certificate
76 -
DNS
75 -
FortiEDR
74 -
Fortivoice
73 -
LDAP
71 -
RADIUS
69 -
FortiLink
65 -
SSO
63 -
NAT
59 -
FortiSandbox
58 -
Interface
57 -
Application control
55 -
FortiExtender
53 -
VDOM
53 -
4.0MR3
49 -
Virtual IP
49 -
Logging
45 -
FortiDNS
43 -
FortiPAM
42 -
SSL SSH inspection
42 -
Web profile
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
Automation
37 -
FortiConnect
36 -
FortiConverter
33 -
FortiWAN
32 -
API
32 -
Traffic shaping
29 -
FortiGate v5.2
28 -
FortiGate Cloud
28 -
Static route
28 -
SSID
27 -
SNMP
26 -
System settings
25 -
OSPF
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
WAN optimization
23 -
Web application firewall profile
23 -
FortiMonitor
21 -
Security profile
21 -
IP address management - IPAM
21 -
Web rating
20 -
FortiSOAR
19 -
FortiAP profile
18 -
Admin
17 -
Intrusion prevention
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
IPS signature
16 -
FortiManager v4.0
15 -
NAC policy
15 -
Users
15 -
Traffic shaping policy
15 -
Proxy policy
15 -
FortiManager v5.0
14 -
FortiCASB
14 -
DNS filter
13 -
FortiDeceptor
12 -
Fabric connector
12 -
Port policy
12 -
FortiWeb v5.0
11 -
FortiBridge
11 -
trunk
11 -
Traffic shaping profile
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiRecorder
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
Application signature
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Packet capture
8 -
Vulnerability Management
8 -
4.0
7 -
4.0MR2
7 -
FortiNDR
7 -
VoIP profile
7 -
FortiScan
6 -
FortiTester
6 -
DoS policy
6 -
FortiCarrier
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Service
5 -
Cloud Management Security
5 -
3.6
4 -
FortiHypervisor
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Multicast routing
4 -
FortiDB
3 -
FortiAI
3 -
Kerberos
3 -
Video Filter
3 -
File filter
3 -
Multicast policy
3 -
Zone
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Schedule
2 -
ICAP profile
2 -
Virtual wire pair
2 -
Lacework
2 -
FortiGuest
2 -
FortiEdge
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
FortiPresence
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2928 | |
| 1459 | |
| 864 | |
| 826 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2026 Fortinet, Inc. All Rights Reserved.