We have two policies for a source subnet, one for internal and one for external access, with the same source and destination interfaces in both policies.
There are virtual IPs created for some source addresses for internal access; however, these NAT addresses are overriding the PAT configured for external access and NATing to the specific virtual IPs instead of PAT, which is creating access issues.
Is there a way I can exclude these virtual IPs from being considered for the external policy?
Thanks,
Saven
Hi,
You should be able to do that by running the following commands:
config firewall policy
edit [relevant policy]
set match-vip disable
end
Then test to verify results.
NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
Hi,
That is already disabled by default.
Thanks
Any comments on this?
Doesn't this work only as DNAT? I see that even when traffic is initiating (source) from 100.5.2.5 it is resolving to 100.5.6.9. Can't we force it to be only a DNAT?
config firewall vip
    edit "some_nat"
        set id 0
        set comment ''
        set type static-nat
        set extip 100.5.6.9
        set extintf "any"
        set arp-reply enable
        set nat-source-vip disable
        set portforward disable
        set gratuitous-arp-interval 0
        set color 0
        set mappedip "100.5.2.5"
    next
end
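Added example, not part of the original thread or of Fortinet's own documentation: two FortiOS CLI ways to keep outbound sessions from 100.5.2.5 off the VIP's external address. The first relies on FortiOS preferring a policy IP pool over a static-nat VIP when it picks the source NAT address; the second relies on a port-forwarding VIP translating only inbound traffic to the listed ports, so it is not used for outbound source NAT. The pool name, pool address, policy ID and service port are assumptions chosen for illustration.

```text
# Option 1: keep the static-nat VIP, but give the external policy its own
# IP pool. A policy IP pool is used ahead of a static-nat VIP for source
# NAT, so 100.5.2.5 leaves as the pool address instead of 100.5.6.9.
config firewall ippool
    edit "external_pat"           # assumed pool name
        set type overload          # PAT: many internal hosts behind one address
        set startip 203.0.113.10   # assumed public address
        set endip 203.0.113.10
    next
end
config firewall policy
    edit 20                        # assumed ID of the external (outbound) policy
        set nat enable
        set ippool enable
        set poolname "external_pat"
    next
end

# Option 2: make the VIP one-way. With port forwarding enabled the VIP only
# rewrites inbound traffic to the forwarded port(s); outbound sessions from
# the mapped IP fall back to the policy's normal source NAT.
config firewall vip
    edit "some_nat"
        set type static-nat
        set extip 100.5.6.9
        set extintf "any"
        set mappedip "100.5.2.5"
        set portforward enable
        set protocol tcp
        set extport 443            # assumed service port
        set mappedport 443
    next
end
```

After either change, a session from 100.5.2.5 through the external policy can be checked with `diagnose sys session list` (filter on the source address first with `diagnose sys session filter src 100.5.2.5`): the `hook=post ... -> 100.5.6.9` line in the NAT information should no longer appear for outbound traffic.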
Copyright 2024 Fortinet, Inc. All Rights Reserved.