I have a very simple setup. One foetigate with 2 interface lan - 192.168.2.1/24 and wan with ip for example - 172.34.1.1. For reaching internet from lan I have created the firewall policy with source nat. It works. I want to test it from foetigate's own ip. When I do - Execute ping-options source 192.168.2.1 Execute ping 8.8.8.8 I am getting no reply. From debug and packet capture seeing that source nat is not applied. Is it intended by design that foetigate's own ip is excluded from nat? Or I am missing something.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Not anyone can help me with this information.
No of course that's not intended.
I am puzzled as to what is causing this. Selecting the source IP address tells the FGT which interface to use and which route. Actually, I have no idea how SNAT is applied then but it works every time without special configuration.
Please double check that you specify the (LAN) interface IP as source IP.
I was under the impression that the source IP field populated the source IP (duh), and then attempted to get to whatever destination from that interface. Since the default gateway out is on another interface, I would believe that the traffic MAY flow out the 172.x.x.x interface, but not being translated and the bogon is dropped by the ISP. LAN traffic on the 192.168.x.x network is passing the policies and being NATted so they work. The FGT isn't using the policies, so PINGs fail. In my mind, works as expected.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
I agree - from my own testing from a "live" fgt in the field - monitoring the fgt wan connection from the other side of the gateway router, I see nothing coming through.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
hi,
i tested the same and i noticed if you selected the lan interface IP as source (192.168.2.1) for the ping, on the sniffer it shows this ip leaving from the wan interface.
quit interesting could be something by design.
FCSNP 5, JNCIS-FW,JNCIA-SSL ,MCSE, ITIL.
Thanks for the reply. It is nice to know that you guys are also seeing to the same phenomenon. For me, sometimes it is required to test source NAT and I cannot access any client computer. And as fortigate exempts its own traffic from NAT, there is no way I can test.
VPN, SNAT with a policy, testing from the box fails, because the box is not applying ANY policy to its own traffic, which is stupid, because I have no option to test stuff from the box itsel even if i specify the source interface or IP.
Firewall checks my traffic: "Oh.. What is this... Traffic from this source IP, that has a FW policy with SNAT pool attached? Oh, i know, lets just blast it out of an interface that has the route to it, without hitting any policy, because why not?!"
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1692 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.