There is a requirement for enabling Source NAT on a response packet when asymmetric routing is enabled.
Can I use FortiGate as a stateless firewall?
Hello
As per my understanding, when enabling asymmetric traffic, the FG will act as a stateless firewall for the response traffic for which it doesn't have a session, and it also doesn't perform UTM on it.
However, doing NAT on these response packets doesn't make sense to me.
I think the natural way to do NAT would be on the load balancer in front of your FortiGates.
Hi @vijayduhan
Thank you for posting your query.
When asymmetric routing is enabled, the firewall will globally behave as follows.
For TCP packets
1) If the packet is a SYN, the FortiGate creates the session, checks the firewall policies and applies the configuration of the matching policy (UTM inspection, NAT, Traffic shaping, etc.).
The subsequent packets of the session can be offloaded (exactly as when asymmetric routing is disabled).
2) If the packet is not a SYN but the session already exists on the firewall, then the FortiGate lets the traffic pass through (exactly as it would do when asymmetric routing is disabled).
3) If the packet is not a SYN and the session doesn't exist (asymmetric routing), then all packets are passed to the CPU and the FortiGate doesn't look up matching firewall policies.
Since no policy is matched, the packet is simply forwarded based on the routing table and the firewall acts as a router which only makes routing decisions. No security inspection will be performed:
53.147018 wan in 1.1.1.2.80 -> 10.255.130.210.18929: syn 2874238539 ack 2874127433
53.147237 dmz out 1.1.1.2.80 -> 10.255.130.210.18929: syn 2874238539 ack 2874127433
id=20085 trace_id=6 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=6, 1.1.1.2:80->10.255.130.210:18929) from wan. flag [S.], seq 2874238539, ack 2874127433, win 32768"
id=20085 trace_id=6 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.255.130.210 via dmz"
53.155221 wan in 1.1.1.2.80 -> 10.255.130.210.18929: psh 2874238540 ack 2874127673
53.155364 dmz out 1.1.1.2.80 -> 10.255.130.210.18929: psh 2874238540 ack 2874127673
As the FGT is only making a routing decision, SNAT on the reply packet will not make sense here.
Please check the link below for reference; see the asymmetric routing section:
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/139692/routing-concepts#Asym...
Regards
Priyanka
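The three rules in the reply above mean that, with asymmetric routing enabled, a packet can leave the FortiGate with only a route lookup and no policy, NAT or UTM decision. An operator who wants to know how much traffic is taking that path can tell the two cases apart in `diagnose debug flow` output: a stateful packet produces a session allocation and an "Allowed by Policy" line, while a routed-only packet (like the SYN/ACK in the trace above) produces just the "find a route" line. The following Python script is an added example, not code from the post or from Fortinet: it groups debug-flow lines by trace_id and flags the traces that bypassed policy. The trace_id=6 input lines are the two quoted in the reply; the trace_id=7 lines are constructed for contrast, and the exact wording of the "allocate a new session" and "Allowed by Policy" messages is assumed to follow the usual debug-flow format.

```python
import re

# Constructed sample input for this example. The trace_id=6 lines are the two
# debug-flow lines quoted in the reply above (SYN/ACK arriving on wan with no
# session). The trace_id=7 lines are constructed to show a normal forward SYN;
# the "allocate a new session" and "Allowed by Policy" messages are assumed
# to follow the usual FortiGate debug-flow wording.
SAMPLE = """\
id=20085 trace_id=6 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=6, 1.1.1.2:80->10.255.130.210:18929) from wan. flag [S.], seq 2874238539, ack 2874127433, win 32768"
id=20085 trace_id=6 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.255.130.210 via dmz"
id=20085 trace_id=7 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=6, 10.255.130.210:18929->1.1.1.2:80) from dmz. flag [S], seq 2874127432, ack 0, win 65535"
id=20085 trace_id=7 func=init_ip_session_common line=5991 msg="allocate a new session-00001234"
id=20085 trace_id=7 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-1.1.1.2 via wan"
id=20085 trace_id=7 func=fw_forward_handler line=743 msg="Allowed by Policy-1: SNAT"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PKT_RE = re.compile(
    r'proto=(?P<proto>\d+), (?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)\) '
    r'from (?P<in_iface>\S+)\. flag \[(?P<flags>[^\]]*)\]')
ROUTE_RE = re.compile(r'find a route: .*via (?P<out_iface>\S+)')
SESSION_RE = re.compile(r'allocate a new session-(?P<session>[0-9a-fA-F]+)')
POLICY_RE = re.compile(r'Allowed by (?P<policy>Policy-\d+)')


def parse_line(line):
    """Split one key=value debug-flow line into a dict; msg keeps its text without quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def analyze(text):
    """Group debug-flow lines by trace_id and record what the firewall did with each packet."""
    traces = {}
    for raw in text.splitlines():
        fields = parse_line(raw)
        if "trace_id" not in fields:
            continue
        t = traces.setdefault(fields["trace_id"], {
            "proto": None, "src": None, "dst": None, "in_iface": None,
            "flags": None, "out_iface": None, "session": None, "policy": None})
        msg = fields.get("msg", "")
        for rx in (PKT_RE, ROUTE_RE, SESSION_RE, POLICY_RE):
            m = rx.search(msg)
            if m:
                t.update(m.groupdict())
    for t in traces.values():
        # Rules 1/2 in the reply: a session was allocated or a policy matched -> stateful path.
        # Rule 3: only a route lookup happened -> forwarded as a router, no policy, NAT or UTM.
        if t["policy"] or t["session"]:
            t["verdict"] = "inspected"
        elif t["out_iface"]:
            t["verdict"] = "routed-only"
        else:
            t["verdict"] = "unknown"
        t["is_syn"] = t["flags"] == "S"  # "[S]" is a bare SYN; "[S.]" is a SYN/ACK
    return traces


def uninspected(text):
    """Return (trace_id, src, dst, flags, in_iface, out_iface) for packets that bypassed policy."""
    return [(tid, t["src"], t["dst"], t["flags"], t["in_iface"], t["out_iface"])
            for tid, t in analyze(text).items() if t["verdict"] == "routed-only"]


if __name__ == "__main__":
    for row in uninspected(SAMPLE):
        print("no policy/NAT/UTM applied:", row)
```

Run against a real capture by replacing SAMPLE with the output of `diagnose debug flow`; every trace reported by `uninspected()` is a packet that left the box on the routing table alone, which is exactly why a SNAT policy never gets a chance to rewrite the SYN/ACK source address.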
Thanks for the replies
In the topology, the black color is for the SYN request packet and the orange color for the SYN+ACK packet. From the client, the request is sent to the router over the internet; GRE encapsulation is then done on the router, and the packet is sent to the FortiGate via the GRE tunnel. The FortiGate decapsulates the GRE packet and then sends the packet to the application via the LAN port. Now the response packet should be sent directly from LAN to WAN over the internet with source NAT of the WAN IP.
I have enabled asymmetric routing, due to which the response packet (SYN+ACK) is going from LAN to WAN by checking the static route only, but without any source NAT of the WAN port IP; it is taking the application IP as its source, due to which it is not going to the internet.
Hello
In my opinion you should correct your architecture a bit and disable asymmetric routing on the FG.
Thank you for the reply, but that is the organization's requirement, so I cannot change the architecture. Please help me to know how I can put a source NAT on the SYN+ACK packet?
Personally I don't see a way to do that with your FortiGate. The last chance you may have is to find a way to make your application server send the reply packets with your desired public IP as the source address.
Thank you for the reply. Please share some documents where it is mentioned that we cannot do this with FortiGate.
Copyright 2024 Fortinet, Inc. All Rights Reserved.