- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Policy based routing and NAT
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Policy based routing and NAT
Hi,
I have a situation with two Internet providers and I am using a policy route to force the traffic of a specific DMZ into the wan2 provider.
Doing that i have internet connection, but it' s natting the outgoing traffic by default with the ip of the interface.
Due to the requirements of an application, i need to nat some servers to specific ips, but with policy routing it seems standard policies are skipped and its not applying those rules.
Can someone explain me how to implement static natting with PBR?
P.D: this is the current firmware version of my firewall: v4.0,build0656,130211 (MR3 Patch 12)
Thanks in advance,
David
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Irrespective of PBR, you' ve got two main choices for how your DMZ server will present itself when initiating flows to the WAN ports you direct it/them to.
Either
1. If you have a Virtual-IP or Load-Balancer installed on the firewall, then as long as this covers all protocol ports, you' ll get this IP presented.
2. Using Virtual-IP-Pool you' ll get this IP presented (if the right Firewall-Policy rule is hit first). However if you' ve set anything in regards to Virtual-IP NAT or LoadBalancer then this takes precedence over any stated pool address/es. (A pool can be a singular IP).
The session table (or diag sniff pack or diag debug flow) should confirm the NAT behaviour.
If the above doesn' t help. Please state the direction of flow initiation in your requirement for NAT. This is important for what you might have to do beyond the above.
Note, in the strictest sense, PBR on Fortinet (and many other platforms) will only engage if there is also a valid forwarding route statement that encompasses the destination address (for flows initiated by DMZ host). Such a route needn' t be the only statement nor the route of the highest worth. The default route also counts. If flows are initiated by the remote end, then ECMP will normally be relied on rather than PBR and return traffic (of that same flow) by the same interface that it came in by. I add this in case you' ve got a multi-homed (e.g. BGP announced) set of addresses shared across each ISP link. The ambiguity over this part of your original question may have been a factor of why it took longer for you to get a reply. :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Firstly the NAT part is configured in Firewall Policy and not Routing Policy. As Richard rightly said that you need to configure an IP-Pool under Firewall Objects and create a firewall rule separate for the specific servers you are talking about. In that firewall rule configure " NAT to IP-Pool" instead of " NAT to Interface" . The destination Interface in FW policy will be wan1 or wan2 as configured in Policy Route.
The Firewall Rule should be kept above the other generic firewall rules.
The Policy Route will determine the outgoing Interface and accordingly the Firewall Policy shall be triggered.
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
Related Posts
- Implementing FGSP with OSPF ECMP based... 102 Views
- FORTIWEB HTTP-CONTENT-ROUTING - X509 certificate 103 Views
- Understanding the application control 325 Views
- are excessive tcp reset errors related... 215 Views
- Internet data not passing from firewall 193 Views
Labels
-
FortiGate
6,676 -
FortiClient
1,330 -
5.2
801 -
5.4
639 -
FortiManager
577 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
272 -
FortiMail
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
109 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
79 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
SD-WAN
30 -
Firewall policy
29 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
Authentication
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.