We have a pair of FTG's that are using central SNAT policy that's managed by FMG. We've have several VIP entries that are working and tried to create another one today; however, when we go to install, it says there's nothing to install. We checked the source and destination IPs and intefaces, and we've even tried to clone a VIP entry that has everything identical but the last octet on the global and private NAT IPs. Still, the FMG says there is nothing to install. We have a firewall policy that's configured to use this new IP - actually, we modified the rule for the one that's working and added the new IP, which doesn't help.
I'm at a loss. Can anyone think of something to try? Thank you.
Solved! Go to Solution.
We finally found an answer yesterday, and I forgot to update this post. We were trying to make DNAT changes under Policy & Objects > Object Configurations > Firewall Objects > Virtual IPs. That doesn't work as we were expecting.
To actually get DNAT to apply where we wanted it to, we had to enable Central DNAT in the GUI. This is for FortiManager running 7.2.2 - it's a bit different for earlier versions. Select Tools > Feature Visibility > and check Central DNAT. Now under Policy & Objects > Policy Packages > [specific firewall], Central DNAT now shows up under Central SNAT. Configure the DNAT there while making sure to enable "nat-source-vip" in the Advanced Options, everything was good.
Traffic is now flowing as required.
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
I already found a post who is giving some advice.
https://www.reddit.com/r/fortinet/comments/rvn6io/can_no_longer_use_vips_in_fortigate_policies_with/
Could you please tell me if it is helping you?
Regards,
We finally found an answer yesterday, and I forgot to update this post. We were trying to make DNAT changes under Policy & Objects > Object Configurations > Firewall Objects > Virtual IPs. That doesn't work as we were expecting.
To actually get DNAT to apply where we wanted it to, we had to enable Central DNAT in the GUI. This is for FortiManager running 7.2.2 - it's a bit different for earlier versions. Select Tools > Feature Visibility > and check Central DNAT. Now under Policy & Objects > Policy Packages > [specific firewall], Central DNAT now shows up under Central SNAT. Configure the DNAT there while making sure to enable "nat-source-vip" in the Advanced Options, everything was good.
Traffic is now flowing as required.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.