**ADDITION, please see the following illustration: click here **
Ok, maybe I' m missing the obvious here but here is the story:
SITUATION
====================
Two DNS servers sit behind the Fortinet unit. All servers run in the private network and all have 192.168.1.x addresses assigned to them. No DMZ is being used at this time, just internal (my servers) / external (the internet).
The two DNS servers act as public nameservers for the websites I host.
One of the DNS servers is a primary (with internal IP 192.168.1.6) and the other a secondary (with internal IP 192.168.1.7). All of the DNS entries have public IP' s the records they host as they serve up sites on the public internet. This includes the nameserver records NS1.myhost.com (69.90.x.1) and NS2.myhost.com (69.90.x.2).
The primary nameserver is set to push updates (MSDNS) to the secondary nameserver (MSDNS). It is by default set to only allow transfers to listed nameservers, which should be fine because the external ip of ns2.myhost.com is listed in each primary zone.
I have VIP' s set on the Fortinet...
(ns1.myhost.com) VIP set 69.90.x.1 -> 192.168.1.6
(ns2.myhost.com) VIP set 69.90.x.2 -> 192.168.1.7
------------------------------------
The Problem
====================
After a new secondary zone is created on the secondary server, it seems that it doesn' t actually go out on 69.90.x.2 and come in on 69.90.x.1 to get the update from the primary. It just goes internally using 192.168.1.1
Thus the request to update gets denied. 
I am using the EXACT same configuration as I had working with a Netscreen unit (don' t get me wrong, I like Fortinet a LOT better). Why doesn' t the traffic get routed out on the correct IP... why does it use the Fortinet box internal IP?
------------------------------------
Sorry for the long winded post, I didn' t want to leave out any details and would really appreciate any thoughts people could give this.
Thanks so much,
Chris
I am using the EXACT same configuration as I had working with a Netscreen unit (don' t get me wrong, I like Fortinet a LOT better). Why doesn' t the traffic get routed out on the correct IP... why does it use the Fortinet box internal IP?
------------------------------------
Sorry for the long winded post, I didn' t want to leave out any details and would really appreciate any thoughts people could give this.
Thanks so much,
Chris
johns99,
the tests i did here, was with two Nats configured, and i still had the problem.
Could you explain what your setup was like, and what was happening ?
In case its another bug .... 
Sorry, didn' t get the question 
Have you tried with separate IN-EXT Firewall policies for each server using IP Pool NAT (probably not even NAT from a Firewall Policy for each server at the top of the rulebase, I' ve never tried that before), because the First email server will try to see the other one through the Firewall but it will also NAT back to the VIP of the second one right?
If you try to go to www.whatismyip.com from each server you must see the VIP IP address you configured for each one of them. Note that' s INTERNAL to EXTERNAL traffic. If you' re not seeing it matching address then there' s something wrong somewhere...
However I think that will be ok and the NAT Pool or No Nat will assign the right external address.
My .5 cents..
Have you tried with separate IN-EXT Firewall policies for each server using IP Pool NAT (probably not even NAT from a Firewall Policy for each server at the top of the rulebase, I' ve never tried that before), because the First email server will try to see the other one through the Firewall but it will also NAT back to the VIP of the second one right?
If you try to go to www.whatismyip.com from each server you must see the VIP IP address you configured for each one of them. Note that' s INTERNAL to EXTERNAL traffic. If you' re not seeing it matching address then there' s something wrong somewhere...
However I think that will be ok and the NAT Pool or No Nat will assign the right external address.
My .5 cents..
