Hello all,
we have configured a DNAT policy that matches a wide /16 external IP range to an internal IP range. On this policy "nat-source-vip" is also enabled, so that bidirectional initiation of Extranet communication is possible. One of the hosts in the internal range needs a separate, specific Source-NAT address for outgoing communication only. Therefore I configured a more specific Central SNAT policy for this specific communication. But when analyzing the logs, the firewall still maps the external address of the DNAT policy to the traffic.
My question is, which policy has precedence for outgoing source-natted traffic, the DNAT policy with nat-source-vip enabled or the SNAT policy?
What other factors play a role in the selection of the SNAT address, either by SNAT or DNAT + nat-source-vip? Is there any documentation available?
FG3900E, Central NAT, Version 5.6.11
Many thanks in advance / Best regards! Hakan