Does FortiGate support this scenario when:
1) Two WAN interfaces are configured with SD-WAN (for example WAN1 and WAN2)
2) Incoming NAT (VIP) is still in place on WAN1
Absolutely! You can even have a VIP on WAN2 as well.
For a security policy that allows NAT, what should the source interface be: virtual-wan-link or the physical port?
You have to reference the virtual-wan-link in the security policy.
But for VIPs you reference the individual interfaces.
The VIPs go into the FW policy that references the virtual-wan-link.
You do not necessarily need to reference an interface in a VIP. You can just reference the ingress and egress address (and port(s)).
Keep in mind that this will only work if you have a public IP directly on your WAN interface. If the WAN is behind a router and does not have a public IP, the VIP will be useless.
SD-WAN doesn't matter for the VIP.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
@nattapong-isec : Yes, this is possible and will absolutely work. You have to take care of the auxiliary session. Aux session means the reply should go out via the same interface on which it was received, as per the VIP.
Auxiliary sessions enabled:
# config system settings
set auxiliary-session enable
end
The reply to the client egresses on the best route in the routing table:
- If the best route is WAN1, then reply traffic will egress on WAN1.
- If the best route is WAN2, then reply traffic will egress on WAN2.
For more details you can check the link below.
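Pulling the advice in this thread together, here is an added FortiOS CLI example (not posted by anyone in the thread): two SD-WAN members, a port-forwarding VIP bound to wan1, an inbound policy that references the SD-WAN zone rather than the physical port, and auxiliary sessions enabled. All IP addresses, object names, the "internal" LAN interface and the FortiOS 7.x `config system sdwan` syntax are assumptions; on FortiOS 6.2 and earlier the SD-WAN table is `config system virtual-wan-link`. Lines beginning with `#` are explanatory comments.

```fortios
# Added example (FortiOS 7.x syntax assumed; all IPs and names are placeholders).
# SD-WAN with two WAN members. Once wan1/wan2 are members, firewall policies
# must reference the SD-WAN zone (default name "virtual-wan-link"), not the ports.
config system sdwan
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
        next
    end
end

# Inbound DNAT: public 203.0.113.10:443 on wan1 -> internal 10.0.0.10:443.
# The VIP itself may reference the physical interface ("wan1") or "any";
# it only works if the public IP really sits on the WAN interface.
config firewall vip
    edit "vip_web_wan1"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "10.0.0.10"
        set mappedport 443
    next
end

# The policy uses the SD-WAN zone as source interface and the VIP as
# destination. Only DNAT is needed here, so leave "set nat" disabled:
# enabling it would also source-NAT inbound connections and hide client IPs
# from the server's logs.
config firewall policy
    edit 0
        set name "inbound_web_via_vip"
        set srcintf "virtual-wan-link"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip_web_wan1"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# Auxiliary sessions: send reply traffic back out the interface the original
# connection arrived on (wan1 here), instead of the routing table's best path
# (which could be wan2 and break the return traffic).
config system settings
    set auxiliary-session enable
end

# Verify: filter on the VIP port and inspect which interfaces the session uses.
diagnose sys session filter dport 443
diagnose sys session list
```

Test from the outside against 203.0.113.10:443 and confirm in the session list that both directions stay on wan1; if the reply is seen leaving wan2, the auxiliary-session setting has not taken effect.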