Thanks Patterson, but that did not answer my question yet. Why can the traffic that goes in port9 activate the DNAT'ed (VIP)? Then, when the traffic goes to port9, why "Allowed by policy-2 SNAT"? I did not see any 'NAT enabled' at policy-2.
Got it, thanks Patterson. I reviewed the traffic working process:
When the data packet enters FGT from port9, 10.10.10.2 accesses 22.214.171.124 and pre-routing triggers DNAT (VIP).
DNAT: 126.96.36.199-->10.10.10.100, now 10.10.10.2-->10.10.10.100. Then the route is looked up and Policy-2 is matched, but how to explain matching "Allowed by policy-2"? The srcintf (port10) and dstaddr (VIP-FTP-Server-Port10) of policy-2 do not look the same as the traffic 10.10.10.2 (port9)-->10.10.10.100.