Jeff Roback
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
Regards, Chris McMullan Fortinet Ottawa
I " arrived" to this topic from another one where I had overlapping questions (thank you, ede ). To Jeff Roback: Thank you for bringing this subject to our attention! I' ve been using outbound firewall policies combined with IP pools to define servers' public IP addresses for outgoing traffic for years but didn' t know that there was a simpler and " cleaner" alternative to achieve reverse (source) IP NAT-ting through the very same VIPs. And reading through the posts I realized that I am far from being alone in this. By default it is disabled but could be enabled for a particular VIP with a single " set nat-source-vip enable" CLI statement. I don' t think that a VIP source NAT should be enabled by default - for majority of your publicly available servers you do not really need it. But it is great to know that you could easily turn SNAT on for those servers which require that. I agree with you and others though that Fortinet' s documentation misrepresents default status of VIP SNAT. To Christopher McMullan_FTNT: There is no need " to open a ticket to request this as a New Feature Request" . VIP SNAT has been readily available in FortiOS at least from v3.0.X. Some of us simply overlooked and didn' t use that feature. It would be nice though if there was a global option to change the default status of VIP SNAT to make " everyone happy" : those who are OK with default SNAT disabled - would keep it that way, and those who want it otherwise were able to change it. To MBR:
i hope Fortinet would add this setting to the GUI some day.Yes, it would be nice to have a checkbox in GUI to enable/disable SNAT when you configure a VIP. But again, CLI has so many configuration options for every single object (which is awesome!) so it becomes a real challenge for FortiOS developers - what to include and what not into GUI while keeping it functional, yet tidy and uncluttered. I love this TMX1' s quote from Features that you would like to see topic:
I would like to see less " Features" and more of fixing the existing bugs! OH and stop changing/renaming stuff around for no reason.
Hi
Thanks for the explainations, the solution was very simple when I understood my misunderstanding that was the reason for this not working as expected.
By binding the VIP to the guest network interface it started to work just as expected without disturbing the traffic from the printer in the administrative network out to the outside, so now everything is working just peachy.
Best regards
Peter
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1531 | |
1028 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.