1. It doesn't matter which interface I use in the VIP config (extintf); the traffic works anyway, whether or not it makes sense. Why is that, and how should I do it the right way?
2. Configuring "set srcintf-filter dmz" as mentioned in the linked KB results in it not working anymore...
Even more confusing is the fact that this worked a few days ago, and yes, I did clear the NAT cache multiple times in between (diagnose sys session clear).
From my understanding, coming from Cisco, a destination NAT should contain a source interface (incoming traffic), source network, destination interface and destination network.
For testing purposes I deleted all other NAT rules except the default SNAT for outgoing traffic. Currently the configuration looks like this. Incoming and outgoing traffic via the public IP 126.96.36.199 works with this, but I'm afraid that this changes somehow when I go live with the firewalls, as it already did earlier.
fortigate # sh firewall vip webserver
config firewall vip
    edit "webserver"
        set extip 188.8.131.52
        set mappedip "10.9.11.254"
        set extintf "port1"
        set nat-source-vip enable
    next
end

fortigate # sh firewall ippool SNAT_184.108.40.206
config firewall ippool
    edit "SNAT_220.127.116.11"
        set type one-to-one
        set startip 18.104.22.168
        set endip 22.214.171.124
    next
end

fortigate # sh firewall central-snat-map
config firewall central-snat-map
    edit 1
        set srcintf "dmz_zone"
        set dstintf "port1"
        set orig-addr "SH_webserver-10.9.11.254"
        set dst-addr "all"
        set nat-ippool "SNAT_126.96.36.199"
    next
end
Our network partner and some Fortigate engineers recommended that we enable central SNAT so we can more easily migrate our current Cisco configuration. For our migration scripts we use the API. The configuration includes about 660 VPNs, 140 NAT and 800 policy rules, so we do it with API scripts.
I'm not 100% sure, but in Central NAT I don't believe the VIP ext-intf has any bearing on the NAT functionality. It is used for policy application only.
That would explain a lot but can we somehow verify the assumption?
Per the documentation, "ext-intf" setting on VIP is defined as "The external interface that the firewall policy source interface must match." So in this case under Central NAT where VIPs are not assigned to a firewall policy I think it's fair to say the ext-intf setting has no bearing.
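Added verification example (not posted by any participant in this thread): one way to test the assumption above is to trace a single inbound connection and read off which VIP and which policy the FortiGate actually matched, then check the resulting session for the DNAT translation. The block reuses the objects shown earlier in the thread (the "webserver" VIP, the "SH_webserver-10.9.11.254" address, port1 and dmz_zone); the test client address 203.0.113.10, the service (TCP/443) and firewall policy ID 100 are constructed assumptions, and the "#" lines are annotations, not CLI input. The srcintf-filter value is likewise an assumption based on the setting's documented meaning (the interfaces on which the VIP applies), which would explain why filtering on the DMZ side broke inbound matching.

```fortios
# Added example; constructed test client 203.0.113.10, service TCP/443, policy ID 100.

# 1. VIP as shown in the thread, plus an ingress-side srcintf-filter (assumption:
#    the VIP applies on the interfaces listed here, so it must name the interface
#    the client traffic arrives on, not the server's interface).
config firewall vip
    edit "webserver"
        set extip 188.8.131.52
        set mappedip "10.9.11.254"
        set extintf "port1"
        set srcintf-filter "port1"
        set nat-source-vip enable
    next
end

# 2. Under central NAT the policy refers to the mapped (real) server address,
#    not to the VIP object. Policy ID 100 is an assumption.
config firewall policy
    edit 100
        set srcintf "port1"
        set dstintf "dmz_zone"
        set srcaddr "all"
        set dstaddr "SH_webserver-10.9.11.254"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end

# 3. Trace the first packets of a test connection; the output names the VIP
#    ("DNAT ... -> 10.9.11.254") and the policy ID that matched.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 203.0.113.10
diagnose debug flow filter dport 443
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... open a connection from 203.0.113.10 to 188.8.131.52:443, then stop tracing:
diagnose debug disable
diagnose debug flow trace stop

# 4. Confirm the session table shows the translated destination and the policy ID.
diagnose sys session filter clear
diagnose sys session filter src 203.0.113.10
diagnose sys session filter dport 443
diagnose sys session list
```

If the trace shows the packet being dropped before any VIP or policy is reported, the VIP was not applied at ingress; if it reports the VIP but a different policy than expected, the ext-intf/policy relationship is where to look. Repeating step 3 once with and once without the srcintf-filter line gives a direct answer to the question asked above, on your own configuration rather than by inference from documentation.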