Technical Tip: How to disable source NAT to enable a hairpin policy or one-arm firewall

Stelios_FTNT · ‎12-28-2018

Description

This article describes how to disable source NAT when a policy allows traffic between two subnets on the same interface.

In this scenario, the traffic enters and leaves FortiGate via the same interface. This causes FortiOS to automatically perform SNAT, even if NAT is not configured in the firewall policy.

It is useful if the client uses a router/next hop to send traffic to the FortiGate.

SNAT is done to make sure that this router sends the packets to the FortiGate and receives these packets when it egress or is forwarded by the firewall. So it does not have the same source IP as when it was sent to the FortiGate (which could cause an anti-spoofing rule to be applied by the router).

Another important fact is that not doing SNAT may cause the reply traffic from the server to be sent directly to the client instead of the router and FortiGate.

Scope

All FortiGates or VDOMs running in NAT/Route Mode and where a hairpin policy is involved.

Solution

If necessary, the application of source NAT by the hairpin policy can be disabled by the below per-vdom setting:

# config system setting

set snat-hairpin-traffic disable

end

After this configuration is applied, Source NAT is not applied to the hairpin firewall policy.

Check this related article as well that provides an example of this scenario with Central NAT enabled:

Other Related Article:

Troubleshooting Tip: SNAT in a Policy with VIP

Technical Tip: How to disable source NAT to enable a hairpin policy or one-arm firewall

You are leaving our website