FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Stelios_FTNT
Staff
Staff
Article Id 194283

Description

 
This article describes how to disable source NAT when a policy allows traffic between two subnets on the same interface.
 
In this scenario, the traffic enters and leaves FortiGate via the same interface. This causes FortiOS to automatically perform SNAT, even if NAT is not configured in the firewall policy.
 
It is useful if the client uses a router/next hop to send traffic to the FortiGate.
 
SNAT is done to make sure that this router sends the packets to the FortiGate and receives these packets when it egress or is forwarded by the firewall. So it does not have the same source IP as when it was sent to the FortiGate (which could cause an anti-spoofing rule to be applied by the router).
 
Another important fact is that not doing SNAT may cause the reply traffic from the server to be sent directly to the client instead of the router and FortiGate.


Scope

 

All FortiGates or VDOMs running in NAT/Route Mode and where a hairpin policy is involved.

Solution

 

If necessary, the application of source NAT by the hairpin policy can be disabled by the below per-vdom setting:

 

# config system setting

    set snat-hairpin-traffic disable

end

 

After this configuration is applied, Source NAT is not applied to the hairpin firewall policy.

 

Related article:

Troubleshooting Tip: SNAT in a Policy with VIP