hhasny
Staff
Article Id 312247
Description

This article describes the behavior of SNAT when VIP is configured (no port forwarding).

Scope

FortiGate.

Solution

FortiGate offers two options for performing SNAT, both configurable in the firewall policy:

  • Use Outgoing Interface Address.
  • Use Dynamic IP Pool.

When a VIP is configured as a one-to-one mapping (no port forwarding), FortiGate will use the VIP IP address as its SNAT IP address.

Below is a firewall policy configuration example with 'Use Outgoing Interface Address' as its SNAT IP:

[Screenshot: Firewall Policy Outbound.png]

Below is the SNAT IP used for outbound traffic from 10.201.1.181:

[Screenshot: Outbound Interface IP as SNAT.png]

Below is the Virtual IP configuration:

[Screenshot: VIP object.png]

When the above VIP is used or referenced in a firewall policy, outbound traffic from host 10.201.1.181 will use 10.47.17.177 (VIP IP) as its SNAT IP:

[Screenshot: VIP as SNAT.png]
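
A CLI sketch of the setup described above, with a session check to confirm which SNAT IP is in effect. This is an added example, not the configuration from the article's screenshots: the VIP name, the interface names (port1 as WAN, port2 as LAN) and the policy IDs are assumptions; only the two IP addresses come from the article.

```fortios
# Constructed example. "vip-host181", "port1", "port2" and the policy IDs are assumptions.
config firewall vip
    edit "vip-host181"
        set extip 10.47.17.177
        set mappedip "10.201.1.181"
        set extintf "port1"
        # portforward stays at its default (disable): one-to-one mapping
    next
end

config firewall policy
    # Outbound policy with 'Use Outgoing Interface Address' (nat enable, no IP pool)
    edit 1
        set name "outbound"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Inbound policy that references the VIP; once this exists, outbound
    # sessions from 10.201.1.181 are SNATed to 10.47.17.177
    edit 2
        set name "inbound-vip"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-host181"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Verify the SNAT IP applied to sessions from the mapped host
diagnose sys session filter clear
diagnose sys session filter src 10.201.1.181
diagnose sys session list
```

The `#` lines are annotations; omit them when pasting into the CLI. Upstream ACLs and log correlation that expect the interface address should account for the host appearing as 10.47.17.177 instead.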
