FortiGate
haljawhari
Article Id 197580

Description

The article describes a solution for the following scenario:
                                   FGT external IP
[ INTERNAL SERVER ]===[ FortiGate ]==={ Internet }
                                   Other external IP
The requirement is that all traffic from the server to the Internet uses a different source IP than the FortiGate's own public (port1) IP. In this case one or more additional public (external) IP addresses have been provided by the ISP, and the solution uses an IP Pool for source NAT.


Solution

Example.

The following addresses are used in this example:

• FortiGate WAN interface (port1) external IP: 192.168.183.110
• Another IP address, 192.168.183.111, is provided by the ISP and must be used to source NAT the traffic of the server 10.160.1.10

                                   external IP 192.168.183.110
    10.160.1.10    port2           port1
[ INTERNAL SERVER ]===[ FortiGate ]==={ Internet }
                                   source NAT to 192.168.183.111


CLI Configuration

Set the external IP on the WAN interface (port1):

# config system interface
    edit "port1"
        set ip 192.168.183.110 255.255.254.0
    next
end

Define an IP Pool holding the additional public address. A single address is used here, so startip and endip are the same:

# config firewall ippool
    edit "Server_EXT_IP"
        set startip 192.168.183.111
        set endip 192.168.183.111
    next
end

Create the policy from port2 to port1 with NAT enabled and the IP Pool selected as the translated source address:

# config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set ippool enable
        set poolname "Server_EXT_IP"
    next
end

Note that with srcaddr "all", every host behind port2 that matches this policy is translated to the pool address. To restrict the pool to the server only, create a firewall address object for 10.160.1.10 and use it as srcaddr instead of "all".

Verification with a sniffer trace (HTTP traffic, for example):

FGT # diagnose sniffer packet any "port 80" 4
30.690038 port2 in 10.160.1.10.1310 -> 192.168.183.254.80: syn 2092282704
30.690106 port1 out 192.168.183.111.58810 -> 192.168.183.254.80: syn 2092282704

The packet enters port2 with the server's address 10.160.1.10 and leaves port1 sourced with 192.168.183.111, the address defined in the IP Pool and selected in the firewall policy, rather than the port1 interface address.
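To check the trace more systematically than by eye, here is an added Python example (not part of the article and not a Fortinet tool) that parses verbosity-4 sniffer lines, pairs each ingress packet with its egress counterpart by destination and TCP flags/sequence number, and confirms that the server's flows leave port1 with the IP Pool address. Both traces are constructed samples; the second shows what the check reports when NAT is enabled without the IP Pool.

```python
import re

# One packet line from `diagnose sniffer packet <iface> "<filter>" 4`
# (verbosity 4 prints the interface name and direction):
#   "<time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags> <seq>"
SNIFFER_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)

def parse_sniffer(text):
    """Return one dict per packet line; the prompt and other lines are skipped."""
    return [m.groupdict() for m in (SNIFFER_LINE.match(l.strip())
                                    for l in text.splitlines()) if m]

def snat_mappings(text):
    """Pair each 'in' packet with the 'out' packet carrying the same destination
    and the same flags/sequence number (NAT rewrites the source, not the TCP
    sequence), giving {(in_iface, original_src): (out_iface, translated_src)}."""
    pending, mapping = {}, {}
    for p in parse_sniffer(text):
        key = (p["dst"], p["dport"], p["rest"])
        if p["dir"] == "in":
            pending[key] = p
        elif key in pending:
            q = pending.pop(key)
            mapping[(q["iface"], q["src"])] = (p["iface"], p["src"])
    return mapping

def verify_ippool_snat(text, server_ip, wan_iface, pool_ip):
    """True only if at least one flow from server_ip left via wan_iface and
    every such flow was sourced from pool_ip, not the interface address."""
    egress = [out for (_, src), out in snat_mappings(text).items()
              if src == server_ip and out[0] == wan_iface]
    return bool(egress) and all(src == pool_ip for _, src in egress)

# Constructed sample 1: the trace from the article (IP Pool applied).
TRACE_WITH_POOL = """\
FGT # diagnose sniffer packet any "port 80" 4
30.690038 port2 in 10.160.1.10.1310 -> 192.168.183.254.80: syn 2092282704
30.690106 port1 out 192.168.183.111.58810 -> 192.168.183.254.80: syn 2092282704
"""
# Constructed sample 2: the same flow when the policy has NAT enabled but no
# IP Pool, so the packet leaves with the port1 interface address instead.
TRACE_WITHOUT_POOL = """\
12.100001 port2 in 10.160.1.10.1311 -> 192.168.183.254.80: syn 11223344
12.100050 port1 out 192.168.183.110.58811 -> 192.168.183.254.80: syn 11223344
"""

if __name__ == "__main__":
    print(snat_mappings(TRACE_WITH_POOL))
    for trace in (TRACE_WITH_POOL, TRACE_WITHOUT_POOL):
        print(verify_ippool_snat(trace, "10.160.1.10", "port1", "192.168.183.111"))
```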