SNAT precedence: DNAT with nat-source-vip enabled vs. Central SNAT policy?
We have configured a DNAT policy that matches a wide /16 external IP range to an internal IP range. On this policy "nat-source-vip" is also enabled, so that bidirectional initiation of extranet communication is possible. One of the hosts in the internal range needs a separate, specific source-NAT address for outgoing communication only. Therefore I configured a more specific Central SNAT policy for this specific communication. But when analyzing the logs, the firewall still maps the external address of the DNAT policy to the traffic.
My question is, which policy has precedence for outgoing source-natted traffic, the DNAT policy with nat-source-vip enabled or the SNAT policy?
What other factors play a role in the selection of the SNAT address, either by SNAT or by DNAT + nat-source-vip? Is there documentation available?
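To make the question concrete, here is an added FortiOS CLI sketch of the setup described above together with the session check used to see which source address actually got applied; it is not the poster's configuration, makes no claim about which rule wins, and all interface, object and address values (wan1, internal, the 203.0.113.0/24 and 10.10.0.0/24 ranges, host 10.10.0.5, the pool and VIP names) are assumed placeholders.

```fortios
# Central NAT must be on for central-snat-map to be consulted at all
config system settings
    set central-nat enable
end

# DNAT VIP mapping an external range to an internal range (one-to-one).
# nat-source-vip makes outbound traffic from the mapped hosts use the
# corresponding external address as its source.
config firewall vip
    edit "vip-extranet-range"
        set extintf "wan1"
        set extip 203.0.113.1-203.0.113.254
        set mappedip "10.10.0.1-10.10.0.254"
        set nat-source-vip enable
    next
end

# Dedicated source address for the single host that must not use the VIP range
config firewall ippool
    edit "pool-host-a"
        set type one-to-one
        set startip 198.51.100.5
        set endip 198.51.100.5
    next
end
config firewall address
    edit "host-a"
        set subnet 10.10.0.5 255.255.255.255
    next
end

# More specific central SNAT entry for that host only
config firewall central-snat-map
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set orig-addr "host-a"
        set dst-addr "all"
        set nat enable
        set nat-ippool "pool-host-a"
    next
end

# Verify from the session table which translation was applied:
# the "hook=post dir=org act=snat" line shows the post-NAT source address.
diagnose sys session filter clear
diagnose sys session filter src 10.10.0.5
diagnose sys session list
```

Comparing the `act=snat` translated address in the session output with the two candidate addresses (the VIP external address vs. the pool address) tells you definitively which mechanism handled the flow, independent of what the traffic log shows.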