FortiGate
nalexiou
Staff
Article Id 193423
Virtual IPs can affect outbound NAT, even though they are not selected in an outbound firewall policy.

If no virtual IPs are configured, FortiGates apply traditional outbound NAT to connections outbound from private network IP addresses to public network IP addresses.

However, if virtual IP configurations exist, the FortiGate uses the virtual IPs’ inbound NAT mappings in reverse to apply outbound NAT, causing IP address mappings for both inbound and outbound traffic to be symmetric.

For example, if a network interface’s IP address is 10.10.10.1, and its bound virtual IP’s external IP address is 10.10.10.2, mapping inbound traffic to the private network IP address 192.168.2.1, traffic outbound from 192.168.2.1 will be translated to 10.10.10.2, not 10.10.10.1.

Reverse SNAT and nat-source-vip option.

- When nat-source-vip enable is configured, the FortiGate will perform SNAT according to the VIP.

- When nat-source-vip disable is configured, the FortiGate will perform SNAT based on the following order:
1) IP pool specified in the policy.
2) Reverse SNAT according to the VIP (with nat-source-vip disable).
3) IP of the outgoing interface.
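
The selection order above can be modeled to check which internal hosts will leave the network from a VIP's external address instead of the address the outbound policy suggests, which matters for egress allow-lists and log attribution. This is an added example, not Fortinet code; the `Vip` class, `select_snat`, `audit_egress`, the single-address IP pool and the address 10.10.10.50 are assumptions made for illustration, and only the order stated in this article is modeled.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Vip:
    """Hypothetical, simplified view of one static-NAT virtual IP."""
    name: str
    extip: str                    # external address of the VIP
    mappedip: str                 # internal host the VIP maps to
    nat_source_vip: bool = False  # mirrors "nat-source-vip enable/disable"


def select_snat(src: str, interface_ip: str, vips: list,
                policy_ippool: Optional[str] = None):
    """Return (translated_ip, reason) using the order given in the article."""
    src_ip = ip_address(src)
    matches = [v for v in vips if ip_address(v.mappedip) == src_ip]
    # nat-source-vip enable: SNAT is performed according to the VIP.
    for v in matches:
        if v.nat_source_vip:
            return v.extip, f"vip {v.name} (nat-source-vip enable)"
    # nat-source-vip disable: 1) IP pool, 2) reverse SNAT, 3) interface IP.
    if policy_ippool:
        return policy_ippool, "policy ippool"
    if matches:
        return matches[0].extip, f"vip {matches[0].name} (reverse SNAT)"
    return interface_ip, "outgoing interface"


def audit_egress(hosts: list, interface_ip: str, vips: list,
                 policy_ippool: Optional[str] = None) -> dict:
    """Map each host whose egress IP differs from what the policy implies."""
    expected = policy_ippool or interface_ip
    findings = {}
    for host in hosts:
        ip, reason = select_snat(host, interface_ip, vips, policy_ippool)
        if ip != expected:
            findings[host] = (ip, reason)
    return findings


if __name__ == "__main__":
    # Addresses from the article's example; 192.168.2.9 is a constructed host.
    vips = [Vip("web", extip="10.10.10.2", mappedip="192.168.2.1")]
    for host, hit in audit_egress(["192.168.2.1", "192.168.2.9"],
                                  "10.10.10.1", vips).items():
        print(f"{host} egresses as {hit[0]} via {hit[1]}")
```
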
