FortiGate
Khenri_FTNT
Staff
Article Id 193767
Description
This article relates to FortiOS v5.2 and v5.4, where WAN link load balancing is an option; it is applicable to all models.

Consider a situation where WAN link load balancing is in use and there are two VIPs (one-to-one NAT), one for each external IP (or an IP in each external block). Since a VIP cannot be bound to a selected interface, outbound traffic from the internal device may be translated to the VIP IP of the wrong interface.

For example, traffic from an internal server leaves via wan2, but the packet flow shows SNAT to the public IP used by the VIP for wan1. In this case the srcintf-filter should be set on each VIP.
FGT3HD3915809012 $ id=20085 trace_id=9 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=1, 10.2.1.8:1->8.8.8.8:8) from port4. code=8, type=0, id=1, seq=99."
id=20085 trace_id=9 func=init_ip_session_common line=4868 msg="allocate a new session-007886ca"
id=20085 trace_id=9 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-192.34.174.81 via port2"
id=20085 trace_id=9 func=fw_forward_handler line=698 msg="Allowed by Policy-43: SNAT"
id=20085 trace_id=9 func=__ip_session_run_tuple line=2755 msg="SNAT 10.2.1.8->192.34.174.84:1"
Incorrect NAT when the session goes out port3 but is translated to the port2 VIP IP:
id=20085 trace_id=16 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=1, 10.2.1.8:1->8.8.8.8:8) from port4. code=8, type=0, id=1, seq=112."
id=20085 trace_id=16 func=resolve_ip_tuple_fast line=4781 msg="Find an existing session, id-00789b33, original direction"
id=20085 trace_id=16 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-50.76.147.118 via port3"
id=20085 trace_id=16 func=__ip_session_run_tuple line=2755 msg="SNAT 10.2.1.8->192.34.174.84:1"
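The mismatch above is easy to miss by eye in a long debug flow capture. The following is an added example (not part of the original article) that parses the trace lines, pairs each session's "find a route ... via" interface with its "SNAT" address, and flags sessions whose SNAT address belongs to a VIP on a different interface. The VIP-to-interface mapping is an assumption constructed from the traces shown above.

```python
import re

# Constructed sample: the two debug-flow traces from the article (trace_id 9 and 16).
SAMPLE_TRACE = """\
id=20085 trace_id=9 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=1, 10.2.1.8:1->8.8.8.8:8) from port4. code=8, type=0, id=1, seq=99."
id=20085 trace_id=9 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-192.34.174.81 via port2"
id=20085 trace_id=9 func=__ip_session_run_tuple line=2755 msg="SNAT 10.2.1.8->192.34.174.84:1"
id=20085 trace_id=16 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=1, 10.2.1.8:1->8.8.8.8:8) from port4. code=8, type=0, id=1, seq=112."
id=20085 trace_id=16 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-50.76.147.118 via port3"
id=20085 trace_id=16 func=__ip_session_run_tuple line=2755 msg="SNAT 10.2.1.8->192.34.174.84:1"
"""

# Assumed mapping of each VIP's external address to the WAN interface it belongs to.
# From the traces, 192.34.174.84 is the VIP address that should only be used via port2.
VIP_INTERFACE = {
    "192.34.174.84": "port2",
}

ROUTE_RE = re.compile(r'trace_id=(\d+) .*msg="find a route: .* via (\S+)"')
SNAT_RE = re.compile(r'trace_id=(\d+) .*msg="SNAT \S+->([\d.]+):\d+"')


def find_snat_mismatches(trace_text, vip_interface):
    """Return [(trace_id, egress_intf, snat_ip, vip_intf)] for sessions whose SNAT
    address is a VIP bound to a different interface than the route lookup chose."""
    egress = {}  # trace_id -> interface chosen by the route lookup
    snat = {}    # trace_id -> source address after SNAT
    for line in trace_text.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            egress[m.group(1)] = m.group(2)
            continue
        m = SNAT_RE.search(line)
        if m:
            snat[m.group(1)] = m.group(2)
    mismatches = []
    for tid, ip in snat.items():
        vip_intf = vip_interface.get(ip)
        out_intf = egress.get(tid)
        # Only flag a session when both sides are known and they disagree.
        if vip_intf and out_intf and vip_intf != out_intf:
            mismatches.append((tid, out_intf, ip, vip_intf))
    return mismatches


if __name__ == "__main__":
    for tid, out_intf, ip, vip_intf in find_snat_mismatches(SAMPLE_TRACE, VIP_INTERFACE):
        print(f"trace {tid}: egress {out_intf} but SNAT to {ip}, the {vip_intf} VIP address")
```

Run against a real capture, a non-empty result means the srcintf-filter configuration below is missing or incomplete.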

config firewall vip
    edit <vip_used_for_wan1>
        set srcintf-filter wan1
    next
    edit <vip_used_for_wan2>
        set srcintf-filter wan2
    next
end
