Troubleshooting Tip: SNAT in a Policy with VIP

sferreira · ‎11-03-2017

Description

This article explains SNAT in a Policy with VIP in FortiOS v5.2
Each time a new Policy LAN to LAN (the same LAN) with Destination VIP is configured, Source NAT is also applied.

Scope

v5.2.X.

Solution

# config system interface

    edit "LAN"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh http fgfm capwap
        set role lan
        set snmp-index 8
    next
end

# config firewall VIP
edit "VIP"
        set extip 192.168.2.3
        set extintf "LAN"
        set mappedip 10.10.10.10
    next
end

# config firewall policy
edit 1
        set srcintf "LAN"
        set dstintf "LAN"
        set srcaddr "ALL"
        set dstaddr "VIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

If IP 10.10.10.20 pings IP 192.168.2.3 in order to reach IP 10.10.10.10, a Source NAT is applied from 10.10.10.20 to 10.10.10.1 (the LAN's interface IP), even if NAT is not enabled on the Policy:

id=13 trace_id=29650 func=__ip_session_run_tuple line=2471 msg="SNAT 10.10.10.20->10.10.10.1"

From v5.2.x or downwards, no solution has been presented for this issue.

From v5.4 upwards it is possible to disable this behavior in the system settings, visit the following link: