FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pciurea
Staff
Article Id 189955

Description


This article describes the behavior of a VIP configured with the 'Any' interface.

Solution


When a VIP is configured with the 'Any' interface, the default behavior for outgoing traffic initiated by the internal (mapped) host is to use the External IP address defined in the VIP configuration as the source address.

This behavior is confirmed by the CLI help text:
# config firewall vip
    edit <VIPname>
        set nat-source-vip ?
disable: Force only the source NAT mapped IP to the external IP for traffic egressing the external interface of the VIP.
enable: Force the source NAT mapped IP to the external IP for all traffic.

By default, this option is set to 'disable', so the behavior is 'Force only the source NAT mapped IP to the external IP for traffic egressing the external interface of the VIP.'
 
As the VIP is configured with the 'Any' interface, every interface counts as the VIP's external interface, so all outgoing traffic from the mapped host is matched.
 
This behavior can only be overridden by an IP pool in the firewall policy that matches the outgoing traffic.
As a general rule, SNAT is applied in the following order of precedence:

1) reverse SNAT according to the VIP if 'nat-source-vip' is enabled; otherwise:
2) the 'ippool' specified in the policy;
3) reverse SNAT according to the VIP if 'nat-source-vip' is disabled, for traffic egressing the external interface configured on the VIP;
4) the IP address of the outgoing interface.
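The following configuration is a constructed illustration added here; it is not taken from the article or from Fortinet documentation. It shows a VIP on the 'Any' interface in its default state next to the IP pool override described above. All names, interfaces and addresses (VIP-WEB, POOL-OUT, policy 10, internal/wan1, 203.0.113.x, 10.0.0.10) are assumed placeholders.

```fortios
# Constructed example: internal host 10.0.0.10 published on 203.0.113.10
# with the VIP bound to the 'any' interface.
config firewall vip
    edit "VIP-WEB"
        set extintf "any"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
        # Default value. With extintf 'any', every interface is the VIP's
        # external interface, so outbound traffic from 10.0.0.10 is
        # source-NATed to 203.0.113.10 unless a policy IP pool overrides it.
        set nat-source-vip disable
    next
end

# Override: an IP pool referenced by the outbound policy takes precedence
# over the VIP's reverse SNAT while nat-source-vip is disabled (step 2).
config firewall ippool
    edit "POOL-OUT"
        set type overload
        set startip 203.0.113.20
        set endip 203.0.113.20
    next
end

config firewall policy
    edit 10
        set name "LAN-to-WAN"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        # Without these two lines the session would leave with 203.0.113.10
        # (the VIP external IP); with them it leaves with 203.0.113.20.
        set ippool enable
        set poolname "POOL-OUT"
    next
end
```

With this configuration, a session from 10.0.0.10 that matches policy 10 egresses wan1 with source 203.0.113.20. If 'set nat-source-vip enable' were applied to the VIP instead, step 1 of the precedence order would apply and the session would use 203.0.113.10 regardless of the pool; removing both the pool and the VIP override would fall through to the wan1 interface address (step 4). 'diagnose sys session list' on the FortiGate shows the NAT source address chosen for an existing session.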