
nse4_fgt-72 Exam - Question 86


Refer to the exhibits.

Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The administrator disabled the WebServer firewall policy.

Which IP address will be used to source NAT the traffic, if a user with address 10.0.1.10 connects over SSH to the host with address 10.200.3.1?

Correct Answer: C

The IP address used to source NAT the traffic is 10.200.1.1. The traffic goes from the LAN (10.0.1.10) to the WAN (10.200.3.1), and the WebServer firewall policy, which references the VIP (10.200.1.10 to 10.0.1.10), is disabled, so the active Full_Access firewall policy is the one that matches. That policy has NAT enabled with no IP pool, which means it uses the outgoing interface's IP address for NAT. Therefore the translated source will be the WAN interface IP address, 10.200.1.1.
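As an added illustration (not from the exam page or from Fortinet), here is a small Python model of the lookup the answer describes: top-down policy match, then NAT to an IP pool, to the external IP of a referenced static VIP, or to the egress interface address. It goes one step beyond the question by also covering the case argued about in the discussion, where the WebServer policy is enabled and the VIP's external IP is used for SNAT, as in the Fortinet technical tip linked below. Interface addresses are from the question; the policy set, the VIP object name and the model itself are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Interface addresses are from the question; policies, the VIP name and the lookup logic are a constructed model.
INTERFACES = {"port1": "10.200.1.1/24", "port3": "10.0.1.254/24"}

@dataclass
class VIP:
    name: str
    extip: str                 # external (WAN-side) address
    mappedip: str              # internal host behind the VIP
    portforward: bool = False  # False = static one-to-one VIP

@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    dstaddr: str               # "all" or the name of a VIP object
    nat: bool
    enabled: bool = True
    ippool: Optional[str] = None  # IP pool address when one is selected

def snat_address(src: str, dst: str, policies: list, vips: dict, ingress: str = "port3") -> Optional[str]:
    # Egress: directly connected subnet wins, otherwise the default route via port1 (WAN).
    egress = next((n for n, c in INTERFACES.items() if ip_address(dst) in ip_network(c, strict=False)), "port1")
    # Top-down first match; returns the source address seen on the egress side, None on implicit deny.
    for p in policies:
        if not p.enabled or p.srcintf != ingress or p.dstintf != egress:
            continue
        if p.dstaddr != "all" and ip_address(dst) != ip_address(vips[p.dstaddr].extip):
            continue
        if not p.nat:
            return src                # policy without NAT: source unchanged
        if p.ippool:
            return p.ippool           # an IP pool overrides the interface address
        # A static VIP that maps our source and is referenced by an enabled policy:
        # FortiOS then uses the VIP external IP for SNAT (Fortinet tip linked in the discussion).
        for v in vips.values():
            if v.mappedip == src and not v.portforward and any(q.enabled and q.dstaddr == v.name for q in policies):
                return v.extip
        return INTERFACES[egress].split("/")[0]  # plain NAT to the egress interface IP
    return None

def question_86(webserver_enabled: bool) -> Optional[str]:
    vips = {"WebServer_VIP": VIP("WebServer_VIP", "10.200.1.10", "10.0.1.10")}  # VIP name is assumed
    policies = [Policy("Full_Access", "port3", "port1", "all", nat=True),
                Policy("WebServer", "port1", "port3", "WebServer_VIP", nat=False, enabled=webserver_enabled)]
    return snat_address("10.0.1.10", "10.200.3.1", policies, vips)
```

`question_86(False)` reproduces the exam scenario and yields 10.200.1.1; `question_86(True)` yields 10.200.1.10, the behaviour several commenters describe when the VIP policy is active.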

Discussion

17 comments
Gorgoyle (Option: C)
Aug 28, 2023

If the WebServer firewall policy were active it would be A, because SNAT changes it to 10.200.1.10 due to the VIP. But the correct answer is C due to the disabled WebServer firewall policy. https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-VIP-s-External-IP-Address-for-Source/ta-p/189947

raydel92
Sep 13, 2023

Even if the WebServer firewall policy were active, C would be the correct answer. This traffic is coming from LAN to WAN, so the match is on the first policy, which has NAT enabled, so it uses the outgoing interface IP address.

ccnax2 (Option: A)
Jul 18, 2023

SNAT changes it to 10.200.1.10 due to VIP.

ccnax2
Jul 18, 2023

Disregard. The correct answer is C due to the disabled WebServer firewall policy.

MrSherman
Oct 19, 2023

Disabling the policy of the VIP does not deactivate the VIP. On a one-to-one VIP, or one with no port forwarding assigned, the external IP address will be used to SNAT the internal IP address. Try it in a lab.

DC095
Nov 17, 2023

The caveat is that there has to be an active firewall policy with the VIP as the destination address object for the external VIP address to be used in SNAT as well.

Deep_Purple
Jul 27, 2023

You are correct. https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-VIP-s-External-IP-Address-for-Source/ta-p/189947

alaaomar1985
Dec 17, 2023

The VIP entry must be referenced in at least one firewall policy in order to use VIP's external IP for performing SNAT.

Retro (Option: C)
Aug 22, 2023

NAT enabled will use the outgoing interface address.

kittituch01 (Option: C)
Aug 23, 2023

C is correct.

raydel92 (Option: C)
Sep 13, 2023

C. 10.200.1.1. Traffic is coming from LAN to WAN and matches policy Full_Access, which has NAT enabled, so traffic uses the source IP address of the outgoing interface. Simple SNAT. Reference and study guide download: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html

rian00z_ (Option: A)
Aug 20, 2023

Correct answer: A

e86cb90 (Option: C)
Dec 5, 2023

VIPs are DNAT, and this traffic is originating from LAN to WAN, which would then use SNAT if enabled on the firewall policy.

yxpoh (Option: C)
Dec 19, 2023

C. FortiGate Security 7.2 Study Guide, pg. 112: if the policy with the VIP is disabled, the FG will not use it for SNAT purposes. Therefore the alternative would be the NAT rule used in Full_Access, which, since there is no pool specified, will be PAT using the egress interface IP of 10.200.1.1.

AxiansPT (Option: C)
Feb 8, 2024

FortiGate Security 7.2 Study Guide, pg. 112: if the policy with the VIP is disabled, the FG will not use it for SNAT purposes.

MrSherman (Option: A)
Oct 19, 2023

10.0.1.10 has been NATed to 10.200.1.10 as a one-to-one NAT. Disabling the VIP policy does not deactivate the VIP.

MrSherman
Oct 19, 2023

CORRECTION: C is the right one, because the VIP policy is disabled.

Sfeleka (Option: C)
Oct 22, 2023

C is the correct answer.

Hummer1 (Option: C)
Oct 27, 2023

The question is about SNAT, so the LAN to WAN rule: if traffic is destined from the LAN to the WAN, it would NAT out over the WAN IP, or, if an IP pool were present, it would NAT out over that. DNAT is inbound WAN to LAN, so incoming traffic sent towards the VIP rule would be affected by that NAT. I think the correct answer is C.

MtoE (Option: A)
Nov 23, 2023

ChatGPT answer (XD): "Disabling a security policy on a Fortigate device will not deactivate the NAT VIP configured in it. The VIP will still translate traffic regardless of the policy being disabled. The security policy and NAT VIP are separate configurations on the Fortigate device, and disabling the security policy will not affect the operation of the NAT VIP"

GeniusA (Option: C)
Dec 26, 2023

C is a valid response.