FortiGate—Hairpin_NAT

Reference

https://docs.fortinet.com/document/fortigate/7.6.4/administration-guide/736522/hairpin-nat
https://networkinterview.com/nat-reflection-fortigate-firewall/

Situation

Example: an internal user opens a Citrix session to the VIP's public address in order to reach a service on an internal server.

# An internal client connects to the NAT'd external IP, which is translated to the internal server, and the VIP is enabled on all interfaces.
# The internal client and the internal server are on the same subnet.
A hairpin NAT problem occurs when internal clients reach the server through its public DNAT address (the VIP, enabled on all interfaces), so their traffic has to loop back through the firewall. The FortiGate translates the destination to the server, but if the client and server share a subnet (or the server has any path to the client that bypasses the FortiGate), the server replies to the client's real address directly. The client then receives a reply from the server's internal address instead of the VIP it connected to, has no matching connection, and resets it.

Solution

[1]
Login FortiGate WebUI > Firewall & Objects > Firewall Policy > Create New

[2]
# In addition to the existing inbound DNAT policy, create a policy from the internal user interface to the VIP with SNAT enabled.
# The SNAT forces the server's return traffic back to the FortiGate; without it, a server on the same subnet as the client answers the client directly, bypassing the FortiGate, and the client drops the reply because it comes from the server's real address instead of the VIP.
Incoming Interface: Internal user
Outgoing Interface: the interface the server sits on (the same internal interface when client and server share a subnet; not WAN, since the mapped IP does not route out WAN and the policy would never match)
Destination: the VIP object
NAT: enable
IP Pool Configuration: Use Outgoing Interface Address (the SNAT address becomes that interface's address, 192.168.1.254 in the session output below)
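The same setup as FortiOS CLI, added here as a worked example (it is not copied from the Fortinet guide or the second reference). The VIP address, ports and server address are the ones that appear in the session output in the Troubleshooting section; the interface names (wan1, port2 for the client LAN, port3 for the server LAN), the object names and the policy IDs are assumptions.

```fortios
# Added example, not from the referenced pages. Assumed names: wan1 = Internet,
# port2 = client LAN, port3 = server LAN; "VIP-Server-443" and policy IDs 1/2
# are placeholders. Addresses and ports follow the session output on this page.

# 1. The DNAT object. extintf "any" is the GUI's "Interface: any" setting;
#    it is what lets the VIP match traffic arriving on port2, not only on wan1.
#    The VIP itself restricts the match to extport 12345 -> mappedport 443.
config firewall vip
    edit "VIP-Server-443"
        set extip 1.1.1.1
        set extintf "any"
        set portforward enable
        set protocol tcp
        set extport 12345
        set mappedip "192.168.1.1"
        set mappedport 443
    next
end

# 2. The normal inbound policy from the Internet (unchanged by the hairpin fix).
#    No NAT: the server must see the real Internet source address here.
config firewall policy
    edit 1
        set name "WAN-to-VIP"
        set srcintf "wan1"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "VIP-Server-443"
        set schedule "always"
        set service "ALL"
    next
end

# 3. The hairpin policy. Same VIP as destination, but from the client LAN and
#    with NAT enabled, so the server's reply goes to the FortiGate's port3
#    address (192.168.1.254) instead of straight to the client. ippool stays
#    disabled, which is the GUI's "Use Outgoing Interface Address".
#    If client and server share one subnet, srcintf and dstintf are the same port.
config firewall policy
    edit 2
        set name "LAN-to-VIP-hairpin"
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "VIP-Server-443"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Policy 2 must sit above any broader port2-to-port3 policy without NAT; otherwise the earlier policy matches the DNAT'd traffic first and the reply bypasses the FortiGate again.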

Troubleshooting

diagnose sys session list
> hook=pre  dir=org act=dnat 10.10.10.1:8080->1.1.1.1:12345(192.168.1.1:443)
> hook=post dir=org act=snat 10.10.10.1:8080->192.168.1.1:443(192.168.1.254:8080)

=== Original direction (client -> VIP) ===

The pre-routing hook DNATs the VIP 1.1.1.1:12345 to the server 192.168.1.1:443, then the post-routing hook SNATs the client 10.10.10.1 to the outgoing interface address 192.168.1.254, so the server sees the FortiGate, not the client, as the source.

=== Return traffic: src and dst IP swapped ===

> hook=pre  dir=reply act=dnat 192.168.1.1:443->192.168.1.254:8080(10.10.10.1:8080)
> hook=post dir=reply act=snat 192.168.1.1:443->10.10.10.1:8080(1.1.1.1:12345)

The server's reply to 192.168.1.254:8080 is first mapped back to the client 10.10.10.1:8080 (undoing the SNAT), then its source is rewritten from 192.168.1.1:443 to 1.1.1.1:12345 (undoing the DNAT), so the client receives the reply from the address it connected to. If the dir=org act=snat line is missing, NAT is not enabled on the hairpin policy: the server then answers 10.10.10.1 directly, the client sees a reply from 192.168.1.1:443 instead of 1.1.1.1:12345, and the TCP connection is reset.
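To find the hairpin session among all sessions and to watch the translation happen on a fresh connection, the following FortiOS CLI commands narrow the session table and the flow trace to the example VIP. This is an added example, not part of the original note or the referenced pages; the client address 10.10.10.1 and the VIP 1.1.1.1:12345 are taken from the session output above, and the number of trace packets is an arbitrary choice.

```fortios
# Added example. Addresses are the ones in the session output on this page.

# 1. Show only sessions whose destination is the VIP's external address/port.
diagnose sys session filter clear
diagnose sys session filter dst 1.1.1.1
diagnose sys session filter dport 12345
diagnose sys session list
# A working hairpin session shows all four hook lines (dir=org dnat+snat,
# dir=reply dnat+snat). No org/snat line means the policy matched without NAT.
# Check the policy_id field: it must be the hairpin policy, not the WAN policy;
# if it is not, the srcintf/dstintf of the hairpin policy do not match.

# 2. Trace a new connection attempt from the client through the NAT hooks.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 10.10.10.1
diagnose debug flow filter daddr 1.1.1.1
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... reproduce the connection from the client; the trace should report the
# VIP match, the DNAT to 192.168.1.1:443 and the SNAT to 192.168.1.254, then
# the matched policy id. A trace that ends with a policy match but no SNAT
# line points at the same missing-NAT problem as the session list.

# 3. Always stop the trace and clear the filters when done.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug flow filter clear
diagnose sys session filter clear
```

Run the trace with the session table filter still in place so the new session's hook lines can be checked right after the flow output.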