Policy and Objects – FortiManager 5.2

Central NAT

The central NAT table enables you to define and control (with more granularity) the address translation performed by the FortiGate unit. With the NAT table, you can define the rules which dictate the source address or address group, and which IP pool the destination address uses.

While similar in functionality to IP pools, where a single address is translated to an alternate address from a range of IP addresses, with IP pools there is no control over the translated port. When using the IP pool for source NAT, you can define a fixed port to guarantee the source port number is unchanged. If no fixed port is defined, the port translation is randomly chosen by the FortiGate unit. With the central NAT table, you have full control over both the IP address and port translation.

The FortiGate unit reads the NAT rules in a top-down methodology, until it hits a matching rule for the incoming address. This enables you to create multiple NAT policies that dictate which IP pool is used based on the source address. The NAT policies can be rearranged within the policy list as well. NAT policies are applied to network traffic after a security policy.

The Central NAT tab allows you to create, edit, delete, and clone central NAT entries. The following information is displayed for these entries: NAT ID, Status, Original Address, Original Source Port, Translated Address, Translated Port, and Last Modified (administrator, and date and time that the entry was last modified). Select the checkbox in the Status column to enable or disable the central NAT entry.

  1. Select the ADOM from the drop-down list in the toolbar.
  2. Select the policy package where you are creating the new interface policy from the tree menu.
  3. Select Central NAT in the policy toolbar.
  4. Select Create New from the toolbar. The New NAT page opens.
Central NAT
  1. Configure the following settings:
Source Address Select the source address from the drop-down list. You can select to create a new address or address group in the Source Address dialog box.
Translated Address Select the translated address from the drop-down list. You can select to create a new IP Pool in the Translated Address dialog box.
Original Source Port Type the original source port range.
Translated Port Type the translated port range.
  1. Select OK to save the setting.

IPv6 policy

IPv6 security policies are created both for an IPv6 network, and a transitional network. A transitional network is a network that is transitioning over to IPv6, but must still have access to the Internet or must connect over an IPv4 network.

These policies allow for this specific type of traffic to travel between the IPv6 and IPv4 networks. The IPv6 options for creating these policies is hidden by default.

To create a new IPv6 Policy, go to the Policy & Objects tab and select IPv6 Policy in the policy toolbar. Right-click the content pane and select Create New > Policy orCreate New > Identity Policy. See To create a new IPv4 policy: for more information.

Explicit proxy poSlicy

For information on creating explicit proxy policies in FortiManager v5.2, see the FortiOS Handbook available in the

IPv6 interface policy

To create a new IPv6 Interface Policy, go to the Policy & Objects tab and select IPv6 Interface Policy in the policy toolbar. Right-click the content pane and select Create New. See Interface policy for more information.

This entry was posted in Administration Guides, FortiManager and tagged , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

9 thoughts on “Policy and Objects – FortiManager 5.2

  1. Richard Lopez

    Question about ADOMs. In previous versions of FortiOS 4.3 maybe earlier. When you had multiple devices under an ADOM the policies and objects were clearly separated per device being managed. With the newer FortiOS it seems as though there is overlapping and my policies and objects seem to be cross contaminated between devices. What is your perspective on this and/or work around? Thank you in advance – Richard

    Reply
    1. Mike Post author

      I always keep my devices separated by Firmware version. ADOM 4.3 ADOM 5.2 ADOM 5.4 etc to keep things nice and neat.

      Reply
  2. simbhu

    I have an issue for deleting the V4.2 ADOMs from FMG V5.2 getting the below error.

    Some ADOM(s) were not deleted successfully because they are not empty

    But those ADOMs are not used anywhere. How to find out where it is used?

    No admin accounts having access to the ADOM, No policy package for the ADOM.

    Reply
    1. Mike Post author

      Usually, it experiences this issue because something somewhere is still referencing it. Whether that item be a policy package as you mentioned before or a group etc.

      Reply
  3. Thierry

    Hi Mike,

    We use fortimanager v5.4.1-build1082 160629 (GA) FMG-VM64 but we cant drag and drop within the rule base. (drag en drop from the object side plain does work) I have seen a instruction video were they lock the adom but also that future is non exsistent in our GUI.

    You have any idea what this could be ? I did not see any issues on this subject on the fortinet site. We have upgraded from a older version FM.

    kind regards and thanks for this great support site, i look here first!

    Reply
      1. Thierry

        Not sure ( I was not involved and there is no change history) but i did found this in the “alert message console”

        Upgrade image from v5.2.7-build0757-160408(GA) to v5.4.1-build1082-160629

        Reply
  4. linaab

    Hello,

    HELP !! we have multiple firewalls we would like to upload on our Fortimanager in the same ADOM.

    The problem is that some objects have the same names but different IPs adresses. i read that the only solution is mapping the objects. if we do so we will have to it manually on every object (more than ~200) which is not an option for me. Can you please help me with this problem ?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.