Central NAT
The central NAT table lets you define and control, with more granularity, the source address translation performed by the FortiGate unit. In the NAT table you define entries that state which source address or address group is translated, and which IP pool supplies the translated address.
Central NAT is similar in function to using an IP pool for source NAT, where a single address is translated to an alternate address taken from a range of IP addresses. The difference is port control: with an IP pool, the only option is fixed port, which guarantees that the source port number is left unchanged; if fixed port is not set, the FortiGate unit chooses the translated port itself. With the central NAT table you control both the translated IP address and the translated port range.
The FortiGate unit evaluates central NAT entries top-down and applies the first entry that matches the original source address. This lets you create several NAT entries that select different IP pools based on the source address, and it also means the order of entries matters: an entry that sits below a broader entry covering the same sources will never match. Entries can be rearranged within the list. Central NAT is applied to traffic after the security policy has accepted it.
The Central NAT tab allows you to create, edit, delete, and clone central NAT entries. The following information is displayed for these entries: NAT ID, Status, Original Address, Original Source Port, Translated Address, Translated Port, and Last Modified (administrator, and date and time that the entry was last modified). Select the checkbox in the Status column to enable or disable the central NAT entry.
- Select the ADOM from the drop-down list in the toolbar.
- Select the policy package where you are creating the new central NAT entry from the tree menu.
- Select Central NAT in the policy toolbar.
- Select Create New from the toolbar. The New NAT page opens.
- Configure the following settings:
| Setting | Description |
| --- | --- |
| Source Address | Select the original source address from the drop-down list. You can also create a new address or address group from the Source Address dialog box. |
| Translated Address | Select the translated address from the drop-down list. You can also create a new IP pool from the Translated Address dialog box. |
| Original Source Port | Type the original source port range that the entry matches. |
| Translated Port | Type the port range the matched source port is translated into. |
- Select OK to save the setting.
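The two points a practitioner most often gets wrong with this table are the top-down, first-match evaluation and the way the original and translated port ranges interact. The Python model below is an added example, not FortiManager or FortiOS code; it takes a list of central NAT entries (source address/group, original source port range, IP pool, translated port range, status) and resolves a given source IP and port exactly as the text describes, then reports entries that can never match because an earlier enabled entry already covers all of their sources and ports. How the real unit picks an address from a multi-address pool and maps a port within the translated range is not stated on this page, so the hash-based pool choice and offset-preserving port mapping here are assumptions, marked as such in the code.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class NatRule:
    """One central NAT entry as shown in the Central NAT tab (constructed model)."""
    nat_id: int
    source: List[str]          # original source address/group, as CIDR strings
    orig_ports: Tuple[int, int]  # Original Source Port range (low, high)
    ippool: List[str]          # Translated Address: the IP pool members
    nat_ports: Tuple[int, int]  # Translated Port range (low, high)
    enabled: bool = True       # Status checkbox

    def nets(self) -> List[Net]:
        return [Net(n) for n in self.source]


def _in_range(port: int, rng: Tuple[int, int]) -> bool:
    return rng[0] <= port <= rng[1]


def rule_matches(rule: NatRule, src_ip: str, src_port: int) -> bool:
    ip = ipaddress.IPv4Address(src_ip)
    return (rule.enabled
            and _in_range(src_port, rule.orig_ports)
            and any(ip in net for net in rule.nets()))


def translate(rules: List[NatRule], src_ip: str, src_port: int) -> Optional[Tuple[int, str, int]]:
    """Top-down evaluation: the first enabled matching entry wins.

    Returns (nat_id, translated_ip, translated_port), or None when no entry
    matches and this table therefore leaves the packet alone.
    """
    for rule in rules:
        if not rule_matches(rule, src_ip, src_port):
            continue
        ip = ipaddress.IPv4Address(src_ip)
        # Assumption: pool member chosen by hashing the source address, so the
        # same source always gets the same pool address. The page does not
        # specify the unit's real selection algorithm.
        pool_ip = rule.ippool[int(ip) % len(rule.ippool)]
        # Assumption: the port keeps its offset within the original range and is
        # wrapped onto the translated range when that range is smaller.
        lo, hi = rule.nat_ports
        nat_port = lo + (src_port - rule.orig_ports[0]) % (hi - lo + 1)
        return rule.nat_id, pool_ip, nat_port
    return None


def shadowed(rules: List[NatRule]) -> List[int]:
    """IDs of enabled entries that can never match because an earlier enabled
    entry covers every one of their source networks and their whole port range.
    Run this after reordering the list to confirm the intended entry is reachable.
    """
    unreachable = []
    for i, later in enumerate(rules):
        if not later.enabled:
            continue
        for earlier in rules[:i]:
            if not earlier.enabled:
                continue
            ports_covered = (earlier.orig_ports[0] <= later.orig_ports[0]
                             and later.orig_ports[1] <= earlier.orig_ports[1])
            nets_covered = all(any(ln.subnet_of(en) for en in earlier.nets())
                               for ln in later.nets())
            if ports_covered and nets_covered:
                unreachable.append(later.nat_id)
                break
    return unreachable


# Constructed sample table. Entry 2 is meant to give the 10.1.5.0/24 segment its
# own pool address, but it sits below the broader entry 1 and so never matches.
RULES = [
    NatRule(1, ["10.1.0.0/16"], (1, 65535), ["203.0.113.10", "203.0.113.11"], (10000, 19999)),
    NatRule(2, ["10.1.5.0/24"], (1, 65535), ["203.0.113.50"], (20000, 20999)),
    NatRule(3, ["10.2.0.0/16"], (1024, 65535), ["203.0.113.60"], (30000, 39999)),
]
# Same entries with 2 moved above 1, as a rearranged policy list would be.
RULES_REORDERED = [RULES[1], RULES[0], RULES[2]]

if __name__ == "__main__":
    print("shadowed in original order:", shadowed(RULES))
    print("shadowed after reordering:", shadowed(RULES_REORDERED))
    print("10.1.5.7:40000 ->", translate(RULES, "10.1.5.7", 40000))
    print("10.1.5.7:40000 ->", translate(RULES_REORDERED, "10.1.5.7", 40000))
    print("10.2.3.4:80    ->", translate(RULES, "10.2.3.4", 80))
```

Running it shows entry 2 listed as shadowed in the original order and the 10.1.5.0/24 host translated by entry 1, while after the reorder the same host is translated by entry 2. The 10.2.3.4:80 case returns None because port 80 lies outside entry 3's original source port range, which is the easiest way to silently exclude traffic from a pool when the range is typed too narrowly.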
IPv6 policy
IPv6 security policies are created both for a native IPv6 network and for a transitional network. A transitional network is one that is moving to IPv6 but must still reach the Internet or connect across an IPv4 network.
These policies allow that traffic to travel between the IPv6 and IPv4 networks. The IPv6 options for creating these policies are hidden by default.
To create a new IPv6 policy, go to the Policy & Objects tab and select IPv6 Policy in the policy toolbar. Right-click the content pane and select Create New > Policy or Create New > Identity Policy. See To create a new IPv4 policy: for more information.
Explicit proxy policy
For information on creating explicit proxy policies in FortiManager v5.2, see the FortiOS Handbook available in the
IPv6 interface policy
To create a new IPv6 interface policy, go to the Policy & Objects tab and select IPv6 Interface Policy in the policy toolbar. Right-click the content pane and select Create New. See Interface policy for more information.
Question about ADOMs. In previous versions (FortiOS 4.3, maybe earlier), when you had multiple devices under an ADOM, the policies and objects were clearly separated per device being managed. With the newer FortiOS it seems as though there is overlapping, and my policies and objects seem to be cross-contaminated between devices. What is your perspective on this and/or a workaround? Thank you in advance – Richard
I always keep my devices separated by firmware version: ADOM 4.3, ADOM 5.2, ADOM 5.4, etc., to keep things nice and neat.
I have an issue deleting the v4.2 ADOMs from FMG v5.2; I get the error below.
Some ADOM(s) were not deleted successfully because they are not empty
But those ADOMs are not used anywhere. How to find out where it is used?
No admin accounts having access to the ADOM, No policy package for the ADOM.
Usually this issue occurs because something somewhere is still referencing it, whether that item is a policy package, as you mentioned, or a group, etc.
Is there any possibility of finding out the references to that ADOM on the FMG?
Hi Mike,
We use FortiManager v5.4.1-build1082 160629 (GA) FMG-VM64, but we can't drag and drop within the rule base (drag and drop from the object side pane does work). I have seen an instruction video where they lock the ADOM, but that feature is also non-existent in our GUI.
Do you have any idea what this could be? I did not see any issues on this subject on the Fortinet site. We upgraded from an older FM version.
Kind regards, and thanks for this great support site; I look here first!
Did you follow the supported upgrade path when you moved your FortiManager up through the code?
Not sure (I was not involved and there is no change history), but I did find this in the "alert message console":
Upgrade image from v5.2.7-build0757-160408(GA) to v5.4.1-build1082-160629
Hello,
HELP!! We have multiple firewalls we would like to upload to our FortiManager in the same ADOM.
The problem is that some objects have the same names but different IP addresses. I read that the only solution is mapping the objects. If we do so, we will have to do it manually on every object (more than ~200), which is not an option for me. Can you please help me with this problem?