Central SNAT

Central NAT is disabled by default. To toggle the feature on or off, use the following commands:

config system settings
    set central-nat [enable | disable]
end

When Central NAT is enabled, the Central SNAT section appears under the Policy & Objects heading in the GUI.

The Central SNAT window contains a table of all of the Central SNAT policies.

To configure a Central SNAT entry in the GUI

  1. Go to Policy & Objects > Central SNAT

The window on the right displays a table of the existing Central SNAT entries.

  • To edit an existing entry, double click on the policy you wish to edit.
  • To create a new entry, select the Create New icon in the top left side of the right window.

  2. Set the Incoming Interface(s) by clicking on the “+” in the field. This will slide out a window from the right. Here, you can select from the available interfaces. Selecting a listed interface will highlight it in the window and add it to the field. Clicking on an object in this window while it’s highlighted will remove it from the field. Multiple selections are allowed.

  3. Set the Outgoing Interface(s) by clicking on the “+” in the field. This will slide out a window from the right. Here, you can select from the available interfaces. Selecting a listed interface will highlight it in the window and add it to the field. Clicking on an object in this window while it’s highlighted will remove it from the field. Multiple selections are allowed.
  4. Set the Source Address by clicking on the “+” in the field. This will slide out a window from the right. Here, you can select from the available address objects. Selecting a listed object will highlight it in the window and add it to the field. Clicking on an object in this window while it’s highlighted will remove it from the field. Multiple selections are allowed. For more information on addresses, check the Firewall Objects section called Addresses.
  5. Set the Destination Address by clicking on the “+” in the field. This will slide out a window from the right. Here, you can select from the available address objects. Selecting a listed object will highlight it in the window and add it to the field. Clicking on an object in this window while it’s highlighted will remove it from the field. Multiple selections are allowed.

Under the NAT Heading

  6. Set the IP Pool Configuration parameter by selecting either Use Outgoing Interface Address or Use Dynamic IP Pool.

  • If Use Dynamic IP Pool is chosen, a field appears just beneath the option that is used to select which IP Pool object will be used. Set the IP Pool by clicking on the “+” in the field. This will slide out a window from the right. Here, you can select from the available objects.

  7. Set the Protocol parameter.

There are 5 options for the Protocol:

  • ANY – any protocol traffic
  • TCP – TCP traffic only. Protocol number set to 6
  • UDP – UDP traffic only. Protocol number set to 17
  • SCTP – SCTP traffic only. Protocol number set to 132
  • Specify – the user can specify the traffic filter protocol by setting the protocol number in the field.

  8. If the IP Pool is of type Overload, Explicit Port Mapping can be enabled.

To enable or disable, use the check box. Once enabled, the following additional parameters will appear.

  • Original Source Port – in the left number field, set the starting number of the source port range.
  • Translated Port – in the left number field, set the starting number of the translated port range. For a single-port range, leave the right number field alone. If the right number field is set to a number higher than the left, the right number field for the Original Source Port changes so that the two ranges contain the same number of ports.
  9. Select the OK button to save the entry.

To configure Central SNAT in the CLI

  1. Using the CLI interface of your choice, run the following command to get to the correct context.

config firewall central-snat-map

  • To edit an existing entry, run the command show or show full-configuration to get a listing of all of the entries in the map. Take note of the policy ID for the entry to be edited.
  • To create a new entry, use policy ID 0 in the next step; FortiOS finds an unused ID number and creates the entry with that number.
  2. Edit or create an entry with the correct policy ID:

edit <policyID number>

Run the following commands to set the parameters of the entry:

set status [enable|disable]
set orig-addr <valid address object preconfigured on the FortiGate>
set srcintf <name of interface on the FortiGate>
set dst-addr <valid address object preconfigured on the FortiGate>
set dstintf <name of interface on the FortiGate>
set protocol <integer for protocol number>
set orig-port <integer for original port number>
set nat-port <integer for translated port number>

  3. Save the entry by running the command end or next.

This entry was posted in FortiOS 5.6.
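The GUI and CLI procedures above, worked through end to end as an added example that is not from this page or Fortinet's documentation: a TCP-only Central SNAT entry that uses an overload IP pool with explicit port mapping. The interface names, addresses and object names are constructed; the config firewall ippool and config firewall address blocks, the nat-ippool keyword and the start-end port range syntax are assumptions drawn from the FortiOS CLI rather than from this page.

```fortios
# Added worked example, not taken from the page or Fortinet documentation.
# Scenario (constructed): TCP traffic from 10.1.1.0/24 entering on "internal"
# and leaving on "wan1" is SNATed to an overload IP pool, with explicit port
# mapping from source ports 5000-5099 to translated ports 20000-20099.

# Step 1: enable central NAT (commands as given on the page)
config system settings
    set central-nat enable
end

# Step 2: overload IP pool (assumed syntax of "config firewall ippool")
config firewall ippool
    edit "snat-pool-overload"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# Step 3: source address object (assumed syntax of "config firewall address")
config firewall address
    edit "lan-10.1.1.0"
        set subnet 10.1.1.0 255.255.255.0
    next
end

# Step 4: the Central SNAT entry; "edit 0" makes FortiOS allocate an unused ID
config firewall central-snat-map
    edit 0
        set status enable
        set orig-addr "lan-10.1.1.0"
        set srcintf "internal"
        set dst-addr "all"
        set dstintf "wan1"
        # "nat-ippool" is assumed from the FortiOS CLI reference; the page only
        # shows the GUI's "Use Dynamic IP Pool" field
        set nat-ippool "snat-pool-overload"
        set protocol 6
        # Both ranges span 100 ports, matching the rule described for the GUI
        set orig-port 5000-5099
        set nat-port 20000-20099
    next
end

# Verify: list the map and note the policy ID that was allocated
config firewall central-snat-map
    show
end
```

Because central NAT removes NAT from the regular firewall policies, confirm with the show output that the new entry's interfaces and source address match the policy whose traffic you intend to translate.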

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
