Policy configuration – FortiOS 6

NAT46 policy

To configure a NAT46 policy in the GUI

  1. Go to Policy & Objects > NAT46 Policy

The right side window will display a table of the existing NAT46 Policies.

  • To edit an existing policy, double click on the policy you wish to edit l To create a new policy, select the Create New icon in the top left side of the right window.
  1. Set the Incoming Interface parameter by selecting the field with the “+” next to the field label. Selecting the field will slide out a window from the right where you can select from the available interfaces. You can select one or more specific interfaces or you can select the any Choosing the any option will remove any other interfaces. For more information on interfaces, check the Concepts section called Interfaces and Zones.
  2. Set the Outgoing Interface parameter by selecting the field with the “+” next to the field label. (Same rules apply as with the above step.)
  3. Set the Source parameter by selecting the field with the “+” next to the field label. The source in this case is either the source address, source user or source device of the initiating traffic. When the field is selected a window will slide out from the right. Tabs indicating Address, User or Device options are there to help categorize the options along with the option to search. In order to be able to select one of these options it needs to be configured as a firewall object before hand. The “+” icon next to the Search field is a shortcut for creating a new firewall object based on the tab that is currently selected. For the Address and Device tabs, single or multiple options can be selected unless the all option is chosen in which case, it will be the only option.
  4. Set the Destination Address parameter by selecting the field with the “+” next to the field label. This field is similar to the Source field but address objects are the only available options to select. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  5. Set the Schedule parameter by using the drop down menu to select a preconfigured schedule. The “+” icon next to the Search field is a shortcut for creating a new schedule object. For more information on addresses, check the Firewall Objects section called Firewall schedules
  6. Set the Service parameter by selecting the field with the “+” next to the field label. (Same mechanics for selection apply as with the other similar fields in this window.) Single or multiple options can be selected unless the ALL option is chosen in which case, it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  7. Set the Action Select one of the following options for the action:
    • ACCEPT – lets the traffic through to the next phase of analysis l DENY – drops the session

While there are not as many Action options as with the IPv4 policy, because the choice of Action determines the settings and options below this parameter in the window the rest of the step are associated with a specific Action.

Settings if the ACCEPT action is selected.

Firewall / Network Options

  1. Skip the NAT setting. This type of policy is intended only for traffic that is being NATed from IPv4 to IPv6, because without NATing the traffic couldn’t reach its destination, so disabling NAT would be pointless. 11. Set the Fixed Port parameter by toggling the slider button.(gray means it is disabled)
  2. Set the IP Pool Configuration by selection one of the options of:

l Use Outgoing Interface Address l Use Dynamic IP Pool

If the Use Dynamic IP Pool option is selected, an additional field will appear with the + icon. Selecting this field will slide out a window from the right where a preexisting IP Pool can be chosen. One or more IP Pools can be chosen and the “+” icon next to the Search field is a shortcut for creating a new IP Pool.

  1. Set the Log Allowed Traffic parameter by toggling the slider button (gray means it is disabled).

If the Log Allowed Traffic setting is enabled, choose whether to log just Security Events or All Sessions and determine whether or not to keep a record of the packets by toggling the Capture Packets setting on or off.

  1. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  2. Toggle whether or not to Enable this policy.The default is enabled.
  3. Select the OK button to save the policy.

Settings if the DENY action is selected

Enable the Log Violation Traffic setting by toggling the slider button.

  1. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  2. Toggle whether or not to Enable this policy.The default is enabled.
  3. Select the OK button to save the policy.
This entry was posted in Administration Guides, FortiGate, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.