Policy configuration – FortiOS 6

Central SNAT

The Central NAT feature is not enabled by default. When central-nat is enabled, the NAT option under IPv4 policies is skipped and SNAT must be done via central-snat-map.

  • Info messages and redirection links have been added to the IPv4 policy list and dialog to indicate the above.
  • If NGFW mode is policy-based, then it is assumed that central-nat (specifically SNAT) is enabled implicitly.
  • The option to toggle NAT in central-snat-map policies has been added (previously it was only shown in NGFW policy-based mode).
  • In the central-snat policy dialog, the port-mapping fields for the original port have been updated to accept ranges.
  • NAT will be skipped in the firewall policy if per-VDOM central NAT is enabled.
  • The Central SNAT window contains a table of all of the Central SNAT policies.

To toggle the feature on or off, use the following commands:


config system settings
    set central-nat [enable | disable]
end

When Central NAT is enabled, the Central SNAT section will appear under the Policy & Objects heading in the GUI.

To configure a Central SNAT entry in the GUI

  1. Go to Policy & Objects > Central SNAT

The right side window will display a table of the existing Central SNAT entries.

  • To edit an existing entry, double click on the policy you wish to edit.
  • To create a new entry, select the Create New icon in the top left side of the right window.

  1. Set the Incoming Interface(s) by clicking on the “+” in the field. This will slide out a window from the right. Here, you can select from the available interfaces. Selecting a listed interface will highlight it in the window and add it to the field. Clicking on an object in this window while it’s highlighted will remove it from the field. Multiple selections are allowed.
  2. Set the Outgoing Interface(s) by clicking on the “+” in the field. This will slide out a window from the right. Here, you can select from the available interfaces. Selecting a listed interface will highlight it in the window and add it to the field. Clicking on an object in this window while it’s highlighted will remove it from the field. Multiple selections are allowed.
  3. Set the Source Address by clicking on the “+” in the field. This will slide out a window from the right. Here, you can select from the available address objects. Selecting a listed object will highlight it in the window and add it to the field. Clicking on an object in this window while it’s highlighted will remove it from the field. Multiple selections are allowed. For more information on addresses, check the Firewall Objects section called Addresses.
  4. Set the Destination Address by clicking on the “+” in the field. This will slide out a window from the right. Here, you can select from the available address objects. Selecting a listed object will highlight it in the window and add it to the field. Clicking on an object in this window while it’s highlighted will remove it from the field. Multiple selections are allowed.

Under the NAT Heading

  1. Set the IP Pool Configuration parameter by selecting either Use Outgoing Interface Address or Use Dynamic IP Pool.

    • If Use Dynamic IP Pool is chosen, a field will appear just beneath the option that is used to select which IP Pool object will be used. Set the IP Pool by clicking on the “+” in the field. This will slide out a window from the right. Here, you can select from the available objects.

  1. Set the Protocol parameter.

There are 5 options for the Protocol.

  • ANY – any protocol traffic
  • TCP – TCP traffic only. Protocol number set to 6
  • UDP – UDP traffic only. Protocol number set to 17
  • SCTP – SCTP traffic only. Protocol number set to 132
  • Specify – User can specify the traffic filter protocol by setting the protocol number in the field.
  1. If the IP Pool is of type Overload, Explicit Port Mapping can be enabled.

To enable or disable, use the check box. Once enabled, the following additional parameters will appear.


  • Original Source Port – in the left number field, set the starting number of the source port range.
  • Translated Port – in the left number field, set the starting number of the translated port range. If the range is a single port, leave the right number field alone. If the right number field is set to a number higher than the left, the right number field for the Original Source Port will change so that the two ranges contain the same number of ports.
  1. Select the OK button to save the entry.

To configure Central SNAT in the CLI

  1. Using the CLI interface of your choice, run the following command to get to the correct context.

config firewall central-snat-map

  • To edit an existing entry, run the command show or show full-configuration to get a listing of all of the entries in the map. Take note of the policy ID for the entry to be edited.
  • To create a new entry, use policy ID 0 in the next step; this checks for an unused ID number and creates an entry with that number.
  2. Edit or create an entry with the correct policy ID:

edit <policyID number>

Run the following commands to set the parameters of the entry:

set status [enable|disable]
set orig-addr <valid address object preconfigured on the FortiGate>
set srcintf <name of interface on the FortiGate>
set dst-addr <valid address object preconfigured on the FortiGate>
set dstintf <name of interface on the FortiGate>
set protocol <integer for protocol number>
set orig-port <integer for original port number>
set nat-port <integer for translated port number>
set comments <string>

  3. Save the entry by running the command end or next.

Example scenarios showing how the CLI treats central-nat

Make NAT available regardless of NGFW mode.

config firewall central-snat-map
    edit 1
        set orig-addr "192-86-1-86"
        set srcintf "port23"
        set dst-addr "192-96-1-96"
        set dstintf "port22"
        set nat-ippool "pool1"
        set protocol 17
        set orig-port 2896-2897
        set nat enable
end

Hide nat-port if nat-ippool is not set or NAT is disabled.

config firewall central-snat-map
    edit 1
        set orig-addr "192-86-1-86"
        set srcintf "port23"
        set dst-addr "192-96-1-96"
        set dstintf "port22"
        set nat-ippool "pool1"
        set protocol 17
        set orig-port 2896-2897
        set nat disable
end

Change orig-port to accept a range.

config firewall central-snat-map
    edit 1
        set orig-addr "192-86-1-86"
        set srcintf "port23"
        set dst-addr "192-96-1-96"
        set dstintf "port22"
        set nat-ippool "pool1"
        set protocol 17
        set orig-port 2896-2897
        (help text changed to: Original port or port range)
        set nat-port 35804-35805
end
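As an added example (not part of the guide or of FortiOS), a small Python audit that parses a central-snat-map block like the ones above and flags entries where nat-port is set although NAT is disabled or no nat-ippool is configured, or where the orig-port and nat-port ranges differ in size; the sample configuration is constructed from the page's values, not captured from a device.

```python
"""Audit a FortiOS central-snat-map block (added example; the sample below is constructed)."""
import re

SAMPLE_CONFIG = """
config firewall central-snat-map
    edit 1
        set nat-ippool "pool1"
        set orig-port 2896-2897
        set nat-port 35804-35805
        set nat enable
    next
    edit 2
        set orig-port 2896-2899
        set nat-port 35804-35805
        set nat disable
    next
end
"""

def parse_central_snat_map(text):
    """Return {policy_id: {setting: value}} for every 'edit' entry in the block."""
    entries, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"edit (\d+)", line):
            current = entries.setdefault(int(m.group(1)), {})
        elif (m := re.fullmatch(r"set (\S+) (.+)", line)) and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
        elif line == "next":
            current = None
    return entries

def port_count(spec):
    """Number of ports covered by 'N' or 'N-M' (the orig-port/nat-port syntax)."""
    lo, _, hi = spec.partition("-")
    return int(hi or lo) - int(lo) + 1

def audit(entries):
    """Map each policy ID to a list of findings; an empty list means the entry is consistent."""
    report = {}
    for pid, e in entries.items():
        findings = []
        # The guide hides nat-port unless NAT is enabled and an IP pool is set.
        if "nat-port" in e and (e.get("nat") != "enable" or "nat-ippool" not in e):
            findings.append("nat-port set but NAT is disabled or nat-ippool missing")
        # The guide says the GUI keeps both port ranges the same size; flag a mismatch.
        if "orig-port" in e and "nat-port" in e and \
                port_count(e["orig-port"]) != port_count(e["nat-port"]):
            findings.append("orig-port and nat-port ranges differ in size")
        report[pid] = findings
    return report
```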

This entry was posted in Administration Guides, FortiGate, FortiOS 6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
