Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiADC 6.0.0 CLI Reference
    6.0.0
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config firewall nat-snat

    config firewall nat-snat

    Use this command to configure source NAT (SNAT) rules.

    You use SNAT when clients have IP addresses from private networks. This ensures you do not have multiple sessions from different clients with source IP 192.168.1.1, for example. Or, you can map all client traffic to a single source IP address because a source address from a private network is not meaningful to the FortiADC system or backend servers.

    The system maintains this NAT table and performs the inverse translation when it receives the server-to-client traffic. Be sure to configure the backend servers to use the FortiADC address as the default gateway so that server responses are also rewritten by the NAT module.

    Note: This SNAT feature is not supported for traffic to virtual servers. Use the virtual server SNAT feature instead.

    Before you begin:

    • You must have read-write permission for firewall settings.

    Syntax

    config firewall nat-snat

    edit <name>

    set from <ip&netmask>

    set out-interface <datasource>

    set status {enable | disable}

    set to <ip&netmask>

    set traffic-group <datasource>

    set trans-to-type {ip | pool | no-nat}

    set trans-to-ip <class_ip>

    set trans-to-ip-start <class_ip>

    set trans-to-ip-end <class_ip>

    next

    end

    from

    Address/mask notation to match the source IP address in the packet header. 0.0.0.0/0 matches all IP addresses.

    out-interface

    Interface that forwards traffic.
    status

    Enable or disable SNAT status.

    to

    Address/mask notation to match the destination IP address in the packet header. For example, 192.0.2.0/24.
    traffic-group

    Specify a traffic group configuration object.

    trans-to-type
    • ip—Specify to translate the source IP to a single specified address.
    • pool—Specify to translate the source IP to the next address in a pool.
    • no-nat—Specify for no translation.

    trans-to-ip

    Specify an IPv4 address. The source IP address in the packet header will be translated to this address.

    trans-to-ip-start

    First IP address in the SNAT pool.

    trans-to-ip-end

    Last IP address in the SNAT pool.

    Example

    FortiADC-VM # config firewall nat-snat

    FortiADC-VM (nat-snat) # edit fw-snat-example

    Add new entry 'fw-snat-example' for node 1941

    FortiADC-VM (fw-snat-example) # get

    from : 0.0.0.0/0

    to : 0.0.0.0/0

    out-interface :

    trans-to-type : ip

    trans-to-ip : 0.0.0.0

    traffic-group :

    status : enable

    FortiADC-VM (fw-snat-example) # set to 192.0.2.0/24

    FortiADC-VM (fw-snat-example) # set out-interface port5

    FortiADC-VM (fw-snat-example) # set trans-to-ip 192.0.2.10

    FortiADC-VM (fw-snat-example) # get

    from : 0.0.0.0/0

    to : 192.0.2.0/24

    out-interface : port5

    trans-to-type : ip

    trans-to-ip : 192.0.2.10

    traffic-group :

    status : enable

    FortiADC-VM (fw-snat-example) # end

    Previous
    Next

    config firewall nat-snat

    config firewall nat-snat

    Use this command to configure source NAT (SNAT) rules.

    You use SNAT when clients have IP addresses from private networks. This ensures you do not have multiple sessions from different clients with source IP 192.168.1.1, for example. Or, you can map all client traffic to a single source IP address because a source address from a private network is not meaningful to the FortiADC system or backend servers.

    The system maintains this NAT table and performs the inverse translation when it receives the server-to-client traffic. Be sure to configure the backend servers to use the FortiADC address as the default gateway so that server responses are also rewritten by the NAT module.

    Note: This SNAT feature is not supported for traffic to virtual servers. Use the virtual server SNAT feature instead.

    Before you begin:

    • You must have read-write permission for firewall settings.

    Syntax

    config firewall nat-snat

    edit <name>

    set from <ip&netmask>

    set out-interface <datasource>

    set status {enable | disable}

    set to <ip&netmask>

    set traffic-group <datasource>

    set trans-to-type {ip | pool | no-nat}

    set trans-to-ip <class_ip>

    set trans-to-ip-start <class_ip>

    set trans-to-ip-end <class_ip>

    next

    end

    from

    Address/mask notation to match the source IP address in the packet header. 0.0.0.0/0 matches all IP addresses.

    out-interface

    Interface that forwards traffic.
    status

    Enable or disable SNAT status.

    to

    Address/mask notation to match the destination IP address in the packet header. For example, 192.0.2.0/24.
    traffic-group

    Specify a traffic group configuration object.

    trans-to-type
    • ip—Specify to translate the source IP to a single specified address.
    • pool—Specify to translate the source IP to the next address in a pool.
    • no-nat—Specify for no translation.

    trans-to-ip

    Specify an IPv4 address. The source IP address in the packet header will be translated to this address.

    trans-to-ip-start

    First IP address in the SNAT pool.

    trans-to-ip-end

    Last IP address in the SNAT pool.

    Example

    FortiADC-VM # config firewall nat-snat

    FortiADC-VM (nat-snat) # edit fw-snat-example

    Add new entry 'fw-snat-example' for node 1941

    FortiADC-VM (fw-snat-example) # get

    from : 0.0.0.0/0

    to : 0.0.0.0/0

    out-interface :

    trans-to-type : ip

    trans-to-ip : 0.0.0.0

    traffic-group :

    status : enable

    FortiADC-VM (fw-snat-example) # set to 192.0.2.0/24

    FortiADC-VM (fw-snat-example) # set out-interface port5

    FortiADC-VM (fw-snat-example) # set trans-to-ip 192.0.2.10

    FortiADC-VM (fw-snat-example) # get

    from : 0.0.0.0/0

    to : 192.0.2.0/24

    out-interface : port5

    trans-to-type : ip

    trans-to-ip : 192.0.2.10

    traffic-group :

    status : enable

    FortiADC-VM (fw-snat-example) # end

    Previous
    Next