23.1.0

Policy NAT vs Central NAT mode

There are two NAT modes in FortiGate: policy NAT mode and central NAT mode. Policy NAT mode, the default mode on FortiGate, requires NATs to be configured inside firewall policies. Central NAT mode separates NATs and policies into two independent modules, so policies do not reference NAT objects.

FortiConverter provides an option to control the NAT mode used when converting the configurations of some third-party vendors, and the recommended mode depends on the vendor of the source configuration. When the recommended mode for a vendor is selected, the NAT conversion is more straightforward: the NATs in the converted configuration closely resemble those in the source. As a result, the number of policies and NAT objects does not change much, and the conversion result is easier to review.

In Juniper SSG and Forcepoint Sidewinder, NATs are configured inside firewall policies, which is similar to policy NAT mode. Therefore, policy NAT mode is recommended. WatchGuard allows NATs to be configured both inside policies and in an independent list at the same time. Currently, FortiConverter converts WatchGuard configurations only into policy NAT mode.

In Cisco, Check Point, Juniper SRX, Palo Alto, SonicWALL, Sophos, Huawei, and Forcepoint Stonesoft, NATs and policies are configured separately. Therefore, central NAT mode is recommended. In contrast, the number of policies may increase greatly when these vendors are converted into policy NAT mode, because FortiConverter applies the "NAT merge" process to match the traffic of each NAT against each policy, and it may create extra policies to reproduce the NAT behavior wherever the traffic overlaps. It is possible to end up with two or three times as many policies after the NAT merge. For more details about NAT merge, see the examples in the Check Point and Cisco sections. To avoid having to review a much larger policy list, central NAT mode should be the first choice for these vendors.

However, in central NAT mode, FortiGate does not allow dynamic NAT rules to translate a single internal address into different external addresses based on different services. For example, if there are two dynamic NATs in the source configuration, one translating 10.10.10.1 with HTTP into 20.10.10.1 and the other translating 10.10.10.1 with SMTP into 20.10.10.2, then there is no way to distinguish these NATs under central NAT mode. If the source configuration contains many such dynamic NATs, select policy NAT mode instead.
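The two-service case above, written out as FortiOS CLI for both modes. This is an added illustration, not FortiConverter output or text from this page; the interface names "internal" and "wan1" and the address object "host-10.10.10.1" (standing for 10.10.10.1) are assumptions.

```text
# Policy NAT mode: the service is part of the policy, so each service can carry its own IP pool
config firewall ippool
    edit "pool-http"
        set type overload
        set startip 20.10.10.1
        set endip 20.10.10.1
    next
    edit "pool-smtp"
        set type overload
        set startip 20.10.10.2
        set endip 20.10.10.2
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "host-10.10.10.1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat enable
        set ippool enable
        set poolname "pool-http"
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "host-10.10.10.1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
        set ippool enable
        set poolname "pool-smtp"
    next
end
# Central NAT mode: the SNAT map has no destination-service selector, so one entry covers both flows and "pool-smtp" is never used
config firewall central-snat-map
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set orig-addr "host-10.10.10.1"
        set dst-addr "all"
        set nat-ippool "pool-http"
    next
end
```

In central NAT mode the firewall policies for HTTP and SMTP still exist, but they carry no NAT settings; the translation is decided solely by the central-snat-map entry that matches the flow.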

The following table shows the difference between the two NAT modes:

Description
    Policy NAT mode:  NATs are configured in policies.
    Central NAT mode: NATs and policies are separated.

Related categories for dynamic NAT
    Policy NAT mode:  config firewall ippool, config firewall policy
    Central NAT mode: config firewall ippool, config firewall central-snat-map

Related categories for static NAT
    Policy NAT mode:  config firewall vip, config firewall policy
    Central NAT mode: config firewall vip

Recommended in vendors
    Policy NAT mode:  Juniper SSG, Forcepoint Sidewinder, WatchGuard
    Central NAT mode: Cisco, Check Point, Juniper SRX, Palo Alto, SonicWALL, Sophos, Huawei, Forcepoint Stonesoft

Supported in vendors
    Policy NAT mode:  Cisco, Check Point, Juniper, Palo Alto, SonicWALL, Sophos SG, WatchGuard, Forcepoint
    Central NAT mode: Cisco, Check Point, Juniper, Palo Alto, SonicWALL, Sophos, Huawei, Forcepoint

Allow dynamic NAT based on services
    Policy NAT mode:  Yes
    Central NAT mode: No

May excessively increase the number of policies
    Policy NAT mode:  Yes for Cisco, Check Point, Juniper SRX, Palo Alto, SonicWALL, Sophos SG, Huawei and Forcepoint Stonesoft
    Central NAT mode: No

For more information about central NAT mode, refer to the links below (FortiOS 7.2.4 documentation):

Central SNAT:

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/421028/central-snat

Central DNAT:

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/448790/central-dnat