NAT merge options
For Check Point and Cisco PIX conversions, you can select which types of NAT configuration FortiConverter uses to generate output firewall policies, and whether FortiConverter matches NAT rules to policies by object name or by object value.
Because it can take FortiConverter several hours to complete a conversion that includes a large number of NAT rules, Fortinet recommends that you turn off NAT merge for all types of NAT for your initial conversion. Then, after you resolve any issues with the conversion, run it again at a convenient time with NAT merge enabled.
NAT merge depth
The FortiConverter NAT merge feature compares the firewall policy source and destination address with addresses in NAT rules. When these addresses overlap, FortiConverter uses the NAT rules to generate additional policies in the output configuration.
If a policy has an address with a large range, it can overlap with many NAT rules, which generates many NAT policies. Because output that includes a large number of NAT policies can be hard to review, FortiConverter provides NAT merge depth options that can reduce the number of NAT policies.
The merge depth options control both the type of NAT to merge and the scope of the merge:
- When you select Off for a type of NAT, FortiConverter doesn't perform NAT merge using NAT rules of that type. If it’s turned off for all types, the output conversion contains the converted source configuration policies only.
- When you select Object Names, FortiConverter generates policies based on NAT rules only where the address name the rules use is found in a policy. For Cisco PIX, this option can also match NAT rules and policies if they contain addresses that match exactly. For example, a source configuration NAT rule dynamically translates the object "address1" (IP 10.10.10.10) to "200.200.200.200". The source configuration also has three policies:
- policy1: source address is "address1"
- policy2: source address is "10.10.10.0-10.10.10.255"
- policy3: source address is "all"
Only policy1 matches the NAT rule, because it shares the address object name; policy2 and policy3 don't match because they don't reference the name "address1".
Cisco PIX allows you to use an IP address to configure a NAT rule instead of a name, for example a NAT rule that translates 10.10.10.10 to 200.200.200.200. When Object Names is selected, this NAT rule matches a policy with source address 10.10.10.10, even though neither refers to an object name, because they have exactly the same IP range. This is a useful option if you use supernet addresses that would otherwise match many address objects.
- When you select Object Values, FortiConverter generates policies based on NAT rules that have address values that fall anywhere in the range specified by a policy (overlap).
For the example above, when Object Values is selected, the NAT rule that translates the object "address1" (IP 10.10.10.10) to "200.200.200.200" matches policy2 and policy3 as well as policy1, because 10.10.10.10 falls inside the source address range of all three.
Object Values generates the most accurate matching of NAT rules and policies, but in most cases, it also generates more NAT policies.
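The following is an added example, not FortiConverter's own code, that models the three merge depth behaviours described above so you can predict how many NAT policies a given setting will generate before running a long conversion. Address objects, NAT rules and policies are constructed inline from the example on this page (address1, policy1 to policy3, and the Cisco PIX bare-IP rule); the mode names `off`, `names` and `values` and the `pix` flag are this example's own labels for the Off, Object Names and Object Values options, not FortiConverter identifiers.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Address:
    """An address object: optional object name plus an inclusive IPv4 range.
    name is None for a bare IP or range written into a rule/policy without an object."""
    name: Optional[str]
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

def addr(name: Optional[str], spec: str) -> Address:
    """Build an Address from 'a.b.c.d', 'a.b.c.d-e.f.g.h' or the keyword 'all'."""
    if spec == "all":
        lo, hi = "0.0.0.0", "255.255.255.255"
    elif "-" in spec:
        lo, hi = spec.split("-", 1)
    else:
        lo = hi = spec
    return Address(name, ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))

@dataclass(frozen=True)
class NatRule:
    original: Address      # address the rule translates
    translated: Address    # address it is translated to

@dataclass(frozen=True)
class Policy:
    name: str
    source: Address

def overlaps(a: Address, b: Address) -> bool:
    """True when the two inclusive ranges share at least one address (Object Values)."""
    return a.first <= b.last and b.first <= a.last

def exact(a: Address, b: Address) -> bool:
    """True when the two ranges are identical (PIX bare-IP match under Object Names)."""
    return a.first == b.first and a.last == b.last

def nat_matches(policy: Policy, rule: NatRule, mode: str, pix: bool = False) -> bool:
    """Decide whether a NAT rule is merged into a policy under the given merge depth."""
    if mode == "off":
        return False
    if mode == "names":
        # Match on the shared object name only ...
        if rule.original.name is not None and rule.original.name == policy.source.name:
            return True
        # ... except that Cisco PIX also matches when the IP ranges are exactly equal.
        return pix and exact(policy.source, rule.original)
    if mode == "values":
        return overlaps(policy.source, rule.original)
    raise ValueError(f"unknown merge mode {mode!r}")

def merge(policies: List[Policy], rules: List[NatRule], mode: str,
          pix: bool = False) -> List[Tuple[str, str]]:
    """Return the (policy name, translated address) pairs that NAT merge would emit."""
    out = []
    for p in policies:
        for r in rules:
            if nat_matches(p, r, mode, pix):
                out.append((p.name, str(r.translated.first)))
    return out

# Constructed from the page's example: address1 -> 200.200.200.200 and three policies.
ADDRESS1 = addr("address1", "10.10.10.10")
RULE = NatRule(ADDRESS1, addr(None, "200.200.200.200"))
POLICIES = [
    Policy("policy1", ADDRESS1),
    Policy("policy2", addr(None, "10.10.10.0-10.10.10.255")),
    Policy("policy3", addr("all", "all")),
]

# Constructed PIX case: the rule and the policy both use a bare IP, no object name.
PIX_RULE = NatRule(addr(None, "10.10.10.10"), addr(None, "200.200.200.200"))
PIX_POLICY = Policy("pix_policy", addr(None, "10.10.10.10"))

def matched_policies(mode: str) -> List[str]:
    """Names of the page's three policies that the address1 rule merges into under mode."""
    return [name for name, _ in merge(POLICIES, [RULE], mode)]

if __name__ == "__main__":
    for mode in ("off", "names", "values"):
        print(f"{mode:6s} -> {matched_policies(mode)}")
    print("pix names ->", merge([PIX_POLICY], [PIX_RULE], "names", pix=True))
```

The `values` mode is where the policy count explodes: a policy whose source is `all` overlaps every NAT rule in the configuration, so the output grows with the number of NAT rules rather than with the number of policies that actually reference them. Running the model over your own rule and policy lists in `values` mode gives a quick count of the NAT policies you will have to review before you commit to the long conversion.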