Policy NAT vs Central NAT mode
There are two NAT modes in FortiGate: policy NAT mode and central NAT mode. In policy NAT mode, which is the FortiGate default, NAT is configured inside each firewall policy. Central NAT mode separates NAT and policies into two independent modules, so policies do not reference NAT objects.
FortiConverter provides the option Enable Central NAT merge to control the NAT mode used when converting some third-party vendors, and the recommended mode depends on the vendor of the source configuration. Selecting the recommended mode for a vendor makes the NAT conversion more straightforward: the NAT objects in the converted configuration stay close to those in the source, so the number of policies and NAT objects does not change much and the conversion result is easier to review.
In Juniper SSG and Forcepoint Sidewinder, NAT is configured inside firewall policies, much like policy NAT mode, so the option is disabled by default. WatchGuard allows NAT to be configured both inside policies and in an independent list at the same time; currently, FortiConverter only converts it into policy NAT mode.
In Cisco, Check Point, Juniper SRX, Palo Alto, SonicWALL, Sophos, Huawei, and Forcepoint Stonesoft, NAT and policies are configured separately, so the option is enabled by default. Converting these vendors into policy NAT mode instead may greatly increase the number of policies, because FortiConverter applies the "NAT merge" process to match the traffic of each NAT against each policy. Where the traffic overlaps, extra policies are created to carry the NAT behaviour, and the result can be two to three times as many policies as the source. For more details about NAT merge, see the examples in Check Point and Cisco. To avoid reviewing a much larger policy list, central NAT mode should be the first choice for these vendors.
However, in central NAT mode FortiGate does not allow dynamic NAT rules to translate a single internal address into different external addresses depending on the service. For example, if the source configuration has two dynamic NATs, one translating 10.10.10.1 with HTTP into 20.10.10.1 and the other translating 10.10.10.1 with SMTP into 20.10.10.2, there is no way to distinguish them under central NAT mode. If the source configuration contains many such dynamic NATs, select policy NAT mode instead.
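The two decision points above (whether any internal address is translated differently per service, and how much the policy list grows under NAT merge) can be checked before running a conversion. The following script is an added example and is not FortiConverter code: it models source dynamic NAT rules and policies as small Python objects, flags service-based translations that central NAT mode cannot express, and runs a deliberately simplified version of the NAT merge idea to estimate policy growth. The rule shapes, the helper names, and the sample data are assumptions constructed for illustration, and the merge is a model of the concept rather than FortiConverter's own algorithm.

```python
"""Pre-conversion NAT mode check.

Added example, not FortiConverter code. It models a source configuration as
plain dynamic NAT rules and firewall policies and answers two questions:

  1. Does any internal address get a different external address depending on
     the service?  Central NAT mode cannot express that, so policy NAT mode
     is the safer choice.
  2. How many policies would a simplified "NAT merge" produce in policy NAT
     mode?  Each policy is split so that every resulting policy carries at
     most one NAT, which is where the growth in the policy count comes from.

The merge here is a simplified model of the idea, not FortiConverter's own
algorithm. Rule shapes and the sample data are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ANY = "any"


@dataclass(frozen=True)
class DynamicNat:
    src: str          # internal address the rule matches
    service: str      # service the rule matches, or ANY
    translated: str   # external address the source is translated to


@dataclass(frozen=True)
class Policy:
    src: str
    service: str
    nat: Optional[str] = None   # external address applied, None = no NAT


def service_split_conflicts(nats: List[DynamicNat]) -> Dict[str, Set[Tuple[str, str]]]:
    """Map each internal address whose translation depends on the service to
    its (service, external) pairs. Non-empty result => prefer policy NAT mode."""
    by_src: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for n in nats:
        by_src[n.src].add((n.service, n.translated))
    return {src: pairs for src, pairs in by_src.items()
            if len({ext for _, ext in pairs}) > 1}


def _overlaps(p: Policy, n: DynamicNat) -> bool:
    """True when some traffic matches both the policy and the NAT rule."""
    return (ANY in (p.src, n.src) or p.src == n.src) and \
           (ANY in (p.service, n.service) or p.service == n.service)


def _covers(p: Policy, n: DynamicNat) -> bool:
    """True when an overlapping NAT rule matches all of the policy's traffic."""
    return (n.src == ANY or p.src != ANY) and (n.service == ANY or p.service != ANY)


def nat_merge(policies: List[Policy], nats: List[DynamicNat]) -> List[Policy]:
    """Simplified NAT merge for policy NAT mode.

    A policy overlapping k NAT rules becomes k narrowed policies, one per NAT,
    followed by the original (no-NAT) policy if no single NAT covered all of
    its traffic. FortiGate matches policies top-down, so the narrowed
    policies are emitted first."""
    merged: List[Policy] = []
    for p in policies:
        hits = [n for n in nats if _overlaps(p, n)]
        if not hits:
            merged.append(p)
            continue
        for n in hits:
            merged.append(Policy(src=p.src if p.src != ANY else n.src,
                                 service=p.service if p.service != ANY else n.service,
                                 nat=n.translated))
        if not any(_covers(p, n) for n in hits):
            merged.append(Policy(src=p.src, service=p.service, nat=None))
    return merged


def recommend_mode(policies: List[Policy], nats: List[DynamicNat]) -> Tuple[str, float]:
    """Return (recommended mode, policy growth factor under policy NAT mode)."""
    growth = len(nat_merge(policies, nats)) / len(policies)
    if service_split_conflicts(nats):
        return "policy", growth      # central mode cannot express these NATs
    return "central", growth         # avoid the merged policy growth


# Constructed sample data: the two service-based NATs from the text plus a
# small policy set that overlaps them.
NATS = [
    DynamicNat("10.10.10.1", "HTTP", "20.10.10.1"),
    DynamicNat("10.10.10.1", "SMTP", "20.10.10.2"),
]
POLICIES = [
    Policy("10.10.10.1", ANY),   # all traffic from the host
    Policy(ANY, "HTTP"),         # web traffic from anyone
    Policy("10.10.10.2", ANY),   # unrelated host, no NAT applies
]

if __name__ == "__main__":
    for src, pairs in service_split_conflicts(NATS).items():
        print(f"{src} translates differently per service: {sorted(pairs)}")
    for p in nat_merge(POLICIES, NATS):
        print(p)
    print(recommend_mode(POLICIES, NATS))
```

With the sample data the three source policies become six after the merge (a growth factor of 2.0), and the per-service translation of 10.10.10.1 is reported, so the script recommends policy NAT mode. Replacing the two NATs with a single service-independent rule drops the growth to 4/3 and the recommendation switches to central NAT mode, which is the trade-off the text describes.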
The following table shows the difference between the 2 NAT modes:
| | Policy NAT mode | Central NAT mode |
|---|---|---|
| Description | NATs are configured in policies. | NATs and policies are separated. |
| Related categories for dynamic NAT | config firewall ippool, config firewall policy | config firewall ippool, config firewall central-snat-map |
| Related categories for static NAT | config firewall vip, config firewall policy | config firewall vip |
| Recommended in vendors | Juniper SSG, Forcepoint Sidewinder, WatchGuard | Cisco, Check Point, Juniper SRX, Palo Alto, SonicWALL, Sophos, Huawei, Forcepoint Stonesoft |
| Supported in vendors | Cisco, Check Point, Juniper, Palo Alto, SonicWALL, Sophos, WatchGuard, Forcepoint | Cisco, Check Point, Juniper, Palo Alto, SonicWALL, Sophos, Huawei, Forcepoint |
| Allow dynamic NAT based on services | Yes | No |
| May greatly increase the number of policies | Yes for Cisco, Check Point, Juniper SRX, Palo Alto, SonicWALL, Sophos, Huawei and Forcepoint Stonesoft | No |
For more information about central NAT mode, refer to the FortiOS 7.2.4 administration guide:
Central SNAT:
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/421028/central-snat
Central DNAT:
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/448790/central-dnat