Fortinet white logo
Fortinet white logo

Cookbook

Central SNAT

Central SNAT

The central SNAT table enables you to define and control (with more granularity) the address translation performed by FortiGate. With the NAT table, you can define the rules for the source address or address group, and which IP pool the destination address uses.

While similar in functionality to IP pools where a single address is translated to an alternate address from a range of IP addresses, with IP pools there is no control over the translated port. When using the IP pool for source NAT, you can define a fixed port to ensure the source port number is unchanged. If no fixed port is defined, the port translation is randomly chosen by FortiGate. With the central NAT table, you have full control over both the IP address and port translation.

FortiGate reads the NAT rules from the top down until it hits a matching rule for the incoming address. This enables you to create multiple NAT policies that dictate which IP pool is used based on the source address. NAT policies can be rearranged within the policy list. NAT policies are applied to network traffic after a security policy.

The central SNAT table allows you to create, edit, delete, and clone central SNAT entries.

Central SNAT notes

  • The central NAT feature is not enabled by default.
  • If central NAT is enabled, the NAT option under IPv4 policies is skipped and SNAT must be done via central-snat-map. The IPv4 policy list and dialog boxes have messages and redirection links to show this information.
  • If NGFW mode is policy-based, then it is assumed that central NAT (specifically SNAT) is enabled implicitly.
  • The option to toggle NAT in central-snat-map policies has been added. Previously it was only shown in NGFW policy-based mode.
  • In the central SNAT policy dialog box, the port mapping fields for the original port have been updated to accept ranges.
  • If per VDOM NAT is enabled, NAT is skipped in firewall policy.
  • The central SNAT window contains a table of all the central SNAT policies.

Sample configuration

To enable or disable central SNAT using the CLI:
config system settings
   set central-nat [enable | disable]
end

When central NAT is enabled, Policy & Objects displays the Central SNAT section.

To create central SNAT using the GUI:
  1. In Policy & Objects > Central SNAT.

    The right pane displays a table of Central SNAT entries.

  2. To create a new entry, click Create New in the right pane.

    To edit an entry, double-click the policy you want to edit.

  3. To set the Incoming Interface, click + in that field.
  4. In the pane on the right, select an interface to add it.

    You can select multiple interfaces.

  5. To set the Outgoing Interface, click click + in that field.
  6. In the pane on the right, select an interface to add it.

    You can select multiple interfaces.

  7. To set the Source Address, click click + in that field.
  8. In the pane on the right, select an address to add it.

    You can select multiple addresses.

  9. To set the Destination Address, click click + in that field.
  10. In the pane on the right, select an address to add it.

    You can select multiple addresses.

  11. In NAT > IP Pool Configuration, select either Use Outgoing Interface Address or Use Dynamic IP Pool.

    If you select Use Dynamic IP Pool, click + and select which IP pool to use.

  12. Select one of the following Protocol parameters.
    • ANY. Use any protocol traffic.
    • TCP. Use TCP traffic only. Protocol number is set to 6.
    • UDP. Use UDP traffic only. Protocol number is set to 17.
    • SCTP. Use SCTP traffic only. Protocol number is set to 132.
    • Specify. You can specify the traffic filter protocol by setting the protocol number.
  13. If you use the Overload type of IP pool, you can enable Explicit Port Mapping.
    1. If you enable Explicit Port Mapping, set the Original Source Port to the start number of the source port range.
    2. Set the Translated Port to the start number of the translated port range.
  14. Click OK.
To configure central SNAT using the CLI:
config firewall central-snat-map
edit <policyID number>set status [enable|disable]
  set orig-addr <valid address object preconfigured on the FortiGate>
  set srcintf <name of interface on the FortiGate>
  set dst-addr <valid address object preconfigured on the FortiGate>
  set dstintf <name of interface on the FortiGate>
  set protocol <integer for protocol number>
  set orig-port <integer for original port number>
  set nat-port <integer for translated port number>
  set comments <string>
end
To set NAT to be not available regardless of NGFW mode:
config firewall central-snat-map
    edit 1
        set orig-addr "192-86-1-86"
        set srcintf "port23"
        set dst-addr "192-96-1-96"
        set dstintf "port22"
        set nat-ippool "pool1"
        set protocol 17
        set orig-port 2896-2897
        set nat enable 
    next
end
To hide NAT port if NAT IP pool is not set or if NAT is disabled:
config firewall central-snat-map
    edit 1
        set orig-addr "192-86-1-86"
        set srcintf "port23"
        set dst-addr "192-96-1-96"
        set dstintf "port22"
        set nat-ippool "pool1"
        set protocol 17
        set orig-port 2896-2897
        set nat disable
    next
end
To change original port to accept range:
config firewall central-snat-map
    edit 1
        set orig-addr "192-86-1-86"
        set srcintf "port23"
        set dst-addr "192-96-1-96"
        set dstintf "port22"
        set nat-ippool "pool1"
        set protocol 17
        set orig-port 2896-2897 (help text changed to: Original port or port range).
        set nat-port 35804-35805
    next
end

Central SNAT

Central SNAT

The central SNAT table enables you to define and control (with more granularity) the address translation performed by FortiGate. With the NAT table, you can define the rules for the source address or address group, and which IP pool the destination address uses.

While similar in functionality to IP pools where a single address is translated to an alternate address from a range of IP addresses, with IP pools there is no control over the translated port. When using the IP pool for source NAT, you can define a fixed port to ensure the source port number is unchanged. If no fixed port is defined, the port translation is randomly chosen by FortiGate. With the central NAT table, you have full control over both the IP address and port translation.

FortiGate reads the NAT rules from the top down until it hits a matching rule for the incoming address. This enables you to create multiple NAT policies that dictate which IP pool is used based on the source address. NAT policies can be rearranged within the policy list. NAT policies are applied to network traffic after a security policy.

The central SNAT table allows you to create, edit, delete, and clone central SNAT entries.

Central SNAT notes

  • The central NAT feature is not enabled by default.
  • If central NAT is enabled, the NAT option under IPv4 policies is skipped and SNAT must be done via central-snat-map. The IPv4 policy list and dialog boxes have messages and redirection links to show this information.
  • If NGFW mode is policy-based, then it is assumed that central NAT (specifically SNAT) is enabled implicitly.
  • The option to toggle NAT in central-snat-map policies has been added. Previously it was only shown in NGFW policy-based mode.
  • In the central SNAT policy dialog box, the port mapping fields for the original port have been updated to accept ranges.
  • If per VDOM NAT is enabled, NAT is skipped in firewall policy.
  • The central SNAT window contains a table of all the central SNAT policies.

Sample configuration

To enable or disable central SNAT using the CLI:
config system settings
   set central-nat [enable | disable]
end

When central NAT is enabled, Policy & Objects displays the Central SNAT section.

To create central SNAT using the GUI:
  1. In Policy & Objects > Central SNAT.

    The right pane displays a table of Central SNAT entries.

  2. To create a new entry, click Create New in the right pane.

    To edit an entry, double-click the policy you want to edit.

  3. To set the Incoming Interface, click + in that field.
  4. In the pane on the right, select an interface to add it.

    You can select multiple interfaces.

  5. To set the Outgoing Interface, click click + in that field.
  6. In the pane on the right, select an interface to add it.

    You can select multiple interfaces.

  7. To set the Source Address, click click + in that field.
  8. In the pane on the right, select an address to add it.

    You can select multiple addresses.

  9. To set the Destination Address, click click + in that field.
  10. In the pane on the right, select an address to add it.

    You can select multiple addresses.

  11. In NAT > IP Pool Configuration, select either Use Outgoing Interface Address or Use Dynamic IP Pool.

    If you select Use Dynamic IP Pool, click + and select which IP pool to use.

  12. Select one of the following Protocol parameters.
    • ANY. Use any protocol traffic.
    • TCP. Use TCP traffic only. Protocol number is set to 6.
    • UDP. Use UDP traffic only. Protocol number is set to 17.
    • SCTP. Use SCTP traffic only. Protocol number is set to 132.
    • Specify. You can specify the traffic filter protocol by setting the protocol number.
  13. If you use the Overload type of IP pool, you can enable Explicit Port Mapping.
    1. If you enable Explicit Port Mapping, set the Original Source Port to the start number of the source port range.
    2. Set the Translated Port to the start number of the translated port range.
  14. Click OK.
To configure central SNAT using the CLI:
config firewall central-snat-map
edit <policyID number>set status [enable|disable]
  set orig-addr <valid address object preconfigured on the FortiGate>
  set srcintf <name of interface on the FortiGate>
  set dst-addr <valid address object preconfigured on the FortiGate>
  set dstintf <name of interface on the FortiGate>
  set protocol <integer for protocol number>
  set orig-port <integer for original port number>
  set nat-port <integer for translated port number>
  set comments <string>
end
To set NAT to be not available regardless of NGFW mode:
config firewall central-snat-map
    edit 1
        set orig-addr "192-86-1-86"
        set srcintf "port23"
        set dst-addr "192-96-1-96"
        set dstintf "port22"
        set nat-ippool "pool1"
        set protocol 17
        set orig-port 2896-2897
        set nat enable 
    next
end
To hide NAT port if NAT IP pool is not set or if NAT is disabled:
config firewall central-snat-map
    edit 1
        set orig-addr "192-86-1-86"
        set srcintf "port23"
        set dst-addr "192-96-1-96"
        set dstintf "port22"
        set nat-ippool "pool1"
        set protocol 17
        set orig-port 2896-2897
        set nat disable
    next
end
To change original port to accept range:
config firewall central-snat-map
    edit 1
        set orig-addr "192-86-1-86"
        set srcintf "port23"
        set dst-addr "192-96-1-96"
        set dstintf "port22"
        set nat-ippool "pool1"
        set protocol 17
        set orig-port 2896-2897 (help text changed to: Original port or port range).
        set nat-port 35804-35805
    next
end