Central SNAT

The central SNAT table lets you define and control, with finer granularity, the source address translation that FortiGate performs. In the NAT table, you define rules that match a source address or address group and specify which IP pool is used for a given destination address.

IP pools are similar in function, translating a single address to an alternate address from a range of IP addresses, but with IP pools there is no control over the translated port: when an IP pool is used for source NAT, you can define a fixed port so that the source port number is unchanged, and if no fixed port is defined FortiGate chooses the translated port at random. With the central NAT table, you have full control over both the IP address and the port translation.

FortiGate evaluates the NAT rules from the top down and applies the first rule that matches the incoming address. This lets you create multiple NAT policies that select an IP pool based on the source address. NAT policies can be rearranged within the policy list, and they are applied to network traffic after the security policy.

The central SNAT table allows you to create, edit, delete, and clone central SNAT entries.
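The top-down, first-match evaluation described above is easy to get wrong when a broad entry sits above a narrower one, which is the main reason entry order matters. The following is an added example, not FortiOS code or syntax: a constructed Python model of a central SNAT table (interface, pool and address values are made up) that applies the first matching entry and includes an audit check for entries that can never win.

```python
import ipaddress
import random
# Constructed model of a central SNAT table (added example, not FortiOS syntax). It
# reproduces only what the page describes: entries are read top-down and the first
# match picks the IP pool and the port translation (kept, from a range, or random).

def _in_nets(ip, nets):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def rule_matches(rule, flow):
    """Match on incoming/outgoing interface, source, destination and original-port range."""
    lo, hi = rule.get("orig_ports", (1, 65535))
    return (rule["src_intf"] in ("any", flow["src_intf"])
            and rule["dst_intf"] in ("any", flow["dst_intf"])
            and _in_nets(flow["src_ip"], rule["src"]) and _in_nets(flow["dst_ip"], rule["dst"])
            and lo <= flow["sport"] <= hi)

def translate(table, flow, rng=random):
    """First matching entry wins. Returns (entry name, pool, translated port) or None."""
    for rule in table:
        if not rule_matches(rule, flow):
            continue
        if rule.get("fixed_port"):            # keep the original source port
            port = flow["sport"]
        elif "nat_ports" in rule:             # translate into the configured port range
            port = rng.randint(*rule["nat_ports"])
        else:                                 # no fixed port: the translated port is random
            port = rng.randint(1024, 65535)
        return rule["name"], rule["pool"], port
    return None                               # nothing matched: no central SNAT applied

def shadowed_rules(table, flows):
    """Audit check: entries that never win for any sample flow (a broader entry above them wins first)."""
    hit = {res[0] for res in (translate(table, f) for f in flows) if res}
    return [r["name"] for r in table if r["name"] not in hit]

# Constructed sample table and flows (interface, pool and address values are made up).
SNAT_TABLE = [
    {"name": "lan-any", "src_intf": "port2", "dst_intf": "port1",
     "src": ["10.0.0.0/8"], "dst": ["0.0.0.0/0"], "pool": "pool-general"},
    {"name": "web-srv-fixed", "src_intf": "port2", "dst_intf": "port1",   # shadowed by lan-any
     "src": ["10.0.5.10/32"], "dst": ["0.0.0.0/0"], "pool": "pool-web", "fixed_port": True},
    {"name": "dmz-range", "src_intf": "port3", "dst_intf": "port1", "src": ["172.16.0.0/24"],
     "dst": ["0.0.0.0/0"], "orig_ports": (80, 443), "pool": "pool-dmz", "nat_ports": (20000, 20999)},
]
SAMPLE_FLOWS = [
    {"src_intf": "port2", "dst_intf": "port1", "src_ip": "10.1.2.3", "dst_ip": "203.0.113.9", "sport": 51000},
    {"src_intf": "port2", "dst_intf": "port1", "src_ip": "10.0.5.10", "dst_ip": "203.0.113.9", "sport": 44321},
    {"src_intf": "port3", "dst_intf": "port1", "src_ip": "172.16.0.7", "dst_ip": "203.0.113.9", "sport": 443},
]
```

Running `shadowed_rules(SNAT_TABLE, SAMPLE_FLOWS)` reports `web-srv-fixed` because the broader `lan-any` entry above it always matches first; moving the narrower entry above it, as the GUI allows by rearranging the policy list, resolves the shadowing.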

Central SNAT notes

  • The central NAT feature is not enabled by default.
  • If central NAT is enabled, the NAT option under IPv4 policies is skipped and SNAT must be done via central-snat-map. The firewall policy list and dialog boxes have messages and redirection links to show this information.
  • If NGFW mode is policy-based, then it is assumed that central NAT (specifically SNAT) is enabled implicitly.
  • The option to toggle NAT in central-snat-map policies has been added. Previously it was only shown in NGFW policy-based mode.
  • In the central SNAT policy dialog box, the port mapping fields for the original port have been updated to accept ranges.
  • If per-VDOM NAT is enabled, NAT is skipped in the firewall policy.
  • The central SNAT window contains a table of all the central SNAT policies.

Sample configuration

To enable or disable central SNAT using the CLI:
config system settings
   set central-nat {enable | disable}
end

When central NAT is enabled, Policy & Objects displays the Central SNAT section.

To create central SNAT using the GUI:
  1. Go to Policy & Objects > Central SNAT.

    The right pane displays a table of Central SNAT entries.

  2. To create a new entry, click Create New in the right pane.

    To edit an entry, double-click the policy you want to edit.

  3. To set the Incoming Interface, click + in that field.
  4. In the pane on the right, select an interface to add it.

    You can select multiple interfaces.

  5. To set the Outgoing Interface, click + in that field.
  6. In the pane on the right, select an interface to add it.

    You can select multiple interfaces.

  7. To set the Source Address, click + in that field.
  8. In the pane on the right, select an address to add it.

    You can select multiple addresses.

  9. To set the Destination Address, click + in that field.
  10. In the pane on the right, select an address to add it.

    You can select multiple addresses.

  11. In NAT > IP Pool Configuration, select either Use Outgoing Interface Address or Use Dynamic IP Pool.

    If you select Use Dynamic IP Pool, click + and select which IP