
Add interface for NAT46 and NAT64 to simplify policy and routing configurations

Add interface for NAT46 and NAT64 to simplify policy and routing configurations

This update simplifies policy and routing configuration for NAT46 and NAT64 by adding a NAT tunnel interface and new options in the firewall vip/vip6 and firewall policy settings. The policy46 and policy64 settings have been merged into policy, and vip46 and vip64 into vip and vip6 respectively. Most firewall policy options can now be used in policies that have the NAT46 or NAT64 option enabled.

Upgrading

When upgrading from FortiOS 6.4.x or 7.0.0 to 7.0.1 and later, the old vip46, vip64, policy46, policy64, nat64, and gui-nat46-64 configurations are removed, together with all objects defined in them. They are not migrated automatically.

The following CLI commands have been removed:

  • config firewall vip46
  • config firewall vip64
  • config firewall policy46
  • config firewall policy64
  • config system nat64
  • set gui-nat46-64 {enable | disable} (under config system settings)

The following GUI pages have been removed:

  • Policy & Objects > NAT46 Policy

  • Policy & Objects > NAT64 Policy

  • The NAT46 and NAT64 VIP category options on the Policy & Objects > Virtual IPs pages

Note

During the upgrade process after the FortiGate reboots, the following message is displayed:

The config file may contain errors,
Please see details by the command 'diagnose debug config-error-log read'

The following output is displayed after running the diagnose command:

# diagnose debug config-error-log read
>>> "config" "firewall" "policy64" @ root:command parse error (error -61)
>>> "config" "firewall" "policy46" @ root:command parse error (error -61)

Creating new policies

After upgrading from FortiOS 6.4.x or 7.0.0 to 7.0.1 and later, you must manually recreate the NAT46 and NAT64 VIPs, IP pools, and policies using the new options, because the removed objects are not migrated.

  • Create a NAT46 VIP under config firewall vip and enable the nat46 option.

  • Create a NAT64 VIP under config firewall vip6 and enable the nat64 option.

  • Create or modify an ippool6 and enable its nat46 option, or an ippool and enable its nat64 option.

  • Create a policy, enable the nat46 option, and apply the NAT46 VIP and the ippool6 to that policy.

  • Create a policy, enable the nat64 option, and apply the NAT64 VIP and the ippool to that policy.

  • Ensure that routing on the client and server sides matches the addresses of the new vip/vip6 and ippool/ippool6 objects.

Example configurations

vip46 object:

Old configuration

New configuration

config firewall vip46
    edit "test-vip46-1"
        set extip 10.1.100.155
        set mappedip 2000:172:16:200::55
    next
end
config firewall vip
    edit "test-vip46-1"
        set extip 10.1.100.150
        set nat44 disable
        set nat46 enable
        set extintf "port24"
        set ipv6-mappedip 2000:172:16:200::55
    next
end

ippool6 object:

Old configuration

New configuration

config firewall ippool6
    edit "test-ippool6-1"
        set startip 2000:172:16:201::155
        set endip 2000:172:16:201::155
    next
end
config firewall ippool6
    edit "test-ippool6-1"
        set startip 2000:172:16:201::155
        set endip 2000:172:16:201::155
        set nat46 enable
    next
end

NAT46 policy:

Old configuration

New configuration

config firewall policy46
    edit 1
        set srcintf "port24"
        set dstintf "port17"
        set srcaddr "all"
        set dstaddr "test-vip46-1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic enable
        set ippool enable
        set poolname "test-ippool6-1"
    next
end
config firewall policy
    edit 2
        set srcintf "port24"
        set dstintf "port17"
        set action accept
        set nat46 enable
        set srcaddr "all"
        set dstaddr "test-vip46-1"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ippool enable
        set poolname6 "test-ippool6-1"
    next
end

vip64 object:

Old configuration

New configuration

config firewall vip64
    edit "test-vip64-1"
        set extip 2000:10:1:100::155
        set mappedip 172.16.200.155
    next
end
config firewall vip6
    edit "test-vip64-1"
        set extip 2000:10:1:100::155
        set nat66 disable
        set nat64 enable
        set ipv4-mappedip 172.16.200.155
    next
end

ippool object:

Old configuration

New configuration

config firewall ippool
    edit "test-ippool4-1"
        set startip 172.16.201.155
        set endip 172.16.201.155
    next
end
config firewall ippool
    edit "test-ippool4-1"
        set startip 172.16.201.155
        set endip 172.16.201.155
        set nat64 enable
    next
end

NAT64 policy:

Old configuration

New configuration

config firewall policy64
    edit 1
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "test-vip64-1"
        set action accept
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname "test-ippool4-1"
    next
end
config firewall policy
    edit 1
        set srcintf "port24"
        set dstintf "port17"
        set action accept
        set nat64 enable
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "test-vip64-1"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ippool enable
        set poolname "test-ippool4-1"
    next
end

Add interface for NAT46 and NAT64 to simplify policy and routing configurations

This update simplifies policy and routing configuration for NAT46 and NAT64 by adding a NAT tunnel interface and new options in the firewall vip/vip6 and firewall policy settings. The policy46 and policy64 settings have been merged into policy, and vip46 and vip64 into vip and vip6 respectively. Most firewall policy options can now be used in policies that have the NAT46 or NAT64 option enabled.

Upgrading

When upgrading from FortiOS 6.4.x or 7.0.0 to 7.0.1 and later, the old vip46, vip64, policy46, policy64, nat64, and gui-nat46-64 configurations are removed, together with all objects defined in them. They are not migrated automatically.

The following CLI commands have been removed:

  • config firewall vip46
  • config firewall vip64
  • config firewall policy46
  • config firewall policy64
  • config system nat64
  • set gui-nat46-64 {enable | disable} (under config system settings)

The following GUI pages have been removed:

  • Policy & Objects > NAT46 Policy

  • Policy & Objects > NAT64 Policy

  • The NAT46 and NAT64 VIP category options on the Policy & Objects > Virtual IPs pages

Note

During the upgrade process after the FortiGate reboots, the following message is displayed:

The config file may contain errors,
Please see details by the command 'diagnose debug config-error-log read'

The following output is displayed after running the diagnose command:

# diagnose debug config-error-log read
>>> "config" "firewall" "policy64" @ root:command parse error (error -61)
>>> "config" "firewall" "policy46" @ root:command parse error (error -61)

Creating new policies

After upgrading from FortiOS 6.4.x or 7.0.0 to 7.0.1 and later, you must manually recreate the NAT46 and NAT64 VIPs, IP pools, and policies using the new options, because the removed objects are not migrated.

  • Create a NAT46 VIP under config firewall vip and enable the nat46 option.

  • Create a NAT64 VIP under config firewall vip6 and enable the nat64 option.

  • Create or modify an ippool6 and enable its nat46 option, or an ippool and enable its nat64 option.

  • Create a policy, enable the nat46 option, and apply the NAT46 VIP and the ippool6 to that policy.

  • Create a policy, enable the nat64 option, and apply the NAT64 VIP and the ippool to that policy.

  • Ensure that routing on the client and server sides matches the addresses of the new vip/vip6 and ippool/ippool6 objects.

Example configurations

vip46 object:

Old configuration

New configuration

config firewall vip46
    edit "test-vip46-1"
        set extip 10.1.100.155
        set mappedip 2000:172:16:200::55
    next
end
config firewall vip
    edit "test-vip46-1"
        set extip 10.1.100.150
        set nat44 disable
        set nat46 enable
        set extintf "port24"
        set ipv6-mappedip 2000:172:16:200::55
    next
end

ippool6 object:

Old configuration

New configuration

config firewall ippool6
    edit "test-ippool6-1"
        set startip 2000:172:16:201::155
        set endip 2000:172:16:201::155
    next
end
config firewall ippool6
    edit "test-ippool6-1"
        set startip 2000:172:16:201::155
        set endip 2000:172:16:201::155
        set nat46 enable
    next
end

NAT46 policy:

Old configuration

New configuration

config firewall policy46
    edit 1
        set srcintf "port24"
        set dstintf "port17"
        set srcaddr "all"
        set dstaddr "test-vip46-1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic enable
        set ippool enable
        set poolname "test-ippool6-1"
    next
end
config firewall policy
    edit 2
        set srcintf "port24"
        set dstintf "port17"
        set action accept
        set nat46 enable
        set srcaddr "all"
        set dstaddr "test-vip46-1"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ippool enable
        set poolname6 "test-ippool6-1"
    next
end

vip64 object:

Old configuration

New configuration

config firewall vip64
    edit "test-vip64-1"
        set extip 2000:10:1:100::155
        set mappedip 172.16.200.155
    next
end
config firewall vip6
    edit "test-vip64-1"
        set extip 2000:10:1:100::155
        set nat66 disable
        set nat64 enable
        set ipv4-mappedip 172.16.200.155
    next
end

ippool object:

Old configuration

New configuration

config firewall ippool
    edit "test-ippool4-1"
        set startip 172.16.201.155
        set endip 172.16.201.155
    next
end
config firewall ippool
    edit "test-ippool4-1"
        set startip 172.16.201.155
        set endip 172.16.201.155
        set nat64 enable
    next
end

NAT64 policy:

Old configuration

New configuration

config firewall policy64
    edit 1
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "test-vip64-1"
        set action accept
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname "test-ippool4-1"
    next
end
config firewall policy
    edit 1
        set srcintf "port24"
        set dstintf "port17"
        set action accept
        set nat64 enable
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "test-vip64-1"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ippool enable
        set poolname "test-ippool4-1"
    next
end