Fortinet black logo

Administration Guide

Home FortiGate / FortiOS 7.4.5 Administration Guide
7.4.5
7.6.0
7.4.5
7.4.4
7.4.3
7.4.2
7.4.1
7.4.0
7.2.10
7.2.9
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0

Destination NAT

Destination NAT

Network Address Translation (NAT) is the process that enables a single device, such as a router or firewall, to act as an agent between the internet or public network and a local or private network. This agent acts in real-time to translate the source or destination IP address of a client or server on the network interface. NAT can be subdivided into two types:

  • Source NAT (SNAT)

  • Destination NAT (DNAT)

This section is about DNAT. For information about SNAT, see Source NAT.

A virtual IP (VIP) maps external IP addresses to internal IP addresses for DNAT. See Configuring VIPs and Configuring VIP groups.

The following types of VIPs can be created:

Static VIP

A virtual IP that maps an IP address or range to another IP address or range. Custom settings can allow the VIP to be filtered by Source Address and/or services, so that the VIP only applies to the filtered traffic. See Static virtual IPs.

Static VIP with services

A virtual IP that defines services for a single port number mapping. See Virtual IP with services.

Static VIP with port forwarding

A virtual IP that hides the port number for an internal server or maps several internal servers to the same public IP address. See Virtual IPs with port forwarding.

FQDN-based VIP

A virtual IP mapped to an FQDN. See Configure FQDN-based VIPs.

Virtual server load balancing

A special type of virtual IP used to implement server load balancing. See Virtual server load balance.

Virtual IPs can also be used for server load balance multiplexing. See Virtual server load balance multiplexing.

Central DNAT

Where DNAT is configured by creating virtual IPs and selecting the VIPs in firewall policies, central NAT is not configured in the firewall policy.

Central NAT is enabled in System Settings. When enabled, the Policy & Objects tree displays the Central SNAT policy option. Use the Central SNAT policy to configure VIPs as separate objects. During use, FortiGate reads the enabled NAT rules from the top down, until it locates a matching rule. See Central DNAT.

See also Configuring PCP port mapping with SNAT and DNAT.

Previous
Next

Destination NAT

Destination NAT

Network Address Translation (NAT) is the process that enables a single device, such as a router or firewall, to act as an agent between the internet or public network and a local or private network. This agent acts in real-time to translate the source or destination IP address of a client or server on the network interface. NAT can be subdivided into two types:

  • Source NAT (SNAT)

  • Destination NAT (DNAT)

This section is about DNAT. For information about SNAT, see Source NAT.

A virtual IP (VIP) maps external IP addresses to internal IP addresses for DNAT. See Configuring VIPs and Configuring VIP groups.

The following types of VIPs can be created:

Static VIP

A virtual IP that maps an IP address or range to another IP address or range. Custom settings can allow the VIP to be filtered by Source Address and/or services, so that the VIP only applies to the filtered traffic. See Static virtual IPs.

Static VIP with services

A virtual IP that defines services for a single port number mapping. See Virtual IP with services.

Static VIP with port forwarding

A virtual IP that hides the port number for an internal server or maps several internal servers to the same public IP address. See Virtual IPs with port forwarding.

FQDN-based VIP

A virtual IP mapped to an FQDN. See Configure FQDN-based VIPs.

Virtual server load balancing

A special type of virtual IP used to implement server load balancing. See Virtual server load balance.

Virtual IPs can also be used for server load balance multiplexing. See Virtual server load balance multiplexing.

Central DNAT

Where DNAT is configured by creating virtual IPs and selecting the VIPs in firewall policies, central NAT is not configured in the firewall policy.

Central NAT is enabled in System Settings. When enabled, the Policy & Objects tree displays the Central SNAT policy option. Use the Central SNAT policy to configure VIPs as separate objects. During use, FortiGate reads the enabled NAT rules from the top down, until it locates a matching rule. See Central DNAT.

See also Configuring PCP port mapping with SNAT and DNAT.

Previous
Next