Administration Guide

NAT policies

Use NAT46 policies for IPv6 environments where you want to expose certain services to the public IPv4 Internet. You must configure a virtual IP to permit access.

Use NAT64 policies to perform network address translation (NAT) between an internal IPv6 network and an external IPv4 network.

The NAT46 Policy tab allows you to create, edit, delete, and clone NAT46 policies. The NAT64 Policy tab allows you to create, edit, delete, and clone NAT64 policies.

On the Policy & Objects pane, from the Tools menu, select Display Options, and then select the NAT46 Policy and NAT64 Policy checkboxes to display these options.

To create a NAT46 or NAT64 policy:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package, click NAT46 Policy or NAT64 Policy.
  4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Policy pane opens.
  5. Configure the following settings, then click OK to create the policy:

    Incoming Interface

    Click the field, then select interfaces from the Object Selector frame, or drag and drop the address from the object pane.

    Outgoing Interface

    Select outgoing interfaces.

    Source Address

    Select source addresses.

    Destination Address

    Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    Service

    Select services and service groups.

    Schedule

    Select schedules (one-time or recurring) and schedule groups.

    Action

    Select an action for the policy to take: ACCEPT or DENY.

    Log Allowed Traffic

    Select to log allowed traffic.

    NAT

    NAT is enabled by default for this policy type when the Action is ACCEPT.

    Use Destination Interface Address is selected by default. Select Fixed Port if required.

    Dynamic IP Pool

    Select to use dynamic IP pools. Select Fixed Port if required, and the IP Pool Name from the available IP pool objects.

    This option is only available for NAT64 policies.

    Traffic Shaping

    Select traffic shapers.

    This option is available if the Action is ACCEPT.

    Reverse Traffic Shaping

    Select traffic shapers.

    This option is available if at least one forward traffic shaper is selected.

    Per-IP Traffic Shaping

    Select per-IP traffic shapers.

    This option is available if the Action is ACCEPT.

    Description

    Add a description of the policy, such as its purpose, or the changes that have been made to it.

    Advanced Options

    ippool

    Enable IP pools. This option is only available for NAT46 policies.

    permit-any-host

    Enable to accept UDP packets from any host.

    poolname

    Select a firewall IP pool from the dropdown list (default = None). This option is only available for NAT46 policies.

    tcp-mss-receiver

    Enter a value for the receiver’s TCP MSS.

    tcp-mss-sender

    Enter a value for the sender’s TCP MSS.
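
A review pass over the settings above, as an added example (not Fortinet code and not a FortiManager API or export format). It flags ACCEPT policies without Log Allowed Traffic, policies with permit-any-host enabled, NAT46 ACCEPT policies whose destination is not a virtual IP, and ippool enabled with poolname left at None. The dict layout, key names such as `log-allowed-traffic`, and all sample values are constructed for illustration.

```python
# Added example: review checks over NAT46/NAT64 policy settings.
# The dict layout and every sample value are constructed; this is not a
# FortiManager export format or API.

def review_policy(policy, vip_names):
    """Return a sorted list of finding codes for one policy dict."""
    findings = set()
    accept = policy.get("action", "").upper() == "ACCEPT"
    # Accepted traffic that is not logged leaves no record to investigate.
    if accept and not policy.get("log-allowed-traffic", False):
        findings.add("accept-without-log")
    # permit-any-host accepts UDP packets from any host; flag for review.
    if policy.get("permit-any-host", False):
        findings.add("permit-any-host")
    if policy.get("type") == "nat46":
        # NAT46 access is permitted through a virtual IP, so each destination
        # on an ACCEPT policy should be a known VIP or VIP group object.
        if accept and any(d not in vip_names for d in policy.get("dstaddr", [])):
            findings.add("nat46-dst-not-vip")
        # ippool enabled while poolname is still at its default of None.
        if policy.get("ippool", False) and not policy.get("poolname"):
            findings.add("ippool-without-poolname")
    return sorted(findings)


def review_package(policies, vip_names):
    """Map policy name -> findings, omitting policies with no findings."""
    results = {p["name"]: review_policy(p, vip_names) for p in policies}
    return {name: found for name, found in results.items() if found}


# Constructed sample data.
VIPS = {"vip46-web"}
POLICIES = [
    {"name": "nat46-web", "type": "nat46", "action": "ACCEPT",
     "log-allowed-traffic": True, "dstaddr": ["vip46-web"],
     "ippool": True, "poolname": "pool6-a"},
    {"name": "nat46-dns", "type": "nat46", "action": "ACCEPT",
     "log-allowed-traffic": False, "dstaddr": ["all"],
     "permit-any-host": True, "ippool": True, "poolname": None},
    {"name": "nat64-out", "type": "nat64", "action": "ACCEPT",
     "log-allowed-traffic": False, "dstaddr": ["all"]},
    {"name": "nat64-block", "type": "nat64", "action": "DENY",
     "log-allowed-traffic": False, "dstaddr": ["all"]},
]

if __name__ == "__main__":
    print(review_package(POLICIES, VIPS))
```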
