Central DNAT
The FortiGate unit checks the NAT table and determines if the destination IP address for incoming traffic must be changed using DNAT. DNAT is typically applied to traffic from the Internet that is going to be directed to a server on a network behind the FortiGate device. DNAT means the actual address of the internal network is hidden from the Internet. This step determines whether a route to the destination address actually exists.
DNAT must take place before routing so that the unit can route packets to the correct destination.
DNAT policies can be created, or imported from Virtual IP (VIP) objects. Virtual servers can also be imported from ADOM objects to DNAT policies. DNAT policies are automatically added to the VIP object table (Object Configurations > Firewall Objects > Virtual IPs) when they are created.
VIPs can be edited from either the DNAT or VIP object tables by double-clicking on the VIP, right-clicking on the VIP and selecting Edit, or selecting the VIP and clicking Edit in the toolbar. The network type cannot be changed. DNAT policies can also be copied, pasted, cloned, and moved from the right-click or Edit menus.
Deleting a DNAT policy does not delete the corresponding VIP object, and a VIP object cannot be deleted if it is in the DNAT table.
DNAT policies support overlapping IP address ranges; VIPs do not. DNAT policies do not support VIP groups.
Central DNAT does not support Section View.
Central NAT must be enabled when creating or editing the policy package for this option to be available in the tree menu. See Create new policy packages.
To create a new central DNAT entry:
- Ensure you are in the correct ADOM.
- Go to Policy & Objects > Policy Packages.
- In the tree menu for the policy package, click Central DNAT.
- Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Virtual IP pane opens.
- Configure the following settings, then click OK to create the VIP:
Name
Enter a unique name for the DNAT.
Comments
Optionally, enter comments about the DNAT, such as its purpose, or the changes that have been made to it.
Color
Select a color.
Interface
Select an interface.
Network Type
Select the network type: Static NAT, DNS Translation, or FQDN.
External IP Address/Range
Enter the start and end external IP addresses in the fields. If there is only one address, enter it in both fields.
This option is not available when the network type is FQDN.
Mapped IP Address/Range
Enter the mapped IP address.
This option is not available when the network type is FQDN.
External IP Address
Enter the external IP address.
This option is only available when the network type is FQDN.
Mapped Address
Select the mapped address.
This option is only available when the network type is FQDN.
Source Interface Filter
Select a source interface filter.
Optional Filters
Enable or disable optional filters.
Source Address
Add source IP, range, or subnet filters. Multiple filters can be added using the Add icon.
Services
Enable and add services.
Port Forwarding
Enable or disable port forwarding.
Protocol
Select the protocol: TCP, UDP, SCTP, or ICMP.
External Service Port
Enter the external service port.
This option is not available when Protocol is ICMP.
Map to Port
Enter the map to port.
This option is not available when Protocol is ICMP.
Enable ARP Reply
Select to enable ARP reply.
Add To Groups
Optionally, select groups to add the virtual IP to from the list.
Advanced Options
Configure advanced options; see Advanced options.
For more information on the advanced options, see the FortiOS CLI Reference.
Per-Device Mapping
Enable or disable per-device mapping.
If multiple imported VIP objects have the same name but different details, the object type will become Dynamic Virtual IP, and the per-device mappings will be listed here.
Mappings can also be manually added, edited, and deleted as needed.
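To make the matching order and the port-forwarding fields above concrete, here is an added Python model of a Central DNAT table (an illustration written for this page, not FortiGate or FortiManager code): a Static NAT entry maps each external address to the mapped address at the same offset within the range, port forwarding additionally matches protocol and External Service Port, and the first matching entry from the top wins, which is what lets overlapping ranges coexist in the DNAT table. The first-match ordering, the `lookup` helper, the `in_if` default and all addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network

@dataclass
class DnatEntry:
    """One Static NAT entry of the Central DNAT table; field names follow the GUI settings above."""
    name: str
    ext_start: IPv4Address          # External IP Address/Range (start)
    ext_end: IPv4Address            # External IP Address/Range (end; same as start for one host)
    mapped_start: IPv4Address       # Mapped IP Address/Range (start)
    interface: str = "any"          # Interface the VIP is bound to
    src_filter: list = field(default_factory=list)  # optional Source Address filters (networks)
    protocol: str = None            # Port Forwarding protocol: tcp/udp/sctp/icmp, None = off
    ext_port: int = None            # External Service Port (not used for icmp)
    mapped_port: int = None         # Map to Port (not used for icmp)

    def matches(self, in_if, src, dst, proto, dport):
        if self.interface not in ("any", in_if) or not self.ext_start <= dst <= self.ext_end:
            return False
        if self.src_filter and not any(src in net for net in self.src_filter):
            return False
        if self.protocol is None:            # plain static NAT: every protocol and port
            return True
        return proto == self.protocol and (proto == "icmp" or dport == self.ext_port)

    def translate(self, dst, dport):
        # Static NAT keeps the offset within the range: ext_start+k -> mapped_start+k
        new_dst = self.mapped_start + (int(dst) - int(self.ext_start))
        new_port = dport if self.protocol in (None, "icmp") else self.mapped_port
        return str(new_dst), new_port

def lookup(table, src, dst, proto, dport=None, in_if="wan1"):
    """Return (entry name, mapped dst, mapped port); first match top-down wins (assumed order)."""
    src, dst = ip_address(src), ip_address(dst)
    for entry in table:
        if entry.matches(in_if, src, dst, proto, dport):
            return (entry.name,) + entry.translate(dst, dport)
    return (None, str(dst), dport)           # no entry: packet is routed unchanged

def E(name, ext, mapped, **kw):              # constructor for the constructed sample below
    a, _, b = ext.partition("-")
    return DnatEntry(name, ip_address(a), ip_address(b or a), ip_address(mapped), **kw)

SAMPLE_TABLE = [                             # constructed sample; RFC 5737 documentation addresses
    E("admin-ssh", "203.0.113.10", "10.0.0.5", protocol="tcp", ext_port=22, mapped_port=22,
      src_filter=[ip_network("198.51.100.0/24")]),
    E("web-443", "203.0.113.10", "10.0.0.5", protocol="tcp", ext_port=443, mapped_port=8443),
    E("dmz-range", "203.0.113.20-203.0.113.29", "10.0.1.20", interface="wan1"),
]
```

The two entries for 203.0.113.10 overlap on the external address and are told apart only by port and source filter, so an SSH attempt from outside 198.51.100.0/24 falls through every entry and is not translated at all.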
To import VIPs from the Virtual IP object table:
- Ensure you are in the correct ADOM.
- Go to Policy & Objects > Policy Packages.
- In the tree menu for the policy package, click Central DNAT.
- Click Import in the toolbar. The Import dialog box will open.
- Select the VIP object or objects that need to be imported. If necessary, use the search box to locate specific objects.
- Click OK to import the VIPs to the Central DNAT table.
Advanced options
| Option | Description | Default |
|---|---|---|
| dns-mapping-ttl | Enter the time-to-live for DNS responses, from 0 to 604800. 0 means use the DNS server's response time. | 0 |
| extaddr | Select an address. | None |
| gratuitous-arp-interval | Set the time interval between sending of gratuitous ARP packets by a virtual IP. 0 disables this feature. | 0 |
| http-cookie-age | Set how long the browser caches the cookie, from 0 to 525600 seconds. | 60 |
| http-cookie-domain | Enter the domain name to restrict the cookie to. | none |
| http-cookie-domain-from-host | If enabled, when the unit adds a SetCookie to the HTTP(S) response, the Domain attribute in the SetCookie is set to the value of the Host: header, if there is one. | disable |
| http-cookie-generation | The exact value of the generation is not important, only that it is different from any generation that has already been used. | 0 |
| http-cookie-path | Limit the cookies to a particular path. | none |
| http-cookie-share | Configure HTTP cookie persistence to control the sharing of cookies across more than one virtual server. The default setting means that any cookie generated by one virtual server can be used by another virtual server in the same virtual domain. Disable to make sure that a cookie generated for a virtual server cannot be used by other virtual servers. | same-ip |
| http-ip-header-name | Enter a name for the custom HTTP header that the original client IP address is added to. | none |
| https-cookie-secure | Enable or disable using secure cookies for HTTPS sessions. | disable |
| id | Custom defined ID. | 0 |
| max-embryonic-connections | The maximum number of partially established SSL or HTTP connections, from 0 to 100000. | 1000 |
| nat-source-vip | Enable to prevent unintended servers from using a virtual IP. Disable to use the actual IP address of the server (or the destination interface if using NAT) as the source address of connections from the server that pass through the device. | disable |
| outlook-web-access | If enabled, the | disable |
| ssl-algorithm | Set the permitted encryption algorithms for SSL sessions according to encryption strength: | high |
| ssl-client-fallback | Enable to prevent downgrade attacks on client connections. | enable |
| ssl-client-renegotiation | Select the SSL secure renegotiation policy. | allow |
| ssl-client-session-state-max | The maximum number of SSL session states to keep for the segment of the SSL connection between the client and the unit, from 0 to 100000. | 1000 |
| ssl-client-session-state-timeout | The number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the unit, from 1 to 14400. | 30 |
| ssl-client-session-state-type | The method to use to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate. | both |
| ssl-dh-bits | The number of bits used in the Diffie-Hellman exchange for RSA encryption of the SSL connection: | 2048 |
| ssl-hpkp | Enable or disable including the HPKP header in the response. | disable |
| ssl-hpkp-age | The number of seconds that the client should honor the HPKP setting (60 - 157680000). | 5184000 |
| ssl-hpkp-backup | Certificate to generate the backup HPKP pin from (size = 35, datasource(s) = vpn.certificate.local.name, vpn.certificate.ca.name). | None |
| ssl-hpkp-include-subdomains | Enable or disable indicating that the HPKP header applies to all subdomains. | disable |
| ssl-hpkp-primary | Certificate to generate the primary HPKP pin from (size = 35, datasource(s) = vpn.certificate.local.name, vpn.certificate.ca.name). | None |
| ssl-hpkp-report-uri | URL to report HPKP violations to (size = 255). | |
| ssl-hsts | Enable or disable including the HSTS header in the response. | disable |
| ssl-hsts-age | The number of seconds that the client should honor the HSTS setting (60 - 157680000). | 5184000 |
| ssl-hsts-include-subdomains | Enable or disable indicating that the HSTS header applies to all subdomains. | disable |
| ssl-http-location-conversion | Enable to replace http with https in the reply's Location HTTP header field. | disable |
| ssl-http-match-host | Enable to apply Location conversion to the reply's HTTP header only if the host name portion of Location matches the request's Host field or, if the Host field does not exist, the host name portion of the request's URI. | disable |
| ssl-max-version | The highest version of SSL/TLS to allow in SSL sessions: | tls-1.2 |
| ssl-min-version | The lowest version of SSL/TLS to allow in SSL sessions: | tls-1.0 |
| ssl-pfs | Select the handling of Perfect Forward Secrecy (PFS) by controlling the cipher suites that can be selected. | allow |
| ssl-send-empty-frags | Enable to precede the record with empty fragments to thwart attacks on the CBC IV. Disable this option if SSL acceleration will be used with an old or buggy SSL implementation which cannot properly handle empty fragments. | enable |
| ssl-server-algorithm | Set the permitted encryption algorithms for SSL server sessions according to encryption strength: | client |
| ssl-server-max-version | The highest version of SSL/TLS to allow in SSL server sessions: | client |
| ssl-server-min-version | The lowest version of SSL/TLS to allow in SSL server sessions: | client |
| ssl-server-session-state-max | The maximum number of SSL session states to keep for the segment of the SSL connection between the client and the unit, from 0 to 100000. | 100 |
| ssl-server-session-state-timeout | The number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the unit, from 1 to 14400. | 60 |
| ssl-server-session-state-type | The method to use to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate. | both |
| weblogic-server | Enable or disable adding an HTTP header to indicate SSL offloading for a WebLogic server. | disable |
| websphere-server | Enable or disable adding an HTTP header to indicate SSL offloading for a WebSphere server. | disable |