Administration Guide

Create a new central DNAT or IPv6 central DNAT policy

Destination NAT (DNAT) is typically applied to traffic from the Internet that is going to be directed to a server on a network behind the FortiGate device. The actual address of the internal network is hidden. When a request is received, FortiGate checks the NAT table and determines if the destination IP address for incoming traffic must be changed using DNAT.

DNAT must take place before routing so that the unit can route packets to the correct destination.

DNAT policies can be created, or imported from Virtual IP (VIP) objects. Virtual servers can also be imported from ADOM objects to DNAT policies. DNAT policies are automatically added to the Virtual IP (VIP) object table (Object Configurations > Firewall Objects > Virtual IPs) when they are created.

VIPs can be edited from either the DNAT or VIP object tables by double-clicking on the VIP, right-clicking on the VIP and selecting Edit, or selecting the VIP and clicking Edit in the toolbar. The network type cannot be changed. DNAT policies can also be copied, pasted, cloned, and moved using the right-click or Edit menus.

Deleting a DNAT policy does not delete the corresponding VIP object, and a VIP object cannot be deleted if it is in the DNAT table.

DNAT policies support overlapping IP address ranges; VIPs do not. DNAT policies do not support VIP groups.

See Destination NAT in the FortiOS Administration Guide for more information.

Central DNAT does not support Section View.

Central NAT must be enabled when creating or editing the policy package for this option to be available in the tree menu. See Create new policy packages.

Central DNAT must be enabled in Tools > Display Options as well for the option to be visible in the tree menu. On the Policy & Objects tab, from the Tools menu, select Display Options. In the Policy section, select the Central DNAT check box to display this option.

To create a new central DNAT policy:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package in which you will be creating the new policy, select Central DNAT Policy.
  4. Click Create New.
  5. Enter the following information:

    Name
      Enter a unique name for the policy. Each policy must have a unique name.

    Comments
      Add a description of the policy, such as its purpose, or the changes that have been made to it.

    Color
      Select a color. This color will be used to identify this DNAT in the fabric view.

    Status
      Enable or disable the policy.
      This option is not available for IPv6 policies.

    Interface
      Select an interface.

    Configure Default Value
      Enable or disable the default value.

    Type
      Select the network type: Static NAT, DNS Translation, FQDN, or Load balance.
      This option is only available when Configure Default Value is enabled.
      For IPv6 policies, only Static NAT is available.

    External IP Address/Range
      Enter the start and end external IP addresses in the fields. If there is only one address, enter it in both fields.
      This option is only available when Configure Default Value is enabled and the network type is not FQDN.

    Mapped IP [v4/v6] Address/Range
      Enter the mapped IP address or address range.
      These options are only available when Configure Default Value is enabled and the network type is not FQDN.
      For IPv6 policies, select Use Embedded to use the lower 32 bits of the external IPv6 address as the mapped IPv4 address.

    External IP Address
      Enter the external IP address.
      This option is only available when Configure Default Value is enabled and the network type is FQDN.

    Mapped Address
      Select the mapped address.
      This option is only available when Configure Default Value is enabled and the network type is FQDN.

    Source Interface Filter
      Select a source interface filter.
      This option is only available when Configure Default Value is enabled.

    Optional Filters
      Enable or disable optional filters.
      This option is only available when Configure Default Value is enabled.

    Source Address
      If Optional Filters is enabled, add source IP, range, or subnet filters. Multiple filters can be added using the Add icon.

    Services
      If Optional Filters is enabled, enable or disable services and then select them.

    Port Forwarding
      Enable or disable port forwarding and then configure the ports to map.
      This option is only available when Configure Default Value is enabled.

    Protocol
      If Port Forwarding is enabled, select the protocol: TCP, UDP, SCTP, or ICMP. ICMP is not available for IPv6 policies.

    External Service Port
      If Port Forwarding is enabled, enter the external service port.
      This option is not available when Protocol is ICMP.

    Map to [IPv4/IPv6] Port
      If Port Forwarding is enabled, enter the port to map to.
      This option is not available when Protocol is ICMP.

    Enable ARP Reply
      Select to enable address resolution protocol (ARP) reply.
      This option is only available when Configure Default Value is enabled.

    Add To Groups
      Select the groups to which the virtual IP should be added.

    Advanced Options
      Configure advanced options; see Advanced options below.
      For more information on advanced options, see the FortiOS CLI Reference.

    Per-Device Mapping
      Enable or disable per-device mapping.
      If multiple imported VIP objects have the same name but different details, the object type will become Dynamic Virtual IP, and the per-device mappings will be listed here.
      Mappings can also be manually added, edited, and deleted as needed.

    Change Note
      Add a description of the changes being made to the policy. This field is required.

  6. Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number. By default, policies will be added to the bottom of the list, but above the implicit policy.
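
The Static NAT mapping described by the External IP Address/Range, Mapped IP Address/Range and Port Forwarding fields above, together with the Use Embedded rule for IPv6 policies and the point that DNAT happens before routing, can be modelled in a few lines. The following is an added example written for this page; it is not FortiManager or FortiOS code. The policy names, the RFC 5737 addresses and the routing table are constructed, and the 1:1-by-offset range mapping and "port-forwarding VIP matches only its configured protocol and port" behaviour are a simplified model of what the fields configure.

```python
"""Simplified model of a central DNAT table: Static NAT range mapping, port
forwarding, and the 'Use Embedded' IPv6-to-IPv4 mapping, followed by routing
on the translated destination. Constructed example, not FortiOS code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StaticNatPolicy:
    name: str
    ext_start: str                     # External IP Address/Range, start
    ext_end: str                       # External IP Address/Range, end (= start for one address)
    mapped_start: str                  # Mapped IP Address/Range, start
    protocol: Optional[str] = None     # Port Forwarding protocol; None = no port forwarding
    ext_port: Optional[int] = None     # External Service Port
    mapped_port: Optional[int] = None  # Map to Port

    def translate(self, dst_ip: str, dst_port: Optional[int] = None,
                  proto: Optional[str] = None) -> Optional[Tuple[str, Optional[int]]]:
        """(mapped_ip, mapped_port) if the packet hits this policy, else None."""
        dst = ipaddress.ip_address(dst_ip)
        start = ipaddress.ip_address(self.ext_start)
        end = ipaddress.ip_address(self.ext_end)
        if dst.version != start.version or not (start <= dst <= end):
            return None
        # Range mapping is 1:1 by offset: the Nth external address maps to the
        # Nth mapped address, so both ranges must be the same size.
        offset = int(dst) - int(start)
        mapped_ip = str(ipaddress.ip_address(int(ipaddress.ip_address(self.mapped_start)) + offset))
        if self.protocol is None:
            return mapped_ip, dst_port  # no port forwarding: port passes through unchanged
        # With port forwarding only the configured protocol/external port matches.
        if proto != self.protocol or dst_port != self.ext_port:
            return None
        return mapped_ip, self.mapped_port


def dnat_lookup(policies: List[StaticNatPolicy], dst_ip: str,
                dst_port: Optional[int] = None, proto: Optional[str] = None):
    """First match in table order wins (the Seq.# order in the policy package)."""
    for pol in policies:
        hit = pol.translate(dst_ip, dst_port, proto)
        if hit is not None:
            return pol.name, hit[0], hit[1]
    return None


def embedded_ipv4(ext_ipv6: str) -> str:
    """'Use Embedded': the lower 32 bits of the external IPv6 address are the mapped IPv4 address."""
    low32 = int(ipaddress.IPv6Address(ext_ipv6)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(low32))


# Constructed routing table: (prefix, egress interface). DNAT runs before the
# route lookup, so the lookup sees the mapped address, not the external one.
ROUTES = [("10.0.0.0/24", "port2"), ("0.0.0.0/0", "port1")]


def route_for(ip: str) -> Optional[str]:
    """Longest-prefix match over ROUTES."""
    addr = ipaddress.ip_address(ip)
    best_len, best_if = -1, None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_if = net.prefixlen, iface
    return best_if


# Constructed central DNAT table (hypothetical names, RFC 5737 addresses).
POLICIES = [
    StaticNatPolicy("web-range", "203.0.113.10", "203.0.113.12", "10.0.0.10"),
    StaticNatPolicy("https-fwd", "203.0.113.20", "203.0.113.20", "10.0.0.20",
                    protocol="tcp", ext_port=443, mapped_port=8443),
]


def forward(dst_ip: str, dst_port: Optional[int] = None,
            proto: Optional[str] = None) -> Optional[Dict[str, object]]:
    """Apply DNAT, then route on the translated destination."""
    hit = dnat_lookup(POLICIES, dst_ip, dst_port, proto)
    if hit is None:
        return None
    name, mapped_ip, mapped_port = hit
    return {"policy": name, "mapped_ip": mapped_ip, "mapped_port": mapped_port,
            "egress": route_for(mapped_ip)}


if __name__ == "__main__":
    print(forward("203.0.113.11", 80, "tcp"))   # web-range -> 10.0.0.11:80 via port2
    print(forward("203.0.113.20", 443, "tcp"))  # https-fwd -> 10.0.0.20:8443 via port2
    print(forward("203.0.113.20", 80, "tcp"))   # None: port 80 is not forwarded
    print(embedded_ipv4("2001:db8::c000:20a"))  # 192.0.2.10
```

The third call shows why a port-forwarding policy narrows exposure: traffic to the external address on any port other than the configured External Service Port does not match, whereas the range policy without port forwarding forwards every port to the mapped host. The route lookup on the mapped address is what the "DNAT must take place before routing" sentence above refers to.
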
To import VIPs from the VIP object table:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package, click Central DNAT.
  4. Click Import in the toolbar. The Import dialog box will open.
  5. Select the VIP object or objects that need to be imported. If necessary, use the search box to locate specific objects.
  6. Click OK to import the VIPs to the Central DNAT table.
Advanced options

add-nat46-route
  Enable or disable adding NAT46 to a route.
  This option is not available for IPv6 policies.
  Default: enable

add-nat64-route
  Enable or disable adding NAT64 to a route.
  This option is only available for IPv6 policies.
  Default: enable

dns-mapping-ttl
  Enter the time-to-live for the DNS response, from 0 to 604800. Set to 0 to use the DNS server's response time.
  This option is not available for IPv6 policies.
  Default: 0

extaddr
  Select an external FQDN.
  This option is not available for IPv6 policies.
  Default: None

gratuitous-arp-interval
  Set the time interval in seconds between sending of gratuitous address resolution protocol (ARP) packets by a virtual IP. Set to 0 to disable this feature. Set from 5 to 8640000 seconds to enable it.
  This option is not available for IPv6 policies.
  Default: 0

http-cookie-age
  Set the time in minutes that client web browsers should keep a cookie. Set to 0 for no time limit.
  Default: 60

http-cookie-domain
  Enter the domain name to which cookie persistence should apply.
  Default: none

http-cookie-domain-from-host
  Enable or disable use of the HTTP cookie domain from the host field in HTTP.
  Default: disable

http-cookie-generation
  Set the generation of HTTP cookies to be accepted. The exact value is not important, only that it is different from any generation that has already been used. Changing this value invalidates all existing cookies.
  Default: 0

http-cookie-path
  Specify the path to which cookie persistence is limited.
  Default: none

http-cookie-share
  Configure to control the sharing of cookies across virtual servers.
  Using same-ip means that any cookie generated by one virtual server can be used by another virtual server in the same virtual domain.
  Disable stops cookie sharing between virtual servers.
  Default: same-ip

http-ip-header
  For HTTP multiplexing, enable or disable adding the original client IP address in the X-Forwarded-For HTTP header.
  Default: disable

http-ip-header-name
  For HTTP multiplexing, enter a custom HTTP header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used.
  Default: none

http-multiplex
  Enable or disable HTTP multiplexing.
  Default: disable

http-redirect
  Enable or disable redirection of HTTP to HTTPS.
  Default: disable

https-cookie-secure
  Enable or disable verification that HTTPS cookies are secure.
  Default: disable

id
  Enter a unique number as the policy ID, or use the default (0) to automatically assign a policy ID. Policy IDs can be up to a maximum of 9 digits in length. Once a policy ID has been configured it cannot be changed.
  Default: 0

ldbd-method
  Select the method used to distribute sessions to real servers.
  Default: static

max-embryonic-connections
  Set the maximum number of incomplete connections, from 0 to 100000.
  Default: 1000

monitor
  Select the health check monitor to use when polling to determine a virtual server's connectivity status.
  Default: none

nat-source-vip
  Enable or disable forcing the source NAT mapped IP to the external IP for all traffic.
  Default: disable

nat44
  Enable or disable NAT44.
  This option is not available for IPv6 policies.
  Default: enable

nat46
  Enable or disable NAT46.
  This option is not available for IPv6 policies.
  Default: disable

nat64
  Enable or disable NAT64.
  This option is only available for IPv6 policies.
  Default: enable

nat66
  Enable or disable NAT66.
  This option is only available for IPv6 policies.
  Default: disable

outlook-web-access
  Enable to add the Front-End-Https header for Microsoft Outlook Web Access.
  Default: disable

persistence
  Configure the method used to ensure that clients connect to the same server every time they make a request that is part of the same session.
  Default: none

portmapping-type
  Select the port mapping type, either 1-to-1 or m-to-n (many to many).
  This option is not available for IPv6 policies.
  Default: 1-to-1

server-type
  Select the protocol to be load balanced by the virtual server (also called the server load balance virtual IP).
  Default: none

ssl-accept-ffdhe-groups
  Enable or disable using the FFDHE cipher suite for SSL key exchange.
  Default: enable

ssl-algorithm
  Set the permitted encryption algorithms for SSL sessions according to encryption strength:
    • high: permit only high encryption algorithms: AES or 3DES.
    • medium: permit high or medium (RC4) algorithms.
    • low: permit high, medium, or low (DES) algorithms.
    • custom: only allow some preselected cipher suites to be used.
  Default: high

ssl-certificate
  Select the certificate to use for the SSL handshake.
  Default: none

ssl-client-fallback
  Enable or disable support for preventing downgrade attacks on client connections.
  Default: enable

ssl-client-rekey-count
  Set the maximum length of data in MB before triggering a client rekey. Set to 0 to disable.
  Default: 0

ssl-client-renegotiation
  Select the SSL secure renegotiation policy.
    • allow: allow, but do not require secure renegotiation.
    • deny: do not allow renegotiation.
    • secure: require secure renegotiation.
  Default: allow

ssl-client-session-state-max
  Set the maximum number of SSL session states to keep between the client and FortiGate, from 0 to 100000.
  Default: 1000

ssl-client-session-state-timeout
  Set the number of minutes to keep the SSL session states between the client and FortiGate, from 1 to 14400.
  Default: 30

ssl-client-session-state-type
  Select the method to use to expire SSL sessions between the client and FortiGate.
    • both: expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
    • count: expire SSL session states when ssl-client-session-state-max is exceeded.
    • disable: expire all SSL session states.
    • time: expire SSL session states when ssl-client-session-state-timeout is exceeded.
  Default: both

ssl-dh-bits
  Select the number of bits used in the Diffie-Hellman exchange for RSA encryption of the SSL connection: 768, 1024, 1536, 2048, 3072, or 4096.
  Default: 2048

ssl-hpkp
  Enable or disable including the HPKP header in the response.
  Default: disable

ssl-hpkp-age
  Set the number of seconds that the client should honor the HPKP setting (60 - 157680000).
  Default: 5184000

ssl-hpkp-backup
  Select the certificate from which the backup HPKP pin is generated.
  Default: none

ssl-hpkp-include-subdomains
  Enable or disable indicating that the HPKP header applies to all subdomains.
  Default: disable

ssl-hpkp-primary
  Select the certificate from which the primary HPKP pin is generated.
  Default: none

ssl-hpkp-report-uri
  Set the URL to report HPKP violations to (maximum size = 255).
  Default: none

ssl-hsts
  Enable or disable including the HSTS header in the response.
  Default: disable

ssl-hsts-age
  Set the number of seconds that the client should honor the HSTS setting (60 - 157680000).
  Default: 5184000

ssl-hsts-include-subdomains
  Enable or disable indicating that the HSTS header applies to all subdomains.
  Default: disable

ssl-http-location-conversion
  Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.
  Default: disable

ssl-http-match-host
  Enable or disable HTTP host matching for location conversion.
  Default: disable

ssl-max-version
  Select the highest version of SSL/TLS to allow in SSL sessions: ssl-3.0, tls-1.0, tls-1.1, tls-1.2, or tls-1.3.
  Default: tls-1.3

ssl-min-version
  Select the lowest version of SSL/TLS to allow in SSL sessions: ssl-3.0, tls-1.0, tls-1.1, tls-1.2, or tls-1.3.
  Default: tls-1.1

ssl-mode
  Select the method to use for SSL offloading: between the client and FortiGate only (half), or from the client to FortiGate and from FortiGate to the server (full).
  Default: half

ssl-pfs
  Select the cipher suites that can be used for SSL perfect forward secrecy (PFS):
    • allow: allow use of any cipher suite, so PFS may or may not be used depending on the cipher suite selected.
    • deny: allow only non-Diffie-Hellman cipher suites, so PFS is not applied.
    • require: allow only Diffie-Hellman cipher suites, so PFS is applied.
  This setting applies to both client and server sessions.
  Default: require

ssl-send-empty-frags
  Enable or disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 and TLS 1.0 only).
  This setting may need to be disabled for compatibility with older systems.
  Default: enable

ssl-server-algorithm
  Set the permitted encryption algorithms for SSL server sessions according to encryption strength:
    • high: permit only high encryption algorithms: AES or 3DES.
    • medium: permit high or medium (RC4) algorithms.
    • low: permit high, medium, or low (DES) algorithms.
    • custom: only allow some preselected cipher suites to be used.
    • client: use the same encryption algorithms for both client and server sessions.
  Default: client

ssl-server-max-version
  Select the highest version of SSL/TLS to allow in SSL server sessions: client, ssl-3.0, tls-1.0, tls-1.1, tls-1.2, or tls-1.3.
  Default: client

ssl-server-min-version
  Select the lowest version of SSL/TLS to allow in SSL server sessions: client, ssl-3.0, tls-1.0, tls-1.1, tls-1.2, or tls-1.3.
  Default: client

ssl-server-session-state-max
  Set the maximum number of FortiGate to server SSL session states to keep, from 0 to 100000.
  Default: 100

ssl-server-session-state-timeout
  Set the number of minutes to keep FortiGate to server SSL session states, from 1 to 14400.
  Default: 60

ssl-server-session-state-type
  Select the method to use to expire FortiGate to server SSL sessions:
    • both: expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
    • count: expire SSL session states when ssl-client-session-state-max is exceeded.
    • disable: expire all SSL session states.
    • time: expire SSL session states when ssl-client-session-state-timeout is exceeded.
  Default: both

uuid
  Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset.
  Default: 00000000-0000-0000-0000-000000000000

weblogic-server
  Enable or disable adding an HTTP header to indicate SSL offloading for a WebLogic server.
  Default: disable

websphere-server
  Enable or disable adding an HTTP header to indicate SSL offloading for a WebSphere server.
  Default: disable
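
Several of the SSL-related advanced options above default to values a defender would normally tighten for an Internet-facing load-balance VIP (ssl-min-version tls-1.1, ssl-client-renegotiation allow, ssl-hsts disable, https-cookie-secure disable), and an option that is never set keeps its default. The following added example, written for this page and not FortiManager or FortiOS code, parses a constructed configuration in the FortiOS `config firewall vip` / `edit` / `set` / `next` CLI shape, fills in the table defaults for every option that is not set explicitly, and reports the settings that fall below a simple baseline. The option names and value lists come from the table; the CLI block shape, the `type` and `server-type` keys and the VIP names are assumptions made for the sample.

```python
"""Audit SSL-related VIP advanced options against a defender's baseline.
Added example; the config below is a constructed sample in FortiOS CLI style."""
import re
from typing import Dict, List

# Defaults from the Advanced options table. Unset options keep their default,
# so the audit must evaluate defaults, not only explicit 'set' lines.
DEFAULTS = {
    "ssl-min-version": "tls-1.1", "ssl-algorithm": "high",
    "ssl-client-renegotiation": "allow", "ssl-pfs": "require",
    "ssl-hsts": "disable", "https-cookie-secure": "disable",
    "ssl-send-empty-frags": "enable", "ssl-dh-bits": "2048",
}
# Protocol versions in increasing order, as listed for ssl-min-version.
TLS_ORDER = ["ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2", "tls-1.3"]

# Constructed sample (assumed CLI shape and VIP names; ssl-* names/values from the table).
SAMPLE_CONFIG = """
config firewall vip
    edit "static-web"
        set type static-nat
    next
    edit "lb-legacy"
        set type server-load-balance
        set server-type https
        set ssl-min-version tls-1.0
        set ssl-algorithm medium
        set ssl-pfs allow
        set ssl-send-empty-frags disable
    next
    edit "lb-defaults"
        set type server-load-balance
        set server-type https
    next
    edit "lb-hardened"
        set type server-load-balance
        set server-type https
        set ssl-min-version tls-1.2
        set ssl-client-renegotiation secure
        set ssl-hsts enable
        set https-cookie-secure enable
    next
end
"""


def parse_vips(text: str) -> Dict[str, Dict[str, str]]:
    """Return {vip_name: {option: value}} with table defaults filled in."""
    vips: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?(.+?)"?$', line)
        if m:
            current = m.group(1)
            vips[current] = dict(DEFAULTS)
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r'^set\s+(\S+)\s+(.+)$', line)
        if m and current is not None:
            vips[current][m.group(1)] = m.group(2).strip().strip('"')
    return vips


def audit_vip(s: Dict[str, str]) -> List[str]:
    """Findings for one VIP; only SSL-offloading load-balance VIPs are evaluated."""
    if s.get("server-type") not in ("https", "ssl"):
        return []
    f: List[str] = []
    min_idx = TLS_ORDER.index(s["ssl-min-version"])
    if min_idx < TLS_ORDER.index("tls-1.2"):
        f.append(f"ssl-min-version {s['ssl-min-version']}: accepts pre-TLS 1.2 clients")
    if s["ssl-algorithm"] in ("medium", "low"):
        f.append(f"ssl-algorithm {s['ssl-algorithm']}: permits RC4/DES suites")
    if s["ssl-client-renegotiation"] == "allow":
        f.append("ssl-client-renegotiation allow: secure renegotiation not required")
    if s["ssl-pfs"] != "require":
        f.append(f"ssl-pfs {s['ssl-pfs']}: non-Diffie-Hellman suites allowed, no PFS guarantee")
    if s["ssl-hsts"] != "enable":
        f.append("ssl-hsts disable: no HSTS header sent to clients")
    if s["https-cookie-secure"] != "enable":
        f.append("https-cookie-secure disable: Secure flag on HTTPS cookies not verified")
    if int(s["ssl-dh-bits"]) < 2048:
        f.append(f"ssl-dh-bits {s['ssl-dh-bits']}: Diffie-Hellman group below 2048 bits")
    # Empty fragments only matter while SSL 3.0 / TLS 1.0 are still accepted.
    if s["ssl-send-empty-frags"] == "disable" and min_idx <= TLS_ORDER.index("tls-1.0"):
        f.append("ssl-send-empty-frags disable while TLS 1.0/SSL 3.0 allowed: CBC IV mitigation off")
    return f


def audit_config(text: str) -> Dict[str, List[str]]:
    """Audit every VIP in a config dump; {vip_name: [findings]}."""
    return {name: audit_vip(s) for name, s in parse_vips(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'clean' if not findings else ''}")
        for item in findings:
            print(f"  - {item}")
```

The `lb-defaults` entry sets nothing beyond the server type and still produces findings, which is the practical point: a VIP created with the default advanced options accepts TLS 1.1 and insecure renegotiation and sends neither HSTS nor a verified Secure cookie flag until those options are changed. The static-nat VIP is skipped because the ssl-* options only apply where FortiGate terminates SSL for a load-balance virtual server.
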
