Administration Guide

Create a new central SNAT policy

Central SNAT (source NAT) lets you define and control, with more granularity, the source address translation that the FortiGate unit performs. In the central SNAT table you define rules that match traffic by source address or address group (and by destination address) and dictate which IP pool supplies the translated source address.

IP pools are similar in function: a single address is translated to an alternate address taken from a range of IP addresses. With an IP pool alone, however, there is little control over the translated port: you can enable fixed port so that the source port number is left unchanged, and otherwise the FortiGate unit chooses the translated port itself. With the central SNAT table, you have full control over both the translated IP address and the translated port.

The FortiGate unit evaluates central SNAT policies top-down and applies the first policy that matches the traffic. This lets you create multiple NAT policies that select an IP pool based on the source address, and the policies can be reordered in the policy list. Because only the first match applies, a broad policy placed above a narrower one prevents the narrower one from ever matching, so check the order after every reorder. Central SNAT policies are applied to traffic only after a security policy has allowed it; allowed traffic that matches no central SNAT policy falls through to the implicit policy and is not translated.

If the policy package's NGFW mode is policy-based, central NAT (specifically central SNAT) is enabled implicitly.

See Central SNAT in the FortiOS Administration Guide for more information about central SNAT.

Central SNAT does not support Section View.

Central NAT must be enabled when creating or editing the policy package for this option to be available in the tree menu. See Create new policy packages.

Central SNAT must also be enabled in Feature Visibility for the option to be visible in the tree menu. On the Policy & Objects tab, from the Tools menu, select Feature Visibility. In the Policy section, select the Central SNAT check box to display this option.

To create a new central SNAT policy:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package in which you will be creating the new policy, select Central SNAT Policy.
  4. Click Create New.
  5. Enter the following information:

    Option

    Description

    Type

    Select whether to perform SNAT on IPv4 or IPv6.

    Incoming Interface

    Click the field then select interfaces.

    Click the remove icon to remove interfaces.

    New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.

    Outgoing Interface

    Select outgoing interfaces in the same manner as Incoming Interface.

    Source Address

    Select source addresses, address groups, virtual IPs, and virtual IP groups.

    Destination Address

    Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    NAT

    Select to enable NAT. If enabled, select NAT, NAT46, or NAT64. If Type is set to IPv4, NAT64 is not available. If Type is set to IPv6, NAT46 is not available.

    IP Pool Configuration

    If NAT is selected, select Use Outgoing Interface Address or Use Dynamic IP Pool.

    Protocol

    Select the protocol: ANY, TCP, UDP, SCTP, or Specify. If Specify is selected, specify the protocol number.

    This option is only available when NAT is selected.

    Explicit Port Mapping

    Enable or disable explicit port mapping, then set the Original Source Port to match.

    Choose an original source port from 1 to 65535. The translated port is chosen by the FortiGate based on the IP Pool configuration.

    Explicit port mapping cannot apply to protocols that do not use ports, such as ICMP. When enabling a central SNAT policy that uses explicit port mapping, keep in mind that ICMP traffic will not match it and is evaluated against the policies below it instead.

    When using IP Pools, only the Overload type IP Pool allows explicit port mapping. When explicit port mapping is applied, you must define an original source port range and a translated source port range of the same size; each source port maps one to one to the translated port at the same offset in the translated range.

    See Dynamic SNAT in the FortiOS Administration Guide for more information about how each IP pool type works.

    Comments

    Add a description of the policy, such as its purpose, or the changes that have been made to it.

    Advanced Options

    Configure advanced options; see Advanced options below. For more information on the advanced options, see the FortiOS CLI Reference.

    Change Note

    Add a description of the changes being made to the policy. This field is required.

  6. Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number. By default, policies will be added to the bottom of the list, but above the implicit policy.
Advanced options

    uuid

    Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset. Default: 00000000-0000-0000-0000-000000000000
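The following is an added example and is not code from the FortiManager or FortiOS documentation. It models the behaviour described above for the policy created in this procedure: top-down first-match evaluation, the one-to-one translated port under explicit port mapping, the ICMP traffic that an explicit-port-mapping policy never matches, and the fall-through to the implicit policy. The policy list is written in the style of the FortiOS CLI table `config firewall central-snat-map`; the keyword names used (srcintf, dstintf, orig-addr, dst-addr, orig-port, nat-ippool, nat-port) are assumed to mirror that CLI, and the address objects, pool names and flows are constructed for the example. The `shadowed` check is an addition of this example, not a FortiGate feature: it flags a policy that an earlier, broader policy will always match first, which is the mistake a reorder in the policy list can introduce.

```python
"""Added example, not code from the FortiManager or FortiOS documentation: a
first-match evaluator for central SNAT policies written in the style of the
FortiOS CLI table `config firewall central-snat-map`. Keyword names are assumed
to mirror the CLI; address objects, pool names and flows are constructed."""
import ipaddress
import re

ADDRESSES = {"all": ["0.0.0.0/0"], "lan-servers": ["10.10.0.0/24"]}  # constructed address objects

# Constructed policy list in top-down order: an explicit-port-mapping policy (protocol ANY), then a catch-all.
SAMPLE_CONFIG = """
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "lan-servers"
        set dst-addr "all"
        set orig-port 8000-8009
        set nat-ippool "pool-overload"
        set nat-port 18000-18009
    next
    edit 3
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
        set nat-ippool "pool-catchall"
    next
end
"""

def parse_central_snat(text):
    """Turn `edit N ... next` blocks into dicts, preserving top-down order."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"edit (\d+)$", line)
        if m:
            current = {"id": int(m.group(1))}
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif current is not None and line.startswith("set "):
            _, key, value = line.split(None, 2)
            current[key] = value.strip('"')
    return policies

def port_range(spec):
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def in_address(ip, name):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in ADDRESSES[name])

def matches(policy, flow):
    """Interfaces, addresses, protocol and (if set) original source port must all match."""
    if (policy.get("srcintf"), policy.get("dstintf")) != (flow["srcintf"], flow["dstintf"]):
        return False
    if not (in_address(flow["src"], policy["orig-addr"]) and in_address(flow["dst"], policy["dst-addr"])):
        return False
    if "protocol" in policy and int(policy["protocol"]) != flow["proto"]:
        return False
    if "orig-port" in policy:  # explicit port mapping
        if flow.get("sport") is None:  # ICMP carries no port, so it never matches here
            return False
        lo, hi = port_range(policy["orig-port"])
        return lo <= flow["sport"] <= hi
    return True

def translate(policies, flow):
    """First match wins. Returns (policy id, pool, translated source port); None means
    the flow fell through to the implicit policy and is not source-translated."""
    for p in policies:
        if matches(p, flow):
            nat_port = None  # no explicit mapping: the FortiGate picks the port per pool type
            if "orig-port" in p and "nat-port" in p:  # one-to-one: same offset into the translated range
                nat_port = port_range(p["nat-port"])[0] + flow["sport"] - port_range(p["orig-port"])[0]
            return p["id"], p.get("nat-ippool"), nat_port
    return None

def covers(name_a, name_b):
    """True if every network of address object name_b lies inside a network of name_a."""
    nets_a = [ipaddress.ip_network(n) for n in ADDRESSES[name_a]]
    return all(any(ipaddress.ip_network(b).subnet_of(a) for a in nets_a) for b in ADDRESSES[name_b])

def shadowed(policies):
    """IDs of policies that an earlier policy with the same interfaces, any protocol and
    port, and covering addresses always matches first, so they can never apply."""
    ids = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if ((earlier.get("srcintf"), earlier.get("dstintf")) == (later.get("srcintf"), later.get("dstintf"))
                    and "protocol" not in earlier and "orig-port" not in earlier
                    and covers(earlier["orig-addr"], later["orig-addr"])
                    and covers(earlier["dst-addr"], later["dst-addr"])):
                ids.append(later["id"])
                break
    return ids

if __name__ == "__main__":
    pols = parse_central_snat(SAMPLE_CONFIG)
    tcp = {"srcintf": "port2", "dstintf": "port1", "src": "10.10.0.5", "dst": "203.0.113.10", "proto": 6, "sport": 8003}
    print(translate(pols, tcp))                         # (1, 'pool-overload', 18003)
    print(translate(pols, dict(tcp, proto=1, sport=None)))  # (3, 'pool-catchall', None): ICMP skips policy 1
    print(shadowed(pols), shadowed(list(reversed(pols))))   # [] [1]: the catch-all on top shadows policy 1
```

Running the script shows the TCP flow from the server subnet taking policy 1 with port 8003 mapped to 18003, the ICMP flow from the same host skipping policy 1 and landing on the catch-all, and, once the catch-all is moved above policy 1, `shadowed` reporting policy 1 as unreachable. A flow that matches no policy returns None, which corresponds to the implicit policy: the traffic leaves untranslated.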
