Create a new central DNAT or IPv6 central DNAT policy
Destination NAT (DNAT) is typically applied to traffic from the Internet that is going to be directed to a server on a network behind the FortiGate device. The actual address of the internal network is hidden. When a request is received, FortiGate checks the NAT table and determines if the destination IP address for incoming traffic must be changed using DNAT.
DNAT must take place before routing so that the unit can route packets to the correct destination.
DNAT policies can be created, or imported from Virtual IP (VIP) objects. Virtual servers can also be imported from ADOM objects to DNAT policies. DNAT policies are automatically added to the Virtual IP (VIP) object table (Firewall Objects > Virtual IPs) when they are created.
VIPs can be edited from either the DNAT or VIP object tables by double-clicking on the VIP, right-clicking on the VIP and selecting Edit, or selecting the VIP and clicking Edit in the toolbar. The network type cannot be changed. DNAT policies can also be copied, pasted, cloned, and moved using the right-click or Edit menus.
Deleting a DNAT policy does not delete the corresponding VIP object, and a VIP object cannot be deleted if it is in the DNAT table.
DNAT policies support overlapping IP address ranges; VIPs do not. DNAT policies do not support VIP groups.
See Destination NAT in the FortiOS Administration Guide for more information.
Central DNAT does not support Section View. |
Central NAT must be enabled when creating or editing the policy package for this option to be available in the tree menu. See Create new policy packages. Central DNAT must be enabled in Feature Visibility as well for the option to be visible in the tree menu. On the Policy & Objects tab, from the Tools menu, select Feature Visibility. In the Policy section, select the Central DNAT check box to display this option. |
To create a new central DNAT policy:
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to Policy & Objects > Policy Packages.
- In the tree menu for the policy package in which you will be creating the new policy, select Central DNAT Policy.
- Click Create New.
- Enter the following information:
Option
Description
Name
Enter a unique name for the policy. Each policy must have a unique name. Comments
Add a description of the policy, such as its purpose, or the changes that have been made to it.
Color
Select a color. This color will be used to indentify this DNAT in the fabric view.
Status
Enable or disable the policy.
This option is not available for IPv6 policies.
Interface
Select an interface.
Configure Default Value
Enable or disable the default value.
Type
Select the network type: Static NAT, DNS Translation, FQDN, or Load balance.
This option is only available when Configure Default Value is enabled.
For IPv6 policies, only Static NAT is available.
External IP Address/Range
Enter the start and end external IP addresses in the fields. If there is only one address, enter it in both fields.
This option is only available when Configure Default Value is enabled and the network type is not FQDN.
Mapped IP [v4/v6] Address/Range
Enter the mapped IP address or address range.
These options are only available when Configure Default Value is enabled and the network type is not FQDN.
For IPv6 policies, select Use Embedded to use the lower 32 bits of the external IPv6 address as the mapped IPv4 address.
External IP Address
Enter the external IP address.
This option is only available when Configure Default Value is enabled and the network type is FQDN.
Mapped Address
Select the mapped address.
This option is only available when Configure Default Value is enabled and the network type is FQDN.
Source Interface Filter
Select a source interface filter.
This option is only available when Configure Default Value is enabled.
Optional Filters
Enable or disable optional filters.
This option is only available when Configure Default Value is enabled.
Source Address
If Optional Filters is enabled, add source IP, range, or subnet filters. Multiple filters can be added using the Add icon.
Services
If Optional Filters is enabled, enable or disable and then select services.
Port Forwarding
Enable or disable port forwarding and then configure the ports to map.
This option is only available when Configure Default Value is enabled.
Protocol
If Port Forwarding is enabled, select the protocol: TCP, UDP, SCTP, or ICMP. ICMP is not available for IPv6 policies.
External Service Port
If Port Forwarding is enabled, enter the external service port.
This option is not available when Protocol is ICMP.
Map to [IPv4/IPv6] Port
If Port Forwarding is enabled, enter the map to port.
This option is not available when Protocol is ICMP.
Enable ARP Reply
Select to enable address resolution protocol (ARP) reply.
This option is only available when Configure Default Value is enabled.
Add To Groups
Select the groups to which the virtual IP should be added.
Advanced Options
Configure advanced options, see Advanced options below.
For more information on advanced option, see the FortiOS CLI Reference.
Per-Device Mapping
Enable or disable per-device mapping.
If multiple imported VIP objects have the same name but different details, the object type will become Dynamic Virtual IP, and the per-device mappings will be listed here.
Mappings can also be manually added, edited, and deleted as needed.
Change Note
Add a description of the changes being made to the policy. This field is required.
- Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number. By default, policies will be added to the bottom of the list, but above the implicit policy.
To import VIPs from the VIP object table:
- Ensure you are in the correct ADOM.
- Go to Policy &Objects > Policy Packages.
- In the tree menu for the policy package, click Central DNAT.
- Click Import in the toolbar. The Import dialog box will open.
- Select the VIP object or objects that need to be imported. If necessary, use the search box to locate specific objects.
- Click OK to import the VIPs to the Central DNAT table.
Advanced options
Option |
Description |
Default |
---|---|---|
add-nat46-route |
Enable or disable adding NAT46 to a route. This option is not available for IPv6 policies. |
enable |
add-nat64-route |
Enable or disable adding NAT64 to a route. This option is only available for IPv6 policies. |
enable |
dns-mapping-ttl |
Enter time-to-live for DNS response, from 0 to 604 800. Set to to 0 to use the DNS server's response time. This option is not available for IPv6 policies. |
0 |
extaddr |
Select an external FQDN. This option is not available for IPv6 policies. |
None |
gratuitous-arp-interval |
Set the time intervalin seconds between sending of gratuitous address resolution protocol (ARP) packets by a virtual IP. Set to 0 to disable this feature. Set from 5 to 8640000 seconds to enable This option is not available for IPv6 policies. |
0 |
http-cookie-age |
Set the time in minutes that client web browsers should keep a cookie. Set to 0 for no time limit. |
60 |
http-cookie-domain |
Enter the domain name to which cookie persistence should apply. |
none |
http-cookie-domain-from-host |
Enable or disable use of the HTTP cookie domain from the |
disable |
http-cookie-generation |
Set the generation of HTTP cookies to be accepted. The exact value is not important, only that it is different from any generation that has already been used. Changing this value invalidates all existing cookies. |
0 |
http-cookie-path |
Specify the path to which cookie persistence is limited. |
none |
http-cookie-share |
Configure to control the sharing of cookies across virtual servers. Using Disable stops cookie sharing between virtual servers. |
same-ip |
http-ip-header |
For HTTP multiplexing, enable or disable to add teh original client IP address in the |
disable |
http-ip-header-name |
For HTTP multiplexing, enter a custom HTTP header name. The original client IP address is added to this header. If empty, |
none |
http-multiplex |
Enable or disable HTTP multiplexing. |
disable |
http-redirect |
Enable or disable redirection of HTTP to HTTPS. |
disable |
https-cookie-secure |
Enable or disable verification that HTTPS cookies are secure. |
disable |
id |
Enter a unique number as the policy ID, or use the default (0) to automatically assign a policy ID. Policy IDs can be up to a maximum of 9 digits in length. Once a policy ID has been configured it cannot be changed. |
0 |
ldbd-method |
Select the method used to distribute sessions to real servers. |
static |
max-embryonic-connections |
Set the maximum number of incomplete connections, from 0 to 100000. |
1000 |
monitor |
Select the health check monitor to use when polling to determine a virtual server's connectivity status. |
none |
nat-source-vip |
Enable or disable forcing the source NAT mapped IP to the external IP for all traffic. |
disable |
nat44 |
Enable or disable NAT44. This option is not available for IPv6 policies. |
enable |
nat46 |
Enable or disable NAT46. This option is not available for IPv6 policies. |
disable |
nat64 |
Enable or disable NAT64. This option is only available for IPv6 policies. |
enable |
nat66 |
Enable or disable NAT66. This option is only available for IPv6 policies. |
disable |
outlook-web-access |
Enable to add the |
disable |
persistence |
Configure the method used to ensure that clients connect to the same server every time they make a request that is part of the same session. |
none |
portmapping-type |
Select the port mapping type, either This option is not available for IPv6 policies. |
1-to-1 |
server-type |
Select the protocol to be load balanced by the virtual server (also called the server load balance virtual IP). |
none |
ssl-accept-ffdhe-groups |
Enable or disable using the FFDHE cipher suite for SSL key exchange. |
enable |
ssl-algorithm |
Set the permitted encryption algorithms for SSL sessions according to encryption strength:
|
high |
ssl-certificate |
Select the certificate to use for SSL handshake. |
none |
ssl-client-fallback |
Enable or disable support for preventing downgrade attacks on client connections. |
enable |
ssl-client-rekey-count |
Set the maximum length of data in MB before triggering a client rekey. Set to 0 to disable. |
0 |
ssl-client-renegotiation |
Select the SSL secure renegotiation policy.
|
allow |
ssl-client-session-state-max |
Set the maximum number of SSL session states to keep between the client and FortiGate, from 0 to 100000. |
1000 |
ssl-client-session-state-timeout |
Set the number of minutes to keep the SSL session states between the client and FortiGate, from 1 to 14400. |
30 |
ssl-client-session-state-type |
Select the method to use to expire SSL sessions between the client and FortiGate.
|
both |
ssl-dh-bits |
Select the number of bits used in the Diffie-Hellman exchange for RSA encryption of the SSL connection: |
2048 |
ssl-hpkp |
Enable or disable including HPKP header in the response. |
disable |
ssl-hpkp-age |
Set the number of seconds that the client should honor the HPKP setting (60 - 157680000). |
5184000 |
ssl-hpkp-backup |
Select the certificate used to generate the backup HPKP pin from. |
none |
ssl-hpkp-include-subdomains |
Enable or disable indicating that the HPKP header applies to all subdomains. |
disable |
ssl-hpkp-primary |
Select the certificate used to generate the primary HPKP pin from. |
none |
ssl-hpkp-report-uri |
Set the URL to report HPKP violations to (maximum size = 255). |
none |
ssl-hsts |
Enable or disable including HSTS header in response. |
disable |
ssl-hsts-age |
Set the number of seconds that the client should honour the HSTS setting (60 - 157680000). |
5184000 |
ssl-hsts-include-subdomains |
Enable or disable indicating that the HSTS header applies to all subdomains. |
disable |
ssl-http-location-conversion |
Enable to replace HTTP with HTTPS in the reply’s |
disable |
ssl-http-match-host |
Enable or disable HTTP host matching for location conversion. |
disable |
ssl-max-version |
Select the highest version of SSL/TLS to allow in SSL sessions: |
tls-1.3 |
ssl-min-version |
Select the lowest version of SSL/TLS to allow in SSL sessions: |
tls-1.1 |
ssl-mode |
Select the method to use for SSL offloading between the client and FortiGate ( |
half |
ssl-pfs |
Select the cipher suites that can be used for SSL perfect forward secrecy (PFS):
This setting applies to both client and server sessions. |
require |
ssl-send-empty-frags |
Enable or disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 and TLS 1.0 only). This setting may need to be disabled for compatibility with older systems. |
enable |
ssl-server-algorithm |
Set the permitted encryption algorithms for SSL server sessions according to encryption strength:
|
client |
ssl-server-max-version |
Select the highest version of SSL/TLS to allow in SSL server sessions: |
client |
ssl-server-min-version |
Select the lowest version of SSL/TLS to allow in SSL server sessions: |
client |
ssl-server-session-state-max |
Set the maximum number of FortiGate to server SSL session states to keep, from 0 to 100000. |
100 |
ssl-server-session-state-timeout |
Set the number of minutes to keep FortiGate to server SSL session states, from 1 to 14400. |
60 |
ssl-server-session-state-type |
Select the method to use to expire FortiGate to server SSL sessions:
|
both |
uuid |
Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset. |
00000000-0000- 0000-0000- 000000000000 |
weblogic-server |
Enable or disable adding an HTTP header to indicate SSL offloading for a WebLogic server. |
disable |
websphere-server |
Enable or disable adding an HTTP header to indicate SSL offloading for a WebSphere server. |
disable |