Fortinet black logo

Administration Guide

NAT detection

Copy Link
Copy Doc ID dc02a854-ab11-11ea-8b7d-00505692583a:546856
Download PDF

NAT detection

A NATing device is a device (e.g., a router) that sits on your network and performs Network Address Translation (NAT) to share network resources with one or more devices behind the NATing device. This could be a security risk to your network. An administrator can see the NATing device by its IP, however, the other devices behind it remain hidden.

NAT Detection has the ability to identify the following:

  • A host/device that has a NIC card with an IP that is does not match the IP address of the device connected directly to the port.
  • A user is MAC spoofing, where the user registers the host and then sets the NATing device's MAC address to the host's MAC address

The key to NAT detection is identifying the authorized IP ranges (i.e., for Production, Remediation etc.). The Dissolvable Agent or Persistent Agent gathers host IP and MAC address information. The NAT device will be within the authorized range, but the host behind it is served an IP by the NAT device and its IP is outside the range. This mismatch triggers events and alarms that indicate that a NATing device is being used.

The information gathered by the agent is returned to the FortiNAC server and analyzed as follows:

  • FortiNAC determines whether or not the IP address of the device connected directly to the port is within the range specified for NAT detection.
  • If the IP address is within the NAT detection range, then FortiNAC verifies that one of the IP addresses returned by the Agent matches the IP address of the device connected directly to the port. The agent can only return the IP addresses of the host, not the NAT device. If none of the IP addresses of the host sent match the IP address of the device on the port, then a "Possible NAT User" event is generated.

    Note

    If a network user sets local or self-signed IP addresses on the host that is behind the NAT device, no event is triggered.

  • The agent also returns the MAC addresses of the interfaces on the host. If FortiNAC detects that the device connected to the port and the interfaces on the host have the same MAC address, it generates a "Possible NAT Device, MAC Spoofed" event.

By mapping alarms to notify management when these events occur, you can identify and remove NATing devices from your network.

If you want to allow a router with hosts connected behind it to access your network, you must enable NAT Detection by entering the IP ranges within which using a NAT device is permitted and detected. If NAT Detection is not enabled, or the router is given an IP address that is not within a NAT detection range, both the router and the host behind it are left in registration. The administrator is not notified that a NAT device is connected.

To run NAT Detection, the following requirements must be met:

  • Hosts must use either the Dissolvable Agent or the Persistent Agent
  • At least one security policy must be defined to use the Dissolvable Agent or Persistent Agent
  • Designate the IP address ranges that FortiNAC should monitor.
  • Map the NAT detection events to alarms with an appropriate action (e.g., notify management). See Map events to alarms for details.

    Note

    If you have a host trying to connect through a router, and that router is not in an IP address range being checked for NAT Detection, that host will be stuck in Registration. Create IP address Ranges in NAT Detection that encompass any of IP address the router could be given.

Add or modify IP ranges

You must enter a separate range of IP addresses for each subnet.

Example:

Range 1 = 192.168.5.2 - 192.168.5.255

Range 2 = 192.168.6.2 - 192.168.6.255

Do not enter a single range spanning both of the above 192.168.5.2 - 192.168.6.255

  1. Click System > Settings.
  2. Expand the Identification folder and click NAT Detection.
  3. Click Add.
  4. Enter the starting and ending IP addresses for the range and click Add.
  5. Repeat for additional ranges of IP addresses.

Remove an IP range

  1. Click System > Settings.
  2. Expand the Identification folder and click NAT Detection.
  3. Select an IP range to be deleted.
  4. Click Delete.

NAT detection configurations and results

NAT detection configuration and corresponding results can be complex. Below are a series of examples detailing common scenarios and the results shown in FortiNAC.

Note

The IP addresses used in the examples below are only for illustration purposes. They are not the specific IP addresses you will see on your own network.

For the purposes of the examples assume the following:

  • Network IP Range for Production = 10.10.5.50 - 10.10.5.99
  • Network IP Range for Registration = 10.10.5.100 - 10.10.5.200
  • NAT Detection has been configured with the following IP ranges:

    • 10.10.5.50 - 10.10.5.99
    • 10.10.5.100 - 10.10.5.200
Scenario 1: NAT detection enabled, using endpoint compliance policy and agent
  1. The user connects a router to a port on your network and then connects a host to the router.
  2. Neither the router nor the host are registered.
  3. The router is placed in Registration and is given a Registration IP address of 10.10.5.101. The host is given IP address 192.168.1.1 by the router.
  4. The user goes through the registration process and is assigned an endpoint compliance policy.

    Note

    NAT Detection requires that the host have an agent installed.

  5. The IP address of the router is within one of the IP ranges set up for NAT Detection. The IP address of the host is sent by the agent to FortiNAC. FortiNAC determines that the host IP address is outside the IP ranges set up for NAT Detection. This process triggers a "NAT Device Registered" event.
  6. When the host itself is registered a "Possible NAT User" event is triggered.
  7. On the Host View, the router has been registered as a NAT Device to the user. The router has an IP address in the Production range, such as 10.10.5.51. The Registered To field displays User Name - NAT Device, such as Doe, John - NAT Device. The Host icon is displayed and shows as on-line.
  8. On the Host View, the PC behind the router is registered as a host to the user. The Host's IP address displays as a production IP address, such as 10.10.5.50. However, the host actually still has the IP served by the router of 192.168.1.1. The Registered To field displays only the user name, such as Doe, John. The Host icon is displayed and shows as offline even though the host is on-line.
Scenario 2: NAT detection enabled, not using endpoint compliance policy or agent
  1. The user connects a router to a port on your network and then connects a host to the router.
  2. Neither the router nor the host are registered.
  3. The router is placed in Registration and is given a Registration IP address of 10.10.5.101. The host is given IP address 192.168.1.1 by the router.
  4. The user goes through the registration process.
  5. On the Host View, the router has been registered as a PC to the user. The host connected to the router is not shown because FortiNAC is unaware of the host's existence behind the router.
  6. Events associated with a NAT device are not generated.
  7. Eventually the router is moved to Production and the host can access the network and the Internet. This may require the user to release and renew the IP address on the router by disconnecting and reconnecting the router to the port.
Scenario 3: NAT detection disabled, not using endpoint compliance policy or agent
  1. The user connects a router to a port on your network and then connects a host to the router.
  2. Neither the router nor the host are registered.
  3. The router is placed in Registration and is given a Registration IP address of 10.10.5.101. The host is given IP address 192.168.1.1 by the router.
  4. The user goes through the Registration process, but there is no endpoint compliance policy required. The user does not download an agent.
  5. The only IP address information provided to FortiNAC is the information returned from the switch where the router is connected when it is polled.
  6. The router is assigned a Production IP address, such as 10.10.5.55.
  7. The host behind the router continues to use the 192.168.1.1 IP address assigned by the router.
  8. On the Host View, the router has been registered to the user, but FortiNAC is unaware that this device is a NAT Device. The Registered To field displays User Name, such as Doe, John . The Host icon is displayed and shows as on-line.
  9. FortiNAC is not aware of the host behind the router, therefore, its information is not displayed. The user of this host can access the network and the Internet.
  10. In this scenario the user may need to release/renew the IP address on both the host and the router to access the Internet.
Scenario 4: NAT detection disabled, using endpoint compliance policy and agent
  1. The user connects a router to a port on your network and then connects a host to the router.
  2. Neither the router nor the host are registered.
  3. The router is placed in Registration and is given a Registration IP address of 10.10.5.101. The host is given IP address 192.168.1.1 by the router.
  4. The user goes through the Registration process and is assigned an endpoint compliance policy which includes downloading and installing either the Dissolvable Agent or the Persistent Agent.
  5. The router is not registered and is trapped in the registration VLAN. The host is registered but is also trapped in the registration VLAN because it is connected to the router.
  6. In the Host View, the router continues to display as a rogue. The host is registered but shows as offline.

NAT detection

A NATing device is a device (e.g., a router) that sits on your network and performs Network Address Translation (NAT) to share network resources with one or more devices behind the NATing device. This could be a security risk to your network. An administrator can see the NATing device by its IP, however, the other devices behind it remain hidden.

NAT Detection has the ability to identify the following:

  • A host/device that has a NIC card with an IP that is does not match the IP address of the device connected directly to the port.
  • A user is MAC spoofing, where the user registers the host and then sets the NATing device's MAC address to the host's MAC address

The key to NAT detection is identifying the authorized IP ranges (i.e., for Production, Remediation etc.). The Dissolvable Agent or Persistent Agent gathers host IP and MAC address information. The NAT device will be within the authorized range, but the host behind it is served an IP by the NAT device and its IP is outside the range. This mismatch triggers events and alarms that indicate that a NATing device is being used.

The information gathered by the agent is returned to the FortiNAC server and analyzed as follows:

  • FortiNAC determines whether or not the IP address of the device connected directly to the port is within the range specified for NAT detection.
  • If the IP address is within the NAT detection range, then FortiNAC verifies that one of the IP addresses returned by the Agent matches the IP address of the device connected directly to the port. The agent can only return the IP addresses of the host, not the NAT device. If none of the IP addresses of the host sent match the IP address of the device on the port, then a "Possible NAT User" event is generated.

    Note

    If a network user sets local or self-signed IP addresses on the host that is behind the NAT device, no event is triggered.

  • The agent also returns the MAC addresses of the interfaces on the host. If FortiNAC detects that the device connected to the port and the interfaces on the host have the same MAC address, it generates a "Possible NAT Device, MAC Spoofed" event.

By mapping alarms to notify management when these events occur, you can identify and remove NATing devices from your network.

If you want to allow a router with hosts connected behind it to access your network, you must enable NAT Detection by entering the IP ranges within which using a NAT device is permitted and detected. If NAT Detection is not enabled, or the router is given an IP address that is not within a NAT detection range, both the router and the host behind it are left in registration. The administrator is not notified that a NAT device is connected.

To run NAT Detection, the following requirements must be met:

  • Hosts must use either the Dissolvable Agent or the Persistent Agent
  • At least one security policy must be defined to use the Dissolvable Agent or Persistent Agent
  • Designate the IP address ranges that FortiNAC should monitor.
  • Map the NAT detection events to alarms with an appropriate action (e.g., notify management). See Map events to alarms for details.

    Note

    If you have a host trying to connect through a router, and that router is not in an IP address range being checked for NAT Detection, that host will be stuck in Registration. Create IP address Ranges in NAT Detection that encompass any of IP address the router could be given.

Add or modify IP ranges

You must enter a separate range of IP addresses for each subnet.

Example:

Range 1 = 192.168.5.2 - 192.168.5.255

Range 2 = 192.168.6.2 - 192.168.6.255

Do not enter a single range spanning both of the above 192.168.5.2 - 192.168.6.255

  1. Click System > Settings.
  2. Expand the Identification folder and click NAT Detection.
  3. Click Add.
  4. Enter the starting and ending IP addresses for the range and click Add.
  5. Repeat for additional ranges of IP addresses.

Remove an IP range

  1. Click System > Settings.
  2. Expand the Identification folder and click NAT Detection.
  3. Select an IP range to be deleted.
  4. Click Delete.

NAT detection configurations and results

NAT detection configuration and corresponding results can be complex. Below are a series of examples detailing common scenarios and the results shown in FortiNAC.

Note

The IP addresses used in the examples below are only for illustration purposes. They are not the specific IP addresses you will see on your own network.

For the purposes of the examples assume the following:

  • Network IP Range for Production = 10.10.5.50 - 10.10.5.99
  • Network IP Range for Registration = 10.10.5.100 - 10.10.5.200
  • NAT Detection has been configured with the following IP ranges:

    • 10.10.5.50 - 10.10.5.99
    • 10.10.5.100 - 10.10.5.200
Scenario 1: NAT detection enabled, using endpoint compliance policy and agent
  1. The user connects a router to a port on your network and then connects a host to the router.
  2. Neither the router nor the host are registered.
  3. The router is placed in Registration and is given a Registration IP address of 10.10.5.101. The host is given IP address 192.168.1.1 by the router.
  4. The user goes through the registration process and is assigned an endpoint compliance policy.

    Note

    NAT Detection requires that the host have an agent installed.

  5. The IP address of the router is within one of the IP ranges set up for NAT Detection. The IP address of the host is sent by the agent to FortiNAC. FortiNAC determines that the host IP address is outside the IP ranges set up for NAT Detection. This process triggers a "NAT Device Registered" event.
  6. When the host itself is registered a "Possible NAT User" event is triggered.
  7. On the Host View, the router has been registered as a NAT Device to the user. The router has an IP address in the Production range, such as 10.10.5.51. The Registered To field displays User Name - NAT Device, such as Doe, John - NAT Device. The Host icon is displayed and shows as on-line.
  8. On the Host View, the PC behind the router is registered as a host to the user. The Host's IP address displays as a production IP address, such as 10.10.5.50. However, the host actually still has the IP served by the router of 192.168.1.1. The Registered To field displays only the user name, such as Doe, John. The Host icon is displayed and shows as offline even though the host is on-line.
Scenario 2: NAT detection enabled, not using endpoint compliance policy or agent
  1. The user connects a router to a port on your network and then connects a host to the router.
  2. Neither the router nor the host are registered.
  3. The router is placed in Registration and is given a Registration IP address of 10.10.5.101. The host is given IP address 192.168.1.1 by the router.
  4. The user goes through the registration process.
  5. On the Host View, the router has been registered as a PC to the user. The host connected to the router is not shown because FortiNAC is unaware of the host's existence behind the router.
  6. Events associated with a NAT device are not generated.
  7. Eventually the router is moved to Production and the host can access the network and the Internet. This may require the user to release and renew the IP address on the router by disconnecting and reconnecting the router to the port.
Scenario 3: NAT detection disabled, not using endpoint compliance policy or agent
  1. The user connects a router to a port on your network and then connects a host to the router.
  2. Neither the router nor the host are registered.
  3. The router is placed in Registration and is given a Registration IP address of 10.10.5.101. The host is given IP address 192.168.1.1 by the router.
  4. The user goes through the Registration process, but there is no endpoint compliance policy required. The user does not download an agent.
  5. The only IP address information provided to FortiNAC is the information returned from the switch where the router is connected when it is polled.
  6. The router is assigned a Production IP address, such as 10.10.5.55.
  7. The host behind the router continues to use the 192.168.1.1 IP address assigned by the router.
  8. On the Host View, the router has been registered to the user, but FortiNAC is unaware that this device is a NAT Device. The Registered To field displays User Name, such as Doe, John . The Host icon is displayed and shows as on-line.
  9. FortiNAC is not aware of the host behind the router, therefore, its information is not displayed. The user of this host can access the network and the Internet.
  10. In this scenario the user may need to release/renew the IP address on both the host and the router to access the Internet.
Scenario 4: NAT detection disabled, using endpoint compliance policy and agent
  1. The user connects a router to a port on your network and then connects a host to the router.
  2. Neither the router nor the host are registered.
  3. The router is placed in Registration and is given a Registration IP address of 10.10.5.101. The host is given IP address 192.168.1.1 by the router.
  4. The user goes through the Registration process and is assigned an endpoint compliance policy which includes downloading and installing either the Dissolvable Agent or the Persistent Agent.
  5. The router is not registered and is trapped in the registration VLAN. The host is registered but is also trapped in the registration VLAN because it is connected to the router.
  6. In the Host View, the router continues to display as a rogue. The host is registered but shows as offline.