CLI Reference

system firewall snat-policy

Use this command to configure a firewall SNAT policy. Firewall SNAT policies translate a matching source IP address to a single IP address or an IP address in an address pool.

Firewall SNAT policies are available in Reverse Proxy, True Transparent Proxy, and Transparent Inspection operating modes.

FortiWeb applies a firewall SNAT policy only if IP forwarding is enabled. For details about IP forwarding, see router setting.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system firewall snat-policy
  edit policy_name
    set from "<source_ipv4_mask>"
    set out-interface "<egress_port>"
    set to "<destination_ipv4_mask>"
    set trans-to-ip "<translation_ipv4>"
    set trans-to-ip-end "<last_ipv4>"
    set trans-to-ip-start "<first_ipv4>"
    set trans-to-type {ip | pool}
  next
end

Variable, description, and default:

policy_name
    Enter a name that identifies the firewall SNAT policy. Don't use spaces or special characters. The maximum length is 63 characters.
    Default: No default.

from "<source_ipv4_mask>"
    Enter the IP address and subnet mask to match against the source IP address in the packet header, that is, the address you want to translate. An example from value is 192.0.2.0/24. The IP address must be an IPv4 address.
    Default: 0.0.0.0/0

out-interface "<egress_port>"
    Select the interface that FortiWeb will use to forward traffic that matches the from "<source_ipv4_mask>".
    Default: No default.

to "<destination_ipv4_mask>"
    Enter the IP address and subnet mask to match against the destination IP address in the packet header. An example destination is 192.0.2.1/24. The IP address must be an IPv4 address.
    Default: 0.0.0.0/0

trans-to-ip "<translation_ipv4>"
    Enter the IP address that you want to translate the from "<source_ipv4_mask>" to. An example IP address is 192.0.2.2. The IP address must be an IPv4 address.
    This option is available only when trans-to-type {ip | pool} is set to ip.
    Default: 0.0.0.0

trans-to-ip-end "<last_ipv4>"
    Enter the last IP address in the SNAT pool. An example IP address is 192.0.2.4. The IP address must be an IPv4 address.
    This option is available only when trans-to-type {ip | pool} is set to pool.
    Default: 0.0.0.0

trans-to-ip-start "<first_ipv4>"
    Enter the first IP address in the SNAT pool. An example IP address is 192.0.2.3. The IP address must be an IPv4 address.
    This option is available only when trans-to-type {ip | pool} is set to pool.
    Default: 0.0.0.0

trans-to-type {ip | pool}
    Select one of the following:
    ip
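
Added example, not part of the Fortinet reference: a small offline check that reads an snat-policy block from a configuration backup or template and reports entries that conflict with the option table above (source match left at the 0.0.0.0/0 default, missing out-interface, translation address or pool not set for the chosen trans-to-type). The sample configuration, the policy names and the interface name port1 are constructed placeholders, and requiring trans-to-type to be set explicitly is this check's own rule.

```python
import ipaddress
import shlex

SAMPLE = """config system firewall snat-policy
  edit "snat_pool"
    set from "192.0.2.0/24"
    set out-interface "port1"
    set trans-to-type pool
    set trans-to-ip-start "192.0.2.3"
    set trans-to-ip-end "192.0.2.4"
  next
  edit "snat_all"
    set out-interface "port1"
    set trans-to-type ip
  next
end"""  # constructed sample; "port1" and the policy names are placeholders

def parse_policies(text):
    """Return {policy_name: {option: value}} for every edit entry."""
    policies, current = {}, None
    for tokens in map(shlex.split, text.splitlines()):
        if tokens[:1] == ["edit"] and len(tokens) == 2:
            current = policies.setdefault(tokens[1], {})
        elif tokens[:1] == ["set"] and len(tokens) == 3 and current is not None:
            current[tokens[1]] = tokens[2]
    return policies

def parse_ip(cls, value):
    """Parse value with an ipaddress class; None if it is not valid IPv4."""
    try:
        return cls(value)
    except ValueError:
        return None

def lint_policy(name, opts):
    """Check one policy against the option table; return a list of findings."""
    src = parse_ip(ipaddress.IPv4Interface, opts.get("from", "0.0.0.0/0"))
    kind = opts.get("trans-to-type")
    # Unset options fall back to the documented 0.0.0.0 default, treated as "not configured".
    ip, first, last = (int(parse_ip(ipaddress.IPv4Address, opts.get(k, "0.0.0.0")) or 0)
                       for k in ("trans-to-ip", "trans-to-ip-start", "trans-to-ip-end"))
    checks = [
        (src is None, "from: not an IPv4 address/mask"),
        (src is not None and src.network.prefixlen == 0, "from: 0.0.0.0/0 matches every source"),
        ("out-interface" not in opts, "out-interface: not set (no default)"),
        (kind not in ("ip", "pool"), "trans-to-type: not set to ip or pool"),
        (kind == "ip" and ip == 0, "trans-to-ip: unset or invalid"),
        (kind == "pool" and not 0 < first <= last, "pool: start/end unset, invalid or reversed"),
    ]
    return [message for failed, message in checks if failed]
```

Run lint_policy over each entry returned by parse_policies(SAMPLE): snat_pool yields no findings, while snat_all is reported for the default source match and the missing trans-to-ip.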
