Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 6.3.6 CLI Reference
    6.3.6
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    system firewall snat-policy

    system firewall snat-policy

    Use this command to configure a firewall SNAT policy. Firewall SNAT policies translate a matching source IP address to a single IP address or an IP address in an address pool.

    Firewall SNAT policies are available in Reverse Proxy, True Transparent Proxy, and Transparent Inspection operating modes.

    tooltip icon

    FortiWeb applies a firewall SNAT policy only if IP forwarding is enabled. For details about IP forwarding, see router setting.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

    Syntax

    config system firewall snat-policy

    edit "<policy_name>"

    set source-start <source_ipv4>

    set source-end <source_ipv4>

    set out-interface “<egress_port>”

    set destination-start <destination_ipv4>

    set destination-end <destination_ipv4>

    set trans-to-type {ip | pool | no-nat}

    set trans-to-ip “<translation_ipv4>”

    set trans-to-ip-start “<first_ipv4>”

    set trans-to-ip-end “<last_ipv4>”

    next

    end

    Variable Description Default

    "<policy_name>"

    Enter a name that identifies the firewall SNAT policy. Don't use spaces or special characters. The maximum length is 63 characters.

    No default.

    source-start <source_ipv4>

    Enter the first IP in the IP range to match the source IP address in the packet header that you want to translate. The IP address must be an IPv4 address.

    0.0.0.0/0

    source-end <source_ipv4>

    Enter the last IP in the IP range to match the source IP address in the packet header that you want to translate. The IP address must be an IPv4 address.

    out-interface “<egress_port>”

    Select the interface that FortiWeb will use to forward traffic that matches the source-start <source_ipv4>.

    No default.

    destination-start <destination_ipv4>

    Enter the first IP in the IP range to match the destination IP address in the packet header. The IP address must be an IPv4 address.

    0.0.0.0/0

    destination-end <destination_ipv4>

    Enter the last IP in the IP range to match the destination IP address in the packet header. . The IP address must be an IPv4 address.

    trans-to-type {ip | pool | no-nat}

    Select one of the following:

    • ip—Select to translate the source IP to an IP address that you specify.

    • pool—Select to translate the source IP to the next available IP address in an IP address pool that you specify.

    • no-nat—Select to not perform SNAT for the matched traffic.

    ip

    trans-to-ip “<translation_ipv4>”

    Enter the IP address that you want to translate the source IP to. An example IP address is 192.0.2.2. The IP address must be an IPv4 address.

    This option is available only when the trans-to-type {ip | pool | no-nat} is set to IP.

    0.0.0.0

    trans-to-ip-start “<first_ipv4>”

    Enter the first IP address in the SNAT pool. An example IP address is 192.0.2.3. The IP address must be an IPv4 address.

    This option is available only when the trans-to-type {ip | pool | no-nat} is set to pool.

    0.0.0.0

    trans-to-ip-end “<last_ipv4>”

    Enter the last IP address in the SNAT pool. An example IP address is 192.0.2.4. The IP address must be an IPv4 address.

    This option is available only when the trans-to-type {ip | pool | no-nat} is set to pool.

    0.0.0.0

    Related Topic

    Previous
    Next

    system firewall snat-policy

    system firewall snat-policy

    Use this command to configure a firewall SNAT policy. Firewall SNAT policies translate a matching source IP address to a single IP address or an IP address in an address pool.

    Firewall SNAT policies are available in Reverse Proxy, True Transparent Proxy, and Transparent Inspection operating modes.

    tooltip icon

    FortiWeb applies a firewall SNAT policy only if IP forwarding is enabled. For details about IP forwarding, see router setting.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

    Syntax

    config system firewall snat-policy

    edit "<policy_name>"

    set source-start <source_ipv4>

    set source-end <source_ipv4>

    set out-interface “<egress_port>”

    set destination-start <destination_ipv4>

    set destination-end <destination_ipv4>

    set trans-to-type {ip | pool | no-nat}

    set trans-to-ip “<translation_ipv4>”

    set trans-to-ip-start “<first_ipv4>”

    set trans-to-ip-end “<last_ipv4>”

    next

    end

    Variable Description Default

    "<policy_name>"

    Enter a name that identifies the firewall SNAT policy. Don't use spaces or special characters. The maximum length is 63 characters.

    No default.

    source-start <source_ipv4>

    Enter the first IP in the IP range to match the source IP address in the packet header that you want to translate. The IP address must be an IPv4 address.

    0.0.0.0/0

    source-end <source_ipv4>

    Enter the last IP in the IP range to match the source IP address in the packet header that you want to translate. The IP address must be an IPv4 address.

    out-interface “<egress_port>”

    Select the interface that FortiWeb will use to forward traffic that matches the source-start <source_ipv4>.

    No default.

    destination-start <destination_ipv4>

    Enter the first IP in the IP range to match the destination IP address in the packet header. The IP address must be an IPv4 address.

    0.0.0.0/0

    destination-end <destination_ipv4>

    Enter the last IP in the IP range to match the destination IP address in the packet header. . The IP address must be an IPv4 address.

    trans-to-type {ip | pool | no-nat}

    Select one of the following:

    • ip—Select to translate the source IP to an IP address that you specify.

    • pool—Select to translate the source IP to the next available IP address in an IP address pool that you specify.

    • no-nat—Select to not perform SNAT for the matched traffic.

    ip

    trans-to-ip “<translation_ipv4>”

    Enter the IP address that you want to translate the source IP to. An example IP address is 192.0.2.2. The IP address must be an IPv4 address.

    This option is available only when the trans-to-type {ip | pool | no-nat} is set to IP.

    0.0.0.0

    trans-to-ip-start “<first_ipv4>”

    Enter the first IP address in the SNAT pool. An example IP address is 192.0.2.3. The IP address must be an IPv4 address.

    This option is available only when the trans-to-type {ip | pool | no-nat} is set to pool.

    0.0.0.0

    trans-to-ip-end “<last_ipv4>”

    Enter the last IP address in the SNAT pool. An example IP address is 192.0.2.4. The IP address must be an IPv4 address.

    This option is available only when the trans-to-type {ip | pool | no-nat} is set to pool.

    0.0.0.0

    Related Topic

    Previous
    Next