system firewall dnat policy

Use this command to configure a firewall DNAT policy. Firewall DNAT policies translate the destination IP address.

Firewall DNAT policies are available in Reverse Proxy, True Transparent Proxy, and Transparent Inspection operating modes.

FortiWeb applies a firewall DNAT policy only if IP forwarding is enabled. For details about IP forwarding, see router setting.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system firewall dnat-policy
    edit "<policy_name>"
        set external-start <external_ipv4>
        set mapped-start <mapped_ipv4>
        set mapped-end <mapped_ipv4>
        set ingress-interface <ingress_port>
        set protocol {tcp | udp | icmp}
        set port-forwarding {enable | disable}
        set external-port-start <external_port>
        set external-port-end <external_port>
        set mapped-port-start <mapped_port>
        set mapped-port-end <mapped_port>
    next
end

Variable: "<policy_name>"
Description: Enter a name that identifies the firewall DNAT policy. Don't use spaces or special characters. The maximum length is 63 characters.
Default: No default.

Variable: external-start <external_ipv4>
Description: Enter the first IP address of the range that is matched against the destination IP address in the packet header and then translated.
The external addresses are mapped one-to-one to the translated addresses. For example, if the external IP range contains 10 addresses, the mapped IP range must also contain 10 addresses.
There is no external-end setting: after you configure mapped-start and mapped-end, FortiWeb counts the addresses in the mapped range and derives the last address of the external range from external-start.
The IP address must be IPv4.
Default: 0.0.0.0

Variable: mapped-start <mapped_ipv4>
Description: Enter the first IP address of the range that the external IP addresses are translated to.
Default: 0.0.0.0

Variable: mapped-end <mapped_ipv4>
Description: Enter the last IP address of the range that the external IP addresses are translated to.
Default: 0.0.0.0

Variable: ingress-interface <ingress_port>
Description: Enter the network interface through which the packet enters FortiWeb. The policy matches only packets received on this interface.
Default: No default.

Variable: protocol {tcp | udp | icmp}
Description: Select the protocol of the packets that you want to translate.
Default: No default.

Variable: port-forwarding {enable | disable}
Description: Enable to also translate the destination port (port forwarding) in addition to the destination IP address.
Default: No default.

Variable: external-port-start <external_port>
Description: Enter the first port of the range that is matched against the destination port in the packet header.
This option is available only when port-forwarding is enabled.
Default: 0

Variable: external-port-end <external_port>
Description: Enter the last port of the range that is matched against the destination port in the packet header.
This option is available only when port-forwarding is enabled.
Default: 0

Variable: mapped-port-start <mapped_port>
Description: Enter the first port of the range that the external port range is translated to.
This option is available only when port-forwarding is enabled.
Default: 0

Variable: mapped-port-end <mapped_port>
Description: Enter the last port of the range that the external port range is translated to.
This option is available only when port-forwarding is enabled.
Default: 0
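The following added example (not FortiWeb code, and not part of the original reference) models a dnat-policy entry in Python, derives the implicit last external address from the mapped range as described above, and checks a policy against the constraints the reference states before it is pushed to a device. The name character set and the equal-size rule for port ranges are assumptions, marked as such in the code.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class DnatPolicy:
    name: str
    external_start: str
    mapped_start: str
    mapped_end: str
    ingress_interface: str
    protocol: str
    port_forwarding: bool = False
    external_port_start: int = 0
    external_port_end: int = 0
    mapped_port_start: int = 0
    mapped_port_end: int = 0

def external_end(p: DnatPolicy) -> str:
    """Last external address: the mapped range size fixes the external range size (one-to-one)."""
    ms, me = ipaddress.IPv4Address(p.mapped_start), ipaddress.IPv4Address(p.mapped_end)
    if me < ms:
        raise ValueError("mapped-end precedes mapped-start")
    count = int(me) - int(ms) + 1
    # IPv4Address() raises AddressValueError if the range would run past 255.255.255.255.
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(p.external_start)) + count - 1))

def validate(p: DnatPolicy) -> list:
    """Return the reference's constraints that the policy violates (empty list = OK)."""
    problems = []
    # Assumed name charset: the page only says no spaces or special characters, max 63.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,63}", p.name):
        problems.append("name: 1-63 characters, letters, digits, '_' and '-' only")
    if p.protocol not in ("tcp", "udp", "icmp"):
        problems.append("protocol: must be tcp, udp or icmp")
    try:
        external_end(p)
    except ValueError as e:  # AddressValueError is a ValueError subclass
        problems.append(f"address range: {e}")
    ports = (p.external_port_start, p.external_port_end, p.mapped_port_start, p.mapped_port_end)
    if p.port_forwarding:
        if any(not 1 <= x <= 65535 for x in ports):
            problems.append("ports: each must be 1-65535 when port-forwarding is enabled")
        elif p.external_port_end - p.external_port_start != p.mapped_port_end - p.mapped_port_start:
            # Assumption: port ranges map one-to-one, like the address ranges do.
            problems.append("ports: external and mapped ranges must be the same size")
    elif any(ports):
        problems.append("ports: only available when port-forwarding is enabled")
    return problems
```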
