Fortinet white logo
Fortinet white logo

CLI Reference

system firewall snat-policy

system firewall snat-policy

Use this command to configure a firewall SNAT policy. Firewall SNAT policies translate a matching source IP address to a single IP address or an IP address in an address pool.

Firewall SNAT policies are available in Reverse Proxy, True Transparent Proxy, and Transparent Inspection operating modes.

tooltip icon

FortiWeb applies a firewall SNAT policy only if IP forwarding is enabled. For details about IP forwarding, see router setting.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system firewall snat-policy

edit "<policy_name>"

set source-start <source_ipv4>

set source-end <source_ipv4>

set out-interface “<egress_port>”

set destination-start <destination_ipv4>

set destination-end <destination_ipv4>

set trans-to-type {ip | pool | no-nat}

set trans-to-ip “<translation_ipv4>”

set trans-to-ip-start “<first_ipv4>”

set trans-to-ip-end “<last_ipv4>”

next

end

Variable Description Default

"<policy_name>"

Enter a name that identifies the firewall SNAT policy. Don't use spaces or special characters. The maximum length is 63 characters.

No default.

source-start <source_ipv4>

Enter the first IP in the IP range to match the source IP address in the packet header that you want to translate. The IP address must be an IPv4 address.

0.0.0.0/0

source-end <source_ipv4>

Enter the last IP in the IP range to match the source IP address in the packet header that you want to translate. The IP address must be an IPv4 address.

out-interface “<egress_port>”

Select the interface that FortiWeb will use to forward traffic that matches the source-start <source_ipv4>.

No default.

destination-start <destination_ipv4>

Enter the first IP in the IP range to match the destination IP address in the packet header. The IP address must be an IPv4 address.

0.0.0.0/0

destination-end <destination_ipv4>

Enter the last IP in the IP range to match the destination IP address in the packet header. . The IP address must be an IPv4 address.

trans-to-type {ip | pool | no-nat}

Select one of the following:

  • ip—Select to translate the source IP to an IP address that you specify.

  • pool—Select to translate the source IP to the next available IP address in an IP address pool that you specify.

  • no-nat—Select to not perform SNAT for the matched traffic.

ip

trans-to-ip “<translation_ipv4>”

Enter the IP address that you want to translate the source IP to. An example IP address is 192.0.2.2. The IP address must be an IPv4 address.

This option is available only when the trans-to-type {ip | pool | no-nat} is set to IP.

0.0.0.0

trans-to-ip-start “<first_ipv4>”

Enter the first IP address in the SNAT pool. An example IP address is 192.0.2.3. The IP address must be an IPv4 address.

This option is available only when the trans-to-type {ip | pool | no-nat} is set to pool.

0.0.0.0

trans-to-ip-end “<last_ipv4>”

Enter the last IP address in the SNAT pool. An example IP address is 192.0.2.4. The IP address must be an IPv4 address.

This option is available only when the trans-to-type {ip | pool | no-nat} is set to pool.

0.0.0.0

Related Topic

system firewall snat-policy

system firewall snat-policy

Use this command to configure a firewall SNAT policy. Firewall SNAT policies translate a matching source IP address to a single IP address or an IP address in an address pool.

Firewall SNAT policies are available in Reverse Proxy, True Transparent Proxy, and Transparent Inspection operating modes.

tooltip icon

FortiWeb applies a firewall SNAT policy only if IP forwarding is enabled. For details about IP forwarding, see router setting.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system firewall snat-policy

edit "<policy_name>"

set source-start <source_ipv4>

set source-end <source_ipv4>

set out-interface “<egress_port>”

set destination-start <destination_ipv4>

set destination-end <destination_ipv4>

set trans-to-type {ip | pool | no-nat}

set trans-to-ip “<translation_ipv4>”

set trans-to-ip-start “<first_ipv4>”

set trans-to-ip-end “<last_ipv4>”

next

end

Variable Description Default

"<policy_name>"

Enter a name that identifies the firewall SNAT policy. Don't use spaces or special characters. The maximum length is 63 characters.

No default.

source-start <source_ipv4>

Enter the first IP in the IP range to match the source IP address in the packet header that you want to translate. The IP address must be an IPv4 address.

0.0.0.0/0

source-end <source_ipv4>

Enter the last IP in the IP range to match the source IP address in the packet header that you want to translate. The IP address must be an IPv4 address.

out-interface “<egress_port>”

Select the interface that FortiWeb will use to forward traffic that matches the source-start <source_ipv4>.

No default.

destination-start <destination_ipv4>

Enter the first IP in the IP range to match the destination IP address in the packet header. The IP address must be an IPv4 address.

0.0.0.0/0

destination-end <destination_ipv4>

Enter the last IP in the IP range to match the destination IP address in the packet header. . The IP address must be an IPv4 address.

trans-to-type {ip | pool | no-nat}

Select one of the following:

  • ip—Select to translate the source IP to an IP address that you specify.

  • pool—Select to translate the source IP to the next available IP address in an IP address pool that you specify.

  • no-nat—Select to not perform SNAT for the matched traffic.

ip

trans-to-ip “<translation_ipv4>”

Enter the IP address that you want to translate the source IP to. An example IP address is 192.0.2.2. The IP address must be an IPv4 address.

This option is available only when the trans-to-type {ip | pool | no-nat} is set to IP.

0.0.0.0

trans-to-ip-start “<first_ipv4>”

Enter the first IP address in the SNAT pool. An example IP address is 192.0.2.3. The IP address must be an IPv4 address.

This option is available only when the trans-to-type {ip | pool | no-nat} is set to pool.

0.0.0.0

trans-to-ip-end “<last_ipv4>”

Enter the last IP address in the SNAT pool. An example IP address is 192.0.2.4. The IP address must be an IPv4 address.

This option is available only when the trans-to-type {ip | pool | no-nat} is set to pool.

0.0.0.0

Related Topic