Network address translation (NAT)
You can set firewall SNAT and DNAT policies to translate the source IP addresses or destination IP addresses of packets coming into FortiWeb. They are available in Reverse Proxy, True Transparent Proxy, and Transparent Inspection operating modes. FortiWeb supports modifying the firewall configurations even if the license is expired.
FortiWeb applies a firewall SNAT or DNAT policy only if IP forwarding is enabled. To check whether IP forwarding is enabled, enter this command in the CLI:
get router setting
If ip-forward is set to enable, IP forwarding is enabled, and FortiWeb applies the firewall NAT policies.
If ip-forward is set to disable, IP forwarding is not enabled, and FortiWeb does not apply the firewall NAT policies. To enable IP forwarding, enter these commands in the CLI:
config router setting
set ip-forward enable
end
For details about these CLI commands, see the FortiWeb CLI Reference:
HTTPs://docs.fortinet.com/fortigate/reference
To configure a firewall SNAT policy
- Go to System > Firewall > NAT policy and select the Firewall SNAT Policy tab.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.
- Click Create New.
- Configure these settings:
Name
Enter a name that identifies the firewall SNAT policy. Don't use spaces or special characters. The maximum length is 63 characters.
Source Range
Enter the IP address range to match the source IP address in the packet header that you want to translate. The IP address must be an IPv4 address.
Destination Range
Enter the IP address range to match the destination IP address in the packet header. The IP address must be an IPv4 address.
Egress interface
Select the interface that FortiWeb uses to forward traffic that matches this policy.
Translation Type
Select one of the following:
IP Address—Select to translate the Source Range to a single IP address that you specify. To specify the address, configure Translation to IP Address.
Pool—Select to translate the Source Range to the next available IP address in an IP address pool that you specify. To specify the pool, configure both Pool Address Range and To.
No NAT—Select to not perform SNAT for the matched traffic.
Translation to IP Address
Enter the IP address that you want to translate the Source Range to. An example IP address is 192.0.2.2. The IP address must be an IPv4 address. This option is available only when Translation Type is set to IP Address.
Pool Address Range
Enter the first IP address in the SNAT pool. An example IP address is 192.0.2.3. The IP address must be an IPv4 address. This option is available only when Translation Type is set to Pool.
To
Enter the last IP address in the SNAT pool. An example IP address is 192.0.2.4. The IP address must be an IPv4 address. This option is available only when Translation Type is set to Pool.
To configure a firewall DNAT policy
- Go to System > Firewall > NAT policy and select the Firewall DNAT Policy tab.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.
- Click Create New.
- Configure these settings:
Name
Enter a name that identifies the firewall DNAT policy. Don't use spaces or special characters. The maximum length is 63 characters.
External Address Range
Enter the IP address range to match the destination IP address in the packet header that you want to translate. The external addresses are mapped one-to-one to the translated addresses, so the two ranges must be the same size. For example, if the External Address Range contains 10 addresses, the Mapped Address Range must also contain 10 addresses.
Configure the Mapped Address Range first, then enter only the first address of the External Address Range; the system calculates how many addresses the range must contain and automatically fills in its last address.
The IP address must be IPv4.
Mapped Address Range
Enter the IP address range that you want to translate the External Address Range to. The IP address must be IPv4.
Ingress interface
Select the network interface through which matching packets enter FortiWeb. The IP address must be IPv4.
Protocol
Select the protocol type of the packets that you want to translate.
Port Forwarding
Enable to translate the destination port as well as the destination IP address.
External Port Range
Enter the port range to match the destination port in the packet header.
This option is available only when Port Forwarding is enabled.
Mapped Port Range
Enter the port range that the External Port Range is translated to.
This option is available only when Port Forwarding is enabled.
- Click OK.
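As an added illustration (not Fortinet's code and not FortiWeb's implementation), the following Python models the SNAT translation types and the DNAT one-to-one address mapping and port forwarding described in the two procedures above, so that a planned mapping can be checked for size mismatches before it is entered in the web UI. The interface name port1, the sample addresses and the port ranges are constructed; the lowest-free-first pool allocation order and the one-to-one port shift are assumptions of the model.

```python
# Added model of the SNAT/DNAT policy semantics above (not Fortinet code); samples are constructed.
from ipaddress import IPv4Address
def ip_range(first, last):
    """Inclusive IPv4 range from two dotted strings -> (lo, hi) as integers."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range start {first} is after its end {last}")
    return lo, hi

def in_range(r, ip):
    return r[0] <= int(IPv4Address(ip)) <= r[1]

def external_range_end(external_first, mapped_first, mapped_last):
    """Mirror the UI auto-fill: size External Address Range to Mapped Address Range (1:1)."""
    lo, hi = ip_range(mapped_first, mapped_last)
    return str(IPv4Address(int(IPv4Address(external_first)) + (hi - lo)))

def snat(policy, src_ip, dst_ip, in_use=()):
    """Translated source IP, or None if no match; Pool picks lowest free address (assumed order)."""
    if not (in_range(policy["source"], src_ip) and in_range(policy["destination"], dst_ip)):
        return None
    kind = policy["translation_type"]
    if kind == "No NAT":
        return src_ip
    if kind == "IP Address":
        return policy["translate_to"]
    lo, hi = policy["pool"]  # Pool Address Range .. To
    free = [str(IPv4Address(i)) for i in range(lo, hi + 1) if str(IPv4Address(i)) not in in_use]
    return free[0] if free else None  # None = pool exhausted (assumption)

def dnat(policy, dst_ip, ingress, proto, dport=None):
    """(translated_ip, port) or None; Port Forwarding modelled as a 1:1 port shift (assumption)."""
    ext, mapped = policy["external"], policy["mapped"]
    if ext[1] - ext[0] != mapped[1] - mapped[0]:
        raise ValueError("External and Mapped Address Ranges must be the same size")
    if ingress != policy["ingress"] or proto != policy["protocol"] or not in_range(ext, dst_ip):
        return None
    new_ip = str(IPv4Address(mapped[0] + int(IPv4Address(dst_ip)) - ext[0]))
    if not policy.get("port_forwarding"):
        return new_ip, dport
    (elo, ehi), (mlo, mhi) = policy["external_ports"], policy["mapped_ports"]
    if ehi - elo != mhi - mlo:
        raise ValueError("External and Mapped Port Ranges must be the same size")
    if dport is None or not elo <= dport <= ehi:
        return None
    return new_ip, mlo + dport - elo

# Constructed sample: three external addresses forwarded one-to-one, TCP ports 8080-8089 -> 80-89.
DNAT_WEB = {"external": ip_range("203.0.113.10", "203.0.113.12"), "mapped": ip_range("10.1.1.10", "10.1.1.12"), "ingress": "port1",
            "protocol": "TCP", "port_forwarding": True, "external_ports": (8080, 8089), "mapped_ports": (80, 89)}
```

A packet to 203.0.113.11:8085 on port1 is rewritten to 10.1.1.11:85, while a mapped range of a different size raises an error instead of producing a silent partial mapping.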