Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 7.2.3 CLI Reference
    7.2.3
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    system firewall dnat policy

    system firewall dnat policy

    Use this command to configure a firewall DNAT policy. Firewall DNAT policies translate the destination IP address.

    Firewall DNAT policies are available in Reverse Proxy, True Transparent Proxy, and Transparent Inspection operating modes.

    tooltip icon

    FortiWeb applies a firewall DNAT policy only if IP forwarding is enabled. For details about IP forwarding, see router setting.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

    Syntax

    config system firewall dnat-policy

    edit "<policy_name>"

    set external-start <external_ipv4>

    set mapped-start <mapped_ipv4>

    set mapped-end <mapped_ipv4>

    set ingress-interface <ingress_port>

    set protocol {tcp | udp | icmp}

    set port-forwarding {enable | disable}

    set external-port-start <external_port>

    set external-port-end <external_port>

    set mapped-port-start <mapped_port>

    set mapped-port-end <mapped_port>

    next

    end

    Variable Description Default

    "<policy_name>"

    Enter a name that identifies the firewall DNAT policy. Don't use spaces or special characters. The maximum length is 63 characters.

    No default.

    external-start <external_ipv4>

    Enter the first IP address of an IP range to match the destination IP address in the packet header that you want to translate.

    The external addresses must be one-to-one mapped to the translated addresses. For example, if the external IP range contains 10 addresses, the mapped IP range must also contain 10 addresses.

    After you configure the mapped-start and mapped-end, the system will calculate how many addresses are included in the range and automatically determine the last IP address of the external IP range.

    The IP address must be IPv4.

    0.0.0.0
    mapped-start <mapped_ipv4>

    Enter the first IP address of an IP range that you want to translate the external IP to.

    0.0.0.0

    mapped-end <mapped_ipv4>

    Enter the last IP address of an IP range that you want to translate the external IP to.

    0.0.0.0
    ingress-interface <ingress_port>

    Enter the interface to match the network interface through which the packet comes in FortiWeb.

    No default.
    protocol {tcp | udp | icmp}

    Select the protocol type of the packets that you want to translate.

    No default.
    port-forwarding {enable | disable}

    Enable to translate the port in destination IP address.

    No default.
    external-port-start <external_port>

    Enter the first port in the port range to match the port in destination IP address.

    This option is available only when port-forwarding is enabled.

    0
    external-port-end <external_port>

    Enter the last port in the port range to match the port in destination IP address.

    This option is available only when port-forwarding is enabled.

    0

    mapped-port-start <mapped_port>

    Enter the first port in the port range to translate the external port range to.

    This option is available only when port-forwarding is enabled.

    0

    mapped-port-end <mapped_port>

    Enter the last port in the port range to translate the external port range to.

    This option is available only when port-forwarding is enabled.

    0

    Related Topic

    Previous
    Next

    system firewall dnat policy

    system firewall dnat policy

    Use this command to configure a firewall DNAT policy. Firewall DNAT policies translate the destination IP address.

    Firewall DNAT policies are available in Reverse Proxy, True Transparent Proxy, and Transparent Inspection operating modes.

    tooltip icon

    FortiWeb applies a firewall DNAT policy only if IP forwarding is enabled. For details about IP forwarding, see router setting.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

    Syntax

    config system firewall dnat-policy

    edit "<policy_name>"

    set external-start <external_ipv4>

    set mapped-start <mapped_ipv4>

    set mapped-end <mapped_ipv4>

    set ingress-interface <ingress_port>

    set protocol {tcp | udp | icmp}

    set port-forwarding {enable | disable}

    set external-port-start <external_port>

    set external-port-end <external_port>

    set mapped-port-start <mapped_port>

    set mapped-port-end <mapped_port>

    next

    end

    Variable Description Default

    "<policy_name>"

    Enter a name that identifies the firewall DNAT policy. Don't use spaces or special characters. The maximum length is 63 characters.

    No default.

    external-start <external_ipv4>

    Enter the first IP address of an IP range to match the destination IP address in the packet header that you want to translate.

    The external addresses must be one-to-one mapped to the translated addresses. For example, if the external IP range contains 10 addresses, the mapped IP range must also contain 10 addresses.

    After you configure the mapped-start and mapped-end, the system will calculate how many addresses are included in the range and automatically determine the last IP address of the external IP range.

    The IP address must be IPv4.

    0.0.0.0
    mapped-start <mapped_ipv4>

    Enter the first IP address of an IP range that you want to translate the external IP to.

    0.0.0.0

    mapped-end <mapped_ipv4>

    Enter the last IP address of an IP range that you want to translate the external IP to.

    0.0.0.0
    ingress-interface <ingress_port>

    Enter the interface to match the network interface through which the packet comes in FortiWeb.

    No default.
    protocol {tcp | udp | icmp}

    Select the protocol type of the packets that you want to translate.

    No default.
    port-forwarding {enable | disable}

    Enable to translate the port in destination IP address.

    No default.
    external-port-start <external_port>

    Enter the first port in the port range to match the port in destination IP address.

    This option is available only when port-forwarding is enabled.

    0
    external-port-end <external_port>

    Enter the last port in the port range to match the port in destination IP address.

    This option is available only when port-forwarding is enabled.

    0

    mapped-port-start <mapped_port>

    Enter the first port in the port range to translate the external port range to.

    This option is available only when port-forwarding is enabled.

    0

    mapped-port-end <mapped_port>

    Enter the last port in the port range to translate the external port range to.

    This option is available only when port-forwarding is enabled.

    0

    Related Topic

    Previous
    Next