Fortinet black logo

Handbook

NAT64 policy

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:355981
Download PDF

NAT64 policy

To configure a NAT64 policy in the GUI

  1. Go to Policy & Objects > NAT64 Policy

    The right side window will display a table of the existing NAT64 Policies.

    • To edit an existing policy, double click on the policy you wish to edit
    • To create a new policy, select the Create New icon in the top left side of the right window.
  2. Set the Incoming Interface parameter by selecting the field with the "+" next to the field label. Selecting the field will slide out a window from the right where you can select from the available interfaces. You can select one or more specific interfaces or you can select the any option. Choosing the any option will remove any other interfaces. For more information on interfaces, check the Concepts section called Interfaces and zones.
  3. Set the Outgoing Interface parameter by selecting the field with the "+" next to the field label. (Same rules apply as with the above step.)
  4. Set the Source Address parameter by selecting the field with the "+" next to the field label. The source in this case is an IPv6 Address object of the initiating traffic. When the field is selected a window will slide out from the right. In order to be able to select one of these options it needs to be configured as a firewall object before hand. The "+" icon next to the Search field is a shortcut for creating a new firewall object based on the tab that is currently selected. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option.
  5. Set the Destination Address parameter by selecting the field with the "+" next to the field label. This field is similar to the Source Addressfield. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  6. Set the Schedule parameter by using the drop down menu to select a preconfigured schedule. The "+" icon next to the Search field is a shortcut for creating a new schedule object. For more information on addresses, check the Firewall Objects section called Schedules
  7. Set the Service parameter by selecting the field with the "+" next to the field label. (Same mechanics for selection apply as with the other similar fields in this window.) Single or multiple options can be selected unless the ALL option is chosen in which case, it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  8. Set the Action parameter. Select one of the following options for the action:
    • ACCEPT - lets the traffic through to the next phase of analysis
    • DENY - drops the session

    While there are not as many Action options as with the IPv4 policy, because the choice of Action determines the settings and options below this parameter in the window the rest of the step are associated with a specific Action.

Settings if the ACCEPT action is selected.

Firewall / Network Options

  1. Skip the NAT setting. This type of policy is intended only for traffic that is being NATed from IPv6 to IPv4, because without NATing the traffic couldn't reach its destination, so disabling NAT would be pointless.
  2. Set the IP Pool Configuration by selection one of the options of:
    • Use Outgoing Interface Address
    • Use Dynamic IP Pool

    If the Use Dynamic IP Pool option is selected, an additional field will appear with the + icon. Selecting this field will slide out a window from the right where a preexisting IP Pool can be chosen. One or more IP Pools can be chosen and the "+" icon next to the Search field is a shortcut for creating a new IP Pool.

  3. Set the Log Allowed Traffic parameter by toggling the slider button (gray means it is disabled).

    If the Log Allowed Traffic setting is enabled, choose whether to log just Security Events or All Sessions and determine whether or not to keep a record of the packets by toggling the Capture Packets setting on or off.

  4. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  5. Toggle whether or not to Enable this policy.The default is enabled.
  6. Select the OK button to save the policy.

Settings if the DENY action is selected

  1. Enable the Log Violation Traffic setting by toggling the slider button.
  2. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  3. Toggle whether or not to Enable this policy.The default is enabled.
  4. Select the OK button to save the policy.

NAT64 policy

To configure a NAT64 policy in the GUI

  1. Go to Policy & Objects > NAT64 Policy

    The right side window will display a table of the existing NAT64 Policies.

    • To edit an existing policy, double click on the policy you wish to edit
    • To create a new policy, select the Create New icon in the top left side of the right window.
  2. Set the Incoming Interface parameter by selecting the field with the "+" next to the field label. Selecting the field will slide out a window from the right where you can select from the available interfaces. You can select one or more specific interfaces or you can select the any option. Choosing the any option will remove any other interfaces. For more information on interfaces, check the Concepts section called Interfaces and zones.
  3. Set the Outgoing Interface parameter by selecting the field with the "+" next to the field label. (Same rules apply as with the above step.)
  4. Set the Source Address parameter by selecting the field with the "+" next to the field label. The source in this case is an IPv6 Address object of the initiating traffic. When the field is selected a window will slide out from the right. In order to be able to select one of these options it needs to be configured as a firewall object before hand. The "+" icon next to the Search field is a shortcut for creating a new firewall object based on the tab that is currently selected. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option.
  5. Set the Destination Address parameter by selecting the field with the "+" next to the field label. This field is similar to the Source Addressfield. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  6. Set the Schedule parameter by using the drop down menu to select a preconfigured schedule. The "+" icon next to the Search field is a shortcut for creating a new schedule object. For more information on addresses, check the Firewall Objects section called Schedules
  7. Set the Service parameter by selecting the field with the "+" next to the field label. (Same mechanics for selection apply as with the other similar fields in this window.) Single or multiple options can be selected unless the ALL option is chosen in which case, it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  8. Set the Action parameter. Select one of the following options for the action:
    • ACCEPT - lets the traffic through to the next phase of analysis
    • DENY - drops the session

    While there are not as many Action options as with the IPv4 policy, because the choice of Action determines the settings and options below this parameter in the window the rest of the step are associated with a specific Action.

Settings if the ACCEPT action is selected.

Firewall / Network Options

  1. Skip the NAT setting. This type of policy is intended only for traffic that is being NATed from IPv6 to IPv4, because without NATing the traffic couldn't reach its destination, so disabling NAT would be pointless.
  2. Set the IP Pool Configuration by selection one of the options of:
    • Use Outgoing Interface Address
    • Use Dynamic IP Pool

    If the Use Dynamic IP Pool option is selected, an additional field will appear with the + icon. Selecting this field will slide out a window from the right where a preexisting IP Pool can be chosen. One or more IP Pools can be chosen and the "+" icon next to the Search field is a shortcut for creating a new IP Pool.

  3. Set the Log Allowed Traffic parameter by toggling the slider button (gray means it is disabled).

    If the Log Allowed Traffic setting is enabled, choose whether to log just Security Events or All Sessions and determine whether or not to keep a record of the packets by toggling the Capture Packets setting on or off.

  4. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  5. Toggle whether or not to Enable this policy.The default is enabled.
  6. Select the OK button to save the policy.

Settings if the DENY action is selected

  1. Enable the Log Violation Traffic setting by toggling the slider button.
  2. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  3. Toggle whether or not to Enable this policy.The default is enabled.
  4. Select the OK button to save the policy.