Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.2.1 Administration Guide
    7.2.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Central DNAT

    Central DNAT

    Central NAT allows for the central configuration of SNAT (source NAT) and DNAT (destination NAT).

    To enable central NAT in the GUI:

    1. Go to System > Settings.

    2. In the System Operation Settings, enable Central SNAT.

    3. Click Apply.

    To enable central NAT in the CLI:
    config system settings
    set central-nat {enable | disable}
end

    When central NAT is enabled, virtual IPs (VIPs) are not configured in the firewall policy. The VIPs are configured as separate objects where their status must be enabled.

    Note

    This option is only available for IPv4 VIP and VIP46 objects.

    Configuring a DNAT and VIP object in central NAT mode is similar to configuring a VIP when central NAT is disabled. See Static virtual IPs for more information on each setting.

    VIP objects can carry over when switching from non-central NAT mode to central NAT mode or vice-versa. However, if a VIP is assigned to a firewall policy in non-central NAT mode, it must be unassigned before switching to central NAT mode.

    In this example, a DNAT and VIP are configured to forward traffic from 10.1.100.130 to 172.16.200.44. This example assumes that the firewall address, Addr_172.16.200.44/32, has already been configured.

    To configure DNAT and a VIP in the GUI:

    1. Configure the VIP:

      1. Go to Policy & Objects > DNAT & Virtual IPs and click Create New > DNAT & Virtual IP.

      2. Enter a name (test-vip44-1).

      3. Set the External IP address/range to 10.1.100.130.

      4. Set the Map to IPv4 address/range to 172.16.200.44.

      5. Click OK.

    2. Configure a firewall policy that allows traffic in the direction of the VIP:

      1. Go to Policy & Objects > Firewall Policy and click Create New.

      2. Configure the following settings:

        Name

        VIP-port2toport3

        Source

        all

        Destination

        Addr_172.16.200.40

        Schedule

        always

        Service

        ALL

        Action

        ACCEPT

      3. Configure the other settings as needed. There is no SNAT configuration section, so central SNAT policies will be applied.

      4. Click OK.

    To configure DNAT and a VIP in the CLI:
    1. Configure the VIP: 
      config firewall vip
    edit "test-vip44-1"
        set extip 10.1.100.130
        set mappedip "172.16.200.44"
        set extintf "any"
        set status enable
    next
end
    2. Configure a firewall policy that allows traffic in the direction of the VIP: 
      config firewall policy
    edit 3
        set name "VIP-port2toport3"
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "Addr_172.16.200.40"
        set schedule "always"
        set service "ALL"
    next
end
    To verify the DNAT and VIP:

    If the VIP status is enabled, it will appear in the VIP table:

    # diagnose firewall iprope list 100000
policy index=7 uuid_idx=625 action=accept
flag (8000104): f_p nat pol_stats
cos_fwd=0  cos_rev=0
group=00100000 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 0 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 10.1.100.130-10.1.100.130, uuid_idx=625,
service(1):
        [0:0x0:0/(0,0)->(0,0)] helper:auto
nat(1): flag=0 base=10.1.100.130:0 172.16.200.44-172.16.200.44(0:0)

    If the VIP status is disabled, it will not appear in the VIP table.

    In this example, a one-to-one static NAT is enabled. Send a ping to 10.1.100.130, and the traffic will be forwarded to the destination 172.16.200.44.

    Previous
    Next

    Central DNAT

    Central DNAT

    Central NAT allows for the central configuration of SNAT (source NAT) and DNAT (destination NAT).

    To enable central NAT in the GUI:

    1. Go to System > Settings.

    2. In the System Operation Settings, enable Central SNAT.

    3. Click Apply.

    To enable central NAT in the CLI:
    config system settings
    set central-nat {enable | disable}
end

    When central NAT is enabled, virtual IPs (VIPs) are not configured in the firewall policy. The VIPs are configured as separate objects where their status must be enabled.

    Note

    This option is only available for IPv4 VIP and VIP46 objects.

    Configuring a DNAT and VIP object in central NAT mode is similar to configuring a VIP when central NAT is disabled. See Static virtual IPs for more information on each setting.

    VIP objects can carry over when switching from non-central NAT mode to central NAT mode or vice-versa. However, if a VIP is assigned to a firewall policy in non-central NAT mode, it must be unassigned before switching to central NAT mode.

    In this example, a DNAT and VIP are configured to forward traffic from 10.1.100.130 to 172.16.200.44. This example assumes that the firewall address, Addr_172.16.200.44/32, has already been configured.

    To configure DNAT and a VIP in the GUI:

    1. Configure the VIP:

      1. Go to Policy & Objects > DNAT & Virtual IPs and click Create New > DNAT & Virtual IP.

      2. Enter a name (test-vip44-1).

      3. Set the External IP address/range to 10.1.100.130.

      4. Set the Map to IPv4 address/range to 172.16.200.44.

      5. Click OK.

    2. Configure a firewall policy that allows traffic in the direction of the VIP:

      1. Go to Policy & Objects > Firewall Policy and click Create New.

      2. Configure the following settings:

        Name

        VIP-port2toport3

        Source

        all

        Destination

        Addr_172.16.200.40

        Schedule

        always

        Service

        ALL

        Action

        ACCEPT

      3. Configure the other settings as needed. There is no SNAT configuration section, so central SNAT policies will be applied.

      4. Click OK.

    To configure DNAT and a VIP in the CLI:
    1. Configure the VIP: 
      config firewall vip
    edit "test-vip44-1"
        set extip 10.1.100.130
        set mappedip "172.16.200.44"
        set extintf "any"
        set status enable
    next
end
    2. Configure a firewall policy that allows traffic in the direction of the VIP: 
      config firewall policy
    edit 3
        set name "VIP-port2toport3"
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "Addr_172.16.200.40"
        set schedule "always"
        set service "ALL"
    next
end
    To verify the DNAT and VIP:

    If the VIP status is enabled, it will appear in the VIP table:

    # diagnose firewall iprope list 100000
policy index=7 uuid_idx=625 action=accept
flag (8000104): f_p nat pol_stats
cos_fwd=0  cos_rev=0
group=00100000 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 0 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 10.1.100.130-10.1.100.130, uuid_idx=625,
service(1):
        [0:0x0:0/(0,0)->(0,0)] helper:auto
nat(1): flag=0 base=10.1.100.130:0 172.16.200.44-172.16.200.44(0:0)

    If the VIP status is disabled, it will not appear in the VIP table.

    In this example, a one-to-one static NAT is enabled. Send a ping to 10.1.100.130, and the traffic will be forwarded to the destination 172.16.200.44.

    Previous
    Next