Administration Guide

Central DNAT

The FortiGate unit checks the NAT table and determines if the destination IP address for incoming traffic must be changed using DNAT. DNAT is typically applied to traffic from the Internet that is going to be directed to a server on a network behind the FortiGate device. DNAT means the actual address of the internal network is hidden from the Internet. This step determines whether a route to the destination address actually exists.

DNAT must take place before routing so that the unit can route packets to the correct destination.

DNAT policies can be created, or imported from Virtual IP (VIP) objects. Virtual servers can also be imported from ADOM objects to DNAT policies. DNAT policies are automatically added to the VIP object table (Object Configurations > Firewall Objects > Virtual IPs) when they are created.

VIPs can be edited from either the DNAT or VIP object tables by double-clicking the VIP, right-clicking the VIP and selecting Edit, or selecting the VIP and clicking Edit in the toolbar. The network type cannot be changed. DNAT policies can also be copied, pasted, cloned, and moved from the right-click or Edit menus.

Deleting a DNAT policy does not delete the corresponding VIP object, and a VIP object cannot be deleted if it is in the DNAT table.

DNAT policies support overlapping IP address ranges; VIPs do not. DNAT policies do not support VIP groups.

Central DNAT does not support Section View.

Central NAT must be enabled when creating or editing the policy package for this option to be available in the tree menu. See Create new policy packages.

To create a new central DNAT entry:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package, click Central DNAT.
  4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Virtual IP pane opens.
  5. Configure the following settings, then click OK to create the VIP:

    Name

    Enter a unique name for the DNAT.

    Comments

    Optionally, enter comments about the DNAT, such as its purpose, or the changes that have been made to it.

    Color

    Select a color.

    Interface

    Select an interface.

    Network Type

    Select the network type: Static NAT, DNS Translation, or FQDN.

    External IP Address/Range

    Enter the start and end external IP addresses in the fields. If there is only one address, enter it in both fields.

    This option is not available when the network type is FQDN.

    Mapped IP Address/Range

    Enter the mapped IP address.

    This option is not available when the network type is FQDN.

    External IP Address

    Enter the external IP address.

    This option is only available when the network type is FQDN.

    Mapped Address

    Select the mapped address.

    This option is only available when the network type is FQDN.

    Source Interface Filter

    Select a source interface filter.

    Optional Filters

    Enable or disable optional filters.

    Source Address

    Add source IP, range, or subnet filters. Multiple filters can be added using the Add icon.

    Services

    Enable and add services.

    Port Forwarding

    Enable or disable port forwarding.

    Protocol

    Select the protocol: TCP, UDP, SCTP, or ICMP.

    External Service Port

    Enter the external service port.

    This option is not available when Protocol is ICMP.

    Map to Port

    Enter the map to port.

    This option is not available when Protocol is ICMP.

    Enable ARP Reply

    Select to enable ARP reply.

    Add To Groups

    Optionally, select groups to add the virtual IP to from the list.

    Advanced Options

    Configure advanced options. See Advanced options.

    For more information on advanced options, see the FortiOS CLI Reference.

    Per-Device Mapping

    Enable or disable per-device mapping.

    If multiple imported VIP objects have the same name but different details, the object type will become Dynamic Virtual IP, and the per-device mappings will be listed here.

    Mappings can also be manually added, edited, and deleted as needed.

To import VIPs from the Virtual IP object table:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package, click Central DNAT.
  4. Click Import in the toolbar. The Import dialog box will open.
  5. Select the VIP object or objects that need to be imported. If necessary, use the search box to locate specific objects.
  6. Click OK to import the VIPs to the Central DNAT table.

Advanced options

Option

Description

Default

dns-mapping-ttl

Enter the time-to-live for the DNS response, from 0 to 604800. 0 means use the DNS server's response time.

0

extaddr

Select an address.

None

gratuitous-arp-interval

Set the time interval between sending of gratuitous ARP packets by a virtual IP. 0 disables this feature.

0

http-cookie-age

Set how long the browser caches the cookie, from 0 to 525600 seconds.

60

http-cookie-domain

Enter the domain name to restrict the cookie to.

none

http-cookie-domain-from-host

If enabled, when the unit adds a Set-Cookie header to the HTTP(S) response, the Domain attribute in the Set-Cookie header is set to the value of the Host: header, if there is one.

disable

http-cookie-generation

The exact value of the generation is not important, only that it is different from any generation that has already been used.

0

http-cookie-path

Limit the cookies to a particular path.

none

http-cookie-share

Configure HTTP cookie persistence to control the sharing of cookies across more than one virtual server.

The default setting means that any cookie generated by one virtual server can be used by another virtual server in the same virtual domain.

Disable to make sure that a cookie generated for a virtual server cannot be used by other virtual servers.

same-ip

http-ip-header-name

Enter a name for the custom HTTP header that the original client IP address is added to.

none

https-cookie-secure

Enable or disable using secure cookies for HTTPS sessions.

disable

id

Custom defined ID.

0

max-embryonic-connections

The maximum number of partially established SSL or HTTP connections, from 0 to 100000.

1000

nat-source-vip

Enable to prevent unintended servers from using a virtual IP. Disable to use the actual IP address of the server (or the destination interface if using NAT) as the source address of connections from the server that pass through the device.

disable

outlook-web-access

If enabled, the Front-End-Https: on header is inserted into the HTTP headers, and added to all HTTP requests.

disable

ssl-algorithm

Set the permitted encryption algorithms for SSL sessions according to encryption strength:

  • high: permit only high encryption algorithms: AES or 3DES.
  • medium: permit high or medium (RC4) algorithms.
  • low: permit high, medium, or low (DES) algorithms.
  • custom: only allow some preselected cipher suites to be used.

high

ssl-client-fallback

Enable to prevent downgrade attacks on client connections.

enable

ssl-client-renegotiation

Select the SSL secure renegotiation policy.

  • allow: allow, but do not require secure renegotiation.
  • deny: do not allow renegotiation.
  • secure: require secure renegotiation.

allow

ssl-client-session-state-max

The maximum number of SSL session states to keep for the segment of the SSL connection between the client and the unit, from 0 to 100000.

1000

ssl-client-session-state-timeout

The number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the unit, from 1 to 14400.

30

ssl-client-session-state-type

The method to use to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.

  • both: expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
  • count: expire SSL session states when ssl-client-session-state-max is exceeded.
  • disable: expire all SSL session states.
  • time: expire SSL session states when ssl-client-session-state-timeout is exceeded.

both

ssl-dh-bits

The number of bits used in the Diffie-Hellman exchange for RSA encryption of the SSL connection: 768, 1024, 1536, 2048, 3072, or 4096.

2048

ssl-hpkp

Enable or disable including HPKP header in response.

disable

ssl-hpkp-age

The number of seconds that the client should honor the HPKP setting (60 - 157680000).

5184000

ssl-hpkp-backup

Certificate to generate the backup HPKP pin from (size = 35, datasource(s) = vpn.certificate.local.name,vpn.certificate.ca.name).

None

ssl-hpkp-include-subdomains

Enable or disable indicating that the HPKP header applies to all subdomains.

disable

ssl-hpkp-primary

Certificate to generate the primary HPKP pin from (size = 35, datasource(s) = vpn.certificate.local.name,vpn.certificate.ca.name).

None

ssl-hpkp-report-uri

URL to report HPKP violations to (size = 255).

ssl-hsts

Enable or disable including HSTS header in response.

disable

ssl-hsts-age

The number of seconds that the client should honor the HSTS setting (60 - 157680000).

5184000

ssl-hsts-include-subdomains

Enable or disable indicating that the HSTS header applies to all subdomains.

disable

ssl-http-location-conversion

Enable to replace http with https in the reply’s Location HTTP header field.

disable

ssl-http-match-host

Enable to apply Location conversion to the reply’s HTTP header only if the host name portion of Location matches the request’s Host field or, if the Host field does not exist, the host name portion of the request’s URI.

disable

ssl-max-version

The highest version of SSL/TLS to allow in SSL sessions: ssl-3.0, tls-1.0, tls-1.1, or tls-1.2.

tls-1.2

ssl-min-version

The lowest version of SSL/TLS to allow in SSL sessions: ssl-3.0, tls-1.0, tls-1.1, or tls-1.2.

tls-1.0

ssl-pfs

Select the handling of Perfect Forward Secrecy (PFS) by controlling the cipher suites that can be selected.

  • allow: allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.
  • deny: allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
  • require: allow only Diffie-Hellman cipher-suites, so PFS is applied.

allow

ssl-send-empty-frags

Enable to precede the record with empty fragments to thwart attacks on CBC IV.

Disable this option if SSL acceleration will be used with an old or buggy SSL implementation which cannot properly handle empty fragments.

enable

ssl-server-algorithm

Set the permitted encryption algorithms for SSL server sessions according to encryption strength:

  • high: permit only high encryption algorithms: AES or 3DES.
  • medium: permit high or medium (RC4) algorithms.
  • low: permit high, medium, or low (DES) algorithms.
  • custom: only allow some preselected cipher suites to be used.

client

ssl-server-max-version

The highest version of SSL/TLS to allow in SSL server sessions: client, ssl-3.0, tls-1.0, tls-1.1, or tls-1.2.

client

ssl-server-min-version

The lowest version of SSL/TLS to allow in SSL server sessions: client, ssl-3.0, tls-1.0, tls-1.1, or tls-1.2.

client

ssl-server-session-state-max

The maximum number of SSL session states to keep for the segment of the SSL connection between the client and the unit, from 0 to 100000.

100

ssl-server-session-state-timeout

The number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the unit, from 1 to 14400.

60

ssl-server-session-state-type

The method to use to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.

  • both: expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
  • count: expire SSL session states when ssl-client-session-state-max is exceeded.
  • disable: expire all SSL session states.
  • time: expire SSL session states when ssl-client-session-state-timeout is exceeded.

both

weblogic-server

Enable or disable adding an HTTP header to indicate SSL offloading for a WebLogic server.

disable

websphere-server

Enable or disable adding an HTTP header to indicate SSL offloading for a WebSphere server.

disable
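
As an added example (not part of the Fortinet guide or any Fortinet tool), the Python script below audits VIP entries against a TLS hardening baseline, using the option names, values and defaults from the Advanced options table above. The pass criteria, the constructed `config firewall vip` sample and the assumption that the exported config omits options left at their defaults are this example's own.

```python
import re

# option: (default from the Advanced options table, pass test, finding text).
# An option absent from the config is evaluated at its default (assumption:
# the export omits unchanged options). The pass tests are this example's
# assumed baseline, not vendor guidance.
CHECKS = {
    "ssl-min-version": ("tls-1.0", lambda v: v not in ("ssl-3.0", "tls-1.0", "tls-1.1"),
                        "protocol versions below tls-1.2 are accepted"),
    "ssl-algorithm": ("high", lambda v: v not in ("medium", "low"),
                      "RC4 or DES cipher suites are permitted"),
    "ssl-client-renegotiation": ("allow", lambda v: v in ("deny", "secure"),
                                 "secure renegotiation is not required"),
    "ssl-pfs": ("allow", lambda v: v == "require",
                "cipher suites without PFS can be selected"),
    "ssl-dh-bits": ("2048", lambda v: v.isdigit() and int(v) >= 2048,
                    "Diffie-Hellman size is below 2048 bits"),
    "ssl-hsts": ("disable", lambda v: v == "enable",
                 "no HSTS header is included in responses"),
    "https-cookie-secure": ("disable", lambda v: v == "enable",
                            "secure cookies are not used for HTTPS sessions"),
    "ssl-client-fallback": ("enable", lambda v: v == "enable",
                            "downgrade protection for clients is off"),
}

# Constructed FortiOS-style config text; VIP names and values are made up.
SAMPLE_CONFIG = """
config firewall vip
    edit "portal-hardened"
        set ssl-min-version tls-1.2
        set ssl-client-renegotiation secure
        set ssl-pfs require
        set ssl-hsts enable
        set https-cookie-secure enable
    next
    edit "legacy-app"
        set ssl-algorithm medium
        set ssl-dh-bits 1024
        set ssl-client-fallback disable
    next
end
"""


def parse_vips(text):
    """Return {vip_name: {option: value}} from `config firewall vip` text."""
    vips, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        edit = re.match(r'edit\s+"?([^"]+)"?$', line)
        setting = re.match(r'set\s+(\S+)\s+(.+)$', line)
        if edit:
            current = vips.setdefault(edit.group(1), {})
        elif line == "next":
            current = None
        elif setting and current is not None:
            current[setting.group(1)] = setting.group(2).strip('"')
    return vips


def audit(text):
    """Return sorted (vip, option, effective value, source, finding) tuples."""
    findings = []
    for name, options in parse_vips(text).items():
        for option, (default, passes, message) in CHECKS.items():
            value = options.get(option, default)
            if not passes(value):
                source = "explicit" if option in options else "default"
                findings.append((name, option, value, source, message))
    return sorted(findings)


if __name__ == "__main__":
    for name, option, value, source, message in audit(SAMPLE_CONFIG):
        print(f"{name}: {option}={value} ({source}) -> {message}")
```

A finding marked `default` cannot be found by searching the config for the weak value, because the option was never set and the table default applies.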
