Fortinet black logo

Administration Guide

Central SNAT

Central SNAT

The Central SNAT (Secure NAT) table enables you to define and control (with more granularity) the address translation performed by the FortiGate unit. With the NAT table, you can define the rules which dictate the source address or address group, and which IP pool the destination address uses.

While similar in functionality to IP pools, where a single address is translated to an alternate address from a range of IP addresses, with IP pools there is no control over the translated port. When using the IP pool for source NAT, you can define a fixed port to guarantee the source port number is unchanged. If no fixed port is defined, the port translation is randomly chosen by the FortiGate unit. With the central NAT table, you have full control over both the IP address and port translation.

The FortiGate unit reads the NAT rules in a top-down methodology, until it hits a matching rule for the incoming address. This enables you to create multiple NAT policies that dictate which IP pool is used based on the source address. The NAT policies can be rearranged within the policy list as well. NAT policies are applied to network traffic after a security policy.

The Central SNAT table allows you to create, edit, delete, and clone central SNAT entries.

Central SNAT does not support Section View.

Central NAT must be enabled when creating or editing the policy package for this option to be available in the tree menu. See Create new policy packages.

Central SNAT must be enabled in Tools > Display Options as well for the option to be visible in the tree menu. See Display options.

To create a new central SNAT entry:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package, click Central SNAT.
  4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Central SNAT pane opens.
  5. Configure the following settings, then click OK to create the policy:

    Incoming Interface

    Click the field then select interfaces from the Object Selector frame, or drag and drop the address from the object pane.

    Select the remove icon to remove values.

    Outgoing Interface

    Select outgoing interfaces.

    Source Address

    Select source addresses.

    Destination Address

    Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    NAT

    Select to enable NAT.

    IP Pool Configuration

    Select either Use Outgoing Interface Address, or Use Dynamic IP Pool. If using a dynamic IP pool, select the pool from the Object Selector frame.

    This option is only available when NAT is selected.

    Protocol

    Select the protocol: ANY, TCP, UDP, SCTP, or Specify. If Specify is selected, specify the protocol number.

    This option is only available when NAT is selected.

    Comments

    Add a description of the policy, such as its purpose, or the changes that have been made to it.

    Meta Fields

    If configured, enter values for the required meta fields, and optionally for the optional fields. See Meta Fields.

    Advanced Options

    Enable or disable nat.

Central SNAT

The Central SNAT (Secure NAT) table enables you to define and control (with more granularity) the address translation performed by the FortiGate unit. With the NAT table, you can define the rules which dictate the source address or address group, and which IP pool the destination address uses.

While similar in functionality to IP pools, where a single address is translated to an alternate address from a range of IP addresses, with IP pools there is no control over the translated port. When using the IP pool for source NAT, you can define a fixed port to guarantee the source port number is unchanged. If no fixed port is defined, the port translation is randomly chosen by the FortiGate unit. With the central NAT table, you have full control over both the IP address and port translation.

The FortiGate unit reads the NAT rules in a top-down methodology, until it hits a matching rule for the incoming address. This enables you to create multiple NAT policies that dictate which IP pool is used based on the source address. The NAT policies can be rearranged within the policy list as well. NAT policies are applied to network traffic after a security policy.

The Central SNAT table allows you to create, edit, delete, and clone central SNAT entries.

Central SNAT does not support Section View.

Central NAT must be enabled when creating or editing the policy package for this option to be available in the tree menu. See Create new policy packages.

Central SNAT must be enabled in Tools > Display Options as well for the option to be visible in the tree menu. See Display options.

To create a new central SNAT entry:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package, click Central SNAT.
  4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Central SNAT pane opens.
  5. Configure the following settings, then click OK to create the policy:

    Incoming Interface

    Click the field then select interfaces from the Object Selector frame, or drag and drop the address from the object pane.

    Select the remove icon to remove values.

    Outgoing Interface

    Select outgoing interfaces.

    Source Address

    Select source addresses.

    Destination Address

    Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    NAT

    Select to enable NAT.

    IP Pool Configuration

    Select either Use Outgoing Interface Address, or Use Dynamic IP Pool. If using a dynamic IP pool, select the pool from the Object Selector frame.

    This option is only available when NAT is selected.

    Protocol

    Select the protocol: ANY, TCP, UDP, SCTP, or Specify. If Specify is selected, specify the protocol number.

    This option is only available when NAT is selected.

    Comments

    Add a description of the policy, such as its purpose, or the changes that have been made to it.

    Meta Fields

    If configured, enter values for the required meta fields, and optionally for the optional fields. See Meta Fields.

    Advanced Options

    Enable or disable nat.