
Administration Guide

Create or edit a central SNAT policy

Select Create New to open the Create Central SNAT window. To change a central SNAT policy, select the policy and then click Edit.

Configure the following settings in the Create Central SNAT window or the Edit Central SNAT window and then click OK:

Status

Select Enable to make the central SNAT policy active.

Action

Select one of the following options for the central SNAT action:

  • Bypass—Do not perform network address translation (NAT).

  • Masquerade—Use a single IP address to protect multiple IP addresses in a LAN.

  • IP Pools—Use an IP address from an IP pool. An IP pool defines a single IP address or a range of IP addresses to be used as the source address for the duration of the session. These assigned addresses are used instead of the IP address assigned to that FortiProxy interface.

Type

Select IPv4 or IPv6.

Source Interface

Select one of the available interfaces from the drop-down list.

Destination Interface

Select one of the available interfaces from the drop-down list.

Source Address

Source IPv6 Address

Click +. A window slides out from the right. Here, you can select from the available addresses and address groups. Select one or more items to add to the field. Clicking on an object in this window while it is highlighted removes it from the field. Multiple selections are allowed. For more information on addresses, see Addresses.

Destination Address

Destination IPv6 Address

Click +. A window slides out from the right. Here, you can select from the available addresses and address groups. Select one or more items to add to the field. Clicking on an object in this window while it is highlighted removes it from the field. Multiple selections are allowed. For more information on addresses, see Addresses.

API Preview

The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.

To use the API Preview:
  1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.

  2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.

  3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.

  4. Click Close to leave the preview.

To create a central SNAT policy in the CLI:

config firewall central-snat-map
    edit <policy_identifier>
        set status {enable | disable}
        set action {bypass | masquerade | ippool}
        set ipv6 {enable | disable}
        set srcintf <source_interface_name>
        set dstintf <destination_interface_name>
        set src-addr <original_address>
        set dst-addr <original_address>
end

For example, to create an IPv4 central SNAT policy:

config firewall central-snat-map
    edit 1
        set status enable
        set action masquerade
        set ipv6 disable
        set srcintf port2
        set dstintf port1
        set src-addr "all"
        set dst-addr "all"
end

For example, to create an IPv6 central SNAT policy:

config firewall central-snat-map
    edit 1
        set status enable
        set action ippool
        set ipv6 enable
        set srcintf port1
        set dstintf port3
        set src-addr6 "all"
        set dst-addr6 "all"
        set nat-ippool6 "pool6"
end
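
When reviewing an exported configuration, the central SNAT settings above can be checked mechanically. The following Python script is an added example, not part of the Fortinet guide or product: it parses a config firewall central-snat-map block and reports policies that translate traffic from "all" to "all", or that use the ippool action without naming a pool. It assumes that a missing set ipv6 line means IPv4 and that the IPv4 pool setting is named nat-ippool (the page shows only nat-ippool6); parse_snat_map, audit and the sample text are constructed for illustration.

```python
import shlex

# Constructed sample; policy 2 omits nat-ippool6, "internal6" is made up.
SAMPLE = """
config firewall central-snat-map
    edit 1
        set action masquerade
        set ipv6 disable
        set srcintf port2
        set dstintf port1
        set src-addr "all"
        set dst-addr "all"
    next
    edit 2
        set action ippool
        set ipv6 enable
        set srcintf port1
        set dstintf port3
        set src-addr6 "all"
        set dst-addr6 "internal6"
end
"""

def parse_snat_map(text):
    """Return {policy_id: {setting: [values]}} for each 'edit' entry."""
    policies, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:1] == ["edit"] and len(tok) == 2:
            current = policies.setdefault(tok[1], {})
        elif tok[:1] == ["set"] and len(tok) > 2 and current is not None:
            current[tok[1]] = tok[2:]
    return policies

def audit(policies):
    """Return (policy_id, finding) pairs worth a reviewer's attention."""
    findings = []
    for pid, p in policies.items():
        sfx = "6" if p.get("ipv6") == ["enable"] else ""  # assumed: unset = IPv4
        action = p.get("action", [""])[0]
        if action != "bypass" and all(
                p.get(k + sfx) == ["all"] for k in ("src-addr", "dst-addr")):
            findings.append((pid, "translates all-to-all traffic"))
        # nat-ippool6 is from the page; the IPv4 name nat-ippool is assumed.
        if action == "ippool" and "nat-ippool" + sfx not in p:
            findings.append((pid, "ippool action without nat-ippool" + sfx))
    return findings

for pid, msg in audit(parse_snat_map(SAMPLE)):
    print(f"policy {pid}: {msg}")
```

Both examples on this page use "all" for source and destination, so the script reports them as all-to-all; in production, narrower address objects keep the translated scope explicit.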
