Administration Guide

Network address translation (NAT)

You can set firewall SNAT and DNAT policies to translate the source IP addresses or destination IP addresses of packets coming into FortiWeb. They are available in Reverse Proxy, True Transparent Proxy, and Transparent Inspection operating modes. FortiWeb supports modifying the firewall configurations even if the license is expired.

FortiWeb applies a firewall SNAT or DNAT policy only if IP forwarding is enabled. To check whether IP forwarding is enabled, enter this command in the CLI:

get router setting

If ip-forward is set to enable, IP forwarding is enabled, and FortiWeb is applying the firewall SNAT policy.

If ip-forward is set to disable, IP forwarding isn't enabled, and FortiWeb isn't applying the firewall SNAT policy. To enable IP forwarding, enter these commands in the CLI:

config router setting
  set ip-forward enable
end

For details about these CLI commands, see the FortiWeb CLI Reference:

https://docs.fortinet.com/fortigate/reference

To configure a firewall SNAT policy
  1. Go to System > Firewall > NAT policy and select the Firewall SNAT Policy tab.

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

  2. Click Create New.
  3. Configure these settings:

    Name

    Enter a name that identifies the firewall SNAT policy. Don't use spaces or special characters. The maximum length is 63 characters.

    Source Range

    Enter the IP address range to match the source IP address in the packet header that you want to translate. The IP address must be an IPv4 address.

    Destination Range

    Enter the IP address range to match the destination IP address in the packet header. The IP address must be an IPv4 address.

    Egress interface

    Select the interface that FortiWeb will use to forward traffic that matches this policy.

    Translation Type

    Select one of the following:

    Translation to IP Address

    Enter the IP address that you want to translate the Source Range to. An example IP address is 192.0.2.2. The IP address must be an IPv4 address.

    This option is available only when Translation Type is set to IP Address.

    Pool Address Range

    Enter the first IP address in the SNAT pool. An example IP address is 192.0.2.3. The IP address must be an IPv4 address.

    This option is available only when Translation Type is set to Pool.

    To

    Enter the last IP address in the SNAT pool. An example IP address is 192.0.2.4. The IP address must be an IPv4 address.

    This option is available only when Translation Type is set to Pool.

To configure a firewall DNAT policy
  1. Go to System > Firewall > NAT policy and select the Firewall DNAT Policy tab.

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

  2. Click Create New.
  3. Configure these settings:

    Name

    Enter a name that identifies the firewall DNAT policy. Don't use spaces or special characters. The maximum length is 63 characters.

    External Address Range

    Enter the IP address range to match the destination IP address in the packet header that you want to translate. The external addresses must be one-to-one mapped to the translated addresses. For example, if the External Address Range contains 10 addresses, the Mapped Address Range must also contain 10 addresses.

    Configure the Mapped Address Range first, then enter the first address of the External Address Range. The system calculates how many addresses the external range must contain and automatically fills in the last address of the External Address Range.

    The IP address must be IPv4.

    Mapped Address Range

    Enter the IP address range that you want to translate the External Address Range to. The IP address must be IPv4.

    Ingress interface

    Select the interface to match the network interface through which the packet comes in FortiWeb. The IP address must be IPv4.

    Protocol

    Select the protocol type of the packets that you want to translate.

    Port Forwarding

    Enable to translate the destination port in addition to the destination IP address.

    External Port Range

    Enter the port range to match the port in destination IP address.

    This option is available only when Port Forwarding is enabled.

    Mapped Port Range

    Enter the port range to translate the External Port Range to.

    This option is available only when Port Forwarding is enabled.

  4. Click OK.
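The address-range rules above (IPv4 only, external and mapped ranges mapped one-to-one, last external address derived from the mapped range size, port ranges only meaningful with Port Forwarding enabled) are easy to get wrong when policies are prepared in bulk. The following Python is an added example, not FortiWeb code: it re-implements the size calculation the GUI performs and checks a DNAT policy for consistency before it is entered. The dict keys and function names are hypothetical; the addresses are constructed sample values.

```python
import ipaddress

def _v4(addr):
    """Parse addr as an IPv4 address; IPv6 is rejected, as every field on this page requires."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError(f"{addr}: only IPv4 is accepted")
    return ip

def external_range_for(mapped_first, mapped_last, external_first):
    """Do what the GUI does for the External Address Range: take the Mapped Address
    Range and the first external address, and return (first, last) so that the
    external range holds exactly as many addresses as the mapped range."""
    m_first, m_last, e_first = _v4(mapped_first), _v4(mapped_last), _v4(external_first)
    if m_last < m_first:
        raise ValueError("mapped range ends before it starts")
    count = int(m_last) - int(m_first) + 1
    # IPv4Address() raises ValueError if the range would run past 255.255.255.255.
    e_last = ipaddress.IPv4Address(int(e_first) + count - 1)
    return str(e_first), str(e_last)

def validate_dnat_policy(policy):
    """Return a list of problems with a DNAT policy; an empty list means it is
    consistent with the rules on this page. `policy` is a constructed dict whose
    keys mirror the GUI fields (hypothetical naming, not a FortiWeb format)."""
    problems = []
    try:
        e_lo, e_hi = _v4(policy["external_first"]), _v4(policy["external_last"])
        m_lo, m_hi = _v4(policy["mapped_first"]), _v4(policy["mapped_last"])
    except ValueError as exc:
        return [str(exc)]
    ext_n = int(e_hi) - int(e_lo) + 1
    map_n = int(m_hi) - int(m_lo) + 1
    if ext_n < 1 or map_n < 1:
        problems.append("an address range ends before it starts")
    elif ext_n != map_n:  # the one-to-one mapping rule from the page
        problems.append(f"external range has {ext_n} addresses but mapped range has {map_n}")
    if policy.get("port_forwarding"):
        # Port ranges are only meaningful when Port Forwarding is enabled.
        for label in ("external_ports", "mapped_ports"):
            lo, hi = policy.get(label, (None, None))
            if lo is None or not (1 <= lo <= hi <= 65535):
                problems.append(f"{label}: port range must lie within 1-65535")
    return problems
```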
