Central NAT is disabled by default. To toggle the feature on or off, use the following commands:
config system settings
set central-nat [enable | disable]
When Central NAT is enabled, the Central SNAT section appears under the Policy & Objects heading in the GUI.
The Central SNAT window contains a table of all of the Central SNAT policies.
To configure a Central SNAT entry in the GUI
- Go to Policy & Objects > Central SNAT
The right side window will display a table of the existing Central SNAT entries.
- To edit an existing entry, double-click the policy you wish to edit
- To create a new entry, select the Create New icon in the top left side of the right window.
- Set the Source Address parameter by selecting an address from the drop-down menu. One or more addresses can be selected. Additional addresses can be added later by selecting the circle icon with the "+" symbol inside it. For more information on addresses, see the Firewall Objects section called Addresses.
- Set the Destination Address parameter by selecting an address from the drop-down menu. One or more addresses can be selected. Additional addresses can be added later by selecting the circle icon with the "+" symbol inside it.
- Set the Translated Address parameter by selecting an IP Pool from the drop down menu. There are four types of IP Pools. The type selected will determine which further settings are to be set.
- Set the Protocol parameter.
There are 5 options for the Protocol.
- ANY - any protocol traffic
- TCP - TCP traffic only. Protocol number set to 6
- UDP - UDP traffic only. Protocol number set to 17
- SCTP - SCTP traffic only. Protocol number set to 132
- Specify - User can specify the traffic filter protocol by setting the protocol number in the field.
- If the IP Pool is of the type Overload, Explicit Port Mapping can be enabled.
To enable or disable, use the check box. Once enabled, the following additional parameters will appear.
- Original Source Port - in the left number field, set the starting number of the source port range.
- Translated Port - in the left number field, set the starting number of the translated port range. If it is a single-port range, leave the right number field alone. If the right number field is set to a number higher than the left, the right number field of the Original Source Port changes automatically so that the two ranges contain the same number of ports.
- Select the OK button to save the entry.
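An added example, not FortiGate code, that models the Explicit Port Mapping rule above in Python: the translated range decides how many ports are mapped, the Original Source Port range end is adjusted to match, and each original port maps to the translated port at the same offset. The one-to-one offset mapping and all names in the block are assumptions.

```python
# Added example, not FortiGate code: models the Explicit Port Mapping rule for a
# Central SNAT entry whose IP Pool is of type Overload. All names are assumed.
from dataclasses import dataclass
from typing import Optional

PORT_MIN, PORT_MAX = 1, 65535


@dataclass(frozen=True)
class ExplicitPortMapping:
    orig_start: int   # Original Source Port, left field
    orig_end: int     # Original Source Port, right field (derived from the translated range)
    nat_start: int    # Translated Port, left field
    nat_end: int      # Translated Port, right field


def build_mapping(orig_start: int, nat_start: int, nat_end: int = 0) -> ExplicitPortMapping:
    """Apply the GUI rule: the translated range decides how many ports are mapped,
    and the original source range end is adjusted to hold the same count.
    A nat_end that is not above nat_start is treated as a single-port range."""
    if nat_end <= nat_start:
        nat_end = nat_start
    count = nat_end - nat_start + 1
    orig_end = orig_start + count - 1
    for p in (orig_start, orig_end, nat_start, nat_end):
        if not PORT_MIN <= p <= PORT_MAX:
            raise ValueError(f"port {p} outside {PORT_MIN}-{PORT_MAX}; shrink the range")
    return ExplicitPortMapping(orig_start, orig_end, nat_start, nat_end)


def translate_port(m: ExplicitPortMapping, src_port: int) -> Optional[int]:
    """Translated source port for an outbound packet, or None when the packet's
    source port lies outside the entry's original range (entry does not match)."""
    if m.orig_start <= src_port <= m.orig_end:
        return m.nat_start + (src_port - m.orig_start)
    return None


def untranslate_port(m: ExplicitPortMapping, nat_port: int) -> Optional[int]:
    """Reverse lookup for reply traffic: original source port behind a translated port."""
    if m.nat_start <= nat_port <= m.nat_end:
        return m.orig_start + (nat_port - m.nat_start)
    return None


if __name__ == "__main__":
    m = build_mapping(orig_start=1024, nat_start=20000, nat_end=20099)
    print(m)                           # orig_end adjusted to 1123 (100 ports)
    print(translate_port(m, 1030))     # 20006
    print(untranslate_port(m, 20006))  # 1030
```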
To configure Central SNAT in the CLI
- Using the CLI interface of your choice, run the following command to get to the correct context.
config firewall central-snat-map
- To edit an existing entry, run the command
show full-configuration
to get a listing of all of the entries in the map. Take note of the policy ID of the entry to be edited.
- To create a new entry, the next step uses the policy ID 0, which checks for an unused ID number and creates an entry with that number.
- Edit or create an entry with the correct policy ID
edit <policyID number>
Run the following commands to set the parameters of the entry:
set status enable
set orig-addr <valid address object preconfigured on the FortiGate>
set dst-addr <valid address object preconfigured on the FortiGate>
set nat-ippool <valid ippool object preconfigured on the FortiGate>
set protocol <integer for protocol number>
- Save the entry by running the command