Figure 215: NAT 64 Policy
Select Display Options in the Policy & Objects tab, and toggle the NAT64 Policy switch to display this option in the Policy Package tab bar. |
Source Interface | Select the source interface from the drop-down list. | |
Source Address | Select the source address from the drop-down list. You can select to create a new address or address group in the Source Address dialog box. | |
Destination Interface | Select the destination interface from the drop-down list. | |
Destination Address | Select the destination address from the drop-down list. You can create a new address or address group in the Add Destination Address dialog box. | |
Schedule | Select a schedule or schedules for the policy. Schedules can also be created by selecting Create New in the dialog box. See “Create a new object” for more information. | |
Service | Select the service from the drop-down list. You can create a new service or service group in the Add Service dialog box. | |
Action | Select an action for the policy to take, whether ACCEPT or DENY. When Action is set to Accept, you can configure NAT and Traffic Shaping. | |
Log Allowed Traffic Log Violation Traffic | Select to log allowed traffic/violation traffic. This setting is dependent on the Action setting. | |
NAT | NAT is enabled by default for this policy type. | |
Use Destination Interface Access | Select to use the destination interface address. | |
Fixed Port | Select to enable fixed port. | |
Dynamic IP Pool | Select to enable dynamic IP pool and select the dynamic IP pool from the drop-down list. | |
Traffic Shaping | Select to enable traffic shaping and select a default or custom traffic shaper object from the drop-down list. | |
Reverse Direction Traffic Shaping | Select to enable reverse direction traffic shaping and select a default or custom traffic shaper object from the drop-down list. | |
Per-IP Traffic Shaping | Select to enable per-IP traffic shaping and select the related object from the drop-down list. | |
Tags | You can add tags for tag management. Enter a tag in the text field and select the plus (+) icon to apply the tag to the policy. | |
Comments | Enter optional comments for the policy. | |
Name | Edit the schedule name as required. |
Color | Select the icon to select an custom icon to display next to the schedule name. |
Day | Select the days of the week for the custom schedule. |
Start | Select the schedule start time. |
End | Select the schedule end time. |
Name | Edit the service name as required. | |
Comments | Enter an optional comment. | |
Color | Select the icon to select an custom icon to display next to the service name. | |
Protocol | Select the protocol from the drop-down list. Select one of the following: TCP/UDP/SCTP, ICMP, ICMP6, or IP. | |
IP/FQDN | Enter the IP or FQDN. Note: This menu item is available when Protocol is set to TCP/UDP/SCTP. You can then define the protocol, source port and destination port in the table. | |
Type | Enter the type in the text field. Note: This menu item is available when Protocol is set to ICMP and ICMP6. | |
Code | Enter the code in the text field. Note: This menu item is available when Protocol is set to ICMP and ICMP6. | |
Protocol Number | Enter the protocol number in the text field. Note: This menu item is available when Protocol is set to IP. | |
Advanced Options | For more information on advanced option, see the FortiOS 5.0 CLI Reference. | |
check-reset-range | Configure ICMP error message verification. • disable — The FortiGate unit does not validate ICMP error messages. • strict — If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header, then if FortiOS can locate the A:C->B:D session it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range then the ICMP packet is dropped. If is enabled the FortiGate unit logs that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets. • default — Use the global setting defined in system global. Note: This field is available when protocol is TCP/UDP/SCTP. Note: This field is not available if explicit-proxy is enabled. | |
session-ttl | Enter the default session timeout in seconds. The valid range is from 300 - 604 800 seconds. Enter 0 to use either the per-policy session-ttl or per-VDOM session-ttl, as applicable. Note: This is available when protocol is TCP/UDP/SCTP | |
tcp-halfclose-timer | Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. The valid range is from 1 to 86400 seconds. Enter 0 to use the global setting defined in system global. Note: This is available when protocol is TCP/UDP/SCTP. | |
tcp-halfopen-timer | Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded. The valid range is from 1 to 86400 seconds. Enter 0 to use the global setting defined in system global. Note: This is available when protocol is TCP/UDP/SCTP. | |
tcp-timewait-timer | Set the length of the TCP TIME-WAIT state in seconds. As described in RFC 793, the “TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request”. Reducing the time of the TIME-WAIT state means the FortiGate unit can close terminated sessions faster which means more new sessions can be opened before the session limit is reached. The valid range is 0 to 300 seconds. A value of 0 sets the TCP TIME-WAIT to 0 seconds. Enter 0 to use the global setting defined in system global. Note: This is available when protocol is TCP/UDP/SCTP. | |
udp-idle-timer | Enter the number of seconds before an idle UDP connection times out. The valid range is from 1 to 86400 seconds. Enter 0 to use the global setting defined in system global. Note: This is available when protocol is TCP/UDP/SCTP. | |
