Retrieving NAT history from the traffic log
Description
When NAT is active on a firewall policy, the NAT history can be retrieved from the traffic log information. Note that this is a per-firewall policy option.
Scope
FortiGate running NAT mode.
Solution
Activate the "raw" format in the traffic log information on the GUI. The traffic log can then be visualised in the following way:
2008-03-18 10:36:33 log_id=0021010001
type=traffic subtype=allowed
pri=notice vd=root SN=1336878
duration=10 user=N/A group=N/A rule=2 policyid=2 proto=6
service=80/tcp app_type=N/A
status=accept src=192.168.3.12 srcname=192.168.3.12 dst=131.107.115.28 dstname=131.107.115.28 src_int="port7" dst_int="port6"
sent=523 rcvd=1963
sent_pkt=6 rcvd_pkt=4
src_port=1028 dst_port=80 vpn=N/A tran_ip=10.1.1.11 tran_port=43992
dir_disp=org tran_disp=snat
src=192.168.3.12 corresponds to the original src IP.
src_port=1028 corresponds to the original source port.
tran_ip=10.1.1.11 tran_port=43992 is the NAT translated address.
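The reverse lookup an investigator usually needs, from a translated address seen outside the firewall back to the internal host, can be scripted against an exported raw log. The following is an added example, not Fortinet code: the function names are hypothetical, it assumes one record per line, and the second and third sample records are constructed.

```python
import re

# Constructed sample. Line 1 is the record shown above, joined onto one line
# (assumption: an exported raw log holds one record per line). Lines 2 and 3
# are invented for this example; line 3 has no tran_* fields (no NAT applied).
SAMPLE_LOG = '''\
2008-03-18 10:36:33 log_id=0021010001 type=traffic subtype=allowed pri=notice vd=root SN=1336878 duration=10 user=N/A group=N/A rule=2 policyid=2 proto=6 service=80/tcp app_type=N/A status=accept src=192.168.3.12 srcname=192.168.3.12 dst=131.107.115.28 dstname=131.107.115.28 src_int="port7" dst_int="port6" sent=523 rcvd=1963 sent_pkt=6 rcvd_pkt=4 src_port=1028 dst_port=80 vpn=N/A tran_ip=10.1.1.11 tran_port=43992 dir_disp=org tran_disp=snat
2008-03-18 10:36:41 log_id=0021010001 type=traffic subtype=allowed policyid=2 proto=6 status=accept src=192.168.3.40 dst=131.107.115.28 src_int="port7" dst_int="port6" src_port=2211 dst_port=80 tran_ip=10.1.1.11 tran_port=43993 dir_disp=org tran_disp=snat
2008-03-18 10:37:02 log_id=0021010001 type=traffic subtype=allowed policyid=3 proto=6 status=accept src=192.168.3.12 dst=192.168.4.5 src_int="port7" dst_int="port5" src_port=1030 dst_port=22
'''

# key=value pairs; a value is either double-quoted or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return one raw traffic-log line as a dict. Date and time are the first two tokens."""
    date, time, rest = line.split(None, 2)
    rec = {"date": date, "time": time}
    for key, quoted, bare in FIELD_RE.findall(rest):
        rec[key] = bare if bare else quoted
    return rec


def find_original_source(log_text, tran_ip, tran_port):
    """List (timestamp, src, src_port, policyid) for sessions translated to tran_ip:tran_port."""
    hits = []
    for line in log_text.splitlines():
        if "type=traffic" not in line:
            continue  # blank lines and other log types
        rec = parse_record(line)
        # Records without tran_ip/tran_port (no NAT on that policy) never match.
        if rec.get("tran_ip") == tran_ip and rec.get("tran_port") == str(tran_port):
            hits.append((f'{rec["date"]} {rec["time"]}', rec["src"],
                         int(rec["src_port"]), rec["policyid"]))
    return hits


if __name__ == "__main__":
    for hit in find_original_source(SAMPLE_LOG, "10.1.1.11", 43992):
        print(hit)
```

Translated ports are reused over time, so the function returns every match with its timestamp; narrow the result to the time window of the event being investigated.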
