Technical Tip: How to disable central NAT
Description
This article describes how to disable central NAT.
Scope
FortiGate.
Solution
The Central NAT feature is not enabled by default. When 'central-nat' is enabled, the NAT settings configured on individual IPv4 policies are skipped, and SNAT is instead configured via the 'central-snat-map'.
If NGFW mode is profile-based: Go to System -> Settings -> toggle Central SNAT to disabled -> Select 'Apply'.

If virtual domains are in use, Central SNAT can only be disabled from the CLI.
Single VDOM CLI:
config vdom
- Central SNAT cannot be enabled if IP Pools or VIPs are used in any firewall policies.
- In profile-based mode only, when Central NAT is disabled, the firewall policies are not deleted, but NAT is disabled on all policies that were created while in Central NAT mode.
- This means that after disabling Central NAT, any policies that existed before Central NAT was enabled will have the same NAT settings (enabled or disabled) as they did before.
If the NGFW mode is policy-based: Central NAT (specifically SNAT) is enabled implicitly in policy-based NGFW mode and cannot be changed without first switching to profile-based mode.
Note:
Changing the NGFW mode must not be done while the network is in active use. It will remove existing firewall policies and require downtime to reconfigure the firewall. Making the NGFW mode changes below will cause a complete loss of data traffic until new firewall policies are configured. Take a configuration backup before beginning.
See 'Profile-based policies vs Policy-based policies' for differences between NGFW modes.
Go to System -> Settings, under 'NGFW Mode' select 'Profile-based'. This reveals the Central SNAT setting. Toggle this to disabled and select 'Apply'.

Single VDOM CLI:
config system settings
set ngfw-mode profile-based
Changing to profile-based mode will remove all firewall policy/security-policy in this VDOM
Do you want to continue? (y/n)y
set central-nat disable
end
Multi-VDOM CLI:
config vdom
edit <vdom_name>
config system settings
set ngfw-mode profile-based
Changing to profile-based mode will remove all firewall policy/security-policy in this VDOM
Do you want to continue? (y/n)y
set central-nat disable
end
end
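Before making the change, it helps to know which VDOMs are affected and which of them would lose their firewall policies. The following is an added example, not part of the original article or Fortinet tooling: a Python sketch that reads a configuration backup and reports, per VDOM, the NGFW mode, the Central NAT state and the step this article requires. The sample configuration is constructed, and the script assumes that keys absent from the backup are at their defaults (profile-based mode, Central NAT disabled).

```python
# Constructed sample in the shape of a multi-VDOM FortiOS backup (not from the article).
SAMPLE_CONFIG = """\
config vdom
edit root
config system settings
    set central-nat enable
end
end
config vdom
edit dmz
config system settings
    set ngfw-mode policy-based
end
end
config vdom
edit lab
config system settings
end
end
"""

def audit_central_nat(config_text):
    """Map each VDOM to (ngfw_mode, central_nat, required_action)."""
    stack, vdom, settings = [], "(single VDOM)", {}
    for line in config_text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
            if stack[-1] == "system settings":
                # Assumption: keys absent from the backup are at their defaults.
                settings[vdom] = {"ngfw-mode": "profile-based", "central-nat": "disable"}
        elif words[0] == "end" and stack:
            stack.pop()
        elif words[0] == "edit" and stack == ["vdom"] and len(words) > 1:
            vdom = words[1].strip('"')  # only 'edit' directly under 'config vdom' names a VDOM
        elif words[0] == "set" and stack[-1:] == ["system settings"] and len(words) > 2:
            if words[1] in settings[vdom]:
                settings[vdom][words[1]] = words[2]
    report = {}
    for name, s in settings.items():
        if s["ngfw-mode"] == "policy-based":
            # Central NAT is implicit here; disabling it requires a mode change first.
            s["central-nat"] = "implicit"
            action = "switch to profile-based first (removes firewall policies)"
        elif s["central-nat"] == "enable":
            action = "set central-nat disable"
        else:
            action = "none"
        report[name] = (s["ngfw-mode"], s["central-nat"], action)
    return report

if __name__ == "__main__":
    for name, row in audit_central_nat(SAMPLE_CONFIG).items():
        print(name, *row, sep=" | ")
```

Any VDOM reported with the "switch to profile-based first" action is one where the change needs a maintenance window and a configuration backup, as described in the note above.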