The Central NAT config did not get upgraded from 5.2 to 5.4. How do you configure this in 5.4?
Description
Upgrade:
Because the syntax of the Central NAT table has been changed in 5.4, upgrading from 5.2 to 5.4 does not support the conversion of these configs to 5.4 syntax.
Specifically, this is the table used in 5.2:
In 5.4, when you configure a firewall policy after Central NAT is enabled, these are the options that are available as opposed to 5.2:
Upgrade:
Because the syntax of the Central NAT table has been changed in 5.4, upgrading from 5.2 to 5.4 does not support the conversion of these configs to 5.4 syntax.Specifically, this is the table used in 5.2:
config firewall central-nat
And this is the table used in 5.4:
config firewall central-snat-map
In addition, new options are added into the above table, and other options are removed from the firewall policy table.
In 5.4, when you configure a firewall policy after Central NAT is enabled, these are the options that are available as opposed to 5.2:
config firewall policyedit 1set central-nat < --- removedset ippool < --- removedset poolname < --- removedset nat enable < --- control if central-nat table usedend
Enabling Central NAT:
In 5.4, there is no longer a Feature Store setting to enable Central NAT. This is now a CLI only setting, and applies per-vdom:
config system setting
set central-nat {enable | disable}
end
Once enabled and you’ve logged out and logged back into your GUI, 2 new menu items will appear under Policy&Objects:
Configuring SNAT policies:
Under the Central SNAT page, you can define your SNAT policies for Source-Natting. To apply the SNAT policies within a Firewall Policy, you must enable NAT on the firewall policy.
What is the default behaviour when Central NAT is enabled but there are no SNAT policies?
If you enabled Central NAT, and enabled the NAT option within a firewall policy even though there are no SNAT policies, the traffic will be source-natted to the IP address of the egress interface.
Caveats for Virtual IP when Central NAT is enabled:
- Defining VIP when Central NAT is enabled does not require the definition of the VIP within the DST address of the Firewall Policy. When the appropriate firewall policy has been configured, defining the VIP under DNAT & Virtual IPs will automatically add the entry to kernel.
- If additional granularity is needed such as when you need to allow certain services for one VIP and other services for another VIP, create separate Firewall Policies with a DST address of the mapped IP of each VIP.
- If both SNAT and DNAT/VIP are defined for a particular mapped IP address, its egress traffic will use the VIP address for source natting as that takes precedence over the SNAT policy.
Related Articles
Technical Note: Configuration changes regarding Central NAT and Virtual IPs in FortiOS 5.4