chibby
New Member
January 20, 2016
Question

Enabling central NAT table in v5.4

  • January 20, 2016
  • 2 replies
  • 32913 views

Greetings all,

This is my first post, so I'll make it quick.

Has the central NAT table been removed in the new FortiOS, or is there any way to enable it via the CLI?

Thank you all in advance

    2 replies

    romanr
    New Member
    January 20, 2016

    I remember there was an architectural change in 5.4.

    The central NAT table can be there, but it has to be activated. But all NAT features will then only be in the central NAT table and not in the policies any more!!

    You will have to change that setting to "central-nat enable" in "system settings" for the running VDOM, as I remember...

    Br,

    Roman

    JohnAgora
    New Member
    January 20, 2016

    This can help:

    http://help.fortinet.com/...ll-52/Examples/Example - Central NAT Table.htm?Highlight=central nat

    chibby (Author)
    New Member
    January 21, 2016

    I tried that, but it didn't help.

    In the CLI I cannot write "config firewall central-nat", because the only command I can write is "config firewall central-snat-map".

    AndreaSoliva
    New Member
    April 20, 2016

    Hi all

     

    The case with the central-nat table is horrible and completely incomprehensible, which actually means the following:

    - Officially, out of a ticket, the following was communicated from Fortinet: "The support for the central-nat table was fully dropped" and will not be supported in the future!

    From this point of view it can be understood, for whatever reason! What is absolutely unacceptable is that NOTHING is mentioned in the Release Notes or wherever, What's New etc. From this point of view the TAC engineer promised me to tell the Fortinet responsibles that they MUST mention this behaviour somewhere, because if you have a lot of policies based on the central-nat table and you go to 5.4, you will receive after reboot in the "diagnose debug config-error-log read" log the following message for every policy which is based on the central-nat table:

     

    >>>  "set" "central-nat" "enable" @ root.firewall.policy.10:command parse error (error -61)
    >>>  "set" "central-nat" "enable" @ root.firewall.policy.16:command parse error (error -61)
    >>>  "set" "central-nat" "enable" @ root.firewall.policy.18:command parse error (error -61)
    >>>  "set" "central-nat" "enable" @ root.firewall.policy.20:command parse error (error -61)
    >>>  "set" "central-nat" "enable" @ root.firewall.policy.21:command parse error (error -61)
    >>>  "set" "central-nat" "enable" @ root.firewall.policy.22:command parse error (error -61)
    >>>  "set" "central-nat" "enable" @ root.firewall.policy.23:command parse error (error -61)
    >>>  "set" "central-nat" "enable" @ root.firewall.policy.30:command parse error (error -61)
    >>>  "set" "central-nat" "enable" @ root.firewall.policy.24:command parse error (error -61)
    >>>  "set" "central-nat" "enable" @ root.firewall.policy.25:command parse error (error -61)
    >>>  "set" "central-nat" "enable" @ root.firewall.policy.26:command parse error (error -61)
    >>>  "set" "central-nat" "enable" @ root.firewall.policy.27:command parse error (error -61)
    >>>  "set" "central-nat" "enable" @ root.firewall.policy.28:command parse error (error -61)
    >>>  "set" "central-nat" "enable" @ root.firewall.policy.29:command parse error (error -61)

     

    This means that within an upgrade the FortiOS removes the central-nat table configuration completely and replaces every firewall policy rule with central-nat table enabled with the NAT setting "Use outgoing interface address".

    This means after, or better before, the upgrade you have to change to the "use dynamic ip pool" configuration. This means you can actually still use your IP pool object, but for every firewall policy rule you have to activate "use dynamic ip pool" and define the corresponding IP pool object. On the CLI this means:

    # config firewall policy
    # edit [Policy ID]
    # set ippool enable
    # set poolname "[Object name of the IP pool from the central NAT table]"
    # next
    # end

     

    That's it actually... horrible, without notice within the Release Notes etc.; unacceptable. There is actually a possibility to activate the central-nat table again, but I'm not 100% sure if it is actually a bug or "works as designed". What you have to do is the following:

    --> Go to your firewall policies and, in every policy where you find a VIP object, remove these objects (do not ask me why it is as it is)

    --> As soon as you have done this you can enable the central-nat menu again with:

    # config system settings
    # set central-nat enable
    # end

    --> After that you can actually configure the central-nat table again, but, completely incomprehensibly, you CAN NOT CONFIGURE a VIP object in a firewall policy rule anymore?!

    --> If you enable the central-nat table again and look at a firewall policy rule, you will find nothing there other than NAT enable/disable; no more options like "use dynamic ip pool" etc.

    --> If you would like to configure the central-nat table itself on the CLI you have to use:

    # config firewall central-snat-map
    # edit 1
    # set orig-addr "[Define an object for source/orig]"
    # set dst-addr "[Define an object for destination]"
    # set nat-ippool "[Define an object for IP pool]"
    # next
    # end

     

    By the way, if you would like to modify the firewall policy rules separately, meaning within a txt file, like:

    --> show firewall policy (copy the content into a txt file)

    --> delete all policy rules:

    # config firewall policy
    # purge
    yes

    --> Modify the txt file so that it reflects the new configuration, e.g. for dynamic ip pool

    --> Copy the content from the txt file back to the CLI so that you get all policies back

    --> Result: error message regarding the UID, which is not a pain, but title and section are gone

     

    Sorry, but this is also unacceptable. From this point of view I really recommend BEFORE the upgrade to modify all firewall policy rules with central-nat table to dynamic ip pool, and after that DO AN UPGRADE.

    As I understood it, the central-nat table is gone, no longer supported, and will not come back. Change your config to dynamic ip pool and especially keep your fingers off 5.4 except for testing; it is completely unusable for production use, full of bugs.

    Hope this helps

    Have fun

    Andrea
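As an added example (not code from Andrea's post or any Fortinet tool), the following Python script performs the pre-upgrade conversion described above on a saved "show firewall policy" dump: it finds every policy carrying "set central-nat enable", rewrites it to per-policy "set ippool enable" / "set poolname", and reports policies whose source address has no known pool, so they can be fixed by hand instead of silently becoming "Use outgoing interface address" after the upgrade. The trimmed sample dump and the srcaddr-to-pool mapping (which you would take from your own central NAT table) are constructed assumptions.

```python
# Constructed, trimmed 'show firewall policy' dump from a 5.2 box (only the lines that matter here).
SAMPLE_DUMP = """\
config firewall policy
    edit 10
        set srcaddr "LAN_NET"
        set nat enable
        set central-nat enable
    next
    edit 11
        set srcaddr "DMZ_NET"
        set nat enable
        set central-nat enable
    next
    edit 12
        set srcaddr "all"
    next
end
"""
POOL_FOR_SRCADDR = {"LAN_NET": "POOL_LAN"}  # assumed: pool each srcaddr used in the old central NAT table


def parse_policies(dump):
    """Return [(policy_id, [stripped 'set ...' lines])] in dump order."""
    blocks = []
    for line in dump.splitlines():
        tok = line.split()
        if tok[:1] == ["edit"]:
            blocks.append((int(tok[1]), []))
        elif tok[:1] == ["set"]:
            blocks[-1][1].append(line.strip())
    return blocks


def convert(dump, pool_map):
    """Rewrite central-nat policies to 'set ippool enable' + 'set poolname'. Returns
    (new_config, unmapped_ids): a policy whose srcaddr has no pool mapping is left as
    is and reported, so it is fixed by hand before the upgrade silently drops it."""
    out, unmapped = ["config firewall policy"], []
    for pid, lines in parse_policies(dump):
        if "set central-nat enable" in lines:
            src = next((l.split('"')[1] for l in lines if l.startswith("set srcaddr ")), None)
            if src in pool_map:
                lines = [l for l in lines if l != "set central-nat enable"]
                lines += ["set ippool enable", 'set poolname "%s"' % pool_map[src]]
            else:
                unmapped.append(pid)
        out.append("    edit %d" % pid)
        out.extend("        " + l for l in lines)
        out.append("    next")
    out.append("end")
    return "\n".join(out) + "\n", unmapped
```

The returned text can be pasted back into the CLI the way Andrea describes; policy IDs listed in the second return value still need a pool assigned by hand.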

    keithli_FTNT
    Staff
    March 3, 2017

    I realize this is an old thread, but in regards to the last post by Andrea:

    - Officially, out of a ticket, the following was communicated from Fortinet: "The support for the central-nat table was fully dropped" and will not be supported in the future!

     

    I don't believe anyone in TAC would communicate to the customer that central-nat table was fully dropped. In fact, when I look up the ticket, the message that was provided was:

    Central NAT feature is not upgradeable from v5.2 to v5.4.

     

    This is correct, and we have a KB article written to address this question:

    The Central NAT config did not get upgraded from 5.2 to 5.4. How do you configure this in 5.4?

    http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD37587

     

    In terms of the changes to the behaviour you would expect in 5.4 when Central NAT is enabled:

    Source NAT:

    - must define under the Central SNAT policy

    - for SNAT to take effect, enable NAT on the policy

    Destination NAT (VIP):

    - define DNAT & Virtual IPs

    - no additional configurations required

    - FOS backend will handle installing the VIPs to the kernel

     

    Hope this clarifies the stance from Fortinet.

     

    Regards,

     

    Keith