Skip to main content
mhrth
mhrth
Explorer II
February 24, 2022
Solved

Enabling NAT port forwarding

  • February 24, 2022
  • 4 replies
  • 15175 views

Hi, I am new to FortiGate Firewall. I created a VIP with port forwarding to one of our internal servers. Do I need to enable NAT in the firewall policy? If no, may I know why?

 

NAT.png

 

Best answer by akristof

Hello,

 

Thank you for your question. This NAT you are showing is related to SNAT. So this would SNAT the source IP address of the traffic. Usually, if the traffic is coming from internet, this is not needed. Usually, SNAT is enabled when the server, you are sending traffic has different gateway and not FortiGate, so you would SNAT the traffic to force reply back to FortiGate.

Here is KB related to VIP port-forwarding:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configuration/ta-p/198143

4 replies

akristof
Staff
akristofAnswer
Staff
February 24, 2022

Hello,

 

Thank you for your question. This NAT you are showing is related to SNAT. So this would SNAT the source IP address of the traffic. Usually, if the traffic is coming from internet, this is not needed. Usually, SNAT is enabled when the server, you are sending traffic has different gateway and not FortiGate, so you would SNAT the traffic to force reply back to FortiGate.

Here is KB related to VIP port-forwarding:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configuration/ta-p/198143

    AlexC-FTNT
    Staff
    AlexC-FTNT
    Staff
    February 24, 2022

    This image may help understand better:

    AlexCFTNT_0-1645693542653.png

     

      ede_pfau
      SuperUser
      ede_pfau
      SuperUser
      February 24, 2022

      More important here is that a VIP (for destination NAT) automatically does SNAT on reply traffic. Example:

      you create a VIP mapping 5.6.7.8 (your WAN IP) to 192.168.14.4 (internal). The internal server answers and the VIP translates the source address back to the WAN IP 5.6.7.8.

       

      Adding the NAT checkbox in the inbound policy would make the VIP use the internal interface address as source on inbound traffic, which would do no harm but would camouflage the original sender's IP address. All traffic to the internal server would appear to come from internal. Often, you prefer to know the external host's address for monitoring, statistics etc.

        Toshi_Esumi
        SuperUser
        Toshi_Esumi
        SuperUser
        February 24, 2022

        One very rare situation we had to set NAT on a VIP policy for a workaround, when a third party private network between our FGT and the end user web server was having a problem re-advertising the default route from the FGT. They don't have problem re-advertising the /30 interface subnet. We're still waiting for the problem to be resolved.

        As the result the web server can't know the source IP where the access is coming from as Ede mentioned.

         

        Toshi

          Terms & ConditionsAccessibility statement