Spyros
New Member
September 16, 2021
Question

Source NAT - Firewall Performance decision


Hi All,

I am in the process of migrating a Cisco ASA to a FortiGate 100F.

On the ASA, all VLANs are source NATed through a single public IP (other than the outside interface IP).

On the FortiGate I have to configure a single-IP NAT pool, which needs to be applied to every configured policy.

Would you prefer the central NAT configuration instead of the one mentioned above?

Which is the best option regarding firewall performance?

Best Regards.


lobstercreed
New Member
September 17, 2021

Interesting question about performance. It didn't occur to me that performance might be affected by this, but it's a reasonable possibility. I'd ask your sales engineer or open a ticket with TAC.

As far as preference, there is no question in my mind that Central NAT is the way to go. I've used FortiGates for almost a decade now and didn't know Central NAT was an *option* until a few years ago. I always hated the way policy NAT worked, because the same host might NAT to completely different addresses depending on which policy it hit. It also required me to make a ton of duplicate policies just to get different sources to present different public IPs.

I finally got a chance to rebuild my configuration with Central NAT and I love it. I recommend it to anyone coming from ASAs, especially because the Fortinet way is mind-bending to a Cisco person in my experience.
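To make the two approaches concrete, here is an added example (not configuration from the original post, from Fortinet, or from the poster) showing the single-public-IP source NAT the question describes done both ways on a FortiGate: first as policy NAT with an IP pool attached to each policy, then as one central SNAT rule. Interface names (vlan10, vlan20, vlan30, wan1), the 203.0.113.x addresses, the pool names, the address object PARTNER-NET and the host 10.10.10.5 are placeholders. Lines starting with # are annotations, not FortiOS CLI.

```text
# ASA behaviour being migrated (object SNAT-PUBLIC-1 = host 203.0.113.10):
#   nat (any,outside) after-auto source dynamic any SNAT-PUBLIC-1

# --- Option A: policy NAT (central NAT disabled, the default) ---------------
# The NAT decision lives inside each policy. Policy 10 below sends vlan10
# hosts to PARTNER-NET as 203.0.113.11, while the same hosts going anywhere
# else match policy 20 and leave as 203.0.113.10. Every new policy must
# repeat "set nat enable / set ippool enable / set poolname" or the traffic
# egresses with the wan1 interface address instead.
config firewall ippool
    edit "SNAT-PUBLIC-1"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
    edit "SNAT-PUBLIC-2"
        set type overload
        set startip 203.0.113.11
        set endip 203.0.113.11
    next
end

config firewall policy
    edit 10
        set name "VLAN10-to-Partner"
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "PARTNER-NET"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set ippool enable
        set poolname "SNAT-PUBLIC-2"
    next
    edit 20
        set name "VLANs-to-Internet"
        set srcintf "vlan10" "vlan20" "vlan30"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SNAT-PUBLIC-1"
    next
end

# --- Option B: central NAT -------------------------------------------------
# Remove "set nat enable" and "set ippool enable" from the policies first;
# FortiOS does not let central NAT be switched on while a policy still
# performs NAT. Afterwards the policies only decide accept/deny and the
# SNAT decision is made once, here, for every VLAN.
config system settings
    set central-nat enable
end

config firewall central-snat-map
    edit 1
        set srcintf "vlan10" "vlan20" "vlan30"
        set dstintf "wan1"
        set orig-addr "all"
        set dst-addr "all"
        set nat-ippool "SNAT-PUBLIC-1"
    next
end

# --- Check: an egress session from a VLAN host should show act=snat with
# the pool address as the translated source, regardless of which policy
# accepted it.
#   diagnose sys session filter src 10.10.10.5
#   diagnose sys session list
```

With central NAT the firewall policy is still what permits the flow; the central-snat-map entry is consulted after the policy match, so keeping a deliberately un-NATed path (for example to a site-to-site VPN) means adding a central SNAT entry for it with `set nat disable`, not touching the policy. Note that `config system settings` is per VDOM, so central NAT is enabled VDOM by VDOM on a multi-VDOM unit.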