Description
This article describes the general requirements for configuring NAT46 and NAT64 when using NGFW Policy-mode (which also includes Central-SNAT) on FortiOS 7.0.1 and later.
In FortiOS 7.0.1, the NAT46/NAT64 features underwent a major redesign, such that their fundamental configuration and their underlying behavior were changed significantly.
Notably, existing NAT46/NAT64 configurations designed in FortiOS 6.4 and earlier are not compatible with this new design, and these configurations need to be rebuilt after upgrading to FortiOS 7.0.
Scope
FortiGate v7.0.1 and later; NGFW Policy-Mode enabled.
Solution
The following is the minimum number of objects/configurations required for setting up NAT46 and/or NAT64 when using NGFW Policy-mode (i.e. to specifically allow this traffic and only this traffic).
Both types are configured very similarly, though the incoming and outgoing IP versions will be different.
Note that example CLI configurations have been attached to this article for reference purposes and can be found at the bottom of the article (see attached: 'NAT46+NAT64 in NGFW Mode - Sample Configs.zip').
- A Virtual IP (VIP) for translating traffic from the starting IP version to the target IP version:
  - For NAT46, create an IPv4 VIP (config firewall vip) with nat44 disabled and nat46 enabled.
  - For NAT64, create an IPv6 VIP (config firewall vip6) with nat66 disabled and nat64 enabled.
  - Both VIP types allow either individual IPs (i.e. one-to-one mappings) or a range of IPs to be specified.
  - Notably, NAT64 VIPs have the unique ability to extract the destination IPv4 address from the last 2 hextets of the IPv6 address (set embedded-ipv4-address enable).
- An IP Pool to perform Source NAT on the outgoing traffic:
  - For NAT46, create an IPv6 IP Pool (config firewall ippool6) with nat46 enabled.
  - For NAT64, create an IPv4 IP Pool (config firewall ippool) with nat64 enabled.
  - Currently, only the Overload-type IP Pool supports NAT46/64.
- A Security Policy with the following parameters:
  - NAT46: IPv4 Source + True IPv6 Destination** + nat46 enable.
    - The IPv6 Source and IPv4 Destination fields are unused and may be set to the 'none' Address Object.
  - NAT64: IPv6 Source + True IPv4 Destination** + nat64 enable.
    - The IPv4 Source and IPv6 Destination fields are unused and may be set to the 'none' Address Object.
  - ** The 'True' address is the same as the mapped address configured for the corresponding VIP.
- A Central SNAT Policy to perform the IP Pool-based SNAT:
  - NAT46: IPv4 Source + External IPv4 Destination + nat46 enable + the nat46-enabled IP Pool created earlier.
  - NAT64: IPv6 Source + External IPv6 Destination + nat64 enable + the nat64-enabled IP Pool created earlier.
  - The External address is the same as the external address configured on the corresponding VIP.
  - Note: As part of the NAT46/NAT64 redesign in FortiOS 7.0, a new per-VDOM virtual interface called 'naf.<vdom>' was introduced. NAT46/NAT64 traffic is implicitly routed to this virtual interface, though policies do not need to reference it explicitly (i.e. it happens 'behind the scenes').
    - As part of this change, Destination Interfaces are no longer taken into consideration for NAT46-/NAT64-based Central SNAT policies (i.e. the FortiGate only checks the Source Interface and the Source/Destination Address), which can lead to scenarios where the wrong Central SNAT policy/IP Pool is used.
    - In future FortiOS versions, the Destination Interface field will be removed from NAT46/NAT64 Central SNAT policies. In the meantime, ensure that Central SNAT policies are configured to match very specific sets of Source/Destination addresses; otherwise traffic may be Source NAT'd to the wrong IP Pool address.
- An SSL Inspection and Authentication Policy with NAT46/NAT64 enabled:
  - This policy type requires both the IPv4 and IPv6 Source/Destination sets to be included (four Address Objects minimum).
  - It is fine to use the 'all' Address Object for both IPv4 and IPv6 in this scenario to avoid configuration mistakes, especially since Security Policies will be used to refine the actual network access.
Notably, the NAT46/NAT64 VIP objects must be created, but they are not referenced directly in any of the policies being created.
This is consistent with general Central SNAT operation, as Central SNAT will automatically perform incoming Destination NAT after the VIPs have been configured.
This is also why Security Policies utilize the true/mapped IP address in the Destination fields, as the policy assesses the traffic after Destination NAT is performed.
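The consistency rules above for the NAT64 case (true/mapped address on the Security Policy, external address on the Central SNAT policy, a nat64-enabled overload pool, and the embedded-IPv4 extraction) as an added Python check; this is example code written for this article, not a FortiGate feature or a Fortinet tool. The dict keys, object names and addresses are constructed for the example, and the 64:ff9b::/96 prefix is an assumption for the embedded-address case.

```python
import ipaddress

# Assumed /96 prefix for the embedded-IPv4 case (RFC 6052 well-known prefix).
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def embedded_ipv4(addr6, prefix=NAT64_PREFIX):
    """IPv4 address carried in the last two hextets (low 32 bits) of addr6,
    i.e. what a NAT64 VIP extracts with 'set embedded-ipv4-address enable'."""
    a = ipaddress.IPv6Address(addr6)
    if a not in prefix:
        raise ValueError(f"{addr6} is outside the NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)


def check_nat64_objects(vip6, ippool, security_policy, central_snat):
    """Return the mismatches between the four objects the article requires."""
    problems = []
    if vip6["nat64"] != "enable" or vip6["nat66"] != "disable":
        problems.append("VIP6 must have nat66 disabled and nat64 enabled")
    if vip6.get("embedded-ipv4-address") == "enable" and \
            str(embedded_ipv4(vip6["extip"])) != vip6["mappedip"]:
        problems.append("VIP6 mapped address does not match the embedded IPv4")
    if ippool["nat64"] != "enable" or ippool["type"] != "overload":
        problems.append("IP Pool must be an overload pool with nat64 enabled")
    # The Security Policy sees traffic after DNAT, so it names the true (mapped) IPv4.
    if security_policy["nat64"] != "enable" or security_policy["dstaddr"] != vip6["mappedip"]:
        problems.append("Security Policy needs nat64 enable and the VIP6 mapped address")
    # Central SNAT matches the pre-DNAT IPv6 destination and ignores the destination
    # interface, so the destination must be the exact VIP external address.
    if central_snat["dst_addr6"] != vip6["extip"]:
        problems.append("Central SNAT IPv6 destination must equal the VIP6 external address")
    if central_snat["nat64"] != "enable" or central_snat["nat_ippool"] != ippool["name"]:
        problems.append("Central SNAT needs nat64 enable and the nat64 IP Pool")
    return problems


# Constructed sample objects (names and addresses are made up for this example).
VIP6 = {"name": "nat64-vip", "nat66": "disable", "nat64": "enable",
        "embedded-ipv4-address": "enable",
        "extip": "64:ff9b::c000:20a", "mappedip": "192.0.2.10"}
IPPOOL = {"name": "nat64-pool", "type": "overload", "nat64": "enable"}
SEC_POLICY = {"srcaddr6": "lan-v6", "dstaddr": "192.0.2.10", "nat64": "enable"}
CSNAT = {"orig_addr6": "lan-v6", "dst_addr6": "64:ff9b::c000:20a",
         "nat64": "enable", "nat_ippool": "nat64-pool"}
# Too broad: 'all' as the destination can send traffic to the wrong pool.
BROAD_CSNAT = dict(CSNAT, dst_addr6="all")

if __name__ == "__main__":
    print(check_nat64_objects(VIP6, IPPOOL, SEC_POLICY, CSNAT))        # []
    print(check_nat64_objects(VIP6, IPPOOL, SEC_POLICY, BROAD_CSNAT))  # one problem
```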