acvaldez
Staff
Article Id 202269
Description

This article describes how to enable Central SNAT on FortiGate and configure basic Central SNAT rules.
Scope

FortiGate.

Solution

For context, Central SNAT is a feature that allows outgoing Source NAT configurations to be decoupled from the Firewall Policy configs. This can be useful since it allows administrators to define multiple Source NAT rules without needing to create additional separate Firewall Policies. For example, there could be one outgoing Internet Firewall Policy and multiple Source NAT rules that apply different addresses to different Sources/Destinations.

Notably, Central SNAT is disabled on the FortiGate when running in the default NGFW profile-based mode (though it can be toggled on), whereas in NGFW policy-mode it is enabled by default and cannot be disabled.

Central SNAT can be enabled via the FortiGate Web GUI or the CLI, though note that the procedure changes somewhat depending on whether or not multi-VDOM mode is enabled:

When VDOMs are not being used:

  • Web GUI Method: System -> Settings -> View Settings, then toggle on Central SNAT and select Apply.
  • CLI Method: Run the following CLI commands:

config system settings
    set central-snat enable
end

If the FortiGate is running FortiOS v7.4.x, the setting is named central-nat instead, so use the following commands:

config system settings
    set central-nat enable
end

When VDOMs are being used:

  • Web GUI Method: In the Global VDOM, navigate to System -> VDOM, Edit/Create the VDOM, and then toggle on Central SNAT. Select OK to confirm the change.
  • CLI Method: Run the following commands, which enter the traffic VDOM itself:

config vdom
    edit <vdom name>
        config system settings
            set central-snat enable
        end
    next
end

Note: It is not possible to enable Central SNAT on an NGFW profile-mode FortiGate/VDOM that has Virtual IPs applied to Firewall Policies. This is because Central SNAT does not require Virtual IPs to be placed within Firewall Policies, and instead, it implicitly performs the Destination NAT as long as the VIP exists.

With that in mind, make sure to remove any Virtual IPs from existing Firewall Policies before proceeding, otherwise, the following errors will be observed and Central SNAT will not be enabled successfully:

When enabling from the CLI, an error message like the following will be observed:

FortiGate # config system settings
FortiGate (settings) # set central-nat enable
Cannot enable central-nat with firewall policy using vip (id=<First Firewall Policy ID containing a VIP>).
Command fail. Return code -651

When enabling from the Web GUI, the behavior differs depending on whether or not VDOMs are enabled. When VDOMs are not enabled, an error message stating 'Administration settings failed to save: Input value is invalid' will be triggered after attempting to enable Central SNAT:

(Screenshot: the 'Administration settings failed to save' error shown when VDOMs are not enabled.)

When VDOMs are being used, the FortiGate will appear to indicate that the change was accepted, stating 'Your settings have been saved'. However, checking the VDOM's configuration will show that Central SNAT was not enabled after all. The GUI errors share the same root cause as the CLI error message, so take care to remove VIPs from existing Firewall Policies before enabling Central SNAT.
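As an added pre-check (not part of the article or of FortiOS), the following Python script parses a FortiOS configuration backup and lists every Firewall Policy whose dstaddr still references a VIP or VIP group, which is the condition the CLI rejects with return code -651 above. The sample configuration, VIP name and policy IDs are constructed; parse_fortios and policies_using_vips are hypothetical helper names.

```python
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI config text into {section: {entry: {key: [values]}}}."""
    sections, stack, cur = {}, [], None
    for raw in text.splitlines():
        words = shlex.split(raw)            # honours the "quoted" values FortiOS emits
        if not words:
            continue
        kw = words[0]
        if kw == "config":                  # enter a (possibly nested) table
            stack.append(" ".join(words[1:]))
            sections.setdefault(stack[0], {})
        elif kw == "edit" and len(stack) == 1:   # top-level entry, e.g. 'edit 2'
            cur = sections[stack[0]].setdefault(words[1], {})
        elif kw == "set" and cur is not None and len(stack) == 1:
            cur[words[1]] = words[2:]       # multi-value sets are kept as lists
        elif kw == "next" and len(stack) == 1:
            cur = None
        elif kw == "end":
            stack.pop()
    return sections

def policies_using_vips(cfg):
    """Return [(policy_id, [vip names])] for policies whose dstaddr names a VIP."""
    vips = set(cfg.get("firewall vip", {})) | set(cfg.get("firewall vipgrp", {}))
    hits = []
    for pid, entry in cfg.get("firewall policy", {}).items():
        refs = set(entry.get("dstaddr", [])) & vips
        if refs:
            hits.append((int(pid), sorted(refs)))
    return sorted(hits)

# Constructed sample backup (not from a real device): policy 2 still uses a VIP.
SAMPLE = """\
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
    next
end
config firewall policy
    edit 1
        set dstaddr "all"
    next
    edit 2
        set dstaddr "web-vip"
    next
end
"""
```

Run policies_using_vips(parse_fortios(open("backup.conf").read())) against a real backup; an empty list means Central SNAT can be enabled without hitting the VIP error.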

Sample Central SNAT Configuration.

From the CLI: Navigate to config firewall central-snat-map to add new Central SNAT rules.

config firewall central-snat-map
    edit 1
        set srcintf "port4"
        set dstintf "port5"
        set orig-addr "all"
        set dst-addr "all"
    next
end

From the GUI: Navigate to Policy & Objects -> Central SNAT and select the Create New button to create new rules.

Just like with SNAT in Firewall Policies, Central SNAT rules can Source NAT traffic either to the IP address of the outgoing interface or to an address from an IP Pool. Refer to the following KB article for more information regarding IP Pools: Technical Tip: How to configure SNAT with IP pool.

Notes regarding NGFW Policy-based Mode.

As noted above, the NGFW policy-based mode has Central SNAT enabled by default. This mode also splits Firewall Policies into two sub-types: Security Policies (config firewall security-policy, where security-inspection profiles are defined) and SSL Inspection & Authentication Policies (config firewall policy).

Crucially, an SSL Inspection & Authentication Policy must be present that allows a given set of traffic to flow; otherwise, the Security Policies and Central SNAT Policies will not take effect and traffic will not be allowed through the FortiGate. By default, an any/any interface rule exists to satisfy this requirement, but if it is not present then an appropriate policy must be created:

(Screenshot: an any/any SSL Inspection & Authentication Policy in the Web GUI.)

config firewall policy
    edit 2
        set name "Test"
        set srcintf "port4"
        set dstintf "port5"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action accept
    next
end


As of FortiOS v7.6.1, it is possible to specify an SD-WAN zone as an interface in the Central SNAT map.