nnair (Staff)
Article Id 254217
Description This article describes how to enable the STUN option in a firewall policy.
Scope All versions of FortiGate.
FortiGate must be in Profile-Based Mode (with or without Central SNAT enabled).
Solution

By default, the STUN option is hidden in policies.

To make the hidden option visible, set the policy action to 'accept' and enable NAT on the policy (the two permit options below are shown at their default value of 'disable'):

config firewall policy
    edit 1
        set action accept
        set nat enable
        set permit-any-host disable
        set permit-stun-host disable
    next
end

After enabling NAT and setting the policy action to 'accept', the STUN option becomes visible on the same policy. See the screenshots below.

Without NAT enabled and without the action set: (screenshot)

After enabling NAT and setting the action to 'accept': (screenshot)
Note: When 'set permit-any-host enable' is used in the firewall policy, the FortiGate firewall will accept NATted UDP packets from any host.

Hence, to be more specific with STUN, define 'set permit-stun-host enable' in the firewall policy, which accepts UDP packets only from a Session Traversal Utilities for NAT (STUN) host.
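The difference between the two options matters when reviewing a configuration backup: 'permit-any-host' opens NATted UDP return traffic to any host, while 'permit-stun-host' restricts it to STUN hosts. The script below is an added example, not from this article or from Fortinet; it parses the 'config firewall policy' table of an exported FortiOS configuration and classifies each accept+NAT policy by which permit option it carries, so the broader setting can be found and reviewed. The embedded sample configuration is constructed, and its policy IDs, names and interfaces are made up.

```python
"""Audit a FortiOS config export for firewall policies that accept NATted
UDP packets from any host (permit-any-host) instead of only from STUN
hosts (permit-stun-host). Added example, not from the article or Fortinet."""
import re
from typing import Dict, List

# Constructed sample in FortiOS CLI syntax; policy IDs, names and interfaces are made up.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "voip-out"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set nat enable
        set permit-any-host enable
        set permit-stun-host disable
    next
    edit 2
        set name "stun-out"
        set action accept
        set nat enable
        set permit-any-host disable
        set permit-stun-host enable
    next
    edit 3
        set name "no-nat"
        set action accept
        set nat disable
    next
end
"""

_EDIT_RE = re.compile(r"^\s*edit\s+(\d+)\s*$")
_SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.+?)\s*$")


def parse_firewall_policies(config_text: str) -> Dict[int, Dict[str, str]]:
    """Return {policy_id: {setting: value}} for each 'edit' entry under
    'config firewall policy'. Surrounding quotes on values are stripped."""
    policies: Dict[int, Dict[str, str]] = {}
    in_table = False
    current = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config firewall policy":
            in_table = True
            continue
        if not in_table:
            continue
        if stripped == "end":          # closes the policy table
            break
        m = _EDIT_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if stripped == "next":         # closes the current entry
            current = None
            continue
        m = _SET_RE.match(line)
        if m and current is not None:
            policies[current][m.group(1)] = m.group(2).strip('"')
    return policies


def classify_udp_permit(policy: Dict[str, str]) -> str:
    """Classify one policy:
    'hidden'    - STUN option not available (action is not accept or NAT is off)
    'any-host'  - permit-any-host enabled: NATted UDP accepted from any host
    'stun-host' - permit-stun-host enabled: only STUN hosts are accepted
    'none'      - neither option enabled (both default to disable)
    """
    if policy.get("action") != "accept" or policy.get("nat", "disable") != "enable":
        return "hidden"
    if policy.get("permit-any-host", "disable") == "enable":
        return "any-host"
    if policy.get("permit-stun-host", "disable") == "enable":
        return "stun-host"
    return "none"


def find_broad_udp_policies(policies: Dict[int, Dict[str, str]]) -> List[int]:
    """Policy IDs worth reviewing: they accept NATted UDP from any host."""
    return sorted(pid for pid, p in policies.items()
                  if classify_udp_permit(p) == "any-host")


if __name__ == "__main__":
    found = parse_firewall_policies(SAMPLE_CONFIG)
    for pid, p in found.items():
        print(f"policy {pid} ({p.get('name', '?')}): {classify_udp_permit(p)}")
    print("review these policies:", find_broad_udp_policies(found))
```

Run it against a 'show firewall policy' or full-config export instead of the sample; policies reported as 'any-host' are the ones where replacing 'permit-any-host' with 'permit-stun-host' narrows the exposure as the note above describes.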