FortiGate
parthpatel (Staff)
Article Id 340865
Description This article describes how to resolve the error 'Cannot enable central-nat error with firewall policy using ippool', which appears when central NAT is enabled while firewall policies still reference an IP Pool.
Scope FortiGate.
Solution

Central NAT cannot be enabled while any firewall policy on the FortiGate still references an IP Pool.

If an IP Pool is configured and is referenced in a firewall policy, enabling central-nat fails with the error message below.

NAT -2.PNG (screenshot: the error message, which names the policy that references the IP Pool)

The error message shows the ID of the policy in which the IP Pool is referenced. If several IP Pools are configured, their references can be checked under 'Policy & Objects -> IP Pools' (the Ref. column), as shown below.

NAT - 3.PNG (screenshot: the IP Pools page with its reference count per pool)

Selecting the reference count lists every policy that uses the pool, which makes it easier to locate those policies and remove the IP Pool from them.

NAT - 4.PNG (screenshot: the list of policies referencing the selected IP Pool)

This error is expected. Central NAT changes how VIPs and IP Pools are applied: once it is enabled, source NAT is configured in the central SNAT table and destination NAT through the central DNAT (VIP) table rather than per firewall policy, so every policy reference to these objects must be removed before central NAT can be enabled.

A similar error is shown if a VIP is referenced in any firewall policy.

NAT-1.PNG (screenshot: the corresponding error for a policy that references a VIP)

Before enabling central-nat, therefore, remove every policy reference to VIPs and IP Pools on the firewall. The commands below then complete without an error message:

FGT # config sys settings
FGT (settings) # set central-nat enable
FGT (settings) # end
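Locating the blocking policies by hand in the GUI is fine for a handful of pools, but on a large configuration it is easier to check a configuration backup before touching the box. The script below is an added example, not Fortinet tooling and not from the article: it parses the `config firewall vip`, `config firewall ippool` and `config firewall policy` sections of a FortiOS backup, lists every policy whose `set ippool enable` / `set poolname` or whose `dstaddr` references a VIP (exactly the two references the error messages above complain about), and prints the CLI that clears the IP Pool references followed by the enable commands from this article. The sample configuration is constructed. It assumes that `set ippool disable` on a policy drops its `poolname` reference; VIP references are only flagged with a reminder line, because the replacement destination address is a design decision the administrator has to make.

```python
"""Pre-check a FortiOS config backup for the policy references that block
'set central-nat enable': IP Pools (set ippool enable / set poolname) and
VIPs used as a policy dstaddr. Added example, not Fortinet's own tooling."""
import shlex
from typing import Dict, List, Set, Tuple

# Constructed sample of a FortiOS configuration backup (not from the article).
# Policy 1 references an IP Pool, policy 2 references a VIP, policy 3 does
# plain interface NAT and references neither, so it is not flagged.
SAMPLE_CONFIG = """\
config firewall vip
    edit "web-dnat"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
    next
end
config firewall ippool
    edit "snat-pool"
        set startip 203.0.113.50
        set endip 203.0.113.60
    next
end
config firewall policy
    edit 1
        set srcaddr "all"
        set dstaddr "all"
        set nat enable
        set ippool enable
        set poolname "snat-pool"
    next
    edit 2
        set srcaddr "all"
        set dstaddr "web-dnat"
    next
    edit 3
        set srcaddr "all"
        set dstaddr "all"
        set nat enable
    next
end
"""


def _tokens(line: str) -> List[str]:
    try:
        return shlex.split(line)
    except ValueError:  # unbalanced quote, e.g. an apostrophe in a comment
        return line.split()


def parse_config(text: str) -> Dict[str, object]:
    """Walk config/edit/set/next/end and collect VIP names, IP Pool names and
    the settings of every entry under 'config firewall policy'."""
    vips: Set[str] = set()
    pools: Set[str] = set()
    policies: Dict[str, Dict[str, List[str]]] = {}
    path: List[str] = []   # stack of open 'config ...' sections
    entry: List[str] = []  # stack of open 'edit ...' keys
    for raw in text.splitlines():
        tok = _tokens(raw.strip())
        if not tok or tok[0].startswith("#"):
            continue
        kw = tok[0]
        if kw == "config":
            path.append(" ".join(tok[1:]))
        elif kw == "end" and path:
            path.pop()
        elif kw == "edit":
            entry.append(tok[1])
            if path == ["firewall vip"]:
                vips.add(tok[1])
            elif path == ["firewall ippool"]:
                pools.add(tok[1])
            elif path == ["firewall policy"]:
                policies[tok[1]] = {}
        elif kw == "next" and entry:
            entry.pop()
        elif kw == "set" and path == ["firewall policy"] and len(entry) == 1:
            policies[entry[0]][tok[1]] = tok[2:]
    return {"vips": vips, "ippools": pools, "policies": policies}


def find_blocking_policies(cfg: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (policy id, reason) for every policy that would make
    'set central-nat enable' fail: an IP Pool reference or a VIP in dstaddr."""
    hits: List[Tuple[str, str]] = []
    for pid, s in cfg["policies"].items():
        if s.get("ippool") == ["enable"] or "poolname" in s:
            hits.append((pid, "ippool " + " ".join(s.get("poolname", []))))
        vip_refs = [a for a in s.get("dstaddr", []) if a in cfg["vips"]]
        if vip_refs:
            hits.append((pid, "vip " + " ".join(vip_refs)))
    return hits


def fix_commands(cfg: Dict[str, object]) -> List[str]:
    """CLI that clears each IP Pool reference (assumption: 'set ippool disable'
    drops the policy's poolname), a reminder line per VIP reference, then the
    enable commands from the article."""
    out = ["config firewall policy"]
    for pid, reason in find_blocking_policies(cfg):
        out.append(f"    edit {pid}")
        if reason.startswith("ippool"):
            out.append("        set ippool disable")
        else:  # dstaddr must stay valid, so this needs an operator decision
            vip = reason.split(" ", 1)[1]
            out.append(f'        # replace dstaddr "{vip}" with an address object for its mapped IP')
        out.append("    next")
    out += ["end", "config system settings", "    set central-nat enable", "end"]
    return out


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for pid, reason in find_blocking_policies(cfg):
        print(f"policy {pid} blocks central-nat: {reason}")
    print("\n".join(fix_commands(cfg)))
```

Run it against a real backup by replacing `SAMPLE_CONFIG` with the file contents; review the generated commands before pasting them into the CLI, since the reminder lines for VIP policies are notes to the operator, not commands. After `set central-nat enable` succeeds, `show system settings | grep central-nat` confirms the setting, and the former pool and VIP behaviour is recreated in the central SNAT and DNAT tables.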