FortiGate
jcastellanos
Staff
Article Id 262541
Description This article explains why a NAT64 IP pool that was accepted in FortiOS v6.4.x is rejected after an upgrade to v7.0.x, which causes NAT64 translation to stop, and how to correct the IP pool configuration.
Scope FortiGate v6.4.x and v7.0.x
Solution
  • In v6.4.x, a NAT64 IP pool can be defined with a range that excludes the subnetwork (network) address and the broadcast address, for example 177.220.15.1 to 177.220.15.254.
  • In v7.0.x this configuration is no longer valid: the range of a NAT64 IP pool must be a whole subnet, so the same commands fail with the error shown below.

config firewall ippool
(ippool) # edit pool-nat
new entry 'pool-nat' added
(pool-nat) # set startip 177.220.15.1      <--- first host address, not the network address 177.220.15.0
(pool-nat) # set endip 177.220.15.254      <--- last host address, not the broadcast address 177.220.15.255
(pool-nat) # set comments nat64
(pool-nat) # set nat64 enable
(pool-nat) # end
IP range must be a subnet for NAT64
object check operator error, -139, discard the setting
Command fail. Return code -139

  • In v7.0.x, set startip to the subnetwork address and endip to the broadcast address so that the range covers a whole subnet, and set subnet-broadcast-in-ippool to disable so that those two addresses are not used for translation. The pool then behaves as it did in v6.4.x.

edit "pool-nat"
    set type overload
    set startip 177.220.15.0
    set endip 177.220.15.255
    set arp-reply enable
    set arp-intf ''
    set associated-interface ''
    set comments ''
    set nat64 enable
    set add-nat64-route enable
    set subnet-broadcast-in-ippool disable   <----- do not include the subnetwork address and broadcast address in the NAT64 IP pool; the addresses actually used for translation are 177.220.15.1-177.220.15.254
next

The two values of the option, as printed by the CLI help:

FortiGate-101F (1) # set subnet-broadcast-in-ippool ?
disable    Do not include the subnetwork address and broadcast IP address in the NAT64 IP pool.
enable     Include the subnetwork address and broadcast IP address in the NAT64 IP pool.
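Before upgrading a v6.4.x unit it is useful to find every NAT64 pool whose range is not a whole subnet, since each of them will be rejected by v7.0.x. The following script is an added example, not Fortinet code: it parses the output of 'show firewall ippool' (a constructed sample is embedded), checks each pool with 'set nat64 enable' against the v7.0.x rule, and prints the corrected startip/endip plus 'set subnet-broadcast-in-ippool disable' so that the usable range stays the same. The sample pool names and the 198.51.100.0/24 addresses are assumptions for illustration.

```python
"""Pre-upgrade check for NAT64 IP pools (added example, not Fortinet code).

FortiOS 7.0.x rejects a NAT64 IP pool whose startip/endip do not form a
whole subnet ("IP range must be a subnet for NAT64", return code -139).
This script parses the text of 'config firewall ippool' as exported from a
6.4.x FortiGate, flags NAT64 pools that would fail, and emits the CLI to
fix them without changing the addresses actually used for translation.
"""
import ipaddress
import re

# Constructed sample of 'show firewall ippool' output from a 6.4.x unit.
SAMPLE_CONFIG = """\
config firewall ippool
    edit "pool-nat"
        set type overload
        set startip 177.220.15.1
        set endip 177.220.15.254
        set comments "nat64"
        set nat64 enable
    next
    edit "pool-nat-ok"
        set type overload
        set startip 177.220.16.0
        set endip 177.220.16.255
        set nat64 enable
        set subnet-broadcast-in-ippool disable
    next
    edit "pool-v4-only"
        set type overload
        set startip 198.51.100.10
        set endip 198.51.100.20
    next
end
"""


def parse_ippools(text):
    """Return {pool name: {setting: value}} for every 'edit' block."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            pools[current] = {}
        elif line == "next":
            current = None
        elif current is not None:
            m = re.match(r"set (\S+) (.+)$", line)
            if m:
                pools[current][m.group(1)] = m.group(2).strip('"')
    return pools


def covering_subnet(startip, endip):
    """Smallest IPv4 subnet that contains the whole range startip..endip."""
    start, end = ipaddress.IPv4Address(startip), ipaddress.IPv4Address(endip)
    if end < start:
        raise ValueError("endip is lower than startip")
    # Shorten the prefix until one network holds both ends; /0 always does.
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network((start, prefix), strict=False)
        if end in net:
            return net


def is_whole_subnet(startip, endip):
    """True iff startip is the network address and endip the broadcast
    address of a single subnet, which is what 7.0.x requires for NAT64."""
    net = covering_subnet(startip, endip)
    return (ipaddress.IPv4Address(startip) == net.network_address
            and ipaddress.IPv4Address(endip) == net.broadcast_address)


def check_nat64_pools(text):
    """For each pool with 'set nat64 enable', report whether it passes the
    7.0.x check and which startip/endip/usable range it should have."""
    results = {}
    for name, s in parse_ippools(text).items():
        if s.get("nat64") != "enable":
            continue
        net = covering_subnet(s["startip"], s["endip"])
        # With subnet-broadcast-in-ippool disabled, translation uses the
        # subnet minus its first and last address (only meaningful for >= 4 hosts).
        usable = (f"{net.network_address + 1}-{net.broadcast_address - 1}"
                  if net.num_addresses >= 4 else None)
        results[name] = {
            "ok": is_whole_subnet(s["startip"], s["endip"]),
            "subnet": str(net),
            "startip": str(net.network_address),
            "endip": str(net.broadcast_address),
            "usable": usable,
        }
    return results


def fix_commands(name, result):
    """CLI lines that make the pool acceptable to 7.0.x (empty if already ok)."""
    if result["ok"]:
        return []
    return ["config firewall ippool", f'    edit "{name}"',
            f"        set startip {result['startip']}",
            f"        set endip {result['endip']}",
            "        set subnet-broadcast-in-ippool disable",
            "    next", "end"]


if __name__ == "__main__":
    for name, res in check_nat64_pools(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if res['ok'] else 'NEEDS FIX'} (subnet {res['subnet']})")
        print("\n".join(fix_commands(name, res)))
```

Run it against a real 'show firewall ippool' capture instead of SAMPLE_CONFIG; pools without 'set nat64 enable' are ignored because the subnet rule applies only to NAT64 pools. The corrected range is the smallest subnet that contains the old one, so with subnet-broadcast-in-ippool disabled the addresses handed out for translation stay exactly those of the v6.4.x pool.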