Description
Upgrade:
Because the syntax of the Central NAT table changed in 5.4, upgrading from 5.2 to 5.4 does not convert these configs to the 5.4 syntax.
Specifically, this is the table used in 5.2:
    config firewall central-nat
And this is the table used in 5.4:
    config firewall central-snat-map
In addition, new options are added to the 5.4 table, and other options are removed from the firewall policy table.
In 5.4, when you configure a firewall policy after Central NAT is enabled, these are the options that are available, compared with 5.2:
    config firewall policy
        edit 1
            set central-nat    <--- removed
            set ippool         <--- removed
            set poolname       <--- removed
            set nat enable     <--- controls whether the central-nat table is used
    end
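As an added example (not from the original article and not a FortiOS tool), the following pre-upgrade check scans a 5.2 configuration backup for the renamed table and the three policy options listed above, so the affected entries can be identified before upgrading; the sample configuration is constructed and its entry bodies are elided.

```python
# Added pre-upgrade check (not from the article or FortiOS): scans a 5.2 config
# backup for the renamed Central NAT table and the removed policy options.
REMOVED_POLICY_OPTIONS = {"central-nat", "ippool", "poolname"}  # per the article
OLD_TABLE, NEW_TABLE = "firewall central-nat", "firewall central-snat-map"

def audit_central_nat(config_text):
    """Return (kind, location, detail) findings for a FortiOS config backup."""
    findings = []
    stack = []  # one [table_name, current_edit_id] per open 'config' block
    for raw in config_text.splitlines():
        tokens = raw.strip().split(None, 1)
        if not tokens or tokens[0].startswith("#"):
            continue
        keyword, rest = tokens[0], (tokens[1] if len(tokens) > 1 else "")
        if keyword == "config":
            stack.append([rest, None])
            if rest == OLD_TABLE:  # table renamed in 5.4; entries are not converted
                findings.append(("table-renamed", rest,
                                 "5.4 uses 'config %s'; entries are not converted on upgrade" % NEW_TABLE))
        elif keyword == "edit" and stack:
            stack[-1][1] = rest.strip('"')
        elif keyword == "next" and stack:
            stack[-1][1] = None
        elif keyword == "end" and stack:
            stack.pop()
        elif keyword == "set" and stack and stack[-1][0] == "firewall policy":
            option = rest.split(None, 1)[0] if rest else ""
            if option in REMOVED_POLICY_OPTIONS:
                findings.append(("option-removed",
                                 "firewall policy edit %s" % stack[-1][1],
                                 "'set %s' is removed from the 5.4 policy table" % option))
    return findings

# Constructed sample of a 5.2 backup; entry bodies are elided because the
# check only keys on table names and the removed policy options.
SAMPLE_52_CONFIG = """\
config firewall central-nat
    edit 1
    next
end
config firewall policy
    edit 1
        set nat enable
        set central-nat enable
    next
    edit 2
        set ippool enable
        set poolname "pool1"
    next
end
"""
```

Running the check over a real backup before the upgrade lists every Central NAT entry and policy that will need to be recreated in the 5.4 syntax.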
Enabling Central NAT:
In 5.4, there is no longer a Feature Store setting to enable Central NAT. This is now a CLI-only setting, and applies per VDOM:
    config system setting
        set central-nat {enable | disable}
    end
Once enabled, and after you have logged out of and back into the GUI, two new menu items will appear under Policy & Objects:
Configuring SNAT policies:
Under the Central SNAT page, you can define your SNAT policies for source NATing. To apply the SNAT policies within a firewall policy, you must enable NAT on that firewall policy.
What is the default behaviour when Central NAT is enabled but there are no SNAT policies?
If you have enabled Central NAT and enabled the NAT option within a firewall policy even though there are no SNAT policies, the traffic will be source-NATed to the IP address of the egress interface.
Caveats for Virtual IP when Central NAT is enabled:
- Defining a VIP when Central NAT is enabled does not require the VIP to be set as the DST address of the firewall policy. When the appropriate firewall policy has been configured, defining the VIP under DNAT & Virtual IPs will automatically add the entry to the kernel.
- If additional granularity is needed, such as when you need to allow certain services for one VIP and other services for another VIP, create separate firewall policies with a DST address of the mapped IP of each VIP.
- If both SNAT and DNAT/VIP are defined for a particular mapped IP address, its egress traffic will use the VIP address for source NATing, as that takes precedence over the SNAT policy.
Related Articles
Technical Note: Configuration changes regarding Central NAT and Virtual IPs in FortiOS 5.4