FortiGate
keithli_FTNT
Article Id 190193
Description

Upgrade:

Because the syntax of the Central NAT table changed in 5.4, the upgrade from 5.2 to 5.4 does not convert an existing Central NAT configuration into the 5.4 syntax; it must be recreated by hand (or by script) after the upgrade.

Specifically, this is the table used in 5.2:
config firewall central-nat
And this is the table used in 5.4:
config firewall central-snat-map
In addition, new options were added to the central-snat-map table, and the per-policy NAT options listed below were removed from the firewall policy table.

In 5.4, when you configure a firewall policy after Central NAT is enabled, the following policy options differ from 5.2:
config firewall policy
  edit 1
        set central-nat  <--- removed
        set ippool       <--- removed
        set poolname     <--- removed
        set nat enable   <--- controls whether the central-snat-map table is consulted for this policy
end

Enabling Central NAT:

In 5.4, there is no longer a Feature Store setting in the GUI to enable Central NAT. It is now a CLI-only setting, and it applies per VDOM:
config system setting
    set central-nat {enable | disable}
end
Once it is enabled and you have logged out of and back into the GUI, two new menu items, Central SNAT and DNAT & Virtual IPs, appear under Policy & Objects:
[Image: VIPDNAT-KB-Menu.jpg]

Configuring SNAT policies:

Under the Central SNAT page, you define the SNAT policies used for source NAT. A firewall policy only applies these SNAT policies if NAT is enabled on that firewall policy (set nat enable).


What is the default behaviour when Central NAT is enabled but there are no SNAT policies?

If Central NAT is enabled and the NAT option is enabled on a firewall policy, but no SNAT policy matches the traffic (or none is defined at all), the traffic is source-NATed to the IP address of the egress interface. Check the Central SNAT table before assuming a pool address is in use.
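The upgrade does not carry the 5.2 Central NAT table across, so a migration of more than a handful of policies is best done by script. The following is an added example, not Fortinet code and not part of the original article: it parses a constructed 5.2 excerpt, derives a central-snat-map entry for every policy that source-NATed through the 5.2 central-nat table or through a per-policy pool, strips the removed policy options, keeps `set nat enable` as the switch that decides whether the map is consulted, and flags policies that will fall back to the egress interface address because no SNAT entry covers them. It assumes a 5.2 central-nat entry carries `orig-addr` and `nat-ippool` and that a 5.4 central-snat-map entry takes `orig-addr`, `srcintf`, `dst-addr`, `dstintf` and `nat-ippool`; the interface, address and pool names are constructed for the demonstration. The emitted text also covers the enable step above (`config system setting` / `set central-nat enable`).

```python
"""Rewrite a FortiOS 5.2 NAT configuration into the 5.4 Central NAT syntax.

Added example, not Fortinet code. Assumed field names: 5.2 central-nat entries
carry orig-addr and nat-ippool; 5.4 central-snat-map entries take orig-addr,
srcintf, dst-addr, dstintf and nat-ippool. All object names are constructed.
"""
import shlex

# Constructed 5.2 excerpt (not a real device dump).
CONFIG_52 = """\
config firewall central-nat
    edit 1
        set orig-addr "internal_net"
        set nat-ippool "pool_internal"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "internal_net"
        set dstaddr "all"
        set action accept
        set central-nat enable
        set nat enable
    next
    edit 2
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "dmz_net"
        set dstaddr "all"
        set action accept
        set nat enable
        set ippool enable
        set poolname "pool_dmz"
    next
    edit 3
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "guest_net"
        set dstaddr "all"
        set action accept
        set nat enable
    next
end
"""

REMOVED_POLICY_OPTIONS = {"central-nat", "ippool", "poolname"}  # dropped in 5.4
KEYWORD_OPTIONS = {"action", "nat", "status"}  # emitted unquoted; names are quoted


def parse_config(text):
    """Minimal parser for config/edit/set/next/end: {table: {id: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set":
            entry[tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table = None
    return tables


def convert_to_54(tables):
    """Return (snat_entries, policies, notes): the central-snat-map entries to create,
    the policies with 5.2-only options stripped (nat enable kept, since in 5.4 that
    flag alone decides whether the map is consulted), and a note per policy."""
    central = tables.get("firewall central-nat", {})
    snat_entries, policies, notes = [], {}, {}
    for pid, pol in tables.get("firewall policy", {}).items():
        policies[pid] = {k: v for k, v in pol.items() if k not in REMOVED_POLICY_OPTIONS}
        if pol.get("nat") != ["enable"]:
            notes[pid] = "NAT disabled; central-snat-map is not consulted"
            continue
        pool = None
        if pol.get("ippool") == ["enable"] and pol.get("poolname"):
            pool = pol["poolname"][0]               # per-policy pool in 5.2
        elif pol.get("central-nat") == ["enable"]:  # 5.2 table keyed on source only
            for ent in central.values():
                if set(ent.get("orig-addr", [])) & set(pol.get("srcaddr", [])):
                    pool = ent["nat-ippool"][0]
                    break
        if pool is None:  # the 5.4 default described in the article
            notes[pid] = "nat enable with no SNAT entry: source NAT to egress interface IP"
            continue
        snat_entries.append({"orig-addr": pol["srcaddr"], "srcintf": pol["srcintf"],
                             "dst-addr": pol["dstaddr"], "dstintf": pol["dstintf"],
                             "nat-ippool": [pool]})
        notes[pid] = f"SNAT via central-snat-map entry {len(snat_entries)} (pool {pool})"
    return snat_entries, policies, notes


def render_54(snat_entries, policies):
    """Emit the 5.4 CLI: enable Central NAT (per VDOM), the SNAT map, the policies."""
    def fmt(key, values):
        return " ".join(values if key in KEYWORD_OPTIONS else [f'"{v}"' for v in values])
    out = ["config system setting", "    set central-nat enable", "end",
           "config firewall central-snat-map"]
    for i, ent in enumerate(snat_entries, 1):
        out += [f"    edit {i}"] + [f"        set {k} {fmt(k, v)}" for k, v in ent.items()] + ["    next"]
    out += ["end", "config firewall policy"]
    for pid, pol in policies.items():
        out += [f"    edit {pid}"] + [f"        set {k} {fmt(k, v)}" for k, v in pol.items()] + ["    next"]
    return "\n".join(out + ["end"])


if __name__ == "__main__":
    snat, pols, notes = convert_to_54(parse_config(CONFIG_52))
    print(render_54(snat, pols))
    for pid, note in notes.items():
        print(f"# policy {pid}: {note}")
```

Policy 3 in the constructed input has `set nat enable` but neither a central-nat match nor a pool, so the script reports it as falling back to the egress interface address; that is the case to look for after an upgrade, because it is silent on the device. Review the generated central-snat-map before pasting it in: the 5.2 table matched on source address only, so each derived entry inherits the interface pair of the policy it came from and may need to be widened if several policies shared one source.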

 

Caveats for Virtual IP when Central NAT is enabled:

  • When Central NAT is enabled, a VIP does not have to be referenced as the destination address of the firewall policy. Once a firewall policy that permits the traffic exists, defining the VIP under DNAT & Virtual IPs automatically adds the DNAT entry to the kernel.

  • If more granularity is needed, for example to allow certain services for one VIP and other services for another VIP, create separate firewall policies, each with the mapped IP of the respective VIP as its destination address.

  • If both an SNAT policy and a DNAT/VIP are defined for the same mapped IP address, egress traffic from that address is source-NATed to the VIP address: the VIP takes precedence over the SNAT policy.


Related Articles

Technical Note: Configuration changes regarding Central NAT and Virtual IPs in FortiOS 5.4
