Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
chibby
New Contributor

Enabling central NAT table in v5.4

Greeting all,

 

this is my first post so I'll make it quick.

 

Is central NAT table been removed with new fortiOS or is there any way to enable it via CLI?

 

Thank you all in advance

8 REPLIES 8
romanr
Valued Contributor

I remeber there was an architectural change to 5.4

 

The central NAT table can be there, but has to be activated - But all NAT features will only be in the Central NAT Table then and not in the policies any more!!

 

You will have to change that setting to "central-nat enable" in "system settings" for the running VDOM as I remember...

 

Br,

Roman

JohnAgora

This can help:

http://help.fortinet.com/...ll-52/Examples/Example - Central NAT Table.htm?Highlight=central nat

chibby

i tried that but didn't help.

 

in CLI i cannot write "config firewall central-nat" because the only function that i can write is "config firewall central-snat-map"

romanr
Valued Contributor

Hi,

 

the feature has changed - there is only source nat available in the central NAT table ....

 

After setting:

 

FG100D3xxxxxxx # config system settings FG100Dxxxxxxx3 (settings) # show config system settings     set central-nat enable ....... end

I get:

 

Jim_Perry

I desperately need this feature and I get the message :

 

"Cannot enable central-nat with firewall policy using vip (id=50)"

 

Policy 50?  My policy 50 has nothing to do with central nat, it's an inbound web server policy.  I have 1 (ONE!!) policy that needs to go outbound to an extranet biz partner, and it had central nat table in the old firmware.  That is what was enabled on the previous firmware (5.2.x) for this one policy.  Surprise - that's the one policy that will not work for me.

 

I am still researching but I can't find anything in my config other than policy 50, which as I stated, is for inbound port 443 to a web server.

 

Thanks!

 

Jim

------------------------------------------------------------ Jim Perry, CISSP, ITIL Security Manager Alabama Housing Finance Authority jperry@ahfa.com 334-478-0502 (C) 334-244-9200 (W) ---------------------------------------------------------
ping
New Contributor

Hi, I have the same problem after upgrade the my Fortigate 100D to FortiOs 5.4. I have made a downgrade to the previous firmware version to resolved the problem. In this days I doing some test in my lab with FortiOs 5.4 and I notice that with this release the source nat is managed in a different way when central-nat is enable. For example you can't select the type of the source nat (use outgoing Interface Address, Use Dynamic IP Pool and Use Central NAT Table) when the nat is enable on the policy. I think that with FortiOs5.4 the source NAT is completely managed by the Central-Nat-Table when it's is enable. In the document "What's new FortiOs 5.4" I haven't found nothing about some change about central-nat-table. Do you found some information about this issue? Thanks!     Elliot

AndreaSoliva
Contributor III

Hi all

 

the case with the central-nat table is horrible and fully not understandable which means acutally following:

 

- Officially out of a ticket following was comunicated from Fortinet: "The support for the central-nat table was fully dropped" and will not be supported in the future!

 

From this point of view can be understood for what reason ever! What is absolutly inacceptable is that NOTHIGN is mentioned in the Release Notes or wherever Whats-New etc. From this point of view the TAC engineer promised me to deliver Fortinet responsibles that they MUST mention this behaviour somewhere because if you have a lot of policies based on the central-nat table and you go to 5.4 you will receive after reboot in the "diagnose debug config-error-log read" log following message for every policy which is based on central-nat table:

 

>>>  "set" "central-nat" "enable" @ root.firewall.policy.10:command parse error (error -61) >>>  "set" "central-nat" "enable" @ root.firewall.policy.16:command parse error (error -61) >>>  "set" "central-nat" "enable" @ root.firewall.policy.18:command parse error (error -61) >>>  "set" "central-nat" "enable" @ root.firewall.policy.20:command parse error (error -61) >>>  "set" "central-nat" "enable" @ root.firewall.policy.21:command parse error (error -61) >>>  "set" "central-nat" "enable" @ root.firewall.policy.22:command parse error (error -61) >>>  "set" "central-nat" "enable" @ root.firewall.policy.23:command parse error (error -61) >>>  "set" "central-nat" "enable" @ root.firewall.policy.30:command parse error (error -61) >>>  "set" "central-nat" "enable" @ root.firewall.policy.24:command parse error (error -61) >>>  "set" "central-nat" "enable" @ root.firewall.policy.25:command parse error (error -61) >>>  "set" "central-nat" "enable" @ root.firewall.policy.26:command parse error (error -61) >>>  "set" "central-nat" "enable" @ root.firewall.policy.27:command parse error (error -61) >>>  "set" "central-nat" "enable" @ root.firewall.policy.28:command parse error (error -61) >>>  "set" "central-nat" "enable" @ root.firewall.policy.29:command parse error (error -61)

 

This means within a upgrade the FortiOS removes the central-nat table configuration completely and replaces every Firewall Policy Rule with central-nat table enabled with the NAT position "Use outgoing Interface address".

 

This means after or better before upgrade you have to change to "use dynamice ip pool" configuration this means actually you can still use your IP Pool object but for every Firewall Policy Rule you have to activate "use dynamic ip pool" and define the corresponding IP Pool object. On cli this means:

 

# config firewall policy

# edit [Policy ID]

# set ippool enable

# set poolname “[Object Name IP Pool aus der Central-NAT Table]

# end

 

That's it actually.....horrible without notice within Release Notes etc. inacceptable. There is actually a possibility to activate central-nat table again but I'm not 100% sure if it is actually a bug or "it works as designed". What you have to do is following:

 

--> Go to your Firewall Policies and remove in every Policy where you find a VIP object these objects (Do not ask me why it is as it is)

--> As soon as you did this you can enable central-nat menue again with:

 

# config system settings

# set central-nat enable

# end

 

--> After that you can actually configure central-nat table again but fully not understandable you CAN NOT CONFIGURE anymore in a Firewall Policy Rule a VIP Object?!

 

--> If you enable central-nat table again and you look to a Firewall Policy Rule you will find there nothing else as NAT enable/disable no more positiions like "use dynamic ip pool" etc.

 

--> If you like to configure central-nat table itself on cli you have to use:

 

# config firewall central-snat-map

# edit 1

# set orig-addr "[Define a Object for Source or Orig"

# set dst-addr "[Define a Object for Destination]"

# set nat-ippool "[Define a Object for IP Pool]"

# next

# end

 

By the way  if you like to modify the Firewall Policy Rule seperatly meanign within a txt file like:

 

--> show firewall policy (copy content in txt file)

--> delete all policy rules:

# config firewall policy

# purge

yes

 

--> Modify the txt file that it reflects a new configuration like for dynamic ip pool

--> copy back the contect from txt file to the cli that you get back all policies

--> Result: Error message regarding UID which is not a pain but title and section are gone

 

Sorry but this is also inacceptable. From this point of view I recommend really BEFORE upgrade to modify all Firewall Policy Rules with central-nat table to dynamic ip pool and after that DO A UPGRADE.

 

As I understood central-nat table is gone not anymore supported and will not come back. Change your config to dynamic ip pool and keep specially finger from 5.4 except for testing is fully not useable for production use full of bugs.

 

hope this helps

 

have fun

 

Andrea

 

 

 

 

keithli_FTNT

I realize this is an old thread, but in regards to the last post by Andrea:

- Officially out of a ticket following was comunicated from Fortinet: "The support for the central-nat table was fully dropped" and will not be supported in the future!

 

I don't believe anyone in TAC would communicate to the customer that central-nat table was fully dropped. In fact, when I look up the ticket, the message that was provided was:

Central NAT feature is not upgrade-able from v5.2. to v5.4.

 

This is correct, and we have a KB article written to address this question:

The Central NAT config did not get upgraded from 5.2 to 5.4. How do you configure this in 5.4?

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD37587

 

In terms of the changes to the behaviour you would expect in 5.4 when Central NAT is enabled:

Source NAT:

- must define under the Central SNAT policy

- for SNAT to take effect, enable NAT on the policy

Destination NAT (VIP):

- define DNAT & Virtual IPs

- no additional configurations required

- FOS backend will handle installing the VIPs to the kernel

 

Hope this clarifies the stance from Fortinet.

 

Regards,

 

Keith

Director, Product Management