TBC
Contributor

D-Nat and S-Nat with or without Central SNAT

Hello @All,

I have to set up some internal DNAT and SNAT entries and am reading some guides on how to do that.

I have seen that there is a feature called Central SNAT available.

I don't really understand what it is for.

Could someone explain to me what the goal of Central SNAT is and whether I need it?

 

Many thanks

TBC

1 Solution
Yurisk
SuperUser

As I jokingly say - Central NAT was invented to lure Checkpoint admins to the Fortinet world :)

As a technical feature it does not add much - mainly it separates managing NAT rules from the Security Rulebase into its own NAT Policy (OK, it does add the ability to manipulate the src port, but who uses it anyway :)). But it does become mandatory when working in Policy-based Mode, i.e. when you configure UTM features directly inside each Security Rule, instead of Security Profiles.

 

Configuring it, anyway, is just as easy as doing it the 'old' way. SNAT means that not only the Destination IP is manipulated, but the Source IP inside the packet as well. I even wrote a post on how to do it once - https://yurisk.info/2021/05/24/perform-snat-and-dnat-on-the-same-traffic-in-fortigate/

 

HTH

Yuri Slobodyanyuk

TBC

Hello,
many thanks for this info!
I will then stay with the old form without Central NAT since I do not see much added value in this.

Thank you for your comments

 

Greetings

TBC
