Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
TBC
Contributor

D-Nat and S-Nat with or without Central SNAT

Hello @All,

I have to Set up some internal DNAT and SNAT Entries and on reading some guides how to do that.

I have seen that there is a feature calling Central SNAT available.

I'm not really understand for what it is.

Could someone explain to me what is the goal of Central SNAT and do I need that?

 

Many thank's

TBC

1 Solution
Yurisk
SuperUser
SuperUser

As I jokingly say - Central NAT was invented to lure Checkpoint admins to the Fortinet world :)

AS a technical feature it does not add much - mainly it separates managing NAT rules from Security Rulebase into its own, NAT Policy (OK, it does add ability to manipulate src port, but who uses it anyway :)). But it does become mandatory when working in  Policy-based Mode, i.e. when you configure UTM features directly inside each Security Rule, instead of Security Profiles.

 

Configuring it, anyway, is just as easy as doing the 'old' way. SNAT means that not only Destination IP is manipulated, but Source IP inside the packet as well. I even wrote post how to do it once - https://yurisk.info/2021/05/24/perform-snat-and-dnat-on-the-same-traffic-in-fortigate/ 

 

HTH

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.

View solution in original post

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
2 REPLIES 2
Yurisk
SuperUser
SuperUser

As I jokingly say - Central NAT was invented to lure Checkpoint admins to the Fortinet world :)

AS a technical feature it does not add much - mainly it separates managing NAT rules from Security Rulebase into its own, NAT Policy (OK, it does add ability to manipulate src port, but who uses it anyway :)). But it does become mandatory when working in  Policy-based Mode, i.e. when you configure UTM features directly inside each Security Rule, instead of Security Profiles.

 

Configuring it, anyway, is just as easy as doing the 'old' way. SNAT means that not only Destination IP is manipulated, but Source IP inside the packet as well. I even wrote post how to do it once - https://yurisk.info/2021/05/24/perform-snat-and-dnat-on-the-same-traffic-in-fortigate/ 

 

HTH

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
TBC

Hello,
best thanks for this info!
I will then stay with the old form without Central NAT since I do not see much added value in this.

Thank you for your comments

 

Greetings

TBC

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors