Hi,
In a simple policy to allow packets from a host on one internal private network to a host another internal private network, what is the effect of the directive "set nat enable" in the policy?
Thanks
M
Hello, and welcome to the Forums. Simple spoken with Nat enabled, you see as source (on the destination, e.g. some logs) the firewall interface ip. With Nat disabled, you see the "real" source IP.
________________________________________________________
--- NSE 4 ---
________________________________________________________
As Markus said, and I will add an educated opinion:
You should never enable NAT on a policy unless it is a policy that controls outbound access to your Internet connection. So LAN -> WAN yes, but LAN -> LAN no, LAN -> DMZ no, and WAN -> LAN absolutely not.
There are corner case exceptions, but by the time you need them you should have a better understanding of NAT to know exactly when/why/how. (Mainly for certain VPN scenarios between organizations.)
Thanks for the great answers. I suspected as much. Did some testing and yes...the packet arrives at the destination with the firewall egress interface IP as the source.
Thanks again!
M
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.