Support Forum
darth_kittycat
New Contributor

Effect of "set nat enable" in a firewall policy

Hi,


In a simple policy to allow packets from a host on one internal private network to a host on another internal private network, what is the effect of the directive "set nat enable" in the policy?


Thanks


M

3 REPLIES
Markus
Valued Contributor

Hello, and welcome to the Forums. Simply put: with NAT enabled, you see the firewall interface IP as the source (at the destination, e.g. in some logs). With NAT disabled, you see the "real" source IP.


--- NSE 4 ---
lobstercreed
Valued Contributor

As Markus said, and I will add an educated opinion:

You should never enable NAT on a policy unless it is a policy that controls outbound access to your Internet connection.  So LAN -> WAN yes, but LAN -> LAN no, LAN -> DMZ no, and WAN -> LAN absolutely not.


There are corner case exceptions, but by the time you need them you should have a better understanding of NAT to know exactly when/why/how.  (Mainly for certain VPN scenarios between organizations.)
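The following FortiOS CLI fragment is an added example, not configuration posted by anyone in this thread. It puts the two cases the replies above describe side by side: an internal-to-internal policy with `set nat disable`, and an internet-bound policy with `set nat enable`. The interface names (port2, port3, wan1), address objects, subnets and policy IDs are assumptions chosen for illustration.

```fortios
# Address objects for the two internal networks (assumed names/subnets).
config firewall address
    edit "LAN1_NET"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "LAN2_NET"
        set subnet 10.2.2.0 255.255.255.0
    next
end

config firewall policy
    # LAN -> LAN: no NAT. A host in LAN2 (and its logs / host ACLs)
    # sees the real client address, e.g. 10.1.1.5.
    edit 10
        set name "LAN1-to-LAN2"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "LAN1_NET"
        set dstaddr "LAN2_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
    # LAN -> WAN: source NAT. With no IP pool configured, the source is
    # rewritten to the IP of the egress interface (wan1).
    edit 20
        set name "LAN1-to-Internet"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "LAN1_NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

# Check what the destination actually sees: sniff on the egress interface
# while the client sends traffic. Verbosity 4 prints interface names with
# the IP header, so the (translated or untranslated) source is visible.
diagnose sniffer packet port3 'host 10.2.2.8' 4
```

If `set nat enable` were placed on policy 10 instead, the sniffer on port3 would show port3's own address as the source of every packet to 10.2.2.8, which is exactly what the original poster observed in testing. Besides hiding the real client from destination-side logs, that also breaks anything on the destination that authorizes by client IP, since every LAN1 host collapses to one address.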

darth_kittycat
New Contributor

Thanks for the great answers. I suspected as much. Did some testing and yes... the packet arrives at the destination with the firewall egress interface IP as the source.


Thanks again!


M
