Hi, I am new to the FortiGate firewall. I created a VIP with port forwarding to one of our internal servers. Do I need to enable NAT in the firewall policy? If not, may I know why?
Hello,
Thank you for your question. The NAT you are showing is related to SNAT, so it would SNAT the source IP address of the traffic. Usually, if the traffic is coming from the internet, this is not needed. SNAT is usually enabled when the server you are sending traffic to has a different gateway, not the FortiGate, so you SNAT the traffic to force the reply back to the FortiGate.
Here is the KB article related to VIP port-forwarding:
More important here is that a VIP (for destination NAT) automatically does SNAT on reply traffic. Example:
You create a VIP mapping 5.6.7.8 (your WAN IP) to 192.168.14.4 (internal). The internal server answers, and the VIP translates the source address back to the WAN IP 5.6.7.8.
Adding the NAT checkbox in the inbound policy would make the VIP use the internal interface address as source on inbound traffic, which would do no harm but would camouflage the original sender's IP address. All traffic to the internal server would appear to come from internal. Often, you prefer to know the external host's address for monitoring, statistics etc.
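As an added example (not part of the original thread), here is the CLI equivalent of the setup described above: the VIP, the inbound policy with NAT left off so the server still sees the real client address, and a sniffer check to confirm it. Interface names wan1 and internal, TCP/443 as the forwarded port, and the policy ID are assumptions.

```fortios
# Added example, not from the thread. Assumed interface names: wan1 (external), internal (LAN).
# VIP: WAN IP 5.6.7.8:443 is forwarded to the internal server 192.168.14.4:443.
config firewall vip
    edit "web-vip"
        set extip 5.6.7.8
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "192.168.14.4"
        set mappedport 443
    next
end

# Inbound policy referencing the VIP as the destination.
# "set nat disable" is the point of the thread: the VIP still rewrites the source of the
# server's replies back to 5.6.7.8, so the policy itself does not need SNAT.
# Leaving NAT off keeps the external client's IP visible to the server for logs and monitoring.
config firewall policy
    edit 10
        set name "inbound-web"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
        set nat disable
    next
end

# Verification: capture the forwarded traffic on the internal side.
# With "set nat disable", the source of the SYN toward 192.168.14.4 is the external client's
# public address; with "set nat enable" it would instead be the internal interface address.
diagnose sniffer packet internal 'host 192.168.14.4 and tcp port 443' 4 10
```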
One very rare situation where we had to set NAT on a VIP policy as a workaround was when a third-party private network between our FGT and the end user's web server was having a problem re-advertising the default route from the FGT. They don't have a problem re-advertising the /30 interface subnet. We're still waiting for the problem to be resolved.
As a result, the web server can't know the source IP the access is coming from, as Ede mentioned.
Toshi