Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSOAR
- FortiSIEM
- FortiSwitch
- FortiTester
- FortiVoice
- FortiToken
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Incoming NAT
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Incoming NAT
Hi,
We migrated from another brand to Fortigate but facing a problem creating Nat Policies. The old firewall had separate places for Firewall Rules and Nat Policies but Fortigate has both at the same place.
We need to source nat the incoming traffic coming from the DMZ Interface and reach a server behind the LAN Interface. How to do it in Fortigate?
Incoming Interface: DMZ
Outgoing Interface: LAN
Source Network: All (must be translated to another IP which is allowed for our network)
Destination: A Server behind LAN Zone
Do we need to enable the NAT option? If yes then which IP should be used as IP Pool Configuration?
Thanks.
Labels:
- Labels:
-
FortiGate
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi There,
Since you are migrating from different product, you may refer to this link below which may help you to understand about SNAT on the Fortigate
I also want to let you know that we do have features to separate NAT from firewall policy which called Central SNAT
https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/421028/central-snat
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In FortiGate, NAT (Network Address Translation) and firewall policies are combined into a single configuration. To achieve source NAT for incoming traffic from the DMZ interface to a server behind the LAN interface, you'll need to create a firewall policy with the appropriate NAT settings. Here's a step-by-step guide:
-
Log in to the FortiGate Web Interface:
- Open a web browser and enter the IP address of your FortiGate unit.
-
Navigate to Policy & Objects > Policy > IPv4:
- In the left navigation pane, go to "Policy & Objects" and then select "Policy."
-
Create a New Policy:
- Click on the "+ Create New" button to create a new policy.
-
Configure General Settings:
- Set the following parameters:
- Incoming Interface: DMZ
- Outgoing Interface: LAN
- Source: All
- Destination: Select the server behind the LAN zone.
- Set the following parameters:
-
Enable NAT:
- Under the "NAT" section, check the box to enable NAT.
- Choose "Use Destination Interface Address" or "Use Central NAT Table" based on your requirements.
-
Configure NAT Settings:
- If you choose "Use Destination Interface Address," the source IP will be translated to the IP address of the outgoing interface (LAN).
- If you choose "Use Central NAT Table," you may need to configure a NAT rule in Policy & Objects > NAT.
-
Enable Security Profiles (if needed):
- If you have security profiles (like antivirus, web filtering) configured, ensure they are appropriate for your traffic.
- Save and confirm to apply the policy.
Please do refer how the policy order works:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-policy-order-in-works-on-FortiGate/ta-...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this will expose your complete lan to the wan side without any way to find the original source due to snat.
I would more recommend to use some vip as destination in your policy to expose only the ports of your server you need to access from wan side and not the hole lan subnet!
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Can I ask why do you need to NAT traffic from DMZ to LAN?
In normal situation we don't do that, unless you have a routing issue, and in this case it is much better design to fix you routing than to enable NAT.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The DMZ Interface is connected to another private network which needs access to our server on LAN.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Seems you are moving to the new product, we do have the feature you mentioned.
The difference is we call it as central NAT , it is up to you how you want to utilize it.
If you operate in central NAT mode you can have all your NAT rules in one place.
However other option is you can have it directly in the firewall policy.
Lan-->WAN you can use SNAT in the policy or in the central table.
From outside or from a different zone it would be better to use D-NAT ( referred as VIP) if you want to protect server access.
Thank you.
Regards,
Prince
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @create_share,
If you need to source nat the incoming traffic coming from the DMZ Interface to a server behind the LAN Interface, you need to enable NAT on the firewall policy and 'Use Outgoing Interface Address' will be enough. Source IP address will be NATed to the IP address of the LAN interface.
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for the replies. It worked after I configured a virtual IP.
Thanks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Head to "Policy & Objects," hit "IPv4 Policy," and craft a new policy with DMZ as the incoming interface, LAN as outgoing. Set source to "All" and destination to your LAN server. Don't forget to tick the NAT box. Opt for "Source NAT," choose "Use Static IP," and toss in the IP allowed for your network.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,750 -
FortiClient
1,778 -
5.2
801 -
FortiManager
736 -
5.4
639 -
FortiAnalyzer
563 -
FortiSwitch
477 -
FortiAP
474 -
FortiClient EMS
436 -
6.0
416 -
5.6
362 -
FortiMail
323 -
6.2
251 -
SSL-VPN
249 -
FortiAuthenticator v5.5
234 -
IPsec
212 -
FortiWeb
208 -
5.0
196 -
FortiNAC
191 -
FortiGuard
139 -
6.4
128 -
SD-WAN
117 -
FortiAuthenticator
106 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
84 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
60 -
Fortivoice
56 -
High Availability
56 -
FortiADC
54 -
vlan
53 -
FortiEDR
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiGate-VM
18 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1737 | |
| 1107 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.