Hello.
What is the use of Central SNAT/DNAT?
Where should I apply it in our organization?
Hello @Umesh ,
You don't have to use central NAT. In my opinion, central NAT is like a habit. If you have experience with other firewalls (like Checkpoint, Palo Alto, Cisco, etc.), their NAT configuration is similar to central NAT. I think a lot of people use central NAT because of that.
But in my opinion, Fortinet-style NAT configuration is easy to use. You can easily adapt to this style.
You can review these documents about central NAT.
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/421028/central-snat
I will second what @ozkanaltas said - Central NAT is a matter of personal preference rather than any difference in functionality. The only case it becomes mandatory is when switching to the policy-based mode, instead of profile-based rules.
Hi @Umesh,
Central NAT is disabled by default on FortiGate. Most customers who use Central NAT converted their configuration from third party firewalls such as Cisco, Checkpoint, etc. You can refer to this link for comparison: https://docs.fortinet.com/document/forticonverter-service/23.1.0/online-help/924520/policy-nat-vs-ce...
Please note that in central NAT mode, FortiGate doesn’t allow dynamic NAT rules to translate a single internal address into different external addresses based on different services.
Regards,
Personally I prefer Central SNAT since it is centrally managed; it makes life simpler if you have many firewall policies using SNAT.
DNAT is different, you use it when you publish a service (Web server or other) on the WAN.
I'm with @ozkanaltas and @Yurisk. There is a reason.
With Central NAT you have to set the conditions to match traffic in the Central NAT config, while you still need to set the same or similar conditions to match traffic in policies. To me it's duplicate work and redundant.
However, other FW platforms use exclusively the Central NAT method, like "you-know-who"s. So if you came from those FW experiences, you would probably prefer Central NAT.
Also, those who use Central NAT for a reason would say the same thing I said above but the opposite way, like "with Central NAT you can set separate sets of conditions from policies to match traffic. You don't have to set NAT on each individual policy in case you have many NAT policies."
Toshi