jheadley_FTNT
Description
FortiOS v5.4 made several enhancements to the Central NAT table and Virtual IPs. When trying to enable Central NAT in FortiOS 5.4, users may receive the error message 'Cannot enable central-nat with firewall policy using vip'.

In addition, users will notice that Virtual IPs can no longer be selected in the firewall policies when Central NAT is enabled.  

Scope
FortiGate/FortiOS 5.4.x

Solution
The message 'Cannot enable central-nat with firewall policy using vip' may be encountered when trying to enable Central NAT.  This error message indicates that Central NAT cannot be enabled yet because virtual IPs have been created and referenced in firewall policies.

Before Central NAT can be enabled, it is necessary to delete the policies that contain the virtual IP objects or modify the policies so that they no longer reference the virtual IP.


Once all of the virtual IPs have 0 references, Central NAT can be enabled via the command line interface (CLI).
    config system settings
    set central-nat enable
    end

Now that Central NAT is enabled, there will be a Central SNAT table (source IP address translation) and a DNAT & Virtual IPs table (destination IP address translation).

It is necessary to log out and log back in to the web GUI to see these changes.


The DNAT & Virtual IPs table affects every policy on the FortiGate, without the need to specifically reference a virtual IP in the policy itself.

If VDOMs are enabled, the SNAT and DNAT tables affect all policies per-VDOM, not globally.

Since the tables affect all policies, it is no longer necessary to explicitly choose the virtual IP object as the destination address object in the firewall policy for DNAT to be performed. Instead, the policy only needs to reference the virtual IP's internal address (specifically, the 'Mapped IP Address') as a destination address object. See the example below for further clarification.

Virtual IPs Before Enabling Central NAT: [screenshot]

Firewall Policy Before Enabling Central NAT: [screenshot]

DNAT & Virtual IPs After Enabling Central NAT: [screenshot]

Firewall Policy After Enabling Central NAT: [screenshot]
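The same before/after change expressed in the FortiOS CLI, as an added, constructed example rather than the article's own configuration. It assumes interfaces named wan1 and internal, an external address of 203.0.113.10 and a mapped (internal) address of 192.168.1.10; a VIP named "web-vip" and a policy ID of 10 are likewise assumed.

```fortios
# Constructed values: wan1/internal interfaces, 203.0.113.10 external, 192.168.1.10 mapped IP.
# --- Before: the policy references the VIP object directly, which counts as one reference ---
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "192.168.1.10"
    next
end
config firewall policy
    edit 10
        set name "inbound-https"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end

# --- Step 1: list every policy that still references the VIP; each one must be changed or deleted ---
show firewall policy | grep "web-vip"

# --- Step 2: create an address object for the mapped IP and point the policy at it instead ---
config firewall address
    edit "web-internal"
        set subnet 192.168.1.10 255.255.255.255
    next
end
config firewall policy
    edit 10
        set dstaddr "web-internal"
    next
end

# --- Step 3: the VIP now has 0 references, so Central NAT can be enabled ---
config system settings
    set central-nat enable
end
# After this, "web-vip" is applied from the DNAT & Virtual IPs table to every policy,
# and policy 10 matches on the translated destination 192.168.1.10.
# Keep dstaddr set to the mapped address rather than "all" so the policy stays as
# narrow as it was when it referenced the VIP object.
```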
