FortiGate
Alex_Yap_FTNT

Description

This article explains how to configure the Central NAT Table, which is found in the FortiGate (FGT) web-based manager under Firewall > Central NAT Table.

Scope

FortiOS v4.0 and above.


Solution

 

Definition

 

The Central NAT Table gives the administrator finer control over source port mapping: a source port range can be mapped onto another port range with fixed-port behaviour.

For example, with a source port mapping of 1000-1500 to 5000-5500, the feature guarantees that source port 1000 is translated to 5000, 1001 to 5001, and so on up to 1500 to 5500. Conventional IP-Pool NAT offers no such control: it can only choose between fixed and dynamic ports, and there is no option to map one source port range onto another.

With fixed port enabled on an IP-Pool, the original source port number is preserved, i.e. each packet is translated to the same source port number it arrived with.

Considerations

- Since the Central NAT Table inherits fixed-port behaviour, the environment must map each internal IP address to a unique external IP address, as in one-to-one static NAT.

- If many-to-one source NAT is required, this feature is not suitable, because two different PCs may well use the same source port number to reach the same public server on the Internet; with fixed ports and a shared external IP address, those two sessions would translate to the same source IP/port pair and collide.

How to configure the Central NAT Table:

1) Firewall > Policy > IP-Pool

- Define the IP mapping from internal to external.

2) Firewall > Policy > Central NAT Table

- Configure the Central NAT Table entry with the source port mapping.

3) Firewall > Policy > Policy

- Define the firewall policy with the Central NAT Table enabled.
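As an added example (not from the original article), the same three steps expressed as a FortiOS CLI script rather than through the web-based manager. The object names, interface names and addresses (host_pc1, 192.168.1.10, pool_ext, 203.0.113.10, internal, wan1) are assumed placeholders; the attribute names under firewall ippool, firewall central-nat and firewall policy follow the FortiOS 4.x/5.x CLI as the editor recalls it and should be checked against the CLI reference for the release in use.

```fortios
# Address object for the single internal host (assumed name and IP).
config firewall address
    edit "host_pc1"
        set subnet 192.168.1.10 255.255.255.255
    next
end

# Step 1: IP-Pool. Because the Central NAT Table inherits fixed-port
# behaviour, the pool must map one external IP per internal host
# (one-to-one), not a shared address for many hosts.
config firewall ippool
    edit "pool_ext"
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# Step 2: Central NAT Table entry. Source ports 1000-1500 from host_pc1
# are translated to 5000-5500 in order (1000->5000, 1001->5001, ...).
# Both ranges must be the same size.
config firewall central-nat
    edit 1
        set orig-addr "host_pc1"
        set srcintf "internal"
        set nat-ippool "pool_ext"
        set orig-port 1000-1500
        set nat-port 5000-5500
    next
end

# Step 3: firewall policy that hands NAT to the Central NAT Table.
# No per-policy "set nat enable" / "set ippool" is configured here;
# the translation comes from the central table instead.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "host_pc1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set central-nat enable
    next
end
```

To verify the mapping, generate a connection from 192.168.1.10 with a source port inside 1000-1500 and check the session with `diagnose sys session list`: the NAT'd source should read 203.0.113.10 with the port offset by 4000. A connection whose source port falls outside 1000-1500 is not covered by the entry, so confirm separately how it is handled before relying on the table in production.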

Note that in FortiOS v4.3 the Central NAT Table is disabled in the GUI by default.

To enable the Central NAT Table go to System > Admin > Display Options in GUI, and check the "Central NAT Table".

The Central NAT Table will then appear as shown in the screenshots below:-

[Screenshots FD33380-2, FD33380-1 and FD33380-3: the "Central NAT Table" display option under System > Admin > Display Options, and the resulting Central NAT Table page in the web-based manager.]

Note that in FortiOS v4.0 MR3 the Central NAT Table only appears once step 3 above has been applied; this holds both for its use in policies and for viewing the Central NAT Table in the Web-Based Manager.