- FortiGate 60E
- version 7.0.2
NAT settings in FortiGate
On FortiGate, NAT is configured as part of each firewall policy, in the policy's own settings.
You can use the following as the translated IP address:
- Outgoing interface IP address (used for source NAT)
- IP Pool (used for source NAT)
- Virtual IP (used for destination NAT)
Source NAT settings
Translation to the outbound interface IP address
When configuring from the GUI, use the Firewall / Network Options section of the firewall policy editing screen.
Enable NAT and select Use Outgoing Interface Address as the IP Pool Configuration.
When Preserve Source Port is enabled, the source port is kept as-is and is not translated. If multiple clients share the translated address, this must be disabled.
When configuring from the CLI, set these options under the edit hierarchy of the target policy in config firewall policy.
The correspondence between GUI and CLI setting items is as follows.
- NAT —> set nat
- IP Pool Configuration —> set ippool (set disable for Use Outgoing Interface Address)
- Preserve Source Port —> set fixedport

config firewall policy
    edit <n>
        set nat enable
        set ippool disable
        set fixedport disable
    next
end
Translation using IP Pool
First, create an IP Pool.
When configuring from the GUI, click Create New on the Policy & Objects > IP Pools screen.
The following screen is displayed.
IP Pool Type
- Overload
  - In addition to IP address translation, port address translation (PAT) is also performed. With 60,416 available port numbers for each IP, the IP pool can handle 60,416 sessions multiplied by the number of IP addresses.
- One-to-One
  - An IP Pool that does not perform port address translation (PAT); each internal IP is mapped to one pool IP.
- Fixed Port Range
  - PAT is executed. Specifying the Internal IP Range also determines the range of translated port numbers used for each internal IP.
- Port Block Allocation
  - PAT is executed. You can manually set the block size (number of ports) and the number of blocks per user (IP).
IP Pool setting in CLI
Configure the pool under config firewall ippool.

FortiGate-60E # show full-configuration firewall ippool
config firewall ippool
    edit "Pool_Overload"
        set type overload
        set startip 10.1.10.100
        set endip 10.1.10.102
        set arp-reply enable
        set arp-intf ''
        set associated-interface ''
        set comments ''
        set nat64 disable
    next
end
NAT settings in Firewall Policy
In IP Pool Configuration, select Use Dynamic IP Pool and select the IP Pool to use from the list.
When configuring from the CLI, the policy looks like this:

config firewall policy
    edit <n>
        set nat enable
        set ippool enable
        set poolname "Pool_Overload"
    next
end
NAT session confirmation command
Use get system session list to check which translated address and port each session is using.

FortiGate-60E # get system session list
PROTO  EXPIRE  SOURCE            SOURCE-NAT         DESTINATION          DESTINATION-NAT
tcp    25      10.1.20.10:52119  10.1.10.9:52119    22.214.171.124:993   -
tcp    0       10.1.20.10:64855  10.1.10.110:64855  126.96.36.199:110    -
udp    123     10.1.20.10:53791  10.1.10.110:53791  188.8.131.52:443     -
udp    125     10.1.20.10:56930  10.1.10.110:56930  184.108.40.206:443   -
udp    172     10.1.20.10:53013  10.1.10.110:53013  220.127.116.11:53    -
udp    113     10.1.20.10:58681  10.1.10.110:58681  18.104.22.168:53     -
udp    162     10.1.20.10:58674  10.1.10.110:58674  22.214.171.124:443   -
udp    172     10.1.20.10:62289  10.1.10.110:62289  126.96.36.199:53     -
udp    130     10.1.20.10:62629  10.1.10.110:62629  188.8.131.52:53      -
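As an added example (not from the original page), a small Python checker for the get system session list output: it parses the table, reports translated source addresses that fall outside the configured IP pool (so a policy bound to the wrong pool becomes visible), tells whether the source port was preserved (the fixedport behaviour), and computes an Overload pool's capacity from the 60,416 ports per IP stated above. The session lines are a constructed sample modelled on the output above; the pool range is the startip/endip of Pool_Overload from the configuration shown earlier.

```python
import ipaddress

# Constructed sample modelled on the "get system session list" output shown above.
SESSION_LIST = """\
PROTO   EXPIRE  SOURCE            SOURCE-NAT         DESTINATION          DESTINATION-NAT
tcp     25      10.1.20.10:52119  10.1.10.9:52119    22.214.171.124:993   -
tcp     0       10.1.20.10:64855  10.1.10.110:64855  126.96.36.199:110    -
udp     172     10.1.20.10:53013  10.1.10.110:53013  220.127.116.11:53    -
"""
# startip/endip of Pool_Overload from the "config firewall ippool" output above.
POOL_START, POOL_END = "10.1.10.100", "10.1.10.102"
PORTS_PER_IP = 60416  # Overload port budget per pool IP, as stated in the text

def split_endpoint(endpoint):
    # '10.1.10.9:52119' -> ('10.1.10.9', 52119); '-' (no translation) -> None
    if endpoint == "-":
        return None
    ip, port = endpoint.rsplit(":", 1)
    return ip, int(port)

def parse_sessions(text):
    """Parse the session table into dicts; the header and short lines are skipped."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "PROTO":
            continue
        proto, expire, src, snat, dst, dnat = fields[:6]
        sessions.append({"proto": proto, "expire": int(expire),
                         "src": split_endpoint(src), "snat": split_endpoint(snat),
                         "dst": split_endpoint(dst), "dnat": split_endpoint(dnat)})
    return sessions

def in_pool(ip, start=POOL_START, end=POOL_END):
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end)

def snat_outside_pool(sessions):
    """Translated source addresses that are not inside the configured pool range."""
    return sorted({s["snat"][0] for s in sessions
                   if s["snat"] and not in_pool(s["snat"][0])})

def source_port_preserved(session):
    """True when the translated port equals the original port (fixedport behaviour)."""
    return session["snat"] is not None and session["src"][1] == session["snat"][1]

def overload_capacity(start=POOL_START, end=POOL_END):
    """Maximum translated sessions for an Overload pool: 60,416 x number of pool IPs."""
    n_ips = int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1
    return n_ips * PORTS_PER_IP
```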