Friday, December 3, 2021

FortiGate Network Address Translation (NAT)

You can use either Source NAT (SNAT) or Destination NAT (DNAT) for traffic passing through a FortiGate. There are two ways to configure Source NAT and Destination NAT:

  1. Firewall Policy NAT
  2. Central NAT

NAT via a Virtual IP (VIP)

Virtual IPs (VIPs) are used to translate an external or public IP address (Internet) to an internal or private IP address.

A VIP performs Destination NAT (DNAT). In Firewall Policy NAT, a VIP can only be selected in the Destination address field of a Firewall Policy.

To create a VIP, go to Policy & Objects > Virtual IPs > Create New > Virtual IP.

Type a Name: FTP_SERVER_VIP > optionally type a Comment > select Interface: port1 > leave default Type: Static NAT > type External IP address/range: 192.168.1.200 > type Mapped IP address/range: 172.16.1.100 > click OK.

Create a Firewall Policy that uses the VIP just created as its destination address.

Go to Policy & Objects > Firewall Policy > Create New.

Type a Name: FTP_ACCESS > select Incoming Interface: port1 > select Outgoing Interface: port2 > select Source: all (from Internet) > select/search Destination: FTP_SERVER_VIP (under VIRTUAL IP/SERVER).

Leave default Schedule: Always > select Service: HTTP > leave default Action: ACCEPT > leave default Inspection Mode: Flow based > disable NAT.

Select Log Allowed Traffic: All Sessions > leave the other settings at their defaults > click OK.


I was able to FTP from 192.168.1.100 (Windows 10) to 192.168.1.200 (NAT VIP for Windows 7 VM).


To view the FortiGate NAT session entries, use the get system session list command.

Notice that the destination 192.168.1.200 was translated (DESTINATION-NAT column) to 172.16.1.100.

FG-1 #  get system session
list      List the current VDOM IPv4 sessions.
status    List the current VDOM IPv4 session count.

FG-1 #  get system session list
PROTO   EXPIRE SOURCE           SOURCE-NAT       DESTINATION      DESTINATION-NAT
tcp     3599   192.168.1.100:53070 -                192.168.1.160:80 -
tcp     3600   192.168.1.100:53068 -                192.168.1.160:22 -
tcp     3512   192.168.1.100:53045 -                192.168.1.200:21 172.16.1.100:21
udp     179    192.168.1.160:1772 -                208.91.112.52:53 -
udp     179    192.168.1.160:1772 -                208.91.112.53:53 -
tcp     3599   192.168.1.100:53069 -                192.168.1.160:80 -
tcp     0      192.168.1.160:6686 -                173.243.132.27:443 -

Use the diagnose sys session clear command to clear all existing sessions (including the SSH session).

FG-1 # diagnose sys session
sync         List session sync.
list         List session.
clear        Clear the sessions defined by filter.
stat         Stat session.
full-stat    Fully stat session.
exp-stat     Expectation session statistics.
ttl          TTL session.
filter       List session with filters.
help         Session help.

FG-1 # diagnose sys session clear

Notice the previous FTP session was cleared.

FG-1 # get system session list
PROTO   EXPIRE SOURCE           SOURCE-NAT       DESTINATION      DESTINATION-NAT
tcp     3599   192.168.1.100:53099 -                192.168.1.160:22 -
tcp     3595   192.168.1.100:53101 -                192.168.1.160:80 -

I tested Source NAT from 172.16.1.100 (Windows 7 VM). All egress or outgoing connections used the VIP 192.168.1.200.

Notice that 172.16.1.100 (Windows 7 VM) uses the VIP 192.168.1.200 as its Source NAT address instead of the IP address of the egress interface port1 (192.168.1.160).

FG-1 # get system session list
PROTO   EXPIRE SOURCE           SOURCE-NAT       DESTINATION      DESTINATION-NAT
tcp     3600   192.168.1.100:53099 -                192.168.1.160:22 -
udp     134    172.16.1.100:54959 192.168.1.200:54959 172.217.160.14:443 -
udp     146    172.16.1.100:54973 192.168.1.200:54973 74.125.24.95:443 -
udp     146    172.16.1.100:54955 192.168.1.200:54955 8.8.8.8:443      -
udp     133    172.16.1.100:54963 192.168.1.200:54963 157.240.7.26:443 -
udp     103    172.16.1.100:54954 192.168.1.200:54954 8.8.8.8:53       -
udp     108    172.16.1.100:54958 192.168.1.200:54958 157.240.13.35:443 -
udp     17     172.16.1.100:59660 192.168.1.200:59660 8.8.8.8:53       -
udp     160    192.168.1.160:1772 -                208.91.112.52:53 -
udp     173    192.168.1.160:1772 -                208.91.112.53:53 -
udp     136    172.16.1.100:54956 192.168.1.200:54956 172.217.160.36:443 -


Dynamic NAT with IP Pools

IP Pools are used to translate the source address to an address from the pool, rather than to the FortiGate egress interface IP address.

To create an IP pool, go to Policy & Objects > IP Pools > Create New.

Type a Name: IP_POOL_1 > leave default Type: Overload > type External IP address/range: 192.168.1.201-192.168.1.201 > leave the default ARP Reply enabled > click OK.

To edit the Firewall Policy to use the IP pool, go to Policy & Objects > Firewall Policy.

I temporarily disabled the Firewall Policies FTP_ACCESS and DENY_PING_DNS by doing a right-click > Set Status > Disable.

Select the Firewall Policy: FG_LAN_INTERNET > click Edit (or just double-click it).

Select IP Pool Configuration > Use Dynamic IP Pool > select IP_POOL_1 created earlier > click Close.

Click OK.

I can access support.fortinet.com from 172.16.1.100 (Windows 7 VM).

To view the FortiGate NAT session table, use the get system session list command.

Notice that the SOURCE-NAT column shows the IP pool address 192.168.1.201 instead of the FortiGate egress interface IP address 192.168.1.160.

FG-1 # get system session list
PROTO   EXPIRE SOURCE           SOURCE-NAT       DESTINATION      DESTINATION-NAT
tcp     3594   172.16.1.100:56543 192.168.1.201:56543 63.137.229.1:443 -
tcp     3594   172.16.1.100:56542 192.168.1.201:56542 63.137.229.1:443 -
udp     168    172.16.1.100:64393 192.168.1.201:64393 8.8.8.8:53       -
udp     173    172.16.1.100:64394 192.168.1.201:64394 8.8.4.4:443      -
tcp     3594   172.16.1.100:56541 192.168.1.201:56541 63.137.229.1:443 -
tcp     3600   192.168.1.100:57481 -                192.168.1.160:22 -
udp     174    172.16.1.100:64395 192.168.1.201:64395 74.125.24.103:443 -
udp     145    192.168.1.160:1940 -                208.91.112.52:53 -
udp     150    192.168.1.160:1940 -                208.91.112.53:53 -


Central Source NAT (SNAT)

A Central Source NAT (SNAT) policy applies to multiple firewall policies, based on a configured central rule. Use the set central-nat enable command under config system settings to enable Central SNAT on the FortiGate.

When enabling Central SNAT, first remove the VIP and IP pool references from the existing Firewall Policies. Notice that the command returns an error because policy ID 3 references a VIP, even though that policy is currently disabled.

FG-1 # config sys setting
FG-1 (settings) # set central-nat enable
Cannot enable central-nat with firewall policy using vip (id=3).

I removed all the configured Firewall Policies except for Implicit Deny.

I was able to issue the set central-nat enable command afterwards.

FG-1 # config sys setting
FG-1 (settings) # set central-nat enable
FG-1 (settings) # end

I logged out and logged back in to the FortiGate GUI in order to display the Central SNAT option.

Go to Policy & Objects > Central SNAT > Create New.

Select Incoming Interface: any > select Outgoing Interface: any > select Source Address: all > select Destination Address: all.

Leave the NAT option enabled > IP Pool Configuration > Use Dynamic IP Pool > select IP_POOL_1 (192.168.1.201) > select Protocol: any > click OK.

Create a Firewall Policy to allow LAN traffic to the Internet. Go to Policy & Objects > Firewall Policy > Create New.

Type a Name: LAN_TO_INTERNET > select Incoming Interface: port2 > select Outgoing Interface: port1 > select Source: all > select Destination: all > select Service: ALL > leave the Action: Accept > leave the Inspection Mode: Flow based.

Notice there's no option to enable NAT within the Firewall Policy.

Select Log Allowed Traffic: All Sessions > leave the other settings at their defaults > click OK.

To test the Central SNAT policy, I tried to go to docs.fortinet.com from 172.16.1.100 (Windows 7 VM).

To view the FortiGate NAT session table, issue the get system session list command.

Notice that 172.16.1.100 (Windows 7 VM) was translated using the SOURCE-NAT address 192.168.1.201 (IP_POOL_1).

FG-1 # get system session list
PROTO   EXPIRE SOURCE           SOURCE-NAT       DESTINATION      DESTINATION-NAT
tcp     3595   192.168.1.100:60902 -                192.168.1.160:80 -
tcp     3600   192.168.1.100:60899 -                192.168.1.160:22 -
udp     148    172.16.1.100:53737 192.168.1.201:53737 74.125.24.139:443 -
udp     138    172.16.1.100:55522 192.168.1.201:55522 8.8.8.8:53       -
tcp     3595   192.168.1.100:60903 -                192.168.1.160:80 -
tcp     3595   192.168.1.100:60900 -                192.168.1.160:80 -
tcp     4      192.168.1.100:60904 -                192.168.1.160:80 -
udp     137    172.16.1.100:53739 192.168.1.201:53739 172.253.118.102:443 -
udp     139    172.16.1.100:55524 192.168.1.201:55524 8.8.8.8:53       -
tcp     3      192.168.1.100:60901 -                192.168.1.160:80 -
udp     159    172.16.1.100:55538 192.168.1.201:55538 74.125.68.95:443 -
udp     151    172.16.1.100:53734 192.168.1.201:53734 74.125.24.103:443 -
udp     139    172.16.1.100:55523 192.168.1.201:55523 8.8.8.8:53       -
udp     159    172.16.1.100:53736 192.168.1.201:53736 8.8.4.4:443      -
udp     176    192.168.1.160:4301 -                208.91.112.53:53 -
udp     161    192.168.1.160:4301 -                208.91.112.52:53 -


Create a second IP Pool to be used for the second Central SNAT policy. Go to Policy & Objects > IP Pools > Create New.

Type a Name: IP_POOL_2 > leave default Type: Overload > type External IP address/range: 192.168.1.202-192.168.1.202 > click OK.

To create a second Central SNAT policy, go to Policy & Objects > Central SNAT > Create New.

Select Incoming Interface: port2 > select Outgoing Interface: port1 > select Source Address: all > select Destination Address: PUBLIC_DNS (4.2.2.2).

Leave NAT enabled > IP Pool Configuration > Use Dynamic IP Pool > select IP_POOL_2 > select Protocol: any > click OK.

Like a Firewall Policy, a Central SNAT policy is processed from top to bottom, so the first matching policy is the one applied. Re-order the newly created Central SNAT policy (ID 2) and move it to the top; otherwise the broader any/any policy created earlier would match the traffic to 4.2.2.2 first.

I tried to ping the public DNS 4.2.2.2 from 172.16.1.100 (Windows 7 VM).

Notice the ICMP session was translated using IP_POOL_2 (192.168.1.202).

FG-1 # get system session list
PROTO   EXPIRE SOURCE           SOURCE-NAT       DESTINATION      DESTINATION-NAT
tcp     3599   192.168.1.100:61282 -                192.168.1.160:80 -
tcp     0      192.168.1.160:7767 -                173.243.132.27:443 -
tcp     3599   192.168.1.100:61280 -                192.168.1.160:80 -
tcp     3599   192.168.1.100:61281 -                192.168.1.160:80 -
tcp     3599   192.168.1.100:61270 -                192.168.1.160:22 -
icmp    46     172.16.1.100:1   192.168.1.202:60417 4.2.2.2:8        -
udp     163    192.168.1.160:1289 -                208.91.112.53:53 -
udp     179    192.168.1.160:1289 -                208.91.112.52:53 -


Central Destination NAT (DNAT) and VIP

In Firewall Policy NAT, a Virtual IP (VIP) is selected in the Firewall Policy as the destination address. In Central NAT, as soon as a DNAT & Virtual IPs entry is configured, the FortiGate automatically creates a rule in the kernel that allows DNAT to occur with no additional configuration.

To create a DNAT entry and VIP, go to Policy & Objects > DNAT & Virtual IPs.

Notice the DNAT configured previously: FTP_SERVER_VIP, which maps the External IP address 192.168.1.200 to the Internal IP 172.16.1.100 (Windows 7 VM).

To create an Egress-to-Ingress Firewall Policy, go to Policy & Objects > Firewall Policy > Create New.

Type a Name: DNAT_FTP_VIP > select Incoming Interface: port1 > select Outgoing Interface: port2 > select Source: all.

Notice that you can't select FTP_SERVER_VIP as the Destination, since the FortiGate automatically creates the kernel rule for DNAT.

Select Destination: all > select Service: FTP > leave default Action: Accept.

Select Log Allowed Traffic: All Sessions > click OK.

I tried to FTP from 192.168.1.100 (Windows 10) to 192.168.1.200 (NAT for Windows 7 VM).

To view the FortiGate NAT session table, issue the get system session list command.

Notice that the session from 192.168.1.100 (Windows 10) to 192.168.1.200 (VIP) was translated (DESTINATION-NAT column) to 172.16.1.100 (Windows 7 VM) without creating a DNAT policy.

FG-1 # get system session list
PROTO   EXPIRE SOURCE           SOURCE-NAT       DESTINATION      DESTINATION-NAT
tcp     3595   192.168.1.100:49166 -                192.168.1.160:80 -
tcp     3571   192.168.1.100:49155 192.168.1.201:49155 192.168.1.200:21 172.16.1.100:21
tcp     3595   192.168.1.100:49167 -                192.168.1.160:80 -
tcp     3595   192.168.1.100:49164 -                192.168.1.160:80 -
udp     143    192.168.1.160:2896 -                208.91.112.52:53 -
udp     176    192.168.1.160:2896 -                208.91.112.53:53 -
tcp     3595   192.168.1.100:49165 -                192.168.1.160:80 -
tcp     3599   192.168.1.100:65529 -                192.168.1.160:22 -

I tried to access fortinet.com from 172.16.1.100 (Windows 7 VM).

View the NAT table again. Notice that 172.16.1.100 used the Central SNAT pool IP_POOL_1 (192.168.1.201).

FG-1 # get system session list
PROTO   EXPIRE SOURCE           SOURCE-NAT       DESTINATION      DESTINATION-NAT
udp     92     172.16.1.100:53315 192.168.1.201:53315 172.217.194.103:443 -
udp     167    172.16.1.100:53329 192.168.1.201:53329 74.125.200.95:443 -
udp     179    172.16.1.100:61271 192.168.1.201:61271 172.217.194.95:443 -
tcp     4      192.168.1.100:49226 -                192.168.1.160:80 -
tcp     3593   172.16.1.100:56672 192.168.1.201:56672 91.199.212.52:80 -
tcp     3342   192.168.1.100:49155 192.168.1.201:49155 192.168.1.200:21 172.16.1.100:21
udp     164    172.16.1.100:53337 192.168.1.201:53337 74.125.24.155:443 -
udp     163    172.16.1.100:53333 192.168.1.201:53333 74.125.24.100:443 -
tcp     3599   172.16.1.100:56677 192.168.1.201:56677 52.84.224.40:443 -
tcp     3598   172.16.1.100:56673 192.168.1.201:56673 52.84.224.58:443 -
udp     167    172.16.1.100:49759 192.168.1.201:49759 157.240.13.35:443 -
udp     166    172.16.1.100:53343 192.168.1.201:53343 8.8.4.4:443      -
tcp     3599   172.16.1.100:56675 192.168.1.201:56675 50.16.7.188:443  -
udp     173    172.16.1.100:54230 192.168.1.201:54230 8.8.8.8:53       -
udp     167    172.16.1.100:49758 192.168.1.201:49758 172.217.194.157:443 -
tcp     3598   172.16.1.100:56671 192.168.1.201:56671 13.107.4.50:80   -
tcp     3599   172.16.1.100:56676 192.168.1.201:56676 18.141.80.142:443 -
udp     179    172.16.1.100:61272 192.168.1.201:61272 74.125.24.94:443 -
tcp     4      172.16.1.100:56668 192.168.1.201:56668 50.116.239.150:443 -
udp     92     172.16.1.100:53314 192.168.1.201:53314 8.8.4.4:443      -
udp     50     172.16.1.100:56677 192.168.1.201:56677 8.8.8.8:53
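To check a session listing without reading it by eye, here is an added Python parser for the get system session list output shown on this page (example code, not FortiGate's own; the pool, VIP and port1 addresses are assumed from this lab, and the sample rows are copied from the listings above). It tags each session by the object that supplied its translated address and flags inbound VIP sessions that were also source-NATed.

```python
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample: four rows copied from the session listings on this page.
SAMPLE = """\
PROTO   EXPIRE SOURCE           SOURCE-NAT       DESTINATION      DESTINATION-NAT
tcp     3599   192.168.1.100:61270 -                192.168.1.160:22 -
tcp     3571   192.168.1.100:49155 192.168.1.201:49155 192.168.1.200:21 172.16.1.100:21
udp     148    172.16.1.100:53737 192.168.1.201:53737 74.125.24.139:443 -
icmp    46     172.16.1.100:1   192.168.1.202:60417 4.2.2.2:8        -
"""
# Lab addresses assumed from this page; adjust them for your own FortiGate.
EGRESS_IP = "192.168.1.160"  # port1 interface address
POOLS = {"192.168.1.201": "IP_POOL_1", "192.168.1.202": "IP_POOL_2"}
VIPS = {"192.168.1.200": "FTP_SERVER_VIP"}

@dataclass
class Session:
    proto: str
    expire: int
    src: str
    snat: Optional[str]  # None where the column shows "-"
    dst: str
    dnat: Optional[str]

def parse_session_list(text: str) -> List[Session]:
    """Parse 'get system session list' output into Session records."""
    rows = []
    for line in text.splitlines():
        f = [None if tok == "-" else tok for tok in line.split()]
        if len(f) != 6 or f[0] == "PROTO":
            continue  # header line or not a session row
        rows.append(Session(f[0], int(f[1]), f[2], f[3], f[4], f[5]))
    return rows

def ip_of(endpoint: str) -> str:
    return endpoint.rsplit(":", 1)[0]  # drop ':port' (':id' for ICMP)

def snat_kind(ip: str) -> str:
    """Name the object that supplied the translated source address."""
    return POOLS.get(ip) or VIPS.get(ip) or ("egress-interface" if ip == EGRESS_IP else "other")

def classify(s: Session) -> List[str]:
    tags = []
    if s.snat:
        tags.append("snat:" + snat_kind(ip_of(s.snat)))
    if s.dnat:
        tags.append("dnat:" + VIPS.get(ip_of(s.dst), "unknown-vip"))
    if s.snat and s.dnat:  # inbound VIP session that was source-NATed too
        tags.append("double-nat")  # the server sees the pool IP, not the client
    return tags
```

In the central-NAT FTP session above, the SOURCE-NAT column also shows 192.168.1.201 because the any/any Central SNAT policy matched the inbound session as well; the double-nat tag makes such rows easy to spot, since the FTP server's own logs then record the pool address rather than the real client.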