My Cybersecurity Journal: December 2021

You can use either Source NAT (SNAT) or Destination NAT (DNAT) for traffic passing through a FortiGate. There are two ways to configure Source NAT and Destination NAT:

Firewall Policy NAT
Central NAT

NAT via a Virtual IP (VIP)

Virtual IP (VIP) are used to translate an external or public IP address (Internet) to an internal or private IP address.

A VIP is a Destination NAT (DNAT), which you can only select in a Firewall Policy destination address field.

To create a VIP, go to Policy & Objects > Virtual IPs > Create New > Virtual IP.

Type a Name: FTP_SERVER_VIP > optionally type a Comment > select Interface: port1 > leave default Type: Static NAT > type External IP address/range: 192.168.1.200 > type Mapped IP address/range: 172.16.1.100 > click OK.

Create a Firewall Policy using the VIP created as destination address.

Go to Firewall Policy > Create New.

Type a Name: FTP_ACCESS > select Incoming Interface: port1 > select Outgoing Interface: port2 > select Source: all (from Internet) > select/search Destination: FTP_SERVER_VIP (under VIRTUAL IP/SERVER).

Leave default Schedule: Always > select Service: HTTP > leave default Action: ACCEPT > leave default Inspection Mode: Flow based > disable NAT

Select Log Allowed Traffic: All Sessions > leave the other settings in default > click OK.

I was able to FTP from 192.168.1.100 (Windows 10) to 192.168.1.200 (NAT VIP for Windows 7 VM).

To view the FortiGate NAT session entries, use the get system session list command.

Notice the 192.168.1.200 was translated (DESTINATION-NAT) to 172.16.1.100.

FG-1 # get system session

list List the current VDOM IPv4 sessions.

status List the current VDOM IPv4 session count.

FG-1 # get system session list

PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT

tcp 3599 192.168.1.100:53070 - 192.168.1.160:80 -

tcp 3600 192.168.1.100:53068 - 192.168.1.160:22 -

tcp 3512 192.168.1.100:53045 - 192.168.1.200:21 172.16.1.100:21

udp 179 192.168.1.160:1772 - 208.91.112.52:53 -

udp 179 192.168.1.160:1772 - 208.91.112.53:53 -

tcp 3599 192.168.1.100:53069 - 192.168.1.160:80 -

tcp 0 192.168.1.160:6686 - 173.243.132.27:443 -

Use the diagnose sys session clear command to clear all existing sessions (including the SSH session).

FG-1 # diagnose sys session

sync List session sync.

list List session.

clear Clear the sessions defined by filter.

stat Stat session.

full-stat Fully stat session.

exp-stat Expectation session statistics.

ttl TTL session.

filter List session with filters.

help Session help.

FG-1 # diagnose sys session clear

Notice the previous FTP session was cleared.

FG-1 # get system session list

PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT

tcp 3599 192.168.1.100:53099 - 192.168.1.160:22 -

tcp 3595 192.168.1.100:53101 - 192.168.1.160:80 -

I tested Source NAT from 172.16.1.100 (Windows 7 VM). All egress or outgoing connections used the VIP 192.168.1.200.

Notice the 172.16.1.100 (Windows 7 VM) uses the VIP 192.168.1.200 for Source NAT instead of the IP address on egress/port1 (192.168.1.160).

FG-1 # get system session list

PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT

tcp 3600 192.168.1.100:53099 - 192.168.1.160:22 -

udp 134 172.16.1.100:54959 192.168.1.200:54959 172.217.160.14:443 -

udp 146 172.16.1.100:54973 192.168.1.200:54973 74.125.24.95:443 -

udp 146 172.16.1.100:54955 192.168.1.200:54955 8.8.8.8:443 -

udp 133 172.16.1.100:54963 192.168.1.200:54963 157.240.7.26:443 -

udp 103 172.16.1.100:54954 192.168.1.200:54954 8.8.8.8:53 -

udp 108 172.16.1.100:54958 192.168.1.200:54958 157.240.13.35:443 -

udp 17 172.16.1.100:59660 192.168.1.200:59660 8.8.8.8:53 -

udp 160 192.168.1.160:1772 - 208.91.112.52:53 -

udp 173 192.168.1.160:1772 - 208.91.112.53:53 -

udp 136 172.16.1.100:54956 192.168.1.200:54956 172.217.160.36:443 -

Dynamic NAT with IP Pools

IP Pools are used to translate the source address to an address from that pool, rather than the FortiGate egress interface IP address.

To create an IP pool, go to Policy & Objects > IP Pools > Create New.

Type a Name: IP_POOL_1 > leave default Type: Overload > type External IP address/range: 192.168.1.201-192.168.1.201 > leave the default ARP Reply enabled > click OK.

Edit the Firewall Policy to use the IP pool, go to Policy & Objects > Firewall Policy.

I temporarily disabled the Firewall Policies: FTP_ACCESS and DENY_PING_DNS by doing a right-click > Set Status > Disable.

Select the Firewall Policy: FG_LAN_INTERNET > click Edit (or just double-click it).

Select IP Pool Configuration > Use Dynamic IP Pool > select IP_POOL_1 created earlier > click Close.

Click OK.

I can access support.fortinet.com from 172.16.1.100 (Windows 7 VM).

To view the FortiGate NAT session table, use the get system session list command.

Notice the SOURCE-NAT is using the IP address 192.168.1.201 instead of the FortiGate egress interface IP address 192.168.1.160.

FG-1 # get system session list

PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT

tcp 3594 172.16.1.100:56543 192.168.1.201:56543 63.137.229.1:443 -

tcp 3594 172.16.1.100:56542 192.168.1.201:56542 63.137.229.1:443 -

udp 168 172.16.1.100:64393 192.168.1.201:64393 8.8.8.8:53 -

udp 173 172.16.1.100:64394 192.168.1.201:64394 8.8.4.4:443 -

tcp 3594 172.16.1.100:56541 192.168.1.201:56541 63.137.229.1:443 -

tcp 3600 192.168.1.100:57481 - 192.168.1.160:22 -

udp 174 172.16.1.100:64395 192.168.1.201:64395 74.125.24.103:443 -

udp 145 192.168.1.160:1940 - 208.91.112.52:53 -

udp 150 192.168.1.160:1940 - 208.91.112.53:53 -

Central Source NAT (SNAT)

A Central Source NAT (SNAT) policy is applied to multiple firewall policies, based on a configured central rule. You use the set central-nat enable command to enable Central SNAT in FortiGate.

When enabling Central SNAT, make sure to remove first the VIP and IP pool references from the existing Firewall Policies. Notice an error was prompted due to a VIP used in policy ID 3 even though it's currently disabled.

FG-1 # config sys setting

FG-1 (settings) # set central-nat enable

Cannot enable central-nat with firewall policy using vip (id=3).

I removed all the configured Firewall Policy except for Implicit Deny.

I was able to issue the set central-nat enable command afterwards.

FG-1 # config sys setting

FG-1 (settings) # set central-nat enable

FG-1 (settings) # end

I logout and re-login the FortiGate GUI in order to display the Central SNAT option.

Go to Policy & Objects > Central SNAT > Create New.

Select Incoming Interface: any > select Outgoing Interface: any > select Source Address: all > select Destination Address: all.

Leave the NAT option enabled > IP Pool Configuration > Use Dynamic IP Pool > select IP_POOL_1 (192.168.1.201) > select Protocol: any > click OK.

Create a Firewall Policy to allow LAN traffic to the Internet. Go to Policy & Objects > Firewall Policy > Create New.

Type a Name: LAN_TO_INTERNET > select Incoming Interface: port2 > select Outgoing Interface: port1 > select Source: all > select Destination: all > select Service: ALL > leave the Action: Accept > leave the Inspection Mode: Flow based.

Notice there's no option to enable NAT within the Firewall Policy.

Select Log Allowed Traffic: All Sessions > leave the other settings in default > click OK.

To test the Central SNAT policy, I tried to go to docs.fortinet.com from 172.16.1.100 (Windows 7 VM).

To view the FortiGate NAT session table, issue a get system session list command.

Notice the IP 172.16.1.100 (Windows 7 VM) was translated using the SOURCE-NAT address 192.168.1.201 (IP_POOL_1).

FG-1 # get system session list

PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT

tcp 3595 192.168.1.100:60902 - 192.168.1.160:80 -

tcp 3600 192.168.1.100:60899 - 192.168.1.160:22 -

udp 148 172.16.1.100:53737 192.168.1.201:53737 74.125.24.139:443 -

udp 138 172.16.1.100:55522 192.168.1.201:55522 8.8.8.8:53 -

tcp 3595 192.168.1.100:60903 - 192.168.1.160:80 -

tcp 3595 192.168.1.100:60900 - 192.168.1.160:80 -

tcp 4 192.168.1.100:60904 - 192.168.1.160:80 -

udp 137 172.16.1.100:53739 192.168.1.201:53739 172.253.118.102:443 -

udp 139 172.16.1.100:55524 192.168.1.201:55524 8.8.8.8:53 -

tcp 3 192.168.1.100:60901 - 192.168.1.160:80 -

udp 159 172.16.1.100:55538 192.168.1.201:55538 74.125.68.95:443 -

udp 151 172.16.1.100:53734 192.168.1.201:53734 74.125.24.103:443 -

udp 139 172.16.1.100:55523 192.168.1.201:55523 8.8.8.8:53 -

udp 159 172.16.1.100:53736 192.168.1.201:53736 8.8.4.4:443 -

udp 176 192.168.1.160:4301 - 208.91.112.53:53 -

udp 161 192.168.1.160:4301 - 208.91.112.52:53 -

Create a second IP Pool to be used for the second Central SNAT policy. Go to Policy & Objects > IP Pools > Create New.

Type a Name: IP_POOL_2 > leave default Type: Overload > type External IP address/range: 192.168.1.202-192.168.1.202 > click OK.

Create a second Central SNAT policy, go to Policy & Objects > Central SNAT > Create New.

Select Incoming Interface: port2 > select Outgoing Interface: port1 > select Source Address: all > select Destination Address: PUBLIC_DNS (4.2.2.2)

Leave NAT enabled > IP Pool Configuration > Use Dynamic IP Pool > select IP_POOL_2 > select Protocol: any > click OK.

Like the Firewall Policy, a Central SNAT policy is processed from top to bottom. Re-order the newly created Central SNAT policy (ID 2) and move it to the top.

I tried to ping the pubic DNS 4.2.2.2 from 172.16.1.100 (Windows 7 VM).

Notice the ICMP session was translated using the IP_POOL_2 (192.168.1.202).

FG-1 # get system session list

PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT

tcp 3599 192.168.1.100:61282 - 192.168.1.160:80 -

tcp 0 192.168.1.160:7767 - 173.243.132.27:443 -

tcp 3599 192.168.1.100:61280 - 192.168.1.160:80 -

tcp 3599 192.168.1.100:61281 - 192.168.1.160:80 -

tcp 3599 192.168.1.100:61270 - 192.168.1.160:22 -

icmp 46 172.16.1.100:1 192.168.1.202:60417 4.2.2.2:8 -

udp 163 192.168.1.160:1289 - 208.91.112.53:53 -

udp 179 192.168.1.160:1289 - 208.91.112.52:53 -

Central Destination NAT (DNAT) and VIP

In Firewall Policy NAT, a Virtual IP (VIP) is selected in the Firewall Policy as the destination address. In Central NAT, as soon as DNAT & Virtual IPs is configured, the FortiGate automatically creates a rule in the kernel to allow DNAT to occur with no additional configuration.

To create DNAT and VIP, go to Policy & Objects > DNAT & Virtual IPs.

Notice the previous DNAT configured: FTP_SERVER_VIP, which mapped the External IP address: 192.168.1.200 to Internal IP: 172.16.1.100 (Windows 7 VM).

Create an Egress-to-Ingress Firewall Policy, go to Policy & Objects > Firewall Policy > Create New.

Type a Name: DNAT_FTP_VIP > select Incoming Interface: port1 > select Outgoing Interface: port2 > select Source: all.

Notice you can't select the FTP_SERVER_VIP as the Destination since the FortiGate automatically creates a rule in the kernel for DNAT to occur.

Select Destination: all > select Service: FTP > leave default Action: Accept.

Select Log Allowed Traffic: All Sessions > click OK.

I tried to FTP from 192.168.1.100 (Windows 10) to 192.168.1.200 (NAT for Windows 7 VM).

To view the FortiGate NAT session table, issue a get system session list command.

Notice the 192.168.1.100 (Windows 10) was translated using DESTINATION_NAT 192.168.1.200 (VIP) to 172.16.1.100 (Windows 7 VM) without creating a DNAT policy.

FG-1 # get system session list

PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT

tcp 3595 192.168.1.100:49166 - 192.168.1.160:80 -

tcp 3571 192.168.1.100:49155 192.168.1.201:49155 192.168.1.200:21 172.16.1.100:21

tcp 3595 192.168.1.100:49167 - 192.168.1.160:80 -

tcp 3595 192.168.1.100:49164 - 192.168.1.160:80 -

udp 143 192.168.1.160:2896 - 208.91.112.52:53 -

udp 176 192.168.1.160:2896 - 208.91.112.53:53 -

tcp 3595 192.168.1.100:49165 - 192.168.1.160:80 -

tcp 3599 192.168.1.100:65529 - 192.168.1.160:22 -

I tried to access fortinet.com from 172.16.1.100 (Windows 7 VM).

View the NAT table again. Notice the 172.16.1.100 used the Central SNAT IP_POOL_1 (192.168.1.201).

FG-1 # get system session list

PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT

udp 92 172.16.1.100:53315 192.168.1.201:53315 172.217.194.103:443 -

udp 167 172.16.1.100:53329 192.168.1.201:53329 74.125.200.95:443 -

udp 179 172.16.1.100:61271 192.168.1.201:61271 172.217.194.95:443 -

tcp 4 192.168.1.100:49226 - 192.168.1.160:80 -

tcp 3593 172.16.1.100:56672 192.168.1.201:56672 91.199.212.52:80 -

tcp 3342 192.168.1.100:49155 192.168.1.201:49155 192.168.1.200:21 172.16.1.100:21

udp 164 172.16.1.100:53337 192.168.1.201:53337 74.125.24.155:443 -

udp 163 172.16.1.100:53333 192.168.1.201:53333 74.125.24.100:443 -

tcp 3599 172.16.1.100:56677 192.168.1.201:56677 52.84.224.40:443 -

tcp 3598 172.16.1.100:56673 192.168.1.201:56673 52.84.224.58:443 -

udp 167 172.16.1.100:49759 192.168.1.201:49759 157.240.13.35:443 -

udp 166 172.16.1.100:53343 192.168.1.201:53343 8.8.4.4:443 -

tcp 3599 172.16.1.100:56675 192.168.1.201:56675 50.16.7.188:443 -

udp 173 172.16.1.100:54230 192.168.1.201:54230 8.8.8.8:53 -

udp 167 172.16.1.100:49758 192.168.1.201:49758 172.217.194.157:443 -

tcp 3598 172.16.1.100:56671 192.168.1.201:56671 13.107.4.50:80 -

tcp 3599 172.16.1.100:56676 192.168.1.201:56676 18.141.80.142:443 -

udp 179 172.16.1.100:61272 192.168.1.201:61272 74.125.24.94:443 -

tcp 4 172.16.1.100:56668 192.168.1.201:56668 50.116.239.150:443 -

udp 92 172.16.1.100:53314 192.168.1.201:53314 8.8.4.4:443 -

udp 50 172.16.1.100:56677 192.168.1.201:56677 8.8.8.8:53 -

My Cybersecurity Journal

Friday, December 3, 2021

FortiGate Network Address Translation (NAT)