The document outlines the configuration and management of Network Address Translation (NAT) using FortiGate, including firewall policy NAT and central NAT options. It covers various types of source and destination NAT configurations, IP pool types, and the use of session helpers for VoIP. Additionally, it explains the session table's role in tracking IP sessions and provides examples of NAT operations and configurations.

FortiGate I
Network Address Translation (NAT)
FortiGate 5.4.1
© Copyright Fortinet Inc. All rights reserved. Last Modified: 5 May 2019
Objectives
• Choose between firewall policy NAT vs. central NAT
• Configure firewall policy source NAT and destination NAT (Virtual IP)
  o Apply source NAT with IP pool (overload vs. one-to-one, fixed port range and port block allocation)
  o Configure destination NAT with virtual IPs or a virtual server
• Configure central NAT
  o Configure source NAT with central SNAT policy
  o Configure destination NAT with DNAT & Virtual IPs
• Use a SIP session helper for VoIP
• Understand the session table

NAT and PAT
• Network Address Translation – NAT
  o Changes an IP layer address of a packet (the source IP address or the destination IP address)
  o Source Network Address Translation – SNAT
  o Destination Network Address Translation – DNAT
  o Some protocols like SIP also carry addresses at the application layer, requiring session helpers/proxies
• Port Address Translation – PAT
  o Changes the port number of a packet (the source port or the destination port)

Firewall Policy NAT vs. Central NAT
• Two ways to configure source / destination NAT
• Firewall policy NAT
  o Source NAT and destination NAT must be configured for each firewall policy
    • Source NAT uses the outgoing interface address or a configured IP pool
    • Destination NAT uses a configured Virtual IP as the destination address
• Central NAT
  o Source NAT and destination NAT configurations are per virtual domain – they apply to multiple firewall policies based on SNAT and DNAT rules
    • The source NAT rule is configured from the central SNAT policy
    • Destination NAT is configured from DNAT & Virtual IPs

Firewall Policy NAT

Firewall Policy NAT Using Outbound Interface
Figure: firewall policy with NAT enabled; wan1 IP address 172.20.20.200
• Internal host 10.10.10.10 sends a packet with source port 1025 to destination IP address 192.168.10.10, destination port 80
• After NAT on wan1 the packet carries source IP address 172.20.20.200 and source port 30912; the destination (192.168.10.10, port 80) is unchanged

IP Pool Type: Overload
Figure: firewall policy with NAT + IP pool enabled; wan1 IP address 172.20.20.200; IP pool 172.20.20.2 - 172.20.20.10
• Internal host 10.10.10.10 sends a packet with source port 1025 to destination IP address 192.168.10.10, destination port 80
• After NAT the source IP address is one of the pool addresses (172.20.20.?) and the source port is 30957; the destination (192.168.10.10, port 80) is unchanged

IP Pool Type: One-to-One
• Default type is Overload
• Type One-to-One associates an internal IP with a pool IP on a first-come, first-served basis
  o Port address translation is disabled
• Refuses the connection if there is no unallocated address

IP Pool Type: Fixed Port Range
• Type Fixed Port Range associates an internal IP range with an external IP range
  o Port address translation is disabled

IP Pool Type: Port Block Allocation
• Type Port Block Allocation assigns a block size and a number of blocks per host for a range of external IP addresses
  o Demo using a small 64-port block size and 1 block:
      hping --faster -p 80 -S 10.200.1.254
  o Demo using an overload type:
      hping --faster -p 80 -S 10.200.1.254

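The following Python model is an added example, not Fortinet's code: it simulates how the overload, one-to-one and port block allocation pool types hand out translated addresses and ports, using the pool 172.20.20.2 - 172.20.20.10 from the overload slide and the 64-port block size from the demo. The port choices and block bookkeeping are simplifications assumed for illustration; the point it shows is which pool type refuses sessions when one host floods, as in the hping demo.

```python
import ipaddress

def expand_range(first, last):
    """List every IPv4 address from first to last inclusive."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]

class IPPool:
    """Toy model of the overload, one-to-one and port block allocation (pba) pool types."""
    def __init__(self, pool_type, first, last, block_size=64, num_blocks=1):
        self.type = pool_type
        self.addrs = expand_range(first, last)
        self.block_size, self.num_blocks = block_size, num_blocks
        self.bindings = {}     # internal IP -> pool IP (one-to-one and pba)
        self.ports = {}        # internal IP -> unused ports in its allocated blocks (pba)
        self.free_blocks = [(ip, b * block_size) for ip in self.addrs
                            for b in range(1024 // block_size, 65536 // block_size)]
        self.sessions = 0      # counter driving the constructed overload port choice

    def translate(self, src_ip, src_port):
        """Return (nat_ip, nat_port) for a new session, or None if the pool refuses it."""
        if self.type == "overload":
            # PAT: each session gets a fresh source port, so a few addresses serve many hosts.
            self.sessions += 1
            return self.addrs[self.sessions % len(self.addrs)], 30000 + self.sessions
        if self.type == "one-to-one":
            # First come, first served; PAT is disabled so the port is kept; refuse when exhausted.
            if src_ip not in self.bindings:
                free = [a for a in self.addrs if a not in self.bindings.values()]
                if not free:
                    return None
                self.bindings[src_ip] = free[0]
            return self.bindings[src_ip], src_port
        # pba: a host owns num_blocks blocks of block_size ports; every session consumes
        # one port, so one host is capped at num_blocks * block_size concurrent sessions.
        if src_ip not in self.bindings:
            if len(self.free_blocks) < self.num_blocks:
                return None
            taken = [self.free_blocks.pop(0) for _ in range(self.num_blocks)]
            self.bindings[src_ip] = taken[0][0]
            self.ports[src_ip] = [p for _, s in taken for p in range(s, s + self.block_size)]
        if not self.ports[src_ip]:
            return None        # block exhausted: the session is refused
        return self.bindings[src_ip], self.ports[src_ip].pop(0)

def flood_from_one_host(pool_type, sessions=100, block_size=64, num_blocks=1):
    """How many of `sessions` new flows from one host (like the hping flood) are accepted."""
    pool = IPPool(pool_type, "172.20.20.2", "172.20.20.10", block_size, num_blocks)
    return sum(1 for p in range(1025, 1025 + sessions)
               if pool.translate("10.10.10.10", p) is not None)
```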
Virtual IPs (VIPs)
• Destination NAT objects
• Default type is static NAT
  o Can be restricted to forward only certain ports
• From the CLI, you can select either load-balance or server-load-balance
• VIPs should be routable to the external-facing (ingress) interface for return traffic

VIP Example
Figure: firewall policy with destination address virtual IP + static NAT; wan1 IP address 172.20.20.200; internal host 10.10.10.10
• External host 192.168.10.10 sends a packet to destination IP address 172.20.20.222, destination port 80
• The VIP translates the destination: 172.20.20.222 -> 10.10.10.10

Policy Fall Through Exceptions – VIP
• Default behavior: "If this policy does not match, try the next"
  o Does not block an egress-to-ingress connection even if a deny policy is at the top of the list: the VIP can still be reached through a policy further down, even when the deny policy sits above the VIP policy
• Virtual IP policy (WAN to LAN): make the deny policy (Action = Deny) match VIP traffic
    config firewall policy
        edit <policy ID for deny>
            set match-vip enable
        end

  OR

    config firewall policy
        edit <policy ID for deny>
            set dstaddr "Virtual IP object"
        end

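A toy policy lookup, added here as an example and not Fortinet's code, that reproduces the fall-through described above: a deny policy with destination "all" is skipped for traffic addressed to a VIP, so the accept policy below it still applies, until match-vip is enabled or the VIP object itself is the destination. The VIP name, addresses and policy ids are constructed.

```python
VIPS = {"web-vip": ("172.20.20.222", "10.10.10.10")}   # constructed: name -> (external IP, mapped IP)

def vip_for(dst_ip):
    """Name of the VIP whose external address is dst_ip, or None."""
    return next((n for n, (ext, _) in VIPS.items() if ext == dst_ip), None)

def policy_matches(policy, pkt):
    """Match one policy; traffic to a VIP is the special case the slide describes."""
    if policy["srcintf"] != pkt["srcintf"] or policy["srcaddr"] not in ("all", pkt["src"]):
        return False
    dst, vip = policy["dstaddr"], vip_for(pkt["dst"])
    if vip is None:
        return dst in ("all", pkt["dst"])
    # Packet is addressed to a VIP: only a policy naming that VIP object, or one whose
    # dstaddr is "all" with match-vip enabled, is considered. A plain "all" deny policy
    # is skipped, so the lookup falls through to the VIP policy below it.
    return dst == vip or (dst == "all" and policy.get("match_vip", False))

def lookup(policies, pkt):
    """Return (policy id, action) of the first matching policy; no match is an implicit deny."""
    for p in policies:                      # top to bottom, first match wins
        if policy_matches(p, pkt):
            return p["id"], p["action"]
    return None, "deny"

def demo():
    """Deny-on-top with dstaddr all, then the two fixes from the slide."""
    pkt = {"srcintf": "wan1", "src": "192.168.10.10", "dst": "172.20.20.222"}
    deny_all = {"id": 1, "action": "deny", "srcintf": "wan1", "srcaddr": "all", "dstaddr": "all"}
    vip_ok = {"id": 2, "action": "accept", "srcintf": "wan1", "srcaddr": "all", "dstaddr": "web-vip"}
    return {
        "deny on top, no match-vip": lookup([deny_all, vip_ok], pkt),
        "set match-vip enable": lookup([dict(deny_all, match_vip=True), vip_ok], pkt),
        "set dstaddr web-vip": lookup([dict(deny_all, dstaddr="web-vip"), vip_ok], pkt),
    }
```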
Central NAT

Central NAT
• Enabled or disabled from the CLI (only)
    config system settings
        set central-nat {enable|disable}
    end
  o Must remove VIP and IP pool references from existing policies first; otherwise enabling fails:
    config system settings
        set central-nat enable
    Cannot enable central-nat with firewall policy using vip (id=2).
• Once enabled, can configure from the GUI
  o Central SNAT: source network address translation
  o DNAT & Virtual IPs: destination network address translation
• If upgrading FortiGate firmware from 5.2 to 5.4
  o Must reconfigure the central SNAT policy

Central SNAT
• SNAT configuration changes when central NAT is enabled
  o Per virtual domain based

  Central NAT enabled   Steps to configure
  Source NAT            1. Define IP pool
                        2. Configure central SNAT policy
                        3. Enable NAT on firewall policy

• If no matching central SNAT rule exists, FortiGate uses the default destination interface address
  o Rules are processed from top to bottom
• Matching criteria, based on Policy & Objects > Central SNAT:
  o Source address
  o Destination address
  o Protocol
  o Source port (most protocols don't need this)

Central SNAT Example
Central SNAT policy:
  Source: all
  Destination: 192.168.10.10
  Translated Address: 172.20.20.10 (IP pool)
  Protocol: TCP (6)
Firewall policy: NAT enabled. wan1 IP address 172.20.20.200.
• Internal host 10.10.10.1, source port 1050, sends to destination IP 192.168.10.10, destination port 80: the central SNAT policy matches, so the packet leaves wan1 with source IP 172.20.20.10, source port 12543, destination IP 192.168.10.10, destination port 80
• A packet to destination IP 192.168.10.20, destination port 80 matches no central SNAT policy, so it leaves wan1 with the interface address: source IP 172.20.20.200, source port 2456, destination IP 192.168.10.20, destination port 80

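The lookup behind the example above, written out as an added example (not Fortinet's code): rules are tried top to bottom, a hit uses the rule's translated address, a miss falls back to the destination interface address, and nothing is translated unless NAT is enabled on the firewall policy. The translated source ports are constructed to match the slide.

```python
WAN1_IP = "172.20.20.200"   # egress interface address from the slide

def central_snat(rules, pkt, policy_nat_enabled=True, new_port=12543):
    """Return (source IP, source port, matched rule index) after central SNAT for a new session."""
    if not policy_nat_enabled:
        # Step 3 on the Central SNAT slide: without NAT on the firewall policy nothing is translated.
        return pkt["src"], pkt["sport"], None
    for i, r in enumerate(rules):   # processed top to bottom, first match wins
        if (r["src"] in ("all", pkt["src"]) and r["dst"] in ("all", pkt["dst"])
                and r["proto"] in ("any", pkt["proto"])
                and r.get("sport") in (None, pkt["sport"])):
            return r["translated"], new_port, i
    # No central SNAT rule matched: fall back to the destination interface address.
    return WAN1_IP, new_port, None

# The single central SNAT policy from the slide (protocol 6 = TCP).
RULES = [{"src": "all", "dst": "192.168.10.10", "proto": 6, "translated": "172.20.20.10"}]

def demo():
    """Both flows from the slide: one hits the policy, one falls through to wan1."""
    to_10 = {"src": "10.10.10.1", "sport": 1050, "dst": "192.168.10.10", "dport": 80, "proto": 6}
    to_20 = dict(to_10, dst="192.168.10.20")
    return central_snat(RULES, to_10), central_snat(RULES, to_20, new_port=2456)
```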
Central DNAT & Virtual IPs
• Enabling central NAT changes the destination NAT configuration
  o Per virtual domain based

  Central NAT enabled     Steps to configure
  Destination NAT (VIP)   1. Define DNAT & Virtual IPs (no additional configuration required)

• As soon as a Virtual IP is created, a rule is created in the kernel to allow DNAT to occur
  o Firewall policy destination address: all, or the mapped IP of the VIP
• The VIP cannot be selected in a firewall policy as the destination address

DNAT & Virtual IPs Example
DNAT & Virtual IPs object:
  External IP Address/Range: 172.20.20.222
  Mapped IP Address/Range: 10.10.10.10
Firewall policy destination address: all, or the mapped IP of the VIP. wan1 IP address 172.20.20.200; internal host 10.10.10.10.
• External host 192.168.10.10 sends a packet to destination IP address 172.20.20.222, destination port 80
• The VIP translates the destination: 172.20.20.222 -> 10.10.10.10

Disabling Central NAT
• If central NAT is enabled and configured for SNAT and DNAT, and then disabled:
  o Outgoing traffic may SNAT to the egress interface IP address
  o Incoming traffic previously configured with DNAT & Virtual IPs will stop working

Session Helpers

Session Helpers
• Some traffic types require more packet modification for the application to work
  o Configurable via CLI
• For example:
  o Handling of FTP passive mode connections: the control connection is separate from the data connection
  o Header rewrites in SIP SDP payloads, required because of NAT actions
• To show configured session helpers:
    show system session-helper

Session Helpers: SIP Example
• Stateful firewall with NAT of 172.16.1.2 to 201.11.1.3
Figure: internal phone 172.16.1.2 behind the FortiGate (addresses 172.16.1.1 and 201.11.1.3)
• The SIP payload from the inside says "Send the media traffic to IP address 172.16.1.2, UDP port 12546"; the IP address inside the payload is NATed, so the outside party receives "Send the media traffic to IP address 201.11.1.3, UDP port 12546"
• The firewall opens a "pinhole" to allow the traffic that will come to port 12546
• Media traffic to 201.11.1.3, port 12546 is delivered as media traffic to 172.16.1.2, port 12546
• Incoming media traffic is allowed even when no firewall policy has been explicitly configured

Sessions

Session Table
• Accepted IP sessions are tracked in the kernel's session table
  o Hardware acceleration affects this
• Stores information about the session
  o Source and destination addresses, port number pairs, state, timeout
  o Source and destination interfaces
  o Source and destination NAT actions
• Performance metrics: FortiView > All Sessions
  o Max. concurrent sessions
  o New sessions per second

Session TTL (time to live)
• Reducing timers may improve performance when the session table is full, by closing sessions earlier
  o Don't close too soon, though... it can cause connection errors
• TCP default TTL:
    config system session-ttl
        set default 3600
    end
• Specific state timers:
    config system global
        set tcp-halfclose-timer 120
        set tcp-halfopen-timer 10
        set tcp-timewait-timer 1
        set udp-idle-timer 60
    end
• Timers can be applied in policies and objects, and have precedence:
  o Firewall Services > Firewall Policies > Global Sessions

diagnose sys session
• The session table also indicates policy actions
  o Clear any previous filter
      diagnose sys session filter clear
  o Set the filter
      diagnose sys session filter ?
        dport    destination port
        dst      destination IP address
        policy   policy id
        sport    source port
        src      source ip address
  o List all entries matching the configured filter
      diagnose sys session list
  o Purge all entries matching the configured filter
      diagnose sys session clear

Session Table: TCP Example
# diagnose sys session filter dst 10.200.1.254
# diag sys session filter dport 80
# diag sys session list
session info: proto=6 proto_state=05 duration=2 expire=78 timeout=3600 flags=00000000
sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=538/6/1 reply=5407/6/0 tuples=2 speed(Bps/kbps):2596/20
orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 gwy=10.200.1.254/10.0.1.10
hook=post dir=org act=snat 10.0.1.10:64624->10.200.1.254:80(10.200.1.1:64624)
hook=pre dir=reply act=dnat 10.200.1.254:80->10.200.1.1:64624(10.0.1.10:64624)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00023a22 tos=ff/ff ips_view=0 app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
Callouts in the slide: proto_state=05 is the TCP state; expire and timeout are the session TTL; the orgin->sink line (dev, gwy) is the routing operation; the hook= lines are the NAT operation; policy_id=1 is the policy ID.

TCP States
proto_state=05
  o First digit: client-side state
    • 0 if not proxy-based inspection
  o Second digit: server-side state

  TCP State      Value   Expire Timer in sec (default)
  NONE           0       10
  ESTABLISHED    1       3600
  SYN_SENT       2       120
  SYN & SYN/ACK  3       60
  FIN_WAIT       4       120
  TIME_WAIT      5       120
  CLOSE          6       10
  CLOSE_WAIT     7       120
  LAST_ACK       8       30
  LISTEN         9       120

Figure: proto_state as the handshake and teardown progress: SYN -> 02, SYN/ACK -> 03, ACK -> 01, FIN -> 04, FIN/ACK -> 05

ICMP and UDP Protocol States
• Even though UDP is stateless, FortiGate still uses two session state values

  UDP State                  Value
  UDP traffic one way only   0
  UDP traffic both ways      1

Figure: proto_state is 00 while UDP traffic has flowed one way only, and 01 once UDP traffic has flowed both ways
• ICMP has no state
  o proto_state is always 00

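A parser for session entries, added here as an example and not Fortinet's code, that decodes the fields the last three slides call out: proto_state split into its client-side and server-side digits and mapped through the TCP and UDP state tables, the TTL fields, the policy ID, and the NAT hook lines. The TCP entry is copied from the slide above; the UDP entry is constructed to show the second UDP state value.

```python
import re

TCP_STATES = {0: ("NONE", 10), 1: ("ESTABLISHED", 3600), 2: ("SYN_SENT", 120),
              3: ("SYN & SYN/ACK", 60), 4: ("FIN_WAIT", 120), 5: ("TIME_WAIT", 120),
              6: ("CLOSE", 10), 7: ("CLOSE_WAIT", 120), 8: ("LAST_ACK", 30), 9: ("LISTEN", 120)}
UDP_STATES = {0: "UDP traffic one way only", 1: "UDP traffic both ways"}
HOOK_RE = re.compile(r"hook=(\w+) dir=(\w+) act=(\w+) (\S+)->(\S+)\((\S+)\)")

def field(entry, key):
    """Value of key=... in a session entry (None if absent)."""
    m = re.search(r"\b%s=(\S+)" % key, entry)
    return m.group(1) if m else None

def parse_session(entry):
    """Decode one 'diagnose sys session list' entry into the fields the slides call out."""
    proto, state = int(field(entry, "proto")), field(entry, "proto_state")
    info = {"proto": proto, "client_state": int(state[0]), "server_state": int(state[1]),
            "expire": int(field(entry, "expire")), "timeout": int(field(entry, "timeout")),
            "policy_id": int(field(entry, "policy_id")), "gwy": field(entry, "gwy")}
    if proto == 6:
        info["state_name"], info["default_ttl"] = TCP_STATES[info["server_state"]]
        info["proxy_inspection"] = info["client_state"] != 0   # first digit is 0 otherwise
    elif proto == 17:
        info["state_name"] = UDP_STATES[info["server_state"]]
    elif proto == 1:
        info["state_name"] = "ICMP (no state, always 00)"
    # NAT operation lines: hook=post dir=org act=snat a:p->b:q(translated a:p)
    info["nat"] = [{"hook": h, "dir": d, "act": a, "from": s, "to": t, "translated": n}
                   for h, d, a, s, t, n in HOOK_RE.findall(entry)]
    return info

# Entry lines copied from the TCP example slide.
TCP_ENTRY = """session info: proto=6 proto_state=05 duration=2 expire=78 timeout=3600 flags=00000000
sockflag=00000000 sockport=0 av_idx=0 use=3
orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 gwy=10.200.1.254/10.0.1.10
hook=post dir=org act=snat 10.0.1.10:64624->10.200.1.254:80(10.200.1.1:64624)
hook=pre dir=reply act=dnat 10.200.1.254:80->10.200.1.1:64624(10.0.1.10:64624)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0"""
# Constructed UDP entry (not from the slides) showing state 01, traffic both ways.
UDP_ENTRY = """session info: proto=17 proto_state=01 duration=3 expire=57 timeout=60 flags=00000000
hook=post dir=org act=snat 10.0.1.10:40000->10.200.1.254:53(10.200.1.1:40000)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0"""
```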
Review
• Choose between firewall policy NAT and central NAT
• Different types of IP pool configuration for source NAT
• Virtual IP configuration for destination NAT
• Central SNAT policy configuration for source NAT
• DNAT & Virtual IPs
• Use a SIP session helper for VoIP
• How to interpret the session table