DO NOT REPRINT

© FORTINET
Lab 3: Network Address Translation (NAT)

NAT is used to perform source NAT (SNAT) and destination NAT (DNAT) for the traffic passing through
FortiGate. There are two ways to configure source NAT and destination NAT:

l Firewall policy NAT

l Central NAT
In this lab, you will configure and test firewall policy NAT for SNAT using IP pool, and for DNAT using virtual IP
(VIP).

You will configure and test SNAT using the central SNAT policy and DNAT using the DNAT policy and VIPs.

Objectives
l Configure destination NAT settings using a VIP.
l Configure the source NAT settings using overload IP pools.
l Configure a central NAT policy for the source NAT.
l Configure DNAT and VIPs for the destination NAT.

Time to Complete
Estimated: 50 minutes

Prerequisites
Before starting the procedures in this lab, you must restore a configuration file on each FortiGate.

Make sure to restore the correct configuration in each FortiGate using the following
steps. Failure to restore the correct configuration on each FortiGate will prevent you
from doing the lab exercise.

To restore the Remote-FortiGate configuration file

1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

FortiGate Security 6.0 Lab Guide 53

Fortinet Technologies Inc.
DO NOT REPRINT Lab 3: Network Address Translation (NAT)

© FORTINET

3. Click Local PC,and then click Upload.

4. Click Desktop > Resources > FortiGate-Security > NAT > remote-nat.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

To restore the Local-FortiGate configuration file

1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC,and then click Upload.

4. Click Desktop > Resources > FortiGate-Security > NAT > local-nat.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

54 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 1: Access Through VIPs

VIP addresses are typically used to translate external or public IP addresses to internal or private IP addresses.

In this exercise, you will configure a VIP address for the Local-Windows VM. Then, you will create an egress-to-
ingress firewall policy and apply a VIP address. This will allow Internet connections to the Local-Windows VM.
You will also verify the destination NAT (DNAT) and source NAT (SNAT) behavior using CLI commands.

Create a VIP

On FortiGate, a VIP is a destination NAT (DNAT), which you can select only in a firewall policy’s destination
address field.

In this procedure, you will configure the VIP to map the Local-Windows VM (10.0.1.10) to 10.200.1.200,
which is a part of the port1 subnet. You can refer to the lab Network Topology on page 10 diagram.

To create a VIP
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click Policy & Objects > Virtual IPs.
3. Click Create New, and then select Virtual IP.
4. Configure the following settings:

Field Value

Name VIP-INTERNAL-HOST

Interface port1

(port1 is connected to the Internet with IP address 10.200.1.1/24.)

External IP Address/Range 10.200.1.200 - 10.200.1.200

(This is the IP address in the same range as the port1 subnet.)

Mapped IP Address/Range 10.0.1.10

FortiGate Security 6.0 Lab Guide 55

Fortinet Technologies Inc.
DO Create
NOT REPRINT
a Firewall Policy Exercise 1: Access Through VIPs

© FORTINET

5. Click OK.

Create a Firewall Policy

You will configure a new firewall policy using the VIP that you just created as the destination address.

To create a firewall policy

1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Click Create New.
3. Configure the following settings:

Field Value

Name Web-Server-Access

Incoming Interface port1

Outgoing Interface port3

Source all

Destination VIP-INTERNAL-HOST

Tip: Listed under the Virtual IP section

Schedule always

Service HTTP, HTTPS

Tip: In right pane, type the name in the search box, and then click
Services to add.

Action ACCEPT

56 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Access
REPRINT
Through VIPs Create a Firewall Policy

© FORTINET
4. In the Firewall / Network Options section, turn off the NAT switch.
5. In the Logging Options section, turn on the Log Allowed Traffic switch, and then select All Sessions.
6. Click OK.

FortiGate Security 6.0 Lab Guide 57

Fortinet Technologies Inc.
DO Test
NOT the VIPREPRINT
Firewall Policy Exercise 1: Access Through VIPs

© FORTINET

Test the VIP Firewall Policy

Now that you've configured a firewall policy with the VIP address as the destination, you can test your VIP by
accessing it from the Remote-Windows VM, which is behind the Remote-FortiGate internal network. Traffic is
routed from the Remote-FortiGate to the Local-FortiGate by a Linux machine, which acts as a router between
these two FortiGate devices. For more information, see Network Topology on page 10.

You will also test how the source address is translated by the VIP when traffic is leaving from the Local-Windows
VM.

To test VIPs (DNAT)

1. On the Remote-Windows VM, open a web browser and go to the following URL:
http://10.200.1.200

If the VIP operation is successful, a simple web page opens.

2. On the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
3. At the login prompt, enter the user name admin and password password.
4. Enter the following command to check the destination NAT entries in the session table:
get system session list

Sample output:
Local-FortiGate# get system session list
PROTO EXPIRE    SOURCE    SOURCE-NAT   DESTINATION    DESTINATION-NAT
tcp   3594  10.200.3.1:49478   - 10.200.1.200:80  10.0.1.10:80

You will notice that the destination address 10.200.1.200 is translated to 10.0.1.10, which is the
mapping you configured in the VIP.

58 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Access
REPRINT
Through VIPs Test the Source NAT

© FORTINET
Test the Source NAT

As a result of the VIP (which is a static NAT), all translated outgoing connections from the Local-Windows VM (IP
address 10.0.1.10) will use the VIP address to source NAT for the ingress-to-egress firewall policy and not the
egress interface IP address.

To test SNAT
1. Continuing on Local-Windows, return to the Local-FortiGate PuTTY session and run the following command to
clear any existing sessions:

diagnose sys session clear

The CLI command diagnose sys session clear will clear all sessions
including SSH session you created using PuTTY. This is expected behavior.

The firewall is stateful, so any existing sessions will not use this new firewall policy
until they time out or are cleared for ingress-to-egress traffic.

This clears the session to the Local-FortiGate from the Local-Windows VM.

2. Close the PuTTY window.

3. Open a web browser tab and connect to a few websites, for example:
l www.fortinet.com
l www.yahoo.com
l www.bbc.com
4. Open PuTTY, and connect over SSH to the LOCAL-FORTIGATE saved session.
5. At the login prompt, enter the user name admin and password password.
6. Run the following command to view the session information:

get system session list

Sample output:

FortiGate Security 6.0 Lab Guide 59

Fortinet Technologies Inc.
DO Test
NOT REPRINT
the Source NAT Exercise 1: Access Through VIPs

© FORTINET

The outgoing connections from the Local-Windows VM are now being translated with
the VIP address 10.200.1.200, instead of the firewall egress interface IP address
(10.200.1.1).

This is a behavior of the SNAT VIP. That is, when you enable SNAT on a policy, a VIP static NAT takes
priority over the destination interface IP address.

7. Close the PuTTY session.

8. Close all browser tabs except the Local-FortiGate GUI.

60 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 2: Dynamic NAT With IP Pools

IP pools are used to translate the source address to an address from that pool, rather than the egress interface
address.

Currently, the Local-FortiGate translates the source IP address of all traffic generated from the Local-Windows
VM to 10.200.1.200 because of the SNAT translation in the VIP.

In this exercise, you will create an IP pool, apply it to the ingress-to-egress firewall policy, and verify the SNAT
address using CLI commands.

Create an IP Pool

In this procedure, you will create an IP pool from the range of public IP addresses available on the egress port
(port1).

To create an IP pool
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click Policy & Objects > IP Pools.
3. Click Create New and configure the following settings:

Field Value

Name INTERNAL-HOST-EXT-IP

Type Overload

External IP Range/Subnet 10.200.1.100 - 10.200.1.100

4. Click OK.

Edit a Firewall Policy to Use the IP Pool

Now, you will apply the IP pool to change the behavior from static NAT to dynamic NAT on the ingress-to-egress
firewall policy.

FortiGate Security 6.0 Lab Guide 61

Fortinet Technologies Inc.
DO Test
NOT REPRINT
Dynamic NAT with IP Pools Exercise 2: Dynamic NAT With IP Pools

© FORTINET
To edit the firewall policy
1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Right-click the ID column for the Full_Access firewall policy and click Edit.
3. In the Firewall / Network Options section, configure the following settings:

Field Value

NAT <enable>

IP Pool Configuration Use Dynamic IP Pool

4. Click the + that appeared when you clicked Use Dynamic IP Pool, and from the right pane, click INTERNAL-
HOST-EXT-IP.
Your configuration will look similar to the following example:

5. Click OK.

Test Dynamic NAT with IP Pools

Now that your configuration is ready, you can test dynamic NAT with IP pools by browsing to a few external sites
on the Internet. If successful, you will see that the Local-Windows VM IP address (10.0.1.10) is translated to
the IP pool address of 10.200.1.100.

62 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Dynamic
REPRINT
NAT With IP Pools Test Dynamic NAT with IP Pools

© FORTINET
To test dynamic NAT with IP pools
1. Continuing on the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved
session.
2. At the login prompt, enter the user name admin and password password.
3. Run the following command to clear any existing sessions:

diagnose sys session clear

The CLI command diagnose sys session clear will clear all sessions
including the SSH session you created using PuTTY. This is expected behavior.

The firewall is stateful, so any existing sessions will not use this updated firewall policy
until they time out or are cleared for ingress-to-egress traffic.

4. Close the PuTTY window.

5. Open several broswer tabs and connect to a few websites. For example:
l www.fortinet.com
l www.yahoo.com
l www.bbc.com
5. Open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
6. At the login prompt, enter the user name admin and password password.
7. Run the following command to verify the source NAT IP address that those sessions are using:

get system session list

Sample output:

FortiGate Security 6.0 Lab Guide 63

Fortinet Technologies Inc.
DO Test
NOT REPRINT
Dynamic NAT with IP Pools Exercise 2: Dynamic NAT With IP Pools

© FORTINET

Notice that the source NAT address is now 10.200.1.100, as configured in the IP pool, and the IP pool
has overridden the static NAT VIP.

8. Close PuTTY.
9. Close all browser tabs except the Local-FortiGate GUI.

64 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 3: Configure Central SNAT

A central SNAT policy is applied to multiple firewall policies, based on a configured central rule.

In this exercise, you will configure a central SNAT policy and test it.

Prerequisites
Before beginning this lab, you must restore a configuration for central NATfile to Local-FortiGate.

Make sure to restore the correct configuration for Local-FortiGate using the following
steps. Failure to restore the correct configuration on Local-FortiGate will prevent you
from doing the lab exercise.

To restore the Local-FortiGate configuration file

1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC,and then click Upload.

4. Click Desktop > Resources > FortiGate-Security > NAT> local-central-nat.conf, and then click
Open.
5. Click OK.
6. Click OK to reboot.

FortiGate Security 6.0 Lab Guide 65

Fortinet Technologies Inc.
DO Configure
NOTCentralREPRINT
SNAT Policy Exercise 3: Configure Central SNAT

© FORTINET
When enabling central NAT, you must remove VIP and IP pool references from the
existing firewall policies first.

For example, you will see the following error if you try to enable central NAT without
removing VIP and IP pool references from the existing firewall policies.

To prevent this error from occurring during this exercise, the VIP and IP pool
references must be removed from the firewall policies.

1. The IP pool has been removed from the Full_Access firewall policy (policy ID 1),
and the VIP address has been removed from the Web-Server-Access firewall
policy (policy ID 2), because central NAT can be enabled only if none of the firewall
policies have IP pool and VIP addresses associated with them.
2. The VIP object you added in a previous exercise to test the firewall policy source
NAThas been removed.

Configure Central SNAT Policy

In this procedure, you will configure a central SNAT policy using the IP pool you created in the previous exercise.

To review IP Pool Configuration

1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click Policy & Objects > IP Pools.
3. Review the settings of INTERNAL-HOST-EXT-IP. 

To configure a central NAT policy

1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Central SNAT.
2. Click Create New and configure the following settings:

Field Value

Incoming Interface any

Outgoing Interface any

Source address all

Destination address all

NAT <enable>

66 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT3: Configure
REPRINTCentral SNAT Configure Central SNAT Policy

© FORTINET
Field Value

IP Pool Configuration Use Dynamic IP Pool

Click + and select INTERNAL-HOST-EXT-IP

Protocol ANY

3. Keep the default values for the remaining settings and click OK to save the changes.

NAT is enabled on the central SNAT policy.

If no central SNAT or matching central SNAT rule exists, FortiGate drops the
traffic.

FortiGate Security 6.0 Lab Guide 67

Fortinet Technologies Inc.
DO Review
NOT the REPRINT
Firewall Policy Exercise 3: Configure Central SNAT

© FORTINET
Review the Firewall Policy

In this procedure, you will review the firewall policy.

To verify that NAT is enabled on firewall policy

1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Right-click the ID column for the Full_Access firewall policy and click Edit.
3. Review the Firewall / Network Options of the Full_Access policy.

There is no option for enabling NAT and/or using IP pools. In central SNAT, NAT on
the SNAT policy controls whether the NAT is used or not.

4. Click Cancel.

Test Central SNAT

Now that your configuration is ready, you can test the behavior of the central SNAT policy.

To test central SNAT

1. On the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
2. At the login prompt, enter the user name admin and password password.

68 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT3: Configure
REPRINTCentral SNAT Create a Second IP Pool

© FORTINET
3. Run the following command to clear the existing sessions:

diagnose sys session clear

The CLI command diagnose sys session clear will clear all sessions
including the SSH session you created using PuTTY. This is expected behavior.

4. Close the PuTTY window.

5. Open multiple browser tabs and connect to a few websites. For example:
l www.fortinet.com
l www.yahoo.com
l www.bbc.com
6. Open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
7. At the login prompt, enter the user name admin and password password.
8. Run the following command to verify the source NAT IP address that those sessions are using:

get system session list

Sample output:

Notice that the source NAT address is now 10.200.1.100, which matches the IP Pool configured in central
SNAT policy.

9. Close PuTTY.
10. Close all browser tabs except the Local-FortiGate GUI.

Create a Second IP Pool

Now you will create a second IP Pool, which you will use later when creating a second central SNAT policy.

FortiGate Security 6.0 Lab Guide 69

Fortinet Technologies Inc.
DO Create
NOT REPRINT
a Second SNAT Policy Exercise 3: Configure Central SNAT

© FORTINET
Take the Expert Challenge!
On the Local-FortiGate GUI, create a second IP Pool named SNAT-Pool with IP range 10.200.1.50 -
10.200.1.50 and the type as Overload.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Create a Second SNAT Policy on page 70

To create a second IP Pool

1. On the Local-FortiGate GUI, click Policy & Objects > IP Pools.
2. Click Create New and configure the following settings:

Field Value

Name SNAT-Pool

Type Overload

External IP Range 10.200.1.50 - 10.200.1.50

3. Click OK.

Create a Second SNAT Policy

Now you will create a more granular SNAT policy by selecting a specific destination address and protocol to
match specific traffic.

Take the Expert Challenge!

On the Local-FortiGate GUI, create a second SNAT policy for REMOTE_FORTIGATE as a destination to
allow only the TCP protocol using SNAT_Pool for traffic from port3 to port1.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Reorder Central SNAT Policies on page 71

To create second SNAT policy

1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Central SNAT.
2. Click Create New and configure the following settings:

70 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT3: Configure
REPRINTCentral SNAT Reorder Central SNAT Policies

© FORTINET
Field Value

Incoming Interface port3

Outgoing Interface port1

Source address all

Destination address REMOTE_FORTIGATE

NAT <enable>

IP Pool Configuration Use Dynamic IP Pool

Click + and select SNAT-Pool

Protocol TCP

3. Click OK.

Reorder Central SNAT Policies

Now you will reorder the central NAT policies to put the more granular rule at the top.

Similar to firewall policies, a central SNAT policy is processed from top to bottom and, if a match is found, the
source address and source port translate based on that central SNAT policy.

FortiGate Security 6.0 Lab Guide 71

Fortinet Technologies Inc.
DO Test
NOT CentralREPRINT
SNAT Exercise 3: Configure Central SNAT

© FORTINET
To reorder central SNAT policies
1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Central SNAT.
2. Drag the newly created central SNAT policy above the previously created central SNAT policy.

Test Central SNAT

Now that your configuration is ready, you will test the central SNAT configuration.

To test central SNAT

1. On the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
2. At the login prompt, enter the user name admin and password password.
3. Run the following command to clear the existing sessions:

diagnose sys session clear

4. Close the PuTTY window.

5. Open a new browser tab and log in to the Remote-FortiGate GUI at 10.200.3.1with the user name admin and
password password.
6. Open a command prompt and run a continuous ping to the Remote-FortiGate IP.

ping -t 10.200.3.1

8. Open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
9. At the login prompt, enter the user name admin and password password.
10. Run the following command:

get system session list

Notice that the TCP sessions to destination 10.200.3.1 are translated to 10.200.1.50, because that
address matches the central SNAT policy.

Sample output:

72 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT3: Configure
REPRINTCentral SNAT Test Central SNAT

© FORTINET

ICMP sessions to destination 10.200.3.1 are translated to 10.200.1.100, which matches the central
SNAT policy at the bottom.

Sample output:

11. Open several browser tabs and connect to a few websites. For example:
l www.fortinet.com
l www.yahoo.com
l www.bbc.com
12. Return to LOCAL-FORTIGATE PuTTY session.
13. Run the following command:

get system session list

Also, other TCP sessions to different destinations are translated to 10.200.1.100, based on the
matching central SNAT policy at the bottom.

A Central SNAT policy is processed from top to bottom, similar to firewall policies.

14. Close the command prompt and PuTTY.

15. Close all browser tabs except the Local-FortiGate GUI.

FortiGate Security 6.0 Lab Guide 73

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 4: DNAT and VIPs

In firewall policy NAT, Virtual IPs is selected in the firewall policy as the destination address. In central NAT, as
soon as DNAT & Virtual IPs is configured, FortiGate automatically creates a rule in the kernel to allow DNAT to
occur, and no additional configuration is required.

In this exercise, you will configure and test the behavior of central DNAT.

Create DNAT and VIPs

In this procedure, you will configure DNAT and VIPs.

To create DNAT and VIPs

1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Click Policy & Objects > DNAT & Virtual IPs.
3. Click Create New, and then select DNAT & Virtual IP.
4. Configure the following settings:

Field Value

Name Central-DNAT

Interface port1

Type Static NAT (default setting)

External IP Address/Range 10.200.1.150 - 10.200.1.150

Mapped IP Address/Range 10.0.1.10

5. Click OK.

74 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT4: DNAT
REPRINT
and VIPs Verify the Firewall Policy Settings

© FORTINET
Verify the Firewall Policy Settings

Now, you will verify the firewall policy settings for the egress-to-ingress firewall policy.

To verify the firewall policy settings

1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Right click ID column of the Web-Server-Access firewall policy, and then click Edit.
3. Review the settings of the firewall policy.
4. Try to select the DNAT & Virtual IPs address in the firewall destination address.
You will be not able to do so.

You can't select VIPs previously created in a firewall policy as a destination address.
As soon as a VIP object is created, FortiGate automatically creates a rule in the kernel
for DNAT to occur.

5. Scroll to the bottom of the page and ensure the Enable this policy switch is turned on.

6. Click OK.

Testing DNAT and VIPs

In this procedure, you will test DNAT and VIPs by accessing the Local-Windows VM.

To test DNAT and VIPs

1. On the Remote-Windows VM, open a web browser and access the following URL:

http://10.200.1.150

If the VIP operation is successful, a simple web page opens.

2. Return to the Local-Windows VM.

3. Open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved session.
4. At the login prompt, enter the user name admin and password password.
5. Run the following command to check the destination NAT entries in the session table:

get system session list

Sample output:
Local-FortiGate # get system session list
PROTO EXPIRE    SOURCE    SOURCE-NAT  DESTINATION    DESTINATION-NAT

FortiGate Security 6.0 Lab Guide 75

Fortinet Technologies Inc.
DO Testing
NOTDNAT REPRINT
and VIPs Exercise 4: DNAT and VIPs

© FORTINET
tcp   3599  10.200.3.1:49183 10.200.1.100 10.200.1.150:80  10.0.1.10:80

6. Open additional web browser tabs and try to access few websites. For example:
l www.fortinet.com
l www.yahoo.com
l www.bbc.com
7. Return to the Local-FortiGate PuTTY session and verify the SNAT IP address those sessions are using:

get system session list

Sample output:

Notice that the session originating from  source IP, 10.0.1.10, is translated to 10.200.1.150 (VIP) as
opposed to the central SNAT policy pool IP of 10.200.1.100. This is expected behavior in central NAT.

If both the SNAT and DNAT are defined, the egress traffic will source NAT to the
DNAT/VIP address, as opposed to the configured source SNAT policy.

8. Close PuTTY.
9. Close all browser tabs except the Local-FortiGate GUI.

76 FortiGate Security 6.0 Lab Guide

Fortinet Technologies Inc.