1. Firewall policy SNAT
Only available in NGFW profile mode; used for simple NAT deployments.
2. Central SNAT
Can be enabled in NGFW profile mode; NGFW policy mode only supports Central SNAT.
Used in complex NAT deployments; gives more granular control over NAT.
3. Virtual IP (DNAT), from the Internet to an internal server
When Central SNAT is disabled, the VIP is used as the destination in the firewall policy.
When Central SNAT is enabled, the server's real IP is used in the firewall policy.
When a VIP is created for a server, outbound traffic initiated from the server will be translated as follows:
- if the VIP has no port forwarding and an inbound firewall policy referencing the VIP exists: when the firewall policy NAT uses the outgoing interface as SNAT, the VIP is used as the translated IP; when the firewall policy NAT uses an IP pool, the IP pool is used as the translated IP.
- if the VIP has port forwarding, the outgoing interface address is used as the translated IP.
A Virtual IP is not an address object.
To enable Central NAT, firewall policy references to VIPs and IP pools need to be removed first. Without removing them, enabling Central SNAT in the GUI gives no error, but the setting cannot be turned on; the CLI shows the reason:
FortiGate # config system settings
FortiGate (settings) # set central-nat enable
Cannot enable central-nat with firewall policy using vip (id=2).
FortiGate (settings) #
After enabling Central SNAT, two options are available:
1. Central SNAT
2. DNAT & Virtual IPs
4. By default, firewall address objects do not match VIPs.
A policy with deny source:all destination:all does not deny access to a VIP.
The default can be changed in the CLI for the specific deny policy:
config firewall policy
edit <policy ID>
set match-vip enable
end
or specify the VIP as the destination.
5. Session Helper
When more advanced application tracking and control is required, an ALG (session helper) can be used.
show system session-helper
6. Session Table
May not show all sessions if the FW has hardware acceleration.
Dashboard > FortiView Sessions
Default:
config system session-ttl
set default 3600
end
Troubleshooting CLIs:
get system session list
diag sys session filter (clear) ; multiple filters can be applied
diag sys session list (clear)
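As an added example (not part of the original notes), a small Python parser for the shape of the 'diag sys session list' output, run over a constructed two-session sample: it pulls the policy_id and the act=snat / act=dnat lines of each session so you can check which address the firewall actually used as the translated source (outgoing interface, IP pool or VIP) and which sessions arrived through a VIP. The field layout is assumed from typical FortiOS output.

```python
import re

# Constructed sample in the shape of 'diag sys session list' output
# (not captured from a real device; addresses are documentation ranges).
SAMPLE = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 use=3
hook=post dir=org act=snat 10.0.1.10:50000->203.0.113.5:443(198.51.100.1:50000)
hook=pre dir=reply act=dnat 203.0.113.5:443->198.51.100.1:50000(10.0.1.10:50000)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 use=3
hook=pre dir=org act=dnat 198.51.100.77:41000->198.51.100.1:80(10.0.1.20:80)
hook=post dir=reply act=snat 10.0.1.20:80->198.51.100.77:41000(198.51.100.1:80)
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=0
total session 2
"""

# One NAT record per line: hook=<pre|post> dir=<org|reply> act=<snat|dnat> src->dst(translated)
NAT_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)\((?P<xlate>[\d.]+:\d+)\)"
)

def parse_sessions(text):
    """Split session list output into dicts holding policy_id and NAT records."""
    sessions, cur = [], None
    for line in text.splitlines():
        if line.startswith("session info:"):
            cur = {"nat": [], "policy_id": None}
            sessions.append(cur)
        elif cur is None:
            continue                      # text before the first session block
        elif line.startswith("misc="):
            m = re.search(r"policy_id=(\d+)", line)
            cur["policy_id"] = int(m.group(1)) if m else None
        elif m := NAT_RE.match(line):
            cur["nat"].append(m.groupdict())
    return sessions

def translated_source(session):
    """SNAT address:port applied to the original direction, or None if no SNAT.
    For an outbound session this is the 'translated IP' the notes discuss."""
    for n in session["nat"]:
        if n["act"] == "snat" and n["dir"] == "org":
            return n["xlate"]
    return None

def inbound_vip_sessions(sessions):
    """Sessions whose original direction was DNATed, i.e. arrived via a VIP."""
    return [s for s in sessions
            if any(n["act"] == "dnat" and n["dir"] == "org" for n in s["nat"])]
```

Comparing translated_source() against the interface or IP pool address you expect is a quick way to confirm which of the rules in item 3 applied to a given outbound session.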