FortiGate
syordanov
Staff
Article Id 256507
Description: This article describes how to configure the destination port for the Central SNAT table.
Scope: FortiOS 7.4.x onwards.
Solution

Central NAT is a useful FortiGate feature that lets the administrator define explicitly how NAT is applied to traffic, instead of setting NAT per firewall policy.

The Central NAT table is disabled by default. To enable it, use the following CLI:

config system settings
    set central-nat [enable | disable]
end

Once Central NAT is enabled, a new 'Central SNAT' section appears under 'Policy & Objects'.

With the Central NAT table, it is possible to define which group of addresses and which SNAT pool to use based on the traffic or protocol.


Up to FortiOS 7.2.x, a Central NAT rule can be matched on the incoming interface, outgoing interface, source IP (or address group), destination IP (or address group), and protocol.

With this configuration, traffic can be steered to a given SNAT pool based on protocol, source IP, and destination IP address, but not on the destination port.

[Image: CSNAT_TABLE.JPG - Central SNAT table in the GUI]

FortiOS 7.4.x introduces a new option that allows a destination port to be added as a matching criterion when configuring a firewall Central SNAT rule. Below is an example of a Central SNAT rule for protocol 6 (TCP) with a destination port range of 80-4000:

config firewall central-snat-map
    edit 1
        set uuid b5f7ea0e-eda9-51ed-5ec5-28057310f95c
        set srcintf "port3"
        set dstintf "port2"
        set orig-addr "all"
        set dst-addr "all"
        set protocol 6
        set dst-port 80-4000
    next
end


The dst-port can only be configured from the CLI; the destination port is not visible in the GUI. As shown in this example, dst-port accepts either a range (80-4000) or a single port.
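As an added example (not from the article and not Fortinet code), the following Python script parses central-snat-map CLI text like the block above and reports which rule a given flow would hit, so an administrator can verify that a dst-port range matches the intended traffic before deploying it. It assumes the table is evaluated top-down with first match winning and that the orig-addr and dst-addr are "all"; rule 2 is a constructed UDP entry added only to show ordering.

```python
import re

# Constructed sample (not captured from a FortiGate): the article's rule 1 plus a
# hypothetical rule 2 for UDP (protocol 17) with no dst-port restriction.
CONFIG = """
config firewall central-snat-map
    edit 1
        set srcintf "port3"
        set dstintf "port2"
        set orig-addr "all"
        set dst-addr "all"
        set protocol 6
        set dst-port 80-4000
    next
    edit 2
        set srcintf "port3"
        set dstintf "port2"
        set protocol 17
    next
end
"""

def parse_central_snat(text):
    """Parse central-snat-map CLI text into ordered rule dicts (only match fields kept)."""
    rules, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"edit (\d+)$", line):
            cur = {"id": int(m.group(1)), "protocol": None, "dst_port": None}
            rules.append(cur)              # later 'set' lines mutate this dict in place
        elif cur and (m := re.match(r'set (\S+) "?([^"]+)"?$', line)):
            key, val = m.groups()
            if key == "protocol":
                cur["protocol"] = int(val)   # IANA number: 6 = TCP, 17 = UDP
            elif key == "dst-port":          # single port "443" or inclusive range "80-4000"
                lo, _, hi = val.partition("-")
                cur["dst_port"] = (int(lo), int(hi or lo))
            elif key in ("srcintf", "dstintf"):
                cur[key] = val
    return rules

def first_match(rules, srcintf, dstintf, protocol, dport):
    """Id of the first rule the flow matches (assumed top-down evaluation), else None."""
    for r in rules:
        port_ok = r["dst_port"] is None or r["dst_port"][0] <= dport <= r["dst_port"][1]
        if (r.get("srcintf"), r.get("dstintf")) == (srcintf, dstintf) \
                and r["protocol"] in (None, protocol) and port_ok:
            return r["id"]
    return None
```

A flow that matches no entry (for example TCP to port 5000 here) falls outside the Central SNAT table entirely, which is exactly the gap the dst-port check is meant to reveal.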