Fortigate - Central NAT vs Policy NAT

9,533 views

InfoSec for Humans

1 day ago

In this video we jump into the world of central NAT. If you're coming from Palo Alto, Cisco, Checkpoint et al. this might be a really familiar idea for you. If not, this is going to be a primer video that will get you talking "central NAT" in no time flat.
Config commands used in the video:
1) Enable central NAT (CLI):
config system settings
    set central-nat enable
end
Key Takeaways:
1) Central NAT pulls the NAT configuration out of the firewall policy and creates a new menu item/table of all your NAT rules.
2) Keep in mind, this is for SOURCE NAT (SNAT) only; we are not talking about DESTINATION NAT (DNAT aka VIP)
3) Central NAT is not the default setting for Fortigate; you must enable it via the CLI using the command referenced above. Then refresh your interface and look up "Policy and Objects" to find "Central NAT"
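As an added configuration example (not from the video and not Fortinet's own documentation), the FortiOS CLI fragment below shows the same outbound SNAT written first the policy-NAT way and then the central-NAT way, so the difference the video describes is visible side by side. The interface names (port1 as WAN, port2 as LAN), the address object, the IP pool and the TCP port-mapping entry are all assumptions; the addresses come from the documentation ranges. The central-snat-map field names follow the 6.4-era CLI and should be checked against the release in use.

```fortios
# Added example, not the video's configuration. Assumptions: port1 = WAN, port2 = LAN,
# LAN is 10.10.10.0/24, the public SNAT address is 203.0.113.10 (documentation range).

# Objects used by both models
config firewall address
    edit "LAN_subnet"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config firewall ippool
    edit "SNAT_pool"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# --- Policy NAT (the default, central-nat disabled): NAT settings live in the policy ---
config firewall policy
    edit 1
        set name "LAN_to_WAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SNAT_pool"
    next
end

# --- Central NAT: the policy only permits traffic, SNAT moves to its own table ---
config system settings
    set central-nat enable
end
config firewall policy
    edit 1
        set name "LAN_to_WAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config firewall central-snat-map
    # Entry 1: narrow TCP port-to-port mapping (8080 -> 80), only possible with central SNAT
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "LAN_subnet"
        set dst-addr "all"
        set protocol 6
        set orig-port 8080
        set nat-port 80
        set nat enable
        set nat-ippool "SNAT_pool"
    next
    # Entry 2: catch-all for everything else from the LAN out to the WAN
    edit 2
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "LAN_subnet"
        set dst-addr "all"
        set nat enable
        set nat-ippool "SNAT_pool"
    next
end
```

Central SNAT entries are evaluated top down and the first match wins, so the narrow port-mapping entry sits above the catch-all. The firewall policy still has to accept the traffic; it simply no longer carries any NAT settings, which is the "pulled out of the policy" point made in the takeaways.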
Hey there, my name is Chris and I like to help people learn tech! Specifically, cyber security. If you found this video while looking for Fortinet NSE4 (Fortigate) study materials, congrats! I decided to make these videos after passing the NSE4 and wanting to help others do the same.
Check out my socials!
/ infosecforhuman
/ chris-ray-i4h
infosecforhumans.com/

Comments: 27
@MC-wb1mm 2 years ago
I'm currently doing the NSE4 training from Fortinet. I needed a better understanding of the concepts. Your video couldn't be better. Answered my questions on the why's of central nat. Thanks man.
@MrHCars 2 years ago
Best video i could find to explain this, thanks!
@jamesmyers777 1 year ago
There are definitely situations where you need Central SNAT. We have multiple interfaces that require outbound NATing and are in a zone; in this case Central SNAT is required. Great video, thanks.
@malikgenius4u 2 years ago
Why did you stop posting new videos? I just found your channel today and I am already in love with your way of teaching; couldn't find any better NSE4 videos.
@chrisgrlitzjensen3847 2 years ago
It's a long time since this video was posted, but for people interested there are also 2 different modes in which the firewall can be 'run': profile mode and policy-based mode; profile mode is enabled by default. If you enable policy-based mode, you will also have central NAT enabled by default. I'd recommend looking into it, not necessarily doing the switch; it depends on the needs of the environment of course. In terms of central NAT, I see no reason why you wouldn't want it enabled; having the possibility of granularly doing NAT rules can be a lifesaver in a hosted environment. Furthermore, the visual segmentation of having a dedicated view solely for NAT is also much appreciated. When an environment is big enough and several thousand policies are in place, central NAT is very convenient.
@TmurphyIT 3 years ago
Perfect. This cleared up things for me.
@rizwanmahmood1407 3 years ago
Absolutely spot on! nice!!
@Liv4IT 2 years ago
Pretty nice, I like your explanation 😀
@amadoucoulibaly6439 3 years ago
Good explanation. I like and subscribe
@jeffersoncastro700 2 months ago
good video!!
@salmanchirackalibrahim1810 2 years ago
Good one.
@felipecosta8280 3 years ago
Tks.
@he6904 2 years ago
THANKS
@gianniskleanthous3268 1 year ago
You just earned a sub, good explanation. I do have a question though (not just for you but anyone reading these comments): what if I have a /30 public address from my ISP? That means 1 address is for the network, 1 for the WAN, 1 for the gateway and 1 for broadcast, leaving me with 0 available addresses, so in this case I cannot use IP pools unless I get a bigger subnet, correct? Thanks in advance.
@user-uw2ml1si7u 1 year ago
Would it be worth it to do an update video/series, updating this NSE4 series to v7.2?
@Carlandall 3 years ago
Regarding SNAT - you mention that you can't configure the ports on the policies but what about the One-to-one and Fixed Port Range options? (And Port block allocation)
@InfoSecforHumans 3 years ago
The only SNAT option that lets you map port-to-port is Central SNAT. Using either Static or Dynamic SNAT does not give you that capability. More info on this can be found here:
docs.fortinet.com/document/fortigate/6.4.0/administration-guide/898655/static-snat
docs.fortinet.com/document/fortigate/6.4.0/administration-guide/29961/dynamic-snat
docs.fortinet.com/document/fortigate/6.4.0/administration-guide/421028/central-snat
@Carlandall 3 years ago
Thanks - I didn't realise you were talking about port-to-port. I still have some figuring out to do, but thanks for the links!
@InfoSecforHumans 3 years ago
@@Carlandall I am still working on delivering a sharp message too :D Glad I could help!
@michalchachula9041 2 years ago
What will happen if I enable Central SNAT while I already have firewall policies in place with NAT enabled? Is it safe in a production environment?
@chrisgrlitzjensen3847 2 years ago
It is not safe in a production environment; it will discard previous NAT rules.
@mohammedabdulmoizqureshi8227 3 years ago
This concludes there is no point in using policy NAT when you have granular control and you are already familiar with central NATing.
@InfoSecforHumans 3 years ago
If you're coming from a vendor that only does central NAT, then this gives you the option to stick with a familiar NATing setup. While CNAT gives more granular control, it can be viewed as a more complicated management scenario (IMO).
@firewalllife 2 years ago
Forti Cloud Demo kzbin.info/www/bejne/n2GQg3iPfbeIiNk