• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3812
  • Last Modified:

Fortigate 80C - If in NAT operating mode why have additional NAT option in a firewall policy?

Just setting up a Fortigate 80C.  It is running in NAT mode.
When creating firewall policies, I see that there is an option to select "NAT".

Bearing in mind that the router is already in NAT mode, so...
Why would this NAT option exist when creating a firewall policy?
What is the significance of this option in a firewall policy as opposed to the router's primary operating mode?
The NAT option is there for inbound policies as well, but why would I want to NAT inbound traffic?

Please enlighten me o great ones!
  • 2
2 Solutions

When Fortigate is in NAT/Route mode, it means you can configure the box for NATing and Routing

You can use the NAT option to do Source NAT. If you are not choosing NAT the internal or external source address would remain same.

When you send a traffic from inside from private range this can be NATed with public IP. Also if any traffic coming from external if needed you can change it with required IP

So this option is needed very much :)

The two modes that the Fortigate can operate in are NAT and Transparent. This is just how the unit will function. In Transparent mode you can place the fortigate between an existing firewall and your lan and still scan traffic without any reconfiguring. The other option of NAT is more likely what most people will be using it for. The interfaces are named to help people keep them straight, but you you can have your internet connection come in through the DMZ and make your LAN the WAN1 port. For this reason, the Fortigate does not restrict what policies can have NAT enabled, as it only sees the interface and doesn't care about what it's named. Hope that helps.
blokemanAuthor Commented:
I understand what NAT is, that is not the problem. I guess I am thinking from the perspective of configuring simple, two interface, SOHO adsl routers which have NAT enabled by default, and no option to turn it on in a firewall policy.  Applying this experience to the Fortigate 80C I thought that if it was running in NAT mode, then NAT was ON (like a SOHO router) and so it looked strange that I had the option to enable it in all my outbound firewall policies.

Eureka momnent!...
From your comments, it makes sense now that the option to NAT is there because, in a multi-interface router, as opposed to a dual interface SOHO ADSL router, NAT would not be required on all intefaces, for example routing between two internal LANs would likely not need NAT, but LAN --> internet traffic would.  Correct?

The predominant use of NAT is then for  LAN --> internet traffic, so in the case of Internet --> LAN firewall policies, besides a port forwarding scenario, does NAT ever need to be enabled?

Basically NAT is required when you need to proxy/hide your original IP.

NAT would use in port translation as well as IP translation

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now