

Fortigate 80C - If in NAT operating mode why have additional NAT option in a firewall policy?

Posted on 2010-11-18
Medium Priority
Last Modified: 2012-05-10
Just setting up a Fortigate 80C.  It is running in NAT mode.
When creating firewall policies, I see that there is an option to select "NAT".

Bearing in mind that the router is already in NAT mode, so...
Why would this NAT option exist when creating a firewall policy?
What is the significance of this option in a firewall policy as opposed to the router's primary operating mode?
The NAT option is there for inbound policies as well, but why would I want to NAT inbound traffic?

Please enlighten me o great ones!
Question by:blokeman

Accepted Solution

askitgetit earned 1000 total points
ID: 34170696

When Fortigate is in NAT/Route mode, it means you can configure the box for NATing and Routing.

You can use the NAT option to do Source NAT. If you do not choose NAT, the internal or external source address would remain the same.

When you send traffic from inside from a private range, this can be NATed with a public IP. Also, if any traffic is coming from external, if needed you can change it with the required IP.

So this option is needed very much :)


Assisted Solution

iworks-uworks earned 1000 total points
ID: 34173231
The two modes that the Fortigate can operate in are NAT and Transparent. This is just how the unit will function. In Transparent mode you can place the Fortigate between an existing firewall and your LAN and still scan traffic without any reconfiguring. The other option of NAT is more likely what most people will be using it for. The interfaces are named to help people keep them straight, but you can have your internet connection come in through the DMZ and make your LAN the WAN1 port. For this reason, the Fortigate does not restrict what policies can have NAT enabled, as it only sees the interface and doesn't care about what it's named. Hope that helps.

Author Comment

ID: 34178123
I understand what NAT is, that is not the problem. I guess I am thinking from the perspective of configuring simple, two-interface SOHO ADSL routers which have NAT enabled by default, and no option to turn it on in a firewall policy. Applying this experience to the Fortigate 80C I thought that if it was running in NAT mode, then NAT was ON (like a SOHO router) and so it looked strange that I had the option to enable it in all my outbound firewall policies.

Eureka moment!...
From your comments, it makes sense now that the option to NAT is there because, in a multi-interface router, as opposed to a dual-interface SOHO ADSL router, NAT would not be required on all interfaces, for example routing between two internal LANs would likely not need NAT, but LAN --> internet traffic would. Correct?

The predominant use of NAT is then for LAN --> internet traffic, so in the case of Internet --> LAN firewall policies, besides a port forwarding scenario, does NAT ever need to be enabled?

Expert Comment

ID: 34186260

Basically NAT is required when you need to proxy/hide your original IP.

NAT would be used in port translation as well as IP translation.
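
A simplified model of the per-policy NAT behaviour discussed in this thread, as an added example that is not part of the original posts and is not FortiOS code. It assumes constructed interface addresses, that a policy with NAT enabled rewrites the source to the egress interface address, and that interface pairs without a policy are denied.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed sample addressing (private and documentation ranges), not from the thread.
INTERFACE_IP = {
    "internal": ip_address("192.168.1.1"),
    "dmz": ip_address("10.10.10.1"),
    "wan1": ip_address("203.0.113.2"),
}

@dataclass(frozen=True)
class Policy:
    srcintf: str
    dstintf: str
    nat: bool  # models the per-policy NAT checkbox

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# Hypothetical rule set: only the interface pair matters, not what a port is called.
POLICIES = [
    Policy("internal", "dmz", nat=False),  # LAN to LAN: plain routing
    Policy("internal", "wan1", nat=True),  # LAN to internet: hide the private source
]

def forward(pkt: Packet, ingress: str, egress: str,
            policies=POLICIES) -> Optional[Packet]:
    """Return the packet as it leaves the egress interface, or None when no
    policy covers this interface pair (assumed implicit deny)."""
    for pol in policies:
        if (pol.srcintf, pol.dstintf) == (ingress, egress):
            if pol.nat:
                # Source NAT: the source becomes the egress interface address.
                return Packet(str(INTERFACE_IP[egress]), pkt.dst)
            return pkt  # routed unchanged, original source preserved
    return None

if __name__ == "__main__":
    host = "192.168.1.50"
    for egress, dst in [("dmz", "10.10.10.20"), ("wan1", "198.51.100.7")]:
        out = forward(Packet(host, dst), "internal", egress)
        print(f"internal -> {egress}: source seen by {dst} is {out.src}")
    print("wan1 -> internal:", forward(Packet("198.51.100.7", host), "wan1", "internal"))
```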


Question has a verified solution.
