[Last Call] Learn how to a build a cloud-first strategyRegister Now


Fortigate 80C - If in NAT operating mode why have additional NAT option in a firewall policy?

Posted on 2010-11-18
Medium Priority
Last Modified: 2012-05-10
Just setting up a Fortigate 80C.  It is running in NAT mode.
When creating firewall policies, I see that there is an option to select "NAT".

Bearing in mind that the router is already in NAT mode, so...
Why would this NAT option exist when creating a firewall policy?
What is the significance of this option in a firewall policy as opposed to the router's primary operating mode?
The NAT option is there for inbound policies as well, but why would I want to NAT inbound traffic?

Please enlighten me o great ones!
Question by:blokeman
  • 2

Accepted Solution

askitgetit earned 1000 total points
ID: 34170696

When Fortigate is in NAT/Route mode, it means you can configure the box for NATing and Routing

You can use the NAT option to do Source NAT. If you are not choosing NAT the internal or external source address would remain same.

When you send a traffic from inside from private range this can be NATed with public IP. Also if any traffic coming from external if needed you can change it with required IP

So this option is needed very much :)


Assisted Solution

iworks-uworks earned 1000 total points
ID: 34173231
The two modes that the Fortigate can operate in are NAT and Transparent. This is just how the unit will function. In Transparent mode you can place the fortigate between an existing firewall and your lan and still scan traffic without any reconfiguring. The other option of NAT is more likely what most people will be using it for. The interfaces are named to help people keep them straight, but you you can have your internet connection come in through the DMZ and make your LAN the WAN1 port. For this reason, the Fortigate does not restrict what policies can have NAT enabled, as it only sees the interface and doesn't care about what it's named. Hope that helps.

Author Comment

ID: 34178123
I understand what NAT is, that is not the problem. I guess I am thinking from the perspective of configuring simple, two interface, SOHO adsl routers which have NAT enabled by default, and no option to turn it on in a firewall policy.  Applying this experience to the Fortigate 80C I thought that if it was running in NAT mode, then NAT was ON (like a SOHO router) and so it looked strange that I had the option to enable it in all my outbound firewall policies.

Eureka momnent!...
From your comments, it makes sense now that the option to NAT is there because, in a multi-interface router, as opposed to a dual interface SOHO ADSL router, NAT would not be required on all intefaces, for example routing between two internal LANs would likely not need NAT, but LAN --> internet traffic would.  Correct?

The predominant use of NAT is then for  LAN --> internet traffic, so in the case of Internet --> LAN firewall policies, besides a port forwarding scenario, does NAT ever need to be enabled?

Expert Comment

ID: 34186260

Basically NAT is required when you need to proxy/hide your original IP.

NAT would use in port translation as well as IP translation


Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question