Understand and configure Central NAT on Fortinet, which gives you full control over address translation separate from firewall policies. You’ll configure Central NAT for outbound internet access.
By default, FortiGate performs NAT within firewall policies (called Policy NAT). However, for complex networks, it's better to use Central NAT, which separates NAT logic from security policies. This makes NAT easier to manage and troubleshoot.
● Central NAT will be enabled.
● We'll define NAT rules for Inside and DMZ traffic to the Untrusted (Internet).
● Source NAT will use the Fortinet Untrusted IP (192.168.100.1) for all outbound traffic.
From GUI:
1. Go to System > Feature Visibility
2. Enable Central NAT under Additional Features
3. Click Apply
From CLI:
config system settings
    set central-nat enable
end
Note: Now your NAT rules are managed under Policy & Objects > Central NAT instead of being embedded in policies.
From GUI:
1. Go to Policy & Objects > Central NAT
2. Click Create New
● Original Source: Inside-LAN (192.168.1.0/24)
● Original Destination: all
● Original Service: ALL
● Translated Source IP: Use Interface Address
● Outgoing Interface: port1 (WAN)
3. Click OK
From CLI:
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "Inside-LAN"
        set dst-addr "all"
        set protocol 0
        set nat enable
    next
end
With nat-ippool left unset, FortiGate translates the source to the outgoing interface address (port1), which is the CLI equivalent of "Use Interface Address" in the GUI. protocol 0 matches any IP protocol.
From GUI:
1. Go to Policy & Objects > Firewall Policy
2. Edit the Inside-to-Internet policy (created in Lab 4)
3. Uncheck "Enable NAT"
4. Click OK
Note: This tells FortiGate not to perform NAT here — NAT will be handled by Central NAT rules.
From Inside PC:
1. Open a browser and try http://google.com or ping 8.8.8.8
2. Traffic should still go through, now translated by the Central NAT rule
On Fortinet:
1. Go to Log & Report > Forward Traffic and inspect sessions
2. You should see traffic being SNAT’d using the Central NAT rule
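The following is an added CLI example, not part of the original lab, that pulls the Central SNAT configuration and the verification step together. It extends the lab's single Inside rule with the DMZ rule the lab mentions but does not show: the address object "DMZ-LAN", the DMZ interface "port3" and the test host address 192.168.1.10 are assumptions; Inside-LAN, port1 and port2 are the lab's own names. Entries in the central SNAT map are evaluated top-down and the first match wins, so the order of edit entries matters once rules overlap.

```fortios
# Added example (not the lab's own CLI). DMZ-LAN, port3 and 192.168.1.10 are assumed.

# 1. Central SNAT map: one entry per source segment going out to the Internet.
config firewall central-snat-map
    edit 1
        set srcintf "port2"           # Inside (LAN)
        set dstintf "port1"           # Untrusted (WAN)
        set orig-addr "Inside-LAN"    # 192.168.1.0/24
        set dst-addr "all"
        set protocol 0                # any IP protocol
        set nat enable                # no nat-ippool: use port1 address
    next
    edit 2
        set srcintf "port3"           # DMZ (assumed interface name)
        set dstintf "port1"
        set orig-addr "DMZ-LAN"       # assumed address object
        set dst-addr "all"
        set protocol 0
        set nat enable
    next
end

# 2. Confirm what was actually stored before testing.
show firewall central-snat-map

# 3. Verify from a live session instead of relying on the GUI log view alone:
#    narrow the session table to the test host and the ping destination.
diagnose sys session filter clear
diagnose sys session filter src 192.168.1.10
diagnose sys session filter dst 8.8.8.8
diagnose sys session list
```

In the session output, the translated address shown for the outbound direction should be the port1 address (192.168.100.1 in this lab); if the session shows the original 192.168.1.x address instead, no central SNAT entry matched. That is the main operational difference from Policy NAT: once Central NAT is enabled, traffic that matches a firewall policy but no central SNAT entry is forwarded untranslated, so every internal segment that needs Internet access must have its own entry. Lines starting with # are comments and can be omitted when typing the commands interactively.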