1 Fortinet Confidential
FortiGate NAT
Deep Dive
John León – SE Andean Region
Marcelo Mayorga – Mgr., System Engineering CALA
Setting expectations…
• Mainly this is a hands-on track
• We expect that you know what NAT is and how to configure basic NAT on FortiOS
• You're here not only to listen but to ask questions, share experiences and participate!
April 18, 2023
Some initial words on NAT
What is NAT?
Everything started when IPv4 was created…
• IPv4 allows 2^32 IP addresses = 4.2+ billion
• Today there are more than 9 billion Internet connected devices (1)
• NOT ENOUGH
(1) http://www.readwriteweb.com/archives/more_than_50_of_devices_at_ces_were_internet_connected.php
What is NAT? (cont.)
• Allows IP address sharing
• NAT is the process of converting one IP address to another on a given packet.
• Usually the conversion happens between a private (non-routable) and a public (routable) IP address.
Why does anyone need NAT?
Then, what are routable and non-routable IP addresses?
• RFC 1918: IANA defines a set of IP addresses to be used as private address space (i.e. they should not be routed on the Internet)
  » Class A: 10.0.0.0/8 = 10.0.0.0 – 10.255.255.255
  » Class B: 172.16.0.0/12 = 172.16.0.0 – 172.31.255.255
  » Class C: 192.168.0.0/16 = 192.168.0.0 – 192.168.255.255
Why does anyone need NAT? (cont.)
What other advantages does NAT offer?
• Security: NAT hides the internal IP addressing scheme, making it "invisible" to the outside world
• Makes connections with other networks possible (e.g. overlapping networks)
Yeap… there are some drawbacks as well
• NAT breaks a core principle of the Internet: providing end-to-end connectivity
• Application Layer Gateways and techniques such as NAT traversal appeared as workarounds.
• The existence of NAT has delayed IPv6 deployments
My Web Proxy also changes IP addresses!
[Figure: OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) of the CLIENT, the NATing device and the SERVER; the translation happens at the Network layer]
• NAT happens in the Network Layer
• A NATing device keeps the same connection
CLIENT 192.168.138.32 -> NATing device (192.168.138.1 / 200.20.32.1) -> SERVER 200.20.32.32
One connection end to end: 192.168.138.32 <-> 200.20.32.32
My Web Proxy also changes IP Address!
[Figure: OSI stacks of the CLIENT, the Proxy and the SERVER; the Proxy works at the Application layer]
• A Proxy works at the Application Layer
• When a Proxy is in the path you'll actually end up with TWO connections
CLIENT 192.168.138.32 -> Proxy (192.168.138.1 / 200.20.32.1) -> SERVER 200.20.32.32
Connection 1: 192.168.138.32 <-> 192.168.138.1; Connection 2: 200.20.32.1 <-> 200.20.32.32
NAT in FortiOS
Packet Flow within FortiOS
Session Setup and Offloading on NP based platforms
1. SYN
2. SYN/ACK
3. ACK
4. Session information is pushed to the NP
5. Subsequent traffic is handled by the NP and doesn't go to the CPU
NAT is a resource intensive task, so having a platform able to offload it to hardware is an important advantage in high-end environments
FortiASIC Network Processors (NP)
NP2
Performance
• 8 Gbps throughput IP packet forwarding (bi-directional with 4 GE ports)
• Over 1 million sessions of searching and dynamic network address translation (DNAT)
• Over 2 Gbps throughput IPsec ESP encryption/decryption processing
• Enhanced Extension Interface to support 8-GE with 16 Gbps throughput
Traffic Features
• Session timeout feature
• IP/TCP/UDP checksum calculation offloading
• Packet de-fragmentation
• Jumbo packet support up to 18 KB
Application Features
• TCP offloading features
• Traffic shaping and firewall basic policy check
• IPS anomaly filtering and logging
• Up to 4096 Virtual Domain support
NP4
Performance
• 20 Gbps throughput IP packet forwarding (40 Gbps bi-directional with 2 XAUI ports)
• Up to 10 million sessions of searching and dynamic network address translation (DNAT)
• 6-8 Gbps IPsec ESP encryption/decryption processing
• Seamlessly scalable system with switch chips to support any throughput
Traffic Features
• Session timeout feature
• IP/TCP/UDP checksum calculation offloading
• Jumbo packet support up to 9 KB
• Policy based traffic shaping
Application Features
• TCP offloading features
• Traffic shaping and counting per session / per VLAN
• Firewall policy check
• IPS anomaly filtering and logging
• Up to 4096 Virtual Domain support
• Packet fragmentation / de-fragmentation
Lab 1 – Understanding Packet Flow
About the environment…
Virtual Machines:
1. FortiGate-VM 4.3.6 (Build0521)
   » admin/<blank>
2. xserver01:
   » Ubuntu Linux 10.10
   » Apache 2.2.16
   » Wireshark
   » xuser/xuser
3. xserver02:
   » Ubuntu Linux 10.10
   » Apache 2.2.16
   » vsftpd 2.3.0
   » xuser/xuser
Topology:
» Host PC: vmnet1 192.168.138.1
» FortiGate-VM: Port1 (Host-only) 192.168.138.10, Port2 (Host-only) 20.20.20.1
» xserver01: eth1 20.20.20.10
» xserver02: eth1 20.20.20.20
Between the Host PC and the FGT use whatever IP addressing you want, just be careful during the labs.
FGT-VM is LENC (Low Encryption), so access to it will be over HTTP and Telnet.
Start your engines!
1. Start the VM machines
2. Check that you're able to ping:
   » From Host PC: 192.168.138.10
   » From FG-VM: 20.20.20.10 and 20.20.20.20
3. Add a route on your host machine to the 20.20.20.0/24 network through your FortiGate
   » MACOSX: # sudo route add 20.20.20.0/24 192.168.138.10
   » Windows: # route add 20.20.20.0 mask 255.255.255.0 192.168.138.10
   » Linux: # sudo route add -net 20.20.20.0/24 gw 192.168.138.10
   » Verify with: # netstat -nr
Start your engines! (cont.)
4. Add the following secondary IP addresses to your Host PC on the host-only virtual NIC:
   » 50.50.50.1/24
   » 192.168.138.2/24
   » 192.168.138.3/24
   » 192.168.138.4/24
   » 192.168.138.5/24
   » 192.168.138.56/24
   » MACOSX: # sudo ifconfig vmnet1 inet 50.50.50.1/24 add
   » Windows: Use Control Panel -> Network Connections
   » Linux: # sudo ifconfig eth0:1 50.50.50.1 up
   » Verify with: ifconfig (Mac OSX/Linux) / ipconfig (Windows)
Lab 1 – Packet Flow
Host PC (vmnet1 192.168.138.1) -> FortiGate port1 192.168.138.10 / port2 20.20.20.1 -> xserver01 (eth1 20.20.20.10)
1. Allow all traffic between port1 and port2
3. Sample a flow for HTTP traffic and analyze steps
FGT_XT_12 # diag deb enable
FGT_XT_12 # diag deb flow filter dport 80
FGT_XT_12 # diag deb flow show console enable
show trace messages on console
FGT_XT_12 # diag deb flow filter daddr 20.20.20.10
FGT_XT_12 # diag deb flow trace start 1
3. Browse to http://20.20.20.10 from the Host PC
Packet flow inside FortiGate
FGT_XT_12 # id=36871 trace_id=1 msg="vd-root received a packet(proto=6, 192.168.138.1:56174->20.20.20.10:80) from port1."
id=36871 trace_id=1 msg="allocate a new session-00000058"
id=36871 trace_id=1 msg="find a route: gw-20.20.20.10 via port2"
id=36871 trace_id=1 msg="Allowed by Policy-1:"
[Flowchart of the trace above]
1. Receive and parse packet data: From 192.168.138.1:56174, To 20.20.20.10:80, On port1
2. Is this an existing session? No -> allocate a new session in the state table (Session ID: 00000058)
3. Route for this network? GW: 20.20.20.10, Interface: port2
4. Search within the security policy: is the traffic allowed? Allowed, Policy ID: 1
5. Forward packet
5. Filter and review session information
FGT_XT_12 # diag sys session filter dst 20.20.20.10
FGT_XT_12 # diag sys session list
session info: proto=6 proto_state=01 duration=1 expire=3598 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=40459
policy_dir=0 tunnel=/
state=log may_dirty
statistic(bytes/packets/allow_err): org=541/4/1 reply=581/3/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=20.20.20.10/192.168.138.1
hook=pre dir=org act=noop 192.168.138.1:56175->20.20.20.10:80(0.0.0.0:0)
hook=post dir=reply act=noop 20.20.20.10:80->192.168.138.1:56175(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=00000058 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=192.168.138.1, bps=335
total session 1
Destination NAT
One-to-one
DNAT on different subnets
Port Address Translation
Destination NAT (DNAT)
• Changes the Destination IP address
• Unless specified there's no port translation (static one-to-one mapping)
• Usually used to publish a service/server that has a private IP address with a public, routable one.
Lab 2 – Static Destination NAT (DNAT)
Host PC (vmnet1 192.168.138.1) -> FortiGate port1 192.168.138.10, VIP 192.168.138.100 / port2 20.20.20.1 -> xserver01 (eth1 20.20.20.10)
Packet on port1 (before DNAT):
SADDR SPORT DADDR DPORT
192.168.138.1 23456 192.168.138.100 80
Packet on port2 (after DNAT):
SADDR SPORT DADDR DPORT
192.168.138.1 23456 20.20.20.10 80
1. Publish Web Service on xserver01 with IP address 192.168.138.20. Create a new VIP with the following information:
   • Name: XTWebServer01Pub
   • External IP: 192.168.138.100
   • Mapped IP: 20.20.20.10
   • External Interface: port1
2. Modify the recently created policy, changing Destination Address to XTWebServer01Pub
4. Do a debug flow and review how it changed while browsing to http://192.168.138.100
FGT_XT_12 # diag deb fl filter daddr 192.168.138.100
FGT_XT_12 # diag deb flo trace start 1
FGT_XT_12 # id=36871 trace_id=2 msg="vd-root received a packet(proto=6, 192.168.138.1:56200->192.168.138.100:80) from port1."
id=36871 trace_id=2 msg="allocate a new session-0000007a"
id=36871 trace_id=2 msg="find SNAT: IP-20.20.20.10(from IPPOOL), port-80"
id=36871 trace_id=2 msg="VIP-20.20.20.10:80, outdev-port1"
id=36871 trace_id=2 msg="DNAT 192.168.138.100:80->20.20.20.10:80"
id=36871 trace_id=2 msg="find a route: gw-20.20.20.10 via port2"
id=36871 trace_id=2 msg="Allowed by Policy-1:"
Routing happens after DNAT
What is this SNAT?
5. List session table and review differences on NATed sessions
FGT_XT_12 # diag sys session filter dst 192.168.138.100
FGT_XT_12 # diag sys session list
session info: proto=6 proto_state=01 duration=4 expire=3595 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=40459
policy_dir=0 tunnel=/
state=may_dirty
statistic(bytes/packets/allow_err): org=545/4/1 reply=581/3/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=20.20.20.10/192.168.138.1
hook=pre dir=org act=dnat 192.168.138.1:56200->192.168.138.100:80(20.20.20.10:80)
hook=post dir=reply act=snat 20.20.20.10:80->192.168.138.1:56200(192.168.138.100:80)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=0000007a tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=192.168.138.1, bps=714
total session 1
How to read the hook lines:
DIRECTION (dir=org / dir=reply): the action applies to original or reply direction traffic
ACTION (act=): doing SNAT or DNAT
Source IP Address : Source Port -> Destination IP Address : Destination Port (Translated IP Address : Translated Port, either source or destination depending on the action)
In the listing above, the hook=pre dir=org act=dnat line is the ACTION FOR ORIGINAL DIRECTION TRAFFIC and the hook=post dir=reply act=snat line is the ACTION FOR REPLY DIRECTION TRAFFIC.
What has changed in the L3 header? What about the L4 header?
1. From xserver01, connect to the FortiGate (telnet 20.20.20.1)
2. Sniff traffic on port TCP/80, on any interface and with maximum verbosity:
   # diag sniffer packet any 'port 80' 6
3. Browse to http://192.168.138.100 from the Host PC
4. Copy and save the output to ~/Desktop/XT2012_Tools/traffic.txt
5. Convert the output to PCAP with fgt2eth.pl:
   $ ~/Desktop/XT2012_Tools/fgt2eth.pl -in traffic.txt -out traffic.pcap
6. Open traffic.pcap with Wireshark ($ wireshark traffic.pcap) and review the SYN packet before and after the firewall (port1 and port2).
• Before (SYN packet on port1, Wireshark screenshot)
• After (SYN packet on port2, Wireshark screenshot)
Layer 2 Resolution – Proxy ARP
• ARP (Address Resolution Protocol) is a Layer 2 protocol in charge of binding Layer 3 addresses (IP) to Layer 2 addresses (MAC)
FortiGate port1: MAC 00:0C:29:F7:65:46, IP 192.168.138.10
PC1 vmnet1: MAC 00:50:56:C0:00:01, IP 192.168.138.1
ARP request ("Who has 192.168.138.10? - Please tell 192.168.138.1"):
SMAC DMAC SENDER IP DEST IP
00:50:56:C0:00:01 ff:ff:ff:ff:ff:ff 192.168.138.1 192.168.138.10
ARP reply ("192.168.138.10 is at 00:0C:29:F7:65:46"):
SMAC DMAC SENDER IP DEST IP
00:0C:29:F7:65:46 00:50:56:C0:00:01 192.168.138.10 192.168.138.1
Layer 2 Resolution – Proxy ARP (cont.)
• MAC addresses are tied to NICs.
• What happens when NAT is part of the equation?
• No NIC actually has IP address 192.168.138.100
• FortiGate will answer that request with its own MAC Address (thanks to the Proxy ARP configuration)
FortiGate port1: MAC 00:0C:29:F7:65:46, IP 192.168.138.10, VIP 192.168.138.100
PC1 vmnet1: MAC 00:50:56:C0:00:01, IP 192.168.138.1
ARP request ("Who has 192.168.138.100? - Please tell 192.168.138.1"):
SMAC DMAC SENDER IP DEST IP
00:50:56:C0:00:01 ff:ff:ff:ff:ff:ff 192.168.138.1 192.168.138.100
ARP reply ("192.168.138.100 is at 00:0C:29:F7:65:46"):
SMAC DMAC SENDER IP DEST IP
00:0C:29:F7:65:46 00:50:56:C0:00:01 192.168.138.100 192.168.138.1
The Proxy ARP setting on the VIP means: answer ARP requests for this external IP (enabled by default)
Destination NAT (DNAT) on different subnet
• In the previous exercise we published the Web Server using an IP address in the same range as the one configured on the FortiGate
• What if my ISP provides me with a new pool of IP addresses?
• Let's see how to manage those scenarios
Lab 3 – DNAT on different subnet
Host PC (vmnet1 192.168.138.1 and 50.50.50.1) -> FortiGate port1 192.168.138.10, VIP 50.50.50.10 / port2 20.20.20.1 -> xserver01 (eth1 20.20.20.10)
Packet on port1 (before DNAT):
SADDR SPORT DADDR DPORT
192.168.138.1 23456 50.50.50.10 80
Packet on port2 (after DNAT):
SADDR SPORT DADDR DPORT
192.168.138.1 23456 20.20.20.10 80
1. What would happen if we try to publish an IP address from a different network?
2. Create a new VIP and publish the Web Server with IP address 50.50.50.10
   » Name: XTWebServer05Pub
   » External Interface: port1
   » External IP: 50.50.50.10 – 50.50.50.10
   » Mapped IP: 20.20.20.10
3. Create a new firewall policy allowing HTTP traffic for XTWebServer05Pub
FGT_XT_12 (3) # show
config firewall policy
    edit 3
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "XTWebServer05Pub"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic enable
    next
end
3. Try to access the web server using the new IP address in the URL: http://50.50.50.10
4. Is it working?
CHALLENGE 1
Find out and explain to the team what’s going on
Time: 5 minutes tops
Tips: Use the same debugging tools we used already
CHALLENGE 1, step 1: Sniffer shows that traffic doesn't leave the FortiGate
FGT_XT_12 # diag sniffer packet any 'port 80' 4
interfaces=[any]
filters=[port 80]
5.100864 port1 in 50.50.50.1.55916 -> 50.50.50.10.80: syn 1988918947
6.203151 port1 in 50.50.50.1.55916 -> 50.50.50.10.80: syn 1988918947
7.307608 port1 in 50.50.50.1.55916 -> 50.50.50.10.80: syn 1988918947
CHALLENGE 1, step 2: Review the traffic flow
FGT_XT_12 # diag deb flo filter dport 80
FGT_XT_12 # diag deb flo show con enable
show trace messages on console
FGT_XT_12 # diag deb flo trace start 3
FGT_XT_12 # id=36871 trace_id=1 msg="vd-root received a packet(proto=6, 50.50.50.1:55916->50.50.50.10:80) from port1."
id=36871 trace_id=1 msg="allocate a new session-00000107"
id=36871 trace_id=1 msg="find SNAT: IP-20.20.20.10(from IPPOOL), port-80"
id=36871 trace_id=1 msg="VIP-20.20.20.10:80, outdev-port1"
id=36871 trace_id=1 msg="DNAT 50.50.50.10:80->20.20.20.10:80"
id=36871 trace_id=1 msg="reverse path check fail, drop"
Reverse Path Forwarding (RPF) (a.k.a. anti-spoofing) won't let this packet go through
CHALLENGE 1, step 3: Add a route to the 50.50.50.0/24 network on port1 and try browsing again
FGT_XT_12 # conf router static
FGT_XT_12 (static) # show
config router static
    edit 1
        set device "port1"
        set dst 50.50.50.0 255.255.255.0
    next
end
Reverse Path Forwarding and NAT
• The FortiGate implements a mechanism called RPF (Reverse Path Forwarding), or Anti Spoofing, which prevents an IP packet from being forwarded unless its Source IP either:
  » belongs to a locally attached subnet (local interface), or
  » is present in the routing table of the FortiGate, reachable through the interface the packet arrived on, from another source (static route, RIP, OSPF, BGP)
FGT_XT_12 # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 192.168.138.1, port1
C 20.20.20.0/24 is directly connected, port2
C 192.168.138.0/24 is directly connected, port1
Only traffic coming from 20.20.20.0/24 will be allowed on port2
Any traffic will be allowed on port1 since there's a default gateway defined on it
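The RPF rule above, as an added illustration (not FortiOS code): a longest-prefix-match lookup on the packet's source address must return a route whose interface is the one the packet arrived on. The routing table is the one printed on the slide; the variant without a default route is an assumption added here to reproduce the Challenge 1 drop and the effect of the static route that fixed it.

```python
"""Reverse Path Forwarding (anti-spoofing) check, modelled on the slide's rule.

Added example, not FortiOS code. A packet passes RPF only when the best
route for its SOURCE address points back out of the ingress interface; a
connected subnet, a static route and a default route all count.
"""
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = []  # (network, interface, label) as in "get router info routing-table all"

    def add(self, prefix, interface, label="S"):
        self.routes.append((ipaddress.ip_network(prefix), interface, label))
        return self

    def lookup(self, address):
        """Longest-prefix match; returns (network, interface, label) or None."""
        addr = ipaddress.ip_address(address)
        best = None
        for net, iface, label in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, label)
        return best

    def rpf_ok(self, src, ingress):
        """True when the source is reachable back through the ingress interface."""
        route = self.lookup(src)
        return route is not None and route[1] == ingress


def lab_table(default_route=True):
    """Routing table from the slide; default_route=False is the assumed
    state in which Challenge 1 dropped 50.50.50.1 arriving on port1."""
    t = RoutingTable()
    if default_route:
        t.add("0.0.0.0/0", "port1", "S*")       # via 192.168.138.1
    t.add("20.20.20.0/24", "port2", "C")
    t.add("192.168.138.0/24", "port1", "C")
    return t


if __name__ == "__main__":
    t = lab_table()
    for src, ingress in (("20.20.20.10", "port2"), ("50.50.50.1", "port2"),
                         ("50.50.50.1", "port1"), ("192.168.138.1", "port2")):
        print("%-15s on %s -> %s" % (src, ingress, "forward" if t.rpf_ok(src, ingress) else "drop"))
    fixed = lab_table(default_route=False).add("50.50.50.0/24", "port1")  # the Challenge 1 route
    print("after static route: 50.50.50.1 on port1 ->", "forward" if fixed.rpf_ok("50.50.50.1", "port1") else "drop")
```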
Port Address Translation (PAT)
• The idea behind PAT is being able to translate Layer 4 ports
• This could be useful for instance to:
  » Publish services on different ports than those on which they are "listening" internally
  » Use the same public IP address to publish different services
Lab 4 – Port Address Translation (PAT)
Host PC (vmnet1 192.168.138.1) -> FortiGate port1 192.168.138.10 / port2 20.20.20.1 -> xserver01 (eth1 20.20.20.10), xserver02 (eth1 20.20.20.20)
Web Server published as 192.168.138.100:8080:
SADDR SPORT DADDR DPORT
192.168.138.1 23456 192.168.138.100 8080 (on port1)
192.168.138.1 23456 20.20.20.10 80 (on port2, after DNAT and port translation)
FTP Server published as 192.168.138.100:21:
SADDR SPORT DADDR DPORT
192.168.138.1 43213 192.168.138.100 21 (on port1)
192.168.138.1 43213 20.20.20.20 21 (on port2, after DNAT)
1. Publish the Web Server on port TCP/8080
   • Edit VIP XTWebServer01Pub
   • Enable port forwarding and translate port TCP/8080 to TCP/80
2. Create a new VIP to publish the FTP Server using the same IP address and taking advantage of Port Forwarding
   • Name: XTFTPServer01Pub
   • External Interface: port1
   • External IP: 192.168.138.100
   • Mapped IP: 20.20.20.20
   • Enable Port Forwarding, keeping port 21 without translation
IMPORTANT: VIPs with the same external IP address will always require "Port Forwarding" enabled
3. Add a firewall policy to allow FTP traffic to the newly created VIP
4. Access the Web Server URL: http://192.168.138.100:8080 while doing a debug flow
5. Differences in flow with and without Port Forwarding
FGT_XT_12 # diag deb flow trace start 1
FGT_XT_12 # id=36871 trace_id=3 msg="vd-root received a packet(proto=6, 192.168.138.1:56222->192.168.138.100:8080) from port1."
id=36871 trace_id=3 msg="allocate a new session-000000a5"
id=36871 trace_id=3 msg="find SNAT: IP-20.20.20.10(from IPPOOL), port-80"
id=36871 trace_id=3 msg="VIP-20.20.20.10:80, outdev-port1"
id=36871 trace_id=3 msg="DNAT 192.168.138.100:8080->20.20.20.10:80"
id=36871 trace_id=3 msg="find a route: gw-20.20.20.10 via port2"
id=36871 trace_id=3 msg="Allowed by Policy-2:"
6. Differences in session list with and without Port Forwarding
FGT_XT_12 # diag sys session filter dport 8080
FGT_XT_12 # diag sys session list
session info: proto=6 proto_state=01 duration=10 expire=3589 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=40459
policy_dir=0 tunnel=/
state=may_dirty
statistic(bytes/packets/allow_err): org=974/6/1 reply=1138/4/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=20.20.20.10/192.168.138.1
hook=pre dir=org act=dnat 192.168.138.1:56222->192.168.138.100:8080(20.20.20.10:80)
hook=post dir=reply act=snat 20.20.20.10:80->192.168.138.1:56222(192.168.138.100:8080)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=000000a5 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=192.168.138.1, bps=664
total session 1
hook=pre dir=org act=dnat: ACTION FOR ORIGINAL DIRECTION TRAFFIC; hook=post dir=reply act=snat: ACTION FOR REPLY DIRECTION TRAFFIC
4. Access the FTP Server from Host PC (ftp 192.168.138.100) while debug flow is running
5. Review flow
FGT_XT_12 # diag deb enable
FGT_XT_12 # diag deb flo filter dport 21
FGT_XT_12 # diag deb flo trace start 1
FGT_XT_12 # id=36871 trace_id=15 msg="vd-root received a packet(proto=6, 192.168.138.1:63836->192.168.138.100:21) from port1."
id=36871 trace_id=15 msg="allocate a new session-000005ad"
id=36871 trace_id=15 msg="find SNAT: IP-20.20.20.20(from IPPOOL), port-21"
id=36871 trace_id=15 msg="VIP-20.20.20.20:21, outdev-port1"
id=36871 trace_id=15 msg="DNAT 192.168.138.100:21->20.20.20.20:21"
id=36871 trace_id=15 msg="find a route: gw-20.20.20.20 via port2"
id=36871 trace_id=15 msg="Allowed by Policy-4:"
id=36871 trace_id=15 msg="run helper-ftp(dir=original)"
5. Differences in session list with and without Port Forwarding
FGT_XT_12 # diag sys session filter dport 21
FGT_XT_12 # diag sys session list
session info: proto=6 proto_state=01 duration=18 expire=3581 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=40469
policy_dir=0 tunnel=/
state=log may_dirty
statistic(bytes/packets/allow_err): org=168/3/1 reply=132/2/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=20.20.20.20/192.168.138.1
hook=pre dir=org act=dnat 192.168.138.1:63844->192.168.138.100:21(20.20.20.20:21)
hook=post dir=reply act=snat 20.20.20.20:21->192.168.138.1:63844(192.168.138.100:21)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=000005af tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=192.168.138.1, bps=351
total session 1
hook=pre dir=org act=dnat: ACTION FOR ORIGINAL DIRECTION TRAFFIC; hook=post dir=reply act=snat: ACTION FOR REPLY DIRECTION TRAFFIC
The Match VIP dilemma
1. Add a rule on top of the others that DENIES all traffic
2. Browse to http://192.168.138.100
3. What happened?
VIP rules are processed a little differently than other rules: they take precedence over "regular" rules.
There are two ways of denying traffic to a VIP:
1. Create a DENY rule specifying the VIP as destination
2. Enable "match-vip enable" on the firewall rule that DENIES traffic
Source NAT
Dynamic SNAT
Dynamic SNAT with Ranges
Static SNAT
Dynamic Source NAT
• DSNAT is probably the most used type of NAT
• Almost every organization uses this type of NAT so their employees can surf the Web
• Allows sharing a public IP address among many users
SADDR SPORT DADDR DPORT
192.168.138.1 23456 192.168.138.100 80
port1192.168.138.10
port220.20.20.1
SADDR SPORT DADDR DPORT
20.20.20.1 45123 20.20.20.10 80
192.168.138.100Host PC
vmnet1192.168.138.1
xserver01eth120.20.20.10
20.20.20.1
1. Edit VIP XTWebServer01Pub and modify External Service Port to 80
2. Edit firewall policy that allows traffic from XTWebServer01Pub and enable NAT.
3. Access to Web Server: http://192.168.138.100 while sampling a traffic flow
FGT_XT_12 # diag deb ena
FGT_XT_12 # diag deb flo filter dport 80
FGT_XT_12 # diag deb flo filter daddr 192.168.138.100
FGT_XT_12 # diag deb flo sho console enable
show trace messages on console
FGT_XT_12 # diag deb flo trace start 1
FGT_XT_12 # diag sys session list
id=36871 trace_id=16 msg="vd-root received a packet(proto=6, 192.168.138.1:50540->192.168.138.100:80) from port1."
id=36871 trace_id=16 msg="allocate a new session-00000710"
id=36871 trace_id=16 msg="find SNAT: IP-20.20.20.10(from IPPOOL), port-80"
id=36871 trace_id=16 msg="VIP-20.20.20.10:80, outdev-port1"
id=36871 trace_id=16 msg="DNAT 192.168.138.100:80->20.20.20.10:80"
id=36871 trace_id=16 msg="find a route: gw-20.20.20.10 via port2"
id=36871 trace_id=16 msg="find SNAT: IP-20.20.20.1, port-34792"
id=36871 trace_id=16 msg="Allowed by Policy-2: SNAT"
id=36871 trace_id=16 msg="SNAT 192.168.138.1->20.20.20.1:34792"
SNAT happens at the end
4. Reviewing session list
FGT_XT_12 # diag sys session filter dst 192.168.138.100
FGT_XT_12 # diag sys session filter dport 80
FGT_XT_12 # diag sys session list
session info: proto=6 proto_state=01 duration=2 expire=3598 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=40459
policy_dir=0 tunnel=/
state=log may_dirty
statistic(bytes/packets/allow_err): org=1026/6/1 reply=1055/4/1 tuples=4
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=20.20.20.10/192.168.138.1
hook=pre dir=org act=dnat 192.168.138.1:50540->192.168.138.100:80(20.20.20.10:80)
hook=post dir=org act=snat 192.168.138.1:50540->20.20.20.10:80(20.20.20.1:34792)
hook=pre dir=reply act=dnat 20.20.20.10:80->20.20.20.1:34792(192.168.138.1:50540)
hook=post dir=reply act=snat 20.20.20.10:80->192.168.138.1:50540(192.168.138.100:80)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=00000710 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=192.168.138.1, bps=69
total session 1
hook=pre/post dir=org: ACTIONS FOR ORIGINAL DIRECTION TRAFFIC (DNAT to the mapped IP, then SNAT to 20.20.20.1:34792); hook=pre/post dir=reply: ACTIONS FOR REPLY DIRECTION TRAFFIC (both undone in reverse)
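A parser for the hook lines, as an added example that is not a Fortinet tool, covering both the two-tuple listings of Lab 2 and the four-tuple listing of Lab 5 above: it reads DIRECTION, ACTION and the translated address exactly as the legend describes and replays them to show how a packet looks when it leaves the FortiGate. The sample snippets are constructed copies of the lab listings.

```python
"""Parse the hook= lines of `diag sys session list` and replay the NAT actions.

Added example, not a Fortinet tool. Format of a hook line:
hook=<pre|post> dir=<org|reply> act=<noop|dnat|snat> <src ip:port>-><dst ip:port>(<translated ip:port>)
"""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "saddr sport daddr dport")

HOOK_RE = re.compile(
    r"hook=(?P<hook>pre|post)\s+dir=(?P<dir>org|reply)\s+act=(?P<act>\w+)\s+"
    r"(?P<saddr>[\d.]+):(?P<sport>\d+)->(?P<daddr>[\d.]+):(?P<dport>\d+)"
    r"\((?P<taddr>[\d.]+):(?P<tport>\d+)\)"
)

# Constructed samples, copied from the Lab 1, Lab 2 and Lab 5 listings.
LAB1_NO_NAT = """\
hook=pre dir=org act=noop 192.168.138.1:56175->20.20.20.10:80(0.0.0.0:0)
hook=post dir=reply act=noop 20.20.20.10:80->192.168.138.1:56175(0.0.0.0:0)
"""
LAB2_DNAT = """\
hook=pre dir=org act=dnat 192.168.138.1:56200->192.168.138.100:80(20.20.20.10:80)
hook=post dir=reply act=snat 20.20.20.10:80->192.168.138.1:56200(192.168.138.100:80)
"""
LAB5_DNAT_SNAT = """\
hook=pre dir=org act=dnat 192.168.138.1:50540->192.168.138.100:80(20.20.20.10:80)
hook=post dir=org act=snat 192.168.138.1:50540->20.20.20.10:80(20.20.20.1:34792)
hook=pre dir=reply act=dnat 20.20.20.10:80->20.20.20.1:34792(192.168.138.1:50540)
hook=post dir=reply act=snat 20.20.20.10:80->192.168.138.1:50540(192.168.138.100:80)
"""


def parse_hooks(listing):
    """Return one dict per hook line (ports as ints); other lines are ignored."""
    hooks = []
    for line in listing.splitlines():
        m = HOOK_RE.search(line)
        if m:
            h = m.groupdict()
            for k in ("sport", "dport", "tport"):
                h[k] = int(h[k])
            hooks.append(h)
    return hooks


def apply_hooks(hooks, direction="org"):
    """Replay the pre then post hooks of one direction.

    Returns (packet as received, packet as forwarded): act=noop leaves the
    packet alone, act=dnat rewrites the destination, act=snat the source.
    """
    mine = sorted((h for h in hooks if h["dir"] == direction),
                  key=lambda h: 0 if h["hook"] == "pre" else 1)
    if not mine:
        raise ValueError("no hooks for direction %r" % direction)
    first = mine[0]
    received = Packet(first["saddr"], first["sport"], first["daddr"], first["dport"])
    pkt = received
    for h in mine:
        if h["act"] == "dnat":
            pkt = pkt._replace(daddr=h["taddr"], dport=h["tport"])
        elif h["act"] == "snat":
            pkt = pkt._replace(saddr=h["taddr"], sport=h["tport"])
        elif h["act"] != "noop":
            raise ValueError("unexpected action %r" % h["act"])
    return received, pkt


def nat_summary(hooks):
    """One line per translating hook, e.g. 'org: DNAT 192.168.138.100:80 -> 20.20.20.10:80'."""
    out = []
    for h in hooks:
        if h["act"] == "dnat":
            out.append("%s: DNAT %s:%d -> %s:%d" % (h["dir"], h["daddr"], h["dport"], h["taddr"], h["tport"]))
        elif h["act"] == "snat":
            out.append("%s: SNAT %s:%d -> %s:%d" % (h["dir"], h["saddr"], h["sport"], h["taddr"], h["tport"]))
    return out


if __name__ == "__main__":
    for name, text in (("Lab 1", LAB1_NO_NAT), ("Lab 2", LAB2_DNAT), ("Lab 5", LAB5_DNAT_SNAT)):
        hooks = parse_hooks(text)
        before, after = apply_hooks(hooks)
        print(name, "original direction:", before, "->", after)
        for line in nat_summary(hooks):
            print("   ", line)
```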
Understanding Dynamic SNAT behavior and limitations
How does the FortiGate track sessions in order to redirect reply traffic?
PC1192.168.138.1
Web Server20.20.20.10
20.20.20.1
PC2192.168.138.2
SADDR SPORT DADDR DPORT
192.168.138.1 1234 20.20.20.10 80
SADDR SPORT DADDR DPORT
20.20.20.1 1234 20.20.20.10 80
ORIGINAL REPLY
SNAT 192.168.138.1:1234, 20.20.20.10:80
20.20.20.1:1234, 20.20.20.10:80
DNAT 20.20.20.10:80, 20.20.20.1:1234
20.20.20.10:80, 192.168.138.1:1234
77 Fortinet Confidential
Understanding Dynamic SNAT behavior and limitations
How does the FortiGate track sessions in order to redirect reply traffic?
PC1192.168.138.1
Web Server20.20.20.10
20.20.20.1
PC2192.168.138.2
SADDR SPORT DADDR DPORT
20.20.20.10 80 192.168.138.1 1234
SADDR SPORT DADDR DPORT
20.20.20.10 80 20.20.20.1 1234
ORIGINAL REPLY
SNAT 192.168.138.1:1234, 20.20.20.10:80
20.20.20.1:1234, 20.20.20.10:80
DNAT 20.20.20.10:80, 20.20.20.1:1234
20.20.20.10:80, 192.168.138.1:1234
78 Fortinet Confidential
Understanding Dynamic SNAT behavior and limitations
How does the FortiGate track sessions in order to redirect reply traffic?
PC1192.168.138.1
Web Server20.20.20.10
20.20.20.1
PC2192.168.138.2
SADDR SPORT DADDR DPORT
192.168.138.2 5678 20.20.20.10 80
SADDR SPORT DADDR DPORT
20.20.20.1 5678 20.20.20.10 80
ORIGINAL REPLY
SNAT 192.168.138.1:1234, 20.20.20.10:80
20.20.20.1:1234, 20.20.20.10:80
DNAT 20.20.20.10:80, 20.20.20.1:1234
20.20.20.10:80, 192.168.138.1:1234
SNAT 192.168.138.2:5678, 20.20.20.10:80
20.20.20.1:5678, 20.20.20.10:80
DNAT 20.20.20.10:80, 20.20.20.1:5678
20.20.20.10:80, 192.168.138.2:5678
79 Fortinet Confidential
Understanding Dynamic SNAT behavior and limitations
How does the FortiGate track sessions in order to redirect reply traffic?
PC1192.168.138.1
Web Server20.20.20.10
20.20.20.1
PC2192.168.138.2
SADDR SPORT DADDR DPORT
20.20.20.10 80 192.168.138.2 5678
SADDR SPORT DADDR DPORT
20.20.20.10 80 20.20.20.1 5678
ORIGINAL REPLY
SNAT 192.168.138.1:1234, 20.20.20.10:80
20.20.20.1:1234, 20.20.20.10:80
DNAT 20.20.20.10:80, 20.20.20.1:1234
20.20.20.10:80, 192.168.138.1:1234
SNAT 192.168.138.2:5678, 20.20.20.10:80
20.20.20.1:5678, 20.20.20.10:80
DNAT 20.20.20.10:80, 20.20.20.1:5678
20.20.20.10:80, 192.168.138.2:5678
80 Fortinet Confidential
Understanding Dynamic SNAT behavior and limitations
How does the FortiGate track sessions in order to redirect reply traffic?
PC1192.168.138.1
Web Server20.20.20.10
20.20.20.1
PC2192.168.138.2
SADDR SPORT DADDR DPORT
192.168.138.2 1234 20.20.20.10 80
SADDR SPORT DADDR DPORT
20.20.20.1 1234 20.20.20.10 80
ORIGINAL REPLY
SNAT 192.168.138.1:1234, 20.20.20.10:80
20.20.20.1:1234, 20.20.20.10:80
DNAT 20.20.20.10:80, 20.20.20.1:1234
20.20.20.10:80, 192.168.138.1:1234
SNAT 192.168.138.2:1234, 20.20.20.10:80
20.20.20.1:1234, 20.20.20.10:80
DNAT 20.20.20.10:80, 20.20.20.1:1234
20.20.20.10:80, 192.168.138.2:1234
81 Fortinet Confidential
Understanding Dynamic SNAT behavior and limitations
How does the FortiGate track sessions in order to redirect reply traffic?
[Diagram: PC1 192.168.138.1 and PC2 192.168.138.2 behind the FortiGate (outside address 20.20.20.1); Web Server 20.20.20.10]
Reply from the Web Server as received on the outside:   SADDR 20.20.20.10  SPORT 80  DADDR 20.20.20.1  DPORT 1234
Session table (ORIGINAL direction = SNAT entry, REPLY direction = DNAT entry):
SNAT 192.168.138.1:1234, 20.20.20.10:80 -> 20.20.20.1:1234, 20.20.20.10:80
DNAT 20.20.20.10:80, 20.20.20.1:1234 -> 20.20.20.10:80, 192.168.138.1:1234
SNAT 192.168.138.2:1234, 20.20.20.10:80 -> 20.20.20.1:1234, 20.20.20.10:80
DNAT 20.20.20.10:80, 20.20.20.1:1234 -> 20.20.20.10:80, 192.168.138.2:1234
CONFLICT! Both DNAT entries match the reply to 20.20.20.1:1234, so the FortiGate cannot tell whether it belongs to PC1 or PC2.
82 Fortinet Confidential
Understanding Dynamic SNAT behavior and limitations
How does the FortiGate track sessions in order to redirect reply traffic?
[Diagram: PC1 192.168.138.1 and PC2 192.168.138.2 behind the FortiGate (outside address 20.20.20.1); Web Server 20.20.20.10]
Packet from PC2 before SNAT:   SADDR 192.168.138.2  SPORT 1234  DADDR 20.20.20.10  DPORT 80
Packet from PC2 after SNAT:    SADDR 20.20.20.1     SPORT 2232  DADDR 20.20.20.10  DPORT 80
Session table (ORIGINAL direction = SNAT entry, REPLY direction = DNAT entry):
SNAT 192.168.138.1:1234, 20.20.20.10:80 -> 20.20.20.1:1234, 20.20.20.10:80
DNAT 20.20.20.10:80, 20.20.20.1:1234 -> 20.20.20.10:80, 192.168.138.1:1234
SNAT 192.168.138.2:1234, 20.20.20.10:80 -> 20.20.20.1:2232, 20.20.20.10:80
DNAT 20.20.20.10:80, 20.20.20.1:2232 -> 20.20.20.10:80, 192.168.138.2:1234
83 Fortinet Confidential
Understanding Dynamic SNAT behavior and limitations
How does the FortiGate track sessions in order to redirect reply traffic?
[Diagram: PC1 192.168.138.1 and PC2 192.168.138.2 behind the FortiGate (outside address 20.20.20.1); Web Server 20.20.20.10]
Reply from the Web Server as received on the outside:   SADDR 20.20.20.10  SPORT 80  DADDR 20.20.20.1  DPORT 2232
Session table (ORIGINAL direction = SNAT entry, REPLY direction = DNAT entry):
SNAT 192.168.138.1:1234, 20.20.20.10:80 -> 20.20.20.1:1234, 20.20.20.10:80
DNAT 20.20.20.10:80, 20.20.20.1:1234 -> 20.20.20.10:80, 192.168.138.1:1234
SNAT 192.168.138.2:1234, 20.20.20.10:80 -> 20.20.20.1:2232, 20.20.20.10:80
DNAT 20.20.20.10:80, 20.20.20.1:2232 -> 20.20.20.10:80, 192.168.138.2:1234
Reply after DNAT, delivered to PC2:   SADDR 20.20.20.10  SPORT 80  DADDR 192.168.138.2  DPORT 5678
84 Fortinet Confidential
Understanding Dynamic SNAT behavior and limitations
How many unique NAT entries to a given Web Server can be referenced in a FortiGate?
How did you reach that number?
85 Fortinet Confidential
Understanding Dynamic SNAT behavior and limitations
1. Using the source port as part of the "unique key" brings an intrinsic limitation: there are only 65,535 possible source ports.
2. Actually, FortiOS uses a sub-pool of 32,768 ports (28,672-61,440).(*)
3. The FortiOS pool is tied to a unique combination of NAT IP, Destination IP, Port and Protocol.
4. Indicators that this limit is being reached are:
» The clash counter increases: a session clash means that when a new session needs to be created, an old session already exists, so the old one is deleted and the new one is created.
» "NAT port is exhausted": this entry appears in the system log.
(*) http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30357
86 Fortinet Confidential
Understanding Dynamic SNAT behavior and limitations
FGT_XT_12 # diag sys session stat
misc info: session_count=1 setup_rate=0 exp_count=0 clash=0
memory_tension_drop=0 ephemeral=0/32768 removeable=0 ha_scan=0
delete=0, flush=0, dev_down=0/0
TCP sessions:
1 in ESTABLISHED state
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000000
tcp reset stat:
syncqf=0 acceptqf=0 no-listener=1 data=0 ses=6 ips=0
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0
87 Fortinet Confidential
Understanding Dynamic SNAT behavior and limitations
1. The best way of overcoming this limitation is to use IP Pool Ranges as SNAT.
2. This way, for a given Destination IP address + Protocol + Port, the pool is multiplied by N (N being the number of IP addresses in the IP Pool Range):
Range: 20.20.20.2 – 20.20.20.2 = 1 * 32,768 = 32,768
Range: 20.20.20.2 – 20.20.20.5 = 4 * 32,768 = 131,072
If you're doing deployments on large networks you will probably want to use IP Pool Ranges.
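The following is an added model of the session tracking the previous slides walk through (example code written for this page, not FortiOS code): reply traffic is matched on the translated tuple, a source port that would make the reply ambiguous is re-mapped, a clash replaces the old session, the 32,768-port sub-pool bounds the sessions one NAT IP can carry to one destination, and an IP Pool Range multiplies that bound. Keeping the client's port when it is free and taking pool ports in round-robin order are assumptions of this model.

```python
import ipaddress

# Translated source ports come from the sub-pool the deck cites (28,672-61,440).
POOL_START, POOL_END = 28672, 61440
POOL_SIZE = POOL_END - POOL_START            # 32,768 ports


def pool_capacity(first_ip, last_ip):
    """Unique NAT entries possible toward one destination IP/port/protocol
    when an IP Pool Range is used: N addresses x 32,768 ports."""
    n = int(ipaddress.ip_address(last_ip)) - int(ipaddress.ip_address(first_ip)) + 1
    return n * POOL_SIZE


class SnatTable:
    """Dynamic SNAT behind a single NAT IP (the outgoing interface address)."""

    def __init__(self, nat_ip):
        self.nat_ip = nat_ip
        self.by_orig = {}        # (proto, src, dst)     -> nat_src : original direction (act=snat)
        self.by_reply = {}       # (proto, dst, nat_src) -> src     : reply direction (act=dnat)
        self.cursor = {}         # next pool port to try, per (proto, dst) - model assumption
        self.clash = 0           # mirrors 'clash=' in 'diag sys session stat'
        self.port_exhausted = 0  # would be a 'NAT port is exhausted' system log entry

    def _reply_free(self, proto, dst, port):
        # A reply from dst to nat_ip:port must map to exactly one inside host.
        return (proto, dst, (self.nat_ip, port)) not in self.by_reply

    def _pool_port(self, proto, dst):
        """Next unused sub-pool port toward this destination/protocol (round robin)."""
        key = (proto, dst)
        start = self.cursor.get(key, POOL_START)
        for i in range(POOL_SIZE):
            p = POOL_START + (start - POOL_START + i) % POOL_SIZE
            if self._reply_free(proto, dst, p):
                self.cursor[key] = p + 1
                return p
        return None

    def snat(self, proto, src, dst):
        """Original direction. Returns the translated source (ip, port),
        or None when no port toward this destination is left."""
        okey = (proto, src, dst)
        if okey in self.by_orig:
            # Clash: the same original 5-tuple arrives while a session for it
            # still exists; the old session is deleted and a new one created.
            self.clash += 1
            self.by_reply.pop((proto, dst, self.by_orig.pop(okey)))
        # Keep the client's source port unless a reply to nat_ip:port would be
        # ambiguous (PC1 and PC2 both using 1234 in the slides).
        port = src[1] if self._reply_free(proto, dst, src[1]) else self._pool_port(proto, dst)
        if port is None:
            self.port_exhausted += 1
            return None
        nat_src = (self.nat_ip, port)
        self.by_orig[okey] = nat_src
        self.by_reply[(proto, dst, nat_src)] = src
        return nat_src

    def dnat(self, proto, server, nat_src):
        """Reply direction: map the server's packet to nat_ip:port back to the inside host."""
        return self.by_reply.get((proto, server, nat_src))
```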
88 Fortinet Confidential
Lab 6 – Dynamic SNAT w/IP Pool Range
[Lab 6 topology: Host PC on vmnet1 with source addresses 192.168.138.1, 192.168.138.2 and 192.168.138.56; FortiGate port1 192.168.138.10, port2 20.20.20.1; xserver01 eth1 20.20.20.10; IP Pool Range 20.20.20.2 – 20.20.20.5]
Host PC -> 192.168.138.100:   SADDR 192.168.138.1   SPORT 1234  DADDR 192.168.138.100  DPORT 80
After SNAT on port2:          SADDR 20.20.20.3      SPORT 4321  DADDR 20.20.20.10      DPORT 80
Host PC -> 192.168.138.100:   SADDR 192.168.138.56  SPORT 4567  DADDR 192.168.138.100  DPORT 80
After SNAT on port2:          SADDR 20.20.20.2      SPORT 7654  DADDR 20.20.20.10      DPORT 80
89 Fortinet Confidential
Lab 6 – Dynamic SNAT w/IP Pool Range
1. Create a new IP Pool
» Name: IP_Pool_2_to_5
» IP Range/Subnet: 20.20.20.2 – 20.20.20.5
2. Edit the firewall policy that allows traffic to XTWebServer01Pub and configure the newly created IP Pool for NAT
90 Fortinet Confidential
Lab 6 – Dynamic SNAT w/IP Pool Range
91 Fortinet Confidential
Lab 6 – Dynamic SNAT w/IP Pool Range
92 Fortinet Confidential
Lab 6 – Dynamic SNAT w/IP Pool Range
93 Fortinet Confidential
Lab 6 – Dynamic SNAT w/IP Pool Range
4. Sniff HTTP traffic on the outgoing interface, port2:
» FGT_XT_12 # diag sni packet port2 'port 80 or icmp' 4
5. On the Host PC, open an HTTP session using telnet, or just ping, using different source IP addresses:
» Mac OS X: # telnet -s 192.168.138.X 192.168.138.100 80
» Linux: # telnet -b 192.168.138.X 192.168.138.100 80
» Windows: <don't think you can do this>
» Mac OS X: # ping -S 192.168.138.X 192.168.138.100
» Linux: # ping -I eth0:X 192.168.138.100
» Windows (XP does not have this flag): # ping -S 192.168.138.X 192.168.138.100
94 Fortinet Confidential
Lab 6 – Dynamic SNAT w/IP Pool Range
6. Review how the NAT IP address depends on the source IP of the original packet.
FGT_XT_12 # diag sniffer packet port2 'icmp or port 80' 1
interfaces=[port2]
filters=[icmp or port 80]
Using Source IP: 192.168.138.1
96.416203 20.20.20.3 -> 20.20.20.10: icmp: echo request
96.420104 20.20.20.10 -> 20.20.20.3: icmp: echo reply
97.416982 20.20.20.3 -> 20.20.20.10: icmp: echo request
97.417217 20.20.20.10 -> 20.20.20.3: icmp: echo reply
Using Source IP: 192.168.138.2
105.204372 20.20.20.4 -> 20.20.20.10: icmp: echo request
105.208867 20.20.20.10 -> 20.20.20.4: icmp: echo reply
106.204815 20.20.20.4 -> 20.20.20.10: icmp: echo request
106.205062 20.20.20.10 -> 20.20.20.4: icmp: echo reply
Using Source IP: 192.168.138.56
112.955957 20.20.20.2 -> 20.20.20.10: icmp: echo request
112.956181 20.20.20.10 -> 20.20.20.2: icmp: echo reply
113.956425 20.20.20.2 -> 20.20.20.10: icmp: echo request
113.956671 20.20.20.10 -> 20.20.20.2: icmp: echo reply
95 Fortinet Confidential
SNAT w/IP Pool Range Behavior
• Behavior on different range sizes
1. Original IP Range > IP Pool Range
Original source IP   NAT IP
192.168.138.1        20.20.20.1
192.168.138.2        20.20.20.2
192.168.138.3        20.20.20.1
192.168.138.4        20.20.20.2
…
192.168.138.254      20.20.20.2
SOURCE IP ADDRESSES ARE TRANSLATED USING A WRAP-AROUND MECHANISM
96 Fortinet Confidential
SNAT w/IP Pool Range Behavior (cont.)
• Behavior on different range sizes
2. Original IP Range < IP Pool Range
Original source IP   NAT IP
192.168.138.1        20.20.20.1
192.168.138.2        20.20.20.2
192.168.138.3        20.20.20.3
Not used             20.20.20.4
…
Not used             20.20.20.254
A SUBSET OF IP ADDRESSES WILL NEVER BE USED
97 Fortinet Confidential
SNAT w/IP Pool Range Behavior (cont.)
• Behavior on different range sizes
3. Original IP Range = IP Pool Range
Original source IP   NAT IP
192.168.138.1        20.20.20.1
192.168.138.2        20.20.20.2
192.168.138.3        20.20.20.3
192.168.138.4        20.20.20.4
…
192.168.138.254      20.20.20.254
EACH SOURCE IP IS ALWAYS TRANSLATED TO ITS MATCHING ADDRESS
98 Fortinet Confidential
SNAT w/IP Pool Range Behavior (cont.)
When the range sizes match, would it be fair to say that this behaves as a STATIC 1-to-1 NAT?
No, since the source ports are still translated randomly.
99 Fortinet Confidential
Static SNAT (1-to-1)
• So far we saw Dynamic SNAT, where an N-to-1 or N-to-M mapping exists
• The Source Port was translated randomly
• Static NAT assures that a given Source IP is always translated to a predefined IP address in a 1-to-1 fashion
• No Source Port translation exists
Source IP             Translated Source IP
192.168.138.1:1234    20.20.20.1:1234
192.168.138.2:4325    20.20.20.2:4325
192.168.138.3:5698    20.20.20.3:5698
…
192.168.138.254:7654  20.20.20.254:7654
100 Fortinet Confidential
Static SNAT (1-to-1)
• There are some applications that need a specific source port to work: VoIP, videoconference, tunneling applications, etc.
"A DNS protocol vulnerability is indirectly affected by NAT port mapping. To avoid DNS server cache poisoning, it is highly desirable to not translate UDP source port numbers of outgoing DNS requests from a DNS server which is behind a firewall which implements NAT."(1)
• For these cases, you should probably think of Static NAT
(1) http://en.wikipedia.org/wiki/Network_address_translation
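An added model of the IP Pool Range behaviour from slides 95-100 (example code for this page, not FortiOS code). The selection rule, source address modulo pool size, is an assumption: it reproduces the Lab 6 and Lab 7 captures on this page (192.168.138.1 -> 20.20.20.3, .2 -> .4, .3 -> .5, .4 -> .2, .56 -> .2 with pool 20.20.20.2 – 20.20.20.5), but FortiOS's actual algorithm is not documented here. `fixed_port` models the Static 1-to-1 case where no source port translation exists.

```python
import ipaddress
import secrets

# Translated source ports come from the sub-pool the deck cites (28,672-61,440).
POOL_START, POOL_END = 28672, 61440


def expand_range(first_ip, last_ip):
    """All addresses of an IP Pool Range, first to last inclusive."""
    lo, hi = int(ipaddress.ip_address(first_ip)), int(ipaddress.ip_address(last_ip))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]


def pool_ip_for(src_ip, pool):
    """Pool address for a source: source address modulo pool size (model assumption)."""
    return pool[int(ipaddress.ip_address(src_ip)) % len(pool)]


def translate(src_ip, src_port, pool, fixed_port=False):
    """SNAT with an IP Pool Range. With fixed_port (Static 1-to-1 NAT) the client's
    source port is preserved; otherwise a random port from the sub-pool is used."""
    ip = pool_ip_for(src_ip, pool)
    port = src_port if fixed_port else POOL_START + secrets.randbelow(POOL_END - POOL_START)
    return ip, port


def range_behaviour(src_first, src_last, pool_first, pool_last):
    """Classify the mapping of an original range onto a pool (slides 95-97).
    Returns (kind, pool IPs shared by several sources, pool IPs never used)."""
    sources = expand_range(src_first, src_last)
    pool = expand_range(pool_first, pool_last)
    used = {}
    for s in sources:
        used.setdefault(pool_ip_for(s, pool), []).append(s)
    shared = sorted(ip for ip, srcs in used.items() if len(srcs) > 1)
    unused = [ip for ip in pool if ip not in used]
    if len(sources) > len(pool):
        kind = "wrap-around"        # several sources share one NAT IP
    elif len(sources) < len(pool):
        kind = "subset unused"      # some pool addresses are never used
    else:
        kind = "one-to-one"         # every source gets its own NAT IP
    return kind, shared, unused
```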
101 Fortinet Confidential
Lab 7 – Static SNAT (1-to-1)
[Lab 7 topology: Host PC on vmnet1 (192.168.138.1, 192.168.138.4 shown); FortiGate port1 192.168.138.10, port2 20.20.20.1; xserver01 eth1 20.20.20.10; IP Pool Range 20.20.20.2 – 20.20.20.5]
Host PC -> 192.168.138.100:   SADDR 192.168.138.2  SPORT 1234  DADDR 192.168.138.100  DPORT 80
After static SNAT:            SADDR 20.20.20.2     SPORT 1234  DADDR 20.20.20.10      DPORT 80
Host PC -> 192.168.138.100:   SADDR 192.168.138.3  SPORT 4567  DADDR 192.168.138.100  DPORT 80
After static SNAT:            SADDR 20.20.20.3     SPORT 4567  DADDR 20.20.20.10      DPORT 80
102 Fortinet Confidential
Lab 7 – Static SNAT (1-to-1)
1. Create a new Firewall Address
» Name: Addr_Range_2_to_5
» Subnet / IP Range: 192.168.138.[2-5]
2. Create a firewall policy that allows HTTP/ICMP traffic from Addr_Range_2_to_5 to "any", using IP_Pool_2_to_5 as NAT
3. Make sure to enable "Fixed Port" on the new rule.
103 Fortinet Confidential
Lab 7 – Static SNAT (1-to-1)
104 Fortinet Confidential
Lab 7 – Static SNAT (1-to-1)
105 Fortinet Confidential
Lab 7 – Static SNAT (1-to-1)
• Here is where the magic happens!
106 Fortinet Confidential
Lab 7 – Static SNAT (1-to-1)
4. Sniff HTTP traffic on the incoming and outgoing interfaces:
» FGT_XT_12 # diag sni packet any 'port 80 and host 20.20.20.10' 4
5. On the Host PC, open an HTTP session using telnet, or just ping, using different source IP addresses:
» Mac OS X: # telnet -s 192.168.138.X 192.168.138.100 80
» Linux: # telnet -b 192.168.138.X 192.168.138.100 80
» Windows: <don't think you can do this>
107 Fortinet Confidential
Lab 7 – Static SNAT (1-to-1)
6. Review how the NAT IP address depends on the source IP of the original packet.
FGT_XT_12 # diag sniffer packet any 'port 80 and host 20.20.20.10' 4
interfaces=[any]
filters=[port 80 and host 20.20.20.10]
Using Source IP: 192.168.138.2
2.349765 port1 in 192.168.138.2.58229 -> 20.20.20.10.80: syn 4243720882
2.349838 port2 out 20.20.20.4.58229 -> 20.20.20.10.80: syn 4243720882
Using Source IP: 192.168.138.3
11.728808 port1 in 192.168.138.3.58230 -> 20.20.20.10.80: syn 650004285
11.728942 port2 out 20.20.20.5.58230 -> 20.20.20.10.80: syn 650004285
Using Source IP: 192.168.138.4
19.844453 port1 in 192.168.138.4.58231 -> 20.20.20.10.80: syn 1223648107
19.844592 port2 out 20.20.20.2.58231 -> 20.20.20.10.80: syn 1223648107
108 Fortinet Confidential
Lab 7 – Static SNAT w/Port Translation
• Port Address Translation is also an option when doing SNAT
• The idea is to translate a range of source ports into another range of the same size
• This is one of the benefits of using the Central NAT Table (available since 4.0 MR2)
• Remember that the Central NAT Table is for Source NAT only
109 Fortinet Confidential
Lab 7 – Static SNAT w/Port Translation
[Lab 7 topology: Host PC on vmnet1 192.168.138.1, source port 60000; FortiGate port1 192.168.138.10, port2 20.20.20.1; xserver01 eth1 20.20.20.10; translated source 20.20.20.1:32000]
Host PC:                            SADDR 192.168.138.1  SPORT 60000  DADDR 20.20.20.10  DPORT 80
After SNAT with port translation:   SADDR 20.20.20.1     SPORT 32000  DADDR 20.20.20.10  DPORT 80
Host PC:                            SADDR 192.168.138.1  SPORT 60001  DADDR 20.20.20.10  DPORT 80
After SNAT with port translation:   SADDR 20.20.20.1     SPORT 32001  DADDR 20.20.20.10  DPORT 80
110 Fortinet Confidential
Lab 7 – Static SNAT w/Port Translation
1. Enable the Central NAT Table
• Go to System > Admin > Settings
• Enable Central NAT Table in the GUI options
2. Create a firewall rule on top of the others allowing HTTP traffic from any source to any destination. Enable NAT and use the Central NAT table for this rule.
3. Create a new entry in the Central NAT table
» Source Address: all
» Translated Address: IP_Pool_2_to_5
» Original Source Port: 1
» Translated Port: 180 – 184
111 Fortinet Confidential
Lab 7 – Static SNAT w/Port Translation
112 Fortinet Confidential
Lab 7 – Static SNAT w/Port Translation
113 Fortinet Confidential
Lab 7 – Static SNAT w/Port Translation
114 Fortinet Confidential
Lab 7 – Static SNAT w/Port Translation
4. Browse to http://20.20.20.10 while sniffing traffic
• We can't control which source port the operating system is going to pick. Hopefully it will be in the range specified in the Central NAT Table.
115 Fortinet Confidential
Lab 7 – Static SNAT w/Port Translation
FGT_XT_12 # diag sni packet any 'host 20.20.20.10' 4
interfaces=[any]
filters=[host 20.20.20.10]
5.684952 port1 in 192.168.138.1.60764 -> 20.20.20.10.80: syn 205570712
5.685011 port2 out 20.20.20.3.29763 -> 20.20.20.10.80: syn 205570712
5.691359 port2 in 20.20.20.10.80 -> 20.20.20.3.29763: syn 3656265083 ack 205570713
5.691394 port1 out 20.20.20.10.80 -> 192.168.138.1.60764: syn 3656265083 ack 205570713
5.691531 port1 in 192.168.138.1.60764 -> 20.20.20.10.80: ack 3656265084
5.691542 port2 out 20.20.20.3.29763 -> 20.20.20.10.80: ack 3656265084
5.692194 port1 in 192.168.138.1.60764 -> 20.20.20.10.80: psh 205570713 ack 3656265084
5.692205 port2 out 20.20.20.3.29763 -> 20.20.20.10.80: psh 205570713 ack 3656265084
5.693810 port2 in 20.20.20.10.80 -> 20.20.20.3.29763: ack 205571060
5.693826 port1 out 20.20.20.10.80 -> 192.168.138.1.60764: ack 205571060
60764 (original port) – 32001 (first port of the original range) + 1000 (first port of the translated range) = 29763
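An added helper for checking captures like the ones in Lab 7 (example code for this page, not lab material): it parses `diag sniffer packet ... 4` output, pairs each packet seen inbound with the translated copy that follows it on the other interface (same flags and sequence numbers), reports what changed, and applies the Central NAT port arithmetic from the slide. The two sample captures are copied from the lab output on this page.

```python
import re

LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<way>in|out)\s+"
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$")

# Lab 7 (Fixed Port) capture from this page: port1 in / port2 out pairs.
LAB7_CAPTURE = """\
2.349765 port1 in 192.168.138.2.58229 -> 20.20.20.10.80: syn 4243720882
2.349838 port2 out 20.20.20.4.58229 -> 20.20.20.10.80: syn 4243720882
11.728808 port1 in 192.168.138.3.58230 -> 20.20.20.10.80: syn 650004285
11.728942 port2 out 20.20.20.5.58230 -> 20.20.20.10.80: syn 650004285
19.844453 port1 in 192.168.138.4.58231 -> 20.20.20.10.80: syn 1223648107
19.844592 port2 out 20.20.20.2.58231 -> 20.20.20.10.80: syn 1223648107
"""

# Central NAT Table (port translation) capture from this page, both directions.
CENTRAL_NAT_CAPTURE = """\
5.684952 port1 in 192.168.138.1.60764 -> 20.20.20.10.80: syn 205570712
5.685011 port2 out 20.20.20.3.29763 -> 20.20.20.10.80: syn 205570712
5.691359 port2 in 20.20.20.10.80 -> 20.20.20.3.29763: syn 3656265083 ack 205570713
5.691394 port1 out 20.20.20.10.80 -> 192.168.138.1.60764: syn 3656265083 ack 205570713
5.691531 port1 in 192.168.138.1.60764 -> 20.20.20.10.80: ack 3656265084
5.691542 port2 out 20.20.20.3.29763 -> 20.20.20.10.80: ack 3656265084
"""


def parse_sniffer(text):
    """Packet lines of a 'diag sniffer packet <intf> <filter> 4' dump as dicts."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["src"] = (d.pop("sip"), int(d.pop("sport")))
            d["dst"] = (d.pop("dip"), int(d.pop("dport")))
            pkts.append(d)
    return pkts


def nat_mappings(text):
    """Pair each 'in' packet with the 'out' copy that follows it and report
    ('snat', before, after) when the source changed, ('dnat', ...) for the destination."""
    pending, found = None, []
    for pkt in parse_sniffer(text):
        if pkt["way"] == "in":
            pending = pkt
        elif pending is not None and pkt["rest"] == pending["rest"]:
            if pkt["src"] != pending["src"]:
                found.append(("snat", pending["src"], pkt["src"]))
            if pkt["dst"] != pending["dst"]:
                found.append(("dnat", pending["dst"], pkt["dst"]))
            pending = None
    return found


def fixed_port_preserved(mappings):
    """True when every SNAT in the capture kept the client's source port (Fixed Port)."""
    snats = [(o, n) for kind, o, n in mappings if kind == "snat"]
    return bool(snats) and all(o[1] == n[1] for o, n in snats)


def central_nat_port(port, orig_first, trans_first):
    """Central NAT Table port translation: same offset inside a same-size range."""
    return port - orig_first + trans_first
```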
116 Fortinet Confidential
Lab 7 – Static SNAT w/Port Translation
FGT_XT_12 # diag deb enable
FGT_XT_12 # diag de flow filter daddr 20.20.20.10
FGT_XT_12 # diag deb flo sho con enable
show trace messages on console
FGT_XT_12 # diag deb flo trace start 10
FGT_XT_12 # id=36871 trace_id=26 msg="vd-root received a packet(proto=6, 192.168.138.1:60769->20.20.20.10:80) from port1."
id=36871 trace_id=26 msg="allocate a new session-00001e4d"
id=36871 trace_id=26 msg="find a route: gw-20.20.20.10 via port2"
id=36871 trace_id=26 msg="find SNAT: IP-20.20.20.1, port-25573"
id=36871 trace_id=26 msg="find SNAT: IP-20.20.20.3(from IPPOOL), port-29768"
id=36871 trace_id=26 msg="Allowed by Policy-3: SNAT"
id=36871 trace_id=26 msg="SNAT 192.168.138.1->20.20.20.3:29768"
117 Fortinet Confidential
Lab 7 – Static SNAT (1-to-1)
FGT_XT_12 # diag sys session list
session info: proto=6 proto_state=01 duration=2 expire=3597 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=40459
policy_dir=0 tunnel=/
state=may_dirty
statistic(bytes/packets/allow_err): org=1092/6/1 reply=865/4/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=20.20.20.10/192.168.138.1
hook=post dir=org act=snat 192.168.138.1:60770->20.20.20.10:80(20.20.20.3:29769)
hook=pre dir=reply act=dnat 20.20.20.10:80->20.20.20.3:29769(192.168.138.1:60770)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=00001e4e tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=192.168.138.1, bps=484
total session 1
FGT_XT_12 #
Callouts: the "hook=post dir=org act=snat" line is the action for original-direction traffic; the "hook=pre dir=reply act=dnat" line is the action for reply-direction traffic.
118 Fortinet Confidential
April 18, 2023
Load Balancing NAT
119 Fortinet Confidential
Load Balancing with FortiGate
• You can configure FortiOS load balancing to intercept incoming traffic with a virtual server and share it among one or more backend real servers.
• The FortiGate unit enables multiple real servers to respond as if they were a single device to the outside world.
• Up to eight Real Servers can be load balanced in one VIP
• Things that won’t work: Authentication, WAN Optimization and Web Caching
120 Fortinet Confidential
Load Balancing with FortiGate
When load balancing, there’re some important concepts to keep in mind:
1. Load Balancing Algorithm: Defines how the traffic will be distributed among real servers. FGT supports the following LB algorithms:
» Source IP Hash: Traffic load is statically spread evenly across all real servers, not dependent on how busy individual real servers are. Provides some persistence because all sessions from the same source address always go to the same real server. Distribution is stateless: if a real server is added or removed (or goes up or down) the distribution changes and persistence could be lost.
121 Fortinet Confidential
Load Balancing with FortiGate
» Round Robin: Directs new requests to the next real server, and treats all real servers as equals regardless of response time or number of connections. Dead or non-responsive real servers are avoided.
122 Fortinet Confidential
Load Balancing with FortiGate
» Weighted: Behaves like a weighted round robin. Real servers with a higher weight value receive a larger percentage of connections. Set the real server weight when adding a real server.
123 Fortinet Confidential
Load Balancing with FortiGate
» First Alive: Always directs sessions to the first alive real server (in the order of the real servers). Provides real server failover. For example, if you add real servers A, B and C in that order, then all sessions always go to A as long as it is alive. If A goes down then sessions go to B, and if B goes down sessions go to C. If A comes back up sessions go back to A.
124 Fortinet Confidential
Load Balancing with FortiGate
» Least RTT (Round Trip Time): Directs sessions to the real server with the least round trip time. The round trip time is determined by a Ping health check monitor and defaults to 0 if no Ping health check monitors are added to the virtual server.
125 Fortinet Confidential
Load Balancing with FortiGate
» Least Sessions: Directs requests to the real server that has the least number of current connections. This method works best in environments where the real servers or other equipment you are load balancing all have similar capabilities. This load balancing method uses the FortiGate session table to track the number of sessions being processed by each real server.
126 Fortinet Confidential
Load Balancing with FortiGate
» HTTP Host: Load balances HTTP connections across multiple real servers using the request's Host header to guide the connection to the correct real server. For example: www.mycompany.com goes to 20.20.20.10, www.mycompany.org goes to 20.20.20.20 and the rest of the traffic goes to 20.20.20.30
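An added model of the seven selection methods described above, written for this page (not FortiOS code), so the differences can be exercised: dead servers are skipped by all methods, weighted round robin repeats a server by its weight, First Alive fails over and back in configured order, and Source IP Hash is stateless. The hash function used for Source IP Hash is an assumption; the deck does not name it.

```python
import hashlib


class RealServer:
    """One backend of a virtual server, with the attributes the methods consult."""

    def __init__(self, ip, weight=1, alive=True, rtt_ms=0.0):
        self.ip, self.weight, self.alive = ip, weight, alive
        self.rtt_ms = rtt_ms       # from a Ping health-check; 0 when none is attached
        self.sessions = 0          # current connections, as counted in the session table


class VirtualServer:
    """Chooses the real server for a new session according to the LB method."""

    def __init__(self, real_servers, method="round-robin", host_map=None, default_ip=None):
        self.rs = list(real_servers)        # configured order matters for first-alive
        self.method = method
        self.host_map = host_map or {}      # http-host: Host header -> real server IP
        self.default_ip = default_ip        # http-host: where the rest of the traffic goes
        self._next = 0                      # round-robin position

    def pick(self, src_ip=None, host=None):
        alive = [s for s in self.rs if s.alive]   # dead real servers are always avoided
        if not alive:
            return None
        if self.method == "source-ip-hash":
            # Stateless: the same source always lands on the same server, but the
            # modulus changes whenever a server is added, removed or goes down.
            h = int.from_bytes(hashlib.sha256(src_ip.encode()).digest()[:4], "big")
            return alive[h % len(alive)]
        if self.method == "round-robin":
            s = alive[self._next % len(alive)]
            self._next += 1
            return s
        if self.method == "weighted":
            # Weighted round robin: a weight-3 server appears three times per cycle.
            cycle = [s for s in alive for _ in range(s.weight)]
            s = cycle[self._next % len(cycle)]
            self._next += 1
            return s
        if self.method == "first-alive":
            return alive[0]                 # failover (and fail-back) in configured order
        if self.method == "least-rtt":
            return min(alive, key=lambda s: s.rtt_ms)
        if self.method == "least-sessions":
            return min(alive, key=lambda s: s.sessions)
        if self.method == "http-host":
            target = self.host_map.get(host, self.default_ip)
            return next((s for s in alive if s.ip == target), None)
        raise ValueError(f"unknown method {self.method}")

    def new_session(self, **kw):
        """Pick a server and account the connection, so least-sessions sees it."""
        s = self.pick(**kw)
        if s is not None:
            s.sessions += 1
        return s
```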
127 Fortinet Confidential
Load Balancing with FortiGate
When load balancing, there’re some important concepts to keep in mind:
2. Health-Check: Mechanisms to check server and application status and determine whether they are able to receive connections:
» PING: Verifies that the IP address is reachable from the FortiGate by means of ICMP Echo Request/Response. ONLY checks reachability
128 Fortinet Confidential
Load Balancing with FortiGate
» TCP: Opens a socket to the specified port, making sure there is Layer 4 connectivity (i.e. some process is "listening" on that port)
129 Fortinet Confidential
Load Balancing with FortiGate
» HTTP: In this case the health-checker performs a GET request to the specified URL, making sure not only that the Web Server is up and running but that the application is actually working. A matched-content condition can be specified to check that it is retrieving the correct content (e.g. there was no defacement)
130 Fortinet Confidential
Load Balancing with FortiGate
3. Session Persistence: The mechanism that ensures connections belonging to the same user session always end up on the same Real Server. This is mandatory for transactional sites, for example.
» HTTP Cookie: Inserts a cookie in the user session to track persistence
» SSL Session ID: Works on HTTPS only and tracks persistence by the ID generated in the SSL session
131 Fortinet Confidential
Load Balancing with FortiGate
4. Session Multiplexing: Leverages the HTTP/1.1 feature that allows multiple HTTP requests to be carried over a single connection. This frees up resources on real servers by avoiding session setup.
Preserve Client IP will insert an X-Forwarded-For header so the real servers can track the client's IP address. If not enabled, they will only see the FGT's IP address.
132 Fortinet Confidential
Load Balancing with FortiGate – Session Multiplexing
Behavior without Session Multiplexing
[Diagram: PC1, PC2 and PC3 each open their own connection through the FortiGate to the Web Server]
The Web Server established three sessions, allocating CPU for the session setup and memory for the session information
133 Fortinet Confidential
Load Balancing with FortiGate – Session Multiplexing
Behavior with Session Multiplexing
[Diagram: PC1, PC2 and PC3 connect to the FortiGate, which carries their requests over one HTTP/1.1 persistent session to the Web Server]
The Web Server established just one session = more resources available for other clients
134 Fortinet Confidential
Load Balancing with FortiGate
5. SSL Offloading: The FortiGate can offload SSL 3.0 and TLS 1.0 on specific hardware (FortiASIC), freeing up Real Server resources.
» Half-Mode Offloading: Creates a secure channel between the FGT and the client and a clean channel between the FGT and the server. Real Servers don't process encryption
» Full-Mode Offloading: Creates a secure channel on both sides of the FGT. The Real Server processes encryption with an abbreviated handshake.
135 Fortinet Confidential
Load Balancing with FortiGate – SSL Offloading
Half-Mode Encryption
• FortiGate needs the Certificate and Private Key of the web site
[Diagram: PC1 <-- Encrypted --> FortiGate <-- Clean --> Web Server]
The FortiGate will be in charge of processing encryption/decryption
136 Fortinet Confidential
Load Balancing with FortiGate – SSL Offloading
Full-Mode Encryption
• FortiGate needs the Certificate and Private Key of the web site
• The Web Server needs a Certificate and Private Key as well
[Diagram: PC1 <-- Encrypted --> FortiGate <-- Encrypted --> Web Server]
Both the FortiGate and the Web Server will be processing encryption/decryption
137 Fortinet Confidential
Lab 8 – Load Balancing VIP
[Lab 8 topology: Host PC on vmnet1 192.168.138.1; FortiGate port1 192.168.138.10, port2 20.20.20.1; real servers xserver01 eth1 20.20.20.10 and xserver02 eth1 20.20.20.20; virtual server IP 192.168.138.101]
Host PC -> virtual server:   SADDR 192.168.138.1  SPORT 23456  DADDR 192.168.138.100  DPORT 443
To real server xserver01:    SADDR 192.168.138.1  SPORT 1234   DADDR 20.20.20.10      DPORT 80
To real server xserver02:    SADDR 192.168.138.1  SPORT 3456   DADDR 20.20.20.20      DPORT 80
138 Fortinet Confidential
Lab 8 – Load Balancing VIP
1. Create a health-checker for HTTP
• Name: XT_HTTP_Check
• Type: HTTP
• Port: 80
• URL: /index.html
• Matched Content: XTREME
• Leave defaults for the rest
139 Fortinet Confidential
Lab 8 – Load Balancing VIP
3. Create a Virtual Server
• Name: LB_Public_IP
• Type: HTTP
• Interface: port1
• Virtual Server IP: 192.168.138.101
• Virtual Server Port: 80
• Load Balance Method: Round Robin
• Health Check: select the recently created health-checker
4. Create both Real Servers
• Virtual Server: LB_Public_IP
• IP Address: 20.20.20.10 and 20.20.20.20
• Port: 80
140 Fortinet Confidential
Lab 8 – Load Balancing VIP
4. Create a firewall policy allowing HTTP traffic from port1 to port2 with the newly created Load-Balance VIP as destination.
4. Make sure this policy is on top of the others.
141 Fortinet Confidential
Lab 8 – Load Balancing VIP
142 Fortinet Confidential
Lab 8 – Load Balancing VIP
143 Fortinet Confidential
Lab 8 – Load Balancing VIP
It's possible to define a different health-check per real server using the CLI.
Real server status:
Active: receives connections
Disabled: doesn't receive connections
Standby: becomes active if another fails (n+1)
144 Fortinet Confidential
Lab 8 – Load Balancing VIP
145 Fortinet Confidential
Lab 8 – Load Balancing VIP
6. Monitor real-server health on GUI and CLI
146 Fortinet Confidential
Lab 8 – Load Balancing VIP
7. Let's generate some sessions and check whether they are DNATed to different IP addresses. Browse from the Host PC to http://192.168.138.101
FGT_XT_12 # diag sniffer packet port2 'port 80' 1
interfaces=[port2]
filters=[port 80]
4.110573 20.20.20.1.4447 -> 20.20.20.20.80: syn 1375892443
4.110681 20.20.20.1.4448 -> 20.20.20.10.80: syn 293125801
4.110793 20.20.20.20.80 -> 20.20.20.1.4447: syn 2610757897 ack 1375892444
4.110824 20.20.20.1.4447 -> 20.20.20.20.80: ack 2610757898
4.110879 20.20.20.10.80 -> 20.20.20.1.4448: syn 1901104108 ack 293125802
4.110917 20.20.20.1.4448 -> 20.20.20.10.80: ack 1901104109
4.110991 20.20.20.1.4448 -> 20.20.20.10.80: psh 293125802 ack 1901104109
4.111045 20.20.20.1.4447 -> 20.20.20.20.80: psh 1375892444 ack 2610757898
4.111122 20.20.20.10.80 -> 20.20.20.1.4448: ack 293125867
4.111232 20.20.20.20.80 -> 20.20.20.1.4447: ack 1375892509
4.111549 20.20.20.10.80 -> 20.20.20.1.4448: psh 1901104109 ack 293125867
4.111571 20.20.20.1.4448 -> 20.20.20.10.80: ack 1901104461
4.111619 20.20.20.20.80 -> 20.20.20.1.4447: psh 2610757898 ack 1375892509
4.111637 20.20.20.1.4447 -> 20.20.20.20.80: ack 2610758250
4.111690 20.20.20.10.80 -> 20.20.20.1.4448: fin 1901104461 ack 293125867
147 Fortinet Confidential
Lab 8 – Load Balancing VIP
FGT_XT_12 # diag sys session filter dport 80
FGT_XT_12 # diag sys session list
session info: proto=6 proto_state=05 duration=0 expire=0 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=10251
policy_dir=0 tunnel=/
state=local
statistic(bytes/packets/allow_err): org=385/6/1 reply=620/5/1 tuples=2
orgin->sink: org out->post, reply pre->in dev=7->3/3->7 gwy=0.0.0.0/20.20.20.1
hook=out dir=org act=noop 20.20.20.1:6775->20.20.20.10:80(0.0.0.0:0)
hook=in dir=reply act=noop 20.20.20.10:80->20.20.20.1:6775(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=00002c6f tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=20.20.20.1, bps=2010
Q: Is this the load-balanced session?
A: No, this is the health-checker's session. There's no NAT there.
148 Fortinet Confidential
Lab 8 – Load Balancing VIP
FGT_XT_12 # diag sys session filter dport 80
FGT_XT_12 # diag sys session list
session info: proto=6 proto_state=01 duration=1 expire=3598 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=40459
policy_dir=0 tunnel=/
state=log may_dirty
statistic(bytes/packets/allow_err): org=571/4/1 reply=584/3/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=20.20.20.10/192.168.138.1
hook=pre dir=org act=dnat 192.168.138.1:54004->192.168.138.101:80(20.20.20.10:80)
hook=post dir=reply act=snat 20.20.20.10:80->192.168.138.1:54004(192.168.138.101:80)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=5 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=00002cc0 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=192.168.138.1, bps=151
This one is the load-balanced session
149 Fortinet Confidential
Lab 8 – Load Balancing VIP
7. Change index.html and re-check the health status.
• Log in to any of the Web Servers and move index.html
• $ mv index.html index.html.2
150 Fortinet Confidential
Lab 8 – Load Balancing VIP
8. Edit the Virtual Server object and select Persistence using HTTP Cookie.
9. Browse again to http://192.168.138.101 and check the individual cookies. Is there one from that site?
» Cookie Name: FGTServer
10. As long as the cookie remains valid you will always be redirected to the same Web Server
151 Fortinet Confidential
Lab 8 – Load Balancing VIP
152 Fortinet Confidential
Lab 8 – Load Balancing VIP
153 Fortinet Confidential
April 18, 2023
Working with SIP ALG
154 Fortinet Confidential
How SIP ALG works
155 Fortinet Confidential
How the SIP ALG performs NAT
• Using NAT with SIP is more complex because of the IP addresses and media stream port numbers used in SIP message headers and bodies.
• The SIP ALG must translate the private network addresses in the SIP message to IP addresses and port numbers that are valid on the Internet.
• When the response message is sent back to the caller, the SIP ALG must translate these addresses back to valid private network addresses.
• The SIP ALG opens pinholes to accept these media sessions, using the information in the SIP messages to determine the pinholes to open. The ALG may also perform port translation on the media sessions.
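An added, simplified model of what the bullets above describe (example code written for this page, not FortiOS code): the ALG rewrites the private address in the SIP headers and SDP body of an outgoing INVITE, translates the media port, records a pinhole so the returning RTP can be mapped to the phone, fixes Content-Length, and undoes the rewrite on the reply. The INVITE is constructed here with the deck's Phone_A and Phone_B addresses; the FortiGate's wan1 address (172.20.120.1) and the media port pool starting at 20000 are assumptions.

```python
import re

# Addresses from the deck's source-NAT scenario: Phone_A (internal) and Phone_B (wan1).
PHONE_A, PHONE_B = "10.31.101.20", "172.20.120.30"
NAT_IP = "172.20.120.1"        # ASSUMED wan1 address of the FortiGate (not given on the page)

# Constructed SDP body and INVITE, as they leave Phone_A (private addresses everywhere).
SDP = "\r\n".join([
    "v=0",
    f"o=phoneA 2890844526 2890844526 IN IP4 {PHONE_A}",
    "s=Call",
    f"c=IN IP4 {PHONE_A}",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
]) + "\r\n"
INVITE = "\r\n".join([
    f"INVITE sip:phoneB@{PHONE_B} SIP/2.0",
    f"Via: SIP/2.0/UDP {PHONE_A}:5060;branch=z9hG4bK776asdhds",
    f"From: <sip:phoneA@{PHONE_A}>;tag=1928301774",
    f"To: <sip:phoneB@{PHONE_B}>",
    f"Contact: <sip:phoneA@{PHONE_A}:5060>",
    "Content-Type: application/sdp",
    f"Content-Length: {len(SDP.encode())}",
]) + "\r\n\r\n" + SDP


def _swap_ip(text, old, new):
    """Replace whole IPv4 literals only (10.31.101.20 must not touch 10.31.101.200)."""
    return re.sub(rf"(?<![\d.]){re.escape(old)}(?![\d.])", new, text)


def _fix_length(head, body):
    # The rewrite changes the body size, so the header must be updated too.
    return re.sub(r"Content-Length: \d+", f"Content-Length: {len(body.encode())}", head)


class SipAlg:
    """Simplified SIP ALG for source NAT of one phone (model, not FortiOS code)."""

    def __init__(self, private_ip, nat_ip, first_media_port=20000):
        self.private_ip, self.nat_ip = private_ip, nat_ip
        self._media_port = first_media_port   # ASSUMED start of the media port pool
        self.pinholes = {}                    # (nat_ip, nat_port) -> (private_ip, port)

    def outbound(self, msg):
        """Phone -> Internet: translate headers and SDP, open media pinholes."""
        head, _, body = msg.partition("\r\n\r\n")

        def media(m):
            port = int(m.group(2))
            nat_port = self._media_port
            self._media_port += 2             # RTP uses even ports; RTCP is the odd one above
            self.pinholes[(self.nat_ip, nat_port)] = (self.private_ip, port)
            return f"m={m.group(1)} {nat_port}"

        body = re.sub(r"(?m)^m=(\w+) (\d+)", media, body)
        head = _swap_ip(head, self.private_ip, self.nat_ip)
        body = _swap_ip(body, self.private_ip, self.nat_ip)
        return _fix_length(head, body) + "\r\n\r\n" + body

    def inbound(self, msg):
        """Internet -> phone: the NAT address in Via/To/Contact goes back to the private one."""
        head, _, body = msg.partition("\r\n\r\n")
        head = _swap_ip(head, self.nat_ip, self.private_ip)
        body = _swap_ip(body, self.nat_ip, self.private_ip)
        return _fix_length(head, body) + "\r\n\r\n" + body

    def media_target(self, dst_ip, dst_port):
        """Inside endpoint for an incoming media packet, or None when no pinhole exists."""
        return self.pinholes.get((dst_ip, dst_port))
```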
156 Fortinet Confidential
SIP scenario source NAT: INVITE request
157 Fortinet Confidential
SIP scenario source NAT: 200 OK returned
158 Fortinet Confidential
SIP NAT Configuration Source NAT
Add Firewall Addresses:
config firewall address
    edit Phone_A
        set associated-interface internal
        set type ipmask
        set subnet 10.31.101.20 255.255.255.255
    next
    edit Phone_B
        set associated-interface wan1
        set type ipmask
        set subnet 172.20.120.30 255.255.255.255
    next
end
159 Fortinet Confidential
SIP NAT Configuration Source NAT
Add Security Policies:
config firewall policy
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr Phone_A
        set dstaddr Phone_B
        set action accept
        set schedule always
        set service SIP
        set nat enable
        set utm-status enable
        set profile-protocol-options default
        set voip-profile default
    next
    edit 0
        set srcintf wan1
        set dstintf internal
        set srcaddr Phone_B
        set dstaddr Phone_A
        set action accept
        set schedule always
        set service SIP
        set nat enable
        set utm-status enable
        set profile-protocol-options default
        set voip-profile default
    next
end
160 Fortinet Confidential
SIP scenario destination NAT: INVITE request
161 Fortinet Confidential
SIP scenario destination NAT: 200 OK Returned
162 Fortinet Confidential
SIP NAT Configuration Destination NAT
Add SIP Proxy Server Virtual IP and Firewall Addresses:
config firewall vip
    edit SIP_Proxy_VIP
        set type static-nat
        set extip 172.20.120.50
        set mappedip 10.31.101.50
        set extintf port1
    next
end
config firewall address
    edit SIP_Proxy_Server
        set associated-interface port2
        set type ipmask
        set subnet 10.31.101.50 255.255.255.255
    next
end
163 Fortinet Confidential
SIP NAT Configuration Destination NAT
Add Security Policies:
config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr all
        set dstaddr SIP_Proxy_VIP
        set action accept
        set schedule always
        set service SIP
        set nat enable
        set utm-status enable
        set profile-protocol-options default
        set voip-profile default
    next
end
config firewall policy
    edit 0
        set srcintf port2
        set dstintf port1
        set srcaddr SIP_Proxy_Server
        set dstaddr all
        set action accept
        set schedule always
        set service SIP
        set nat enable
        set utm-status enable
        set profile-protocol-options default
        set voip-profile default
    next
end
164 Fortinet Confidential
April 18, 2023
Sneak Peek on IPv6 with FortiOS 5.0
165 Fortinet Confidential
NAT64
• Typical scenario
• Well-known prefix [RFC 6052]: 64:ff9b::/96
• e.g. 172.20.120.12 >> 64:ff9b::ac14:780c/96
166 Fortinet Confidential
IPv6 NAT for IPv4 Connectivity
• For IPv6-initiated traffic to an IPv4 network, that is, traffic flows using a firewall policy with:
• Src IPv6 address
• Dest IPv4 address
• NAT64 is implemented with:
• config system nat64 to set the prefix (1 per VDOM)
• config firewall policy64 for the forwarding policy
• Currently CLI only
167 Fortinet Confidential
NAT64 Configuration
• IPv6 prefix setting (per VDOM):
config system nat64
    set status [disable*|enable]
    set ipv6prefix <::/96>                               (default 64:FF9B::/96)
    set always-synthesize-aaaa-record [disable*|enable]
end
• Forwarding policy (port1 is the IPv6 network interface, port4 the destination IPv4 interface):
config firewall policy64
    edit 1
        set srcintf "port1"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
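An added example (written for this page, not FortiOS code) of the RFC 6052 address embedding the NAT64 slides rely on: synthesizing an IPv6 destination from an IPv4 address under the well-known /96 prefix, recovering the IPv4 address on the policy64 path, and building AAAA answers from A records as the always-synthesize-aaaa-record setting implies. Using the IPv4 interface address as the translated source is an assumption of this model.

```python
import ipaddress

# RFC 6052 well-known prefix, the FortiOS default for 'config system nat64'.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper handles the /96 prefix form only")
    embedded = int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(embedded))


def extract(ipv6, prefix=WELL_KNOWN_PREFIX):
    """The IPv4 destination hidden in a synthesized address, or None if not in the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def synthesize_aaaa(a_records, prefix=WELL_KNOWN_PREFIX):
    """AAAA answers built from A answers, so IPv6-only clients reach IPv4-only names."""
    return [synthesize(ip, prefix) for ip in a_records]


def policy64_forward(dst6, egress_ipv4, prefix=WELL_KNOWN_PREFIX):
    """Model of the policy64 path: an IPv6 packet whose destination lies inside the
    NAT64 prefix leaves as IPv4 from the egress interface address (ASSUMPTION);
    any other destination is not NAT64 traffic. Returns (src4, dst4) or None."""
    dst4 = extract(dst6, prefix)
    return None if dst4 is None else (egress_ipv4, dst4)
```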
168 Fortinet Confidential
IPv6 NAT for IPv6 Connectivity
• NAT66 is desired for:
• Privacy reasons, to obfuscate the source IPv6 address
• Address independence (moving to another ISP)
• A NAT pool can be defined to specify the address(es) to use instead of the outgoing interface's address
• RFC 6296 for NAT66 – still EXPERIMENTAL status
169 Fortinet Confidential
NAT66 Configuration
• CLI only for now
• New commands:
config firewall policy6
    edit <policy id>
        set nat [enable|disable*]
        set ippool [enable|disable*]        (optional: only when a NAT pool is used)
        set poolname <ippool6-name>         (optional: only when a NAT pool is used)
    next
end
config firewall ippool6
    edit <ippool6 name>
        set name <ip pool's name>
        set endip <ip6 addr>
        set startip <ip6 addr>
    next
end
170 Fortinet Confidential
Thank You
Obrigado
Gracias
John León – SE Andean Region
Marcelo Mayorga – Mgr., System Engineering CALA