NAT Flashcards
What are the two ways to configure NAT?
Central NAT or FW policy NAT
When do you use FW policy NAT?
Firewall policy NAT is suggested for deployments that include relatively few NAT IP addresses and where each NAT IP address would have separate policies and security profiles.
When should you use central NAT?
Central NAT is suggested for more complex scenarios where multiple NAT IP addresses have identical policies and security profiles, or in next generation firewall (NGFW) policy mode, where the appropriate policy may not be determined at the first packet.
What are the two ways to configure firewall policy SNAT?
• Use the outgoing interface address.
• Use a dynamic IP pool.
IP pool
defines a single IP address or a range of IP addresses to be used as the source address for the duration of the session.
What are the four types of IP pools?
• Overload
• One-to-one
• Fixed port range (CGN)
• Port block allocation (CGN)
Overload IP pool type
A many-to-one or many-to-few mapping: many internal addresses share one or a few pool addresses, and port address translation keeps their sessions apart.
One-to-one IP pool type
FortiGate assigns a pool address to an internal host on a first-come, first-served basis; each internal address maps to exactly one pool address, so no port translation is performed and a full pool means no further hosts get translated.
Where do you enable DNAT?
By using a VIP object as the destination address in a firewall policy.
Fixed port range CGN IP pool type
Each subscriber gets a fixed, predictable port range on a public IP, so the subscriber behind a connection can be identified from the public IP address and port alone (no traffic log required).
</gre_replace>
<gr_replace lines="26-27" cat="clarify" orig="Port block allocation - Ip pool type">
Port block allocation CGN IP pool type
You define the public IP address range, the port block size, and the number of blocks assigned to each host. A log is generated for each new block allocation rather than for each session.
Port block allocation - Ip pool type
You define the ip add, block port size and number of blocks assigned to each host. Logs each new system.
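The following FortiOS CLI fragment is an added example, not part of the flashcards: it defines one IP pool of each of the four types and then shows the two ways of doing firewall policy SNAT side by side, one policy using the outgoing interface address (`set nat enable` alone) and one using a dynamic IP pool (`set ippool enable` plus `set poolname`). Interface names, pool names, policy IDs and the 203.0.113.0/24 and 10.0.0.0/24 addresses are constructed; the keywords follow the FortiOS 6.x/7.x CLI from memory, so check them against the CLI reference for the version you run. Lines starting with `#` are annotations, not commands.

```fortios
# --- IP pools (constructed addresses) ---
config firewall ippool
    edit "POOL-OVERLOAD"
        # many-to-few: PAT distinguishes sessions
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.11
    next
    edit "POOL-ONE-TO-ONE"
        # one pool address per internal host, no PAT
        set type one-to-one
        set startip 203.0.113.20
        set endip 203.0.113.29
    next
    edit "POOL-FIXED-RANGE"
        # each source host gets a fixed slice of ports on the public IP
        set type fixed-port-range
        set startip 203.0.113.30
        set endip 203.0.113.30
        set source-startip 10.0.0.1
        set source-endip 10.0.0.254
    next
    edit "POOL-PBA"
        # ports handed out in blocks; one log per block, not per session
        set type port-block-allocation
        set startip 203.0.113.40
        set endip 203.0.113.40
        set block-size 128
        set num-blocks-per-user 8
    next
end

# --- Firewall policy SNAT, both variants ---
config firewall policy
    edit 10
        # Variant 1: translate to the outgoing interface (port1) address
        set name "LAN-to-WAN-intf-snat"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 11
        # Variant 2: translate to an address from the dynamic IP pool
        set name "LAN-to-WAN-pool-snat"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "POOL-OVERLOAD"
    next
end
```

Policy 10 and policy 11 are alternatives for the same traffic; in a real policy table only one of them would be above the other and match. Swapping `POOL-OVERLOAD` for one of the other pool names changes only the translation behaviour, not the policy itself, which is the point the flashcards make about IP pools living in their own object.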
What is the default VIP type?
Static NAT; one to one
Port Forwarding on VIP
redirect the traffic matching the external address and port in the VIP to the mapped internal address and port. When you enable port forwarding, FortiGate no longer performs one-to-one mapping.
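The following FortiOS CLI fragment is an added example, not part of the flashcards: it defines a default static-NAT VIP (one-to-one, all ports) next to a port-forwarding VIP, then the inbound policy that references the port-forwarding VIP as its destination address, which is what actually enables the DNAT. Interface names, VIP names, the policy ID and the 203.0.113.0/24 and 10.0.0.0/24 addresses are constructed; the keywords follow the FortiOS 6.x/7.x CLI from memory, so check them against the CLI reference for the version you run. Lines starting with `#` are annotations, not commands.

```fortios
config firewall vip
    edit "VIP-STATIC-MAIL"
        # Default type: static NAT, one-to-one, every port forwarded unchanged
        set extintf "port1"
        set extip 203.0.113.50
        set mappedip "10.0.0.50"
    next
    edit "VIP-WEB-443"
        # Port forwarding: only TCP/443 is mapped, and it lands on 8443 inside.
        # Other ports on 203.0.113.51 are not translated.
        set extintf "port1"
        set extip 203.0.113.51
        set mappedip "10.0.0.51"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 8443
    next
end

config firewall policy
    edit 20
        # Inbound policy that references the VIP; the service must match
        # the EXTERNAL port (443), not the mapped port (8443).
        set name "WAN-to-WEB"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VIP-WEB-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

Note that `set nat enable` is deliberately absent from policy 20: DNAT comes from the VIP object, and enabling NAT on an inbound policy would additionally SNAT the client address to the internal interface IP, hiding the real source from the server. If policy 20 is deleted or disabled, `VIP-WEB-443` still exists but no translation is applied to traffic for 203.0.113.51, which is the situation the next flashcard describes.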
If the VIP is not referenced in an incoming firewall policy, or that policy is disabled, what happens?
No DNAT is performed; the traffic is handled as destined to the external interface IP address itself.
Do VIPs match on FW policies?
No.