Central Source NAT (SNAT) and Destination NAT (DNAT/VIP)

Video Statistics and Information

Captions
In today's video we're going to talk about the central NAT table, exactly how to use it, and what it's really there for, so stay tuned.

Hey guys, Mike here from Fortinet Guru. In a previous video where I was comparing profile mode versus policy mode, I made a statement about how in policy mode central NAT is required, and I got some people hitting me up via email asking specifically what central NAT was. So in this video I'm going to dive into central NAT, how to configure it on the FortiGate, and the inner workings of it, if you will.

First things first: central NAT isn't some mystical being, right? It's actually fairly simple when you think about it. It's a central place where you control the NAT your device does. What I mean by that is, when you're running in profile mode you're able to control the NAT on the specific policy itself, which is good because you have granularity there, but it also gives you the opportunity to mess up. What if you accidentally shadow a policy with another policy that has a different NAT statement? A device that you intend to NAT a certain way may not NAT the way it should. The central NAT table basically gives you a single point of view that you use specifically for your network address translations, so it takes the guesswork out of it, if you will. It gives you the opportunity to set things up exactly how you need them and run from there.

So we're going to dive in on our lab FortiGate and run through a couple of scenarios. We're sitting here logged into our FortiGate; this is a FortiGate running 6.4.1. Now, you can run central NAT in profile-based or policy-based mode; policy-based mode just forces it, but if you want to use this option you can in profile mode as well. What we're looking at here is a FortiGate that's running in policy mode. Most people don't actually run in policy mode, so what we're going to do is switch this over to profile mode, because that's the one most people are used to. Central SNAT is already enabled on this because that's how it's configured for policy mode, so we'll go ahead and click OK and switch over.

So we're logged into our FortiGate. It's running FortiOS 6.4.1; it's a FortiWiFi 61E, our homegrown lab unit. The first thing you'll notice is that whenever you have central SNAT turned on, you can basically just click Policy & Objects, click Central SNAT, and you're presented with a table, something that actually looks like a policy set, where you build out your NATs.

Let's say we have a specific IP that's internal to our network going out to the internet. Maybe we're in a situation where we have multiple static IPs on our home connection and we want specific computers to go out with specific addresses. Now, if you look at the policy that's already there, it'll look very familiar: use outgoing interface address. That's usually what most people end up using on their home FortiGates or their smaller units. So we have "use outgoing interface address"; that's our default, meaning if it doesn't hit anything before this, it'll do that. We want to create new, and maybe our incoming interface is inside and our outgoing interface is outside, and for our source address, let's set a host here. So we'll create this guy, this specific host; when it goes out we want it to go a certain way. We'll select all for our destination, we'll define the actual source address that's of interest to us within the policy here, and then we'll select NAT and use a dynamic pool. Just like you would on a normal policy, you select the IP pool that you have created for this. Now, we don't have any created here, but let's just say for the sake of argument that we own 1.2.3.4; that's one of our external IP addresses. So we've logged in and we need to actually create the dynamic IP pool that will be used for this.

We're just going to name it "outside IP 1", and then we're going to go 1.2.3.4 to 1.2.3.5. For the sake of this video we're going to act like we own the 1.2.3.4 subnet, just for the purpose of our external IPs. It's not the case, and we're not going to actually push traffic through this, so that's okay. So we create our outside IP pool and we have 1.2.3.4 through 1.2.3.5; those are the two IPs that we want to use for this IP pool. What that means is, if the traffic is coming from the inside interface going to the outside interface from 192.168.1.1, then it's going to NAT it as this particular address. When you click OK, you notice it popped up underneath the one that's already there. We need to move this up, because that one is our catch-all NAT. I treat this just like I do my firewall policies: I have a catch-all policy at the bottom specifically to make sure everything goes as it should. That's in situations where security is a lot more relaxed; usually you only want to whitelist what's allowed, and if it doesn't have a policy to allow it, it doesn't go. But for this video this will suffice.

So now let's say we have another one. Maybe it's inside to outside and it's, let's say, the whole subnet, and whenever it's going out to Dropbox we want it to NAT as something completely different, right? So maybe we want to use a different one. We just create our policy here with 1.2.3.2. What this says is, if it's inside going to outside, and it's from that subnet going to Dropbox, use this specific IP. It seems trivial, but there are a lot of organizations that tie their stuff down by specific IP, especially for certain services. For instance, if you're in a banking situation and you want your stuff to go out via a certain IP because the other side has whitelisted that IP, you want that stuff to go out as intended, or else the connection won't work and you end up in a situation where maybe you get fired because the bank couldn't run its records, right?

So another thing that you have within this is the ability to do explicit port mapping, which means you can take the original source port and translate it so it looks like it's coming from a different source port. We won't need that for this specific one, so we'll just close it out, and we'll move this one up a little bit higher than our catch-all as well.

So that covers source NAT, but we still have to worry about our virtual IPs, or our destination NATs, right? Well, they have that covered as well. They actually have a specific table just for destination NAT as well as virtual IPs, which, remember, virtual IPs are just destination NATs. So you can come in here, go to Create New, Destination NAT, and you'll notice it says DNAT & Virtual IP; that's because they're the same thing. Go to Create New, and this is where you would do your external IPs translating in and things along those lines, or maybe if you had a FortiGate on a network where there was some overlap or something like that, maybe the other side is doing NAT on their end. There are a lot of different situations where this makes sense. So we'll say this is mail coming in, and we want 1.2.3.3 mapped to 192.168.1.50; maybe that's our mail server.

Now, I like to configure the smallest section possible. What I mean by that is I want my destination NATs, as well as my firewall policies, to be as specific as possible; it's just a security best practice from my perspective. Now, you could very well forward all ports for this specific IP, but it doesn't make sense if you only have a limited number of IPs, and you may run into a situation where you need to use other ports for something else. For email, maybe this one is only allowing port 25 for SMTP. I know most people are using Office 365 now, but there are situations where it makes sense, right? So we'll do a port forward, and we care about port 25 getting forwarded to port 25 on the inside. Click OK, so that's our destination NAT. Now we have it set up, meaning any traffic that's trying to go to 1.2.3.3 is going to translate to 192.168.1.50, as long as that external port is TCP 25.

All right guys, so that's pretty much the short and sweet of central source NAT as well as destination NAT slash virtual IPs. It's basically just a single spot for you to deal with it, and then outside of that you use your policies the way you always have. It is a little bit to get used to, because you're not using your policies to actually build out your NATs as you intend, but instead using that central NAT policy set. But it does give you a very, very granular look. How many times have you been in a situation where you're digging through your firewall policy trying to figure out why a certain IP is getting NATed a certain way? Well, central source NAT and destination NAT can help solve that. Or, I mean, you can learn how to debug and find out what policy specific traffic is hitting, which we'll dive into later, so you can at least use it the way you're used to, but with a little bit more specificity, right?

So guys, hopefully you found this video helpful. I know it's been a while since I've done a video that actually gave you a walkthrough on how to do something. I've been asked to crank those back up. Let's face it, the other videos are good for views, but it kind of takes away from what the channel should be doing, so I'm going to try to keep it more 80/20, with 80% being the actual how-tos and 20% being the drama and stuff that makes people go "hmm, maybe Fortinet should change that" or "hmm, maybe other vendors should". Anyways, if you liked the video, do me a favor: hit the like button on the video, as well as the subscribe button and the notify bell. The like button helps the video, well, it helps other people find it that may have these questions, and the subscribe and notify bell helps you out; it keeps you up to date whenever I release new videos. So until next time guys, stay safe. Thank you.
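Editor's note: the walkthrough above is done in the GUI. The FortiOS CLI equivalent below is an added example, not part of the video or of Fortinet's documentation. It reproduces the same objects on a FortiOS 6.4 unit: enabling central NAT in profile mode, the "outside IP 1" pool (1.2.3.4-1.2.3.5), the host-specific and Dropbox-specific central SNAT entries placed above the outgoing-interface catch-all, and the TCP/25-only VIP for 1.2.3.3 to 192.168.1.50. The interface names "internal" and "wan1", the address-object names, the Dropbox FQDN object, the policy IDs, and the firewall policy that admits the DNATed mail traffic are assumptions for illustration; the video names its interfaces "inside" and "outside" and does not show the policy. Check any keyword you are unsure of with `?` at the CLI before committing it.

```fortios
# Added example (not from the video). Assumes FortiOS 6.4, interfaces "internal"/"wan1".

# 1. Central NAT can be switched on in profile mode; policy mode forces it.
config system settings
    set central-nat enable
end

# 2. Address objects used by the SNAT/DNAT entries (names are assumptions).
config firewall address
    edit "host-192.168.1.1"
        set subnet 192.168.1.1 255.255.255.255
    next
    edit "lan-192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "mail-server"
        set subnet 192.168.1.50 255.255.255.255
    next
    edit "dropbox-fqdn"          # assumed stand-in for the video's Dropbox destination
        set type fqdn
        set fqdn "dropbox.com"
    next
end

# 3. Dynamic IP pools: "outside IP 1" (1.2.3.4-1.2.3.5) and the single Dropbox egress IP.
config firewall ippool
    edit "outside-ip-1"
        set type overload
        set startip 1.2.3.4
        set endip 1.2.3.5
    next
    edit "dropbox-egress"
        set type overload
        set startip 1.2.3.2
        set endip 1.2.3.2
    next
end

# 4. Central SNAT table. Entry 1 is the existing catch-all (no pool => outgoing
#    interface address). Entries 2 and 3 are added afterwards, so they land below
#    the catch-all and must be moved above it, exactly as in the GUI.
config firewall central-snat-map
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set orig-addr "all"
        set dst-addr "all"
        set nat enable
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set orig-addr "host-192.168.1.1"
        set dst-addr "all"
        set nat enable
        set nat-ippool "outside-ip-1"
    next
    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set orig-addr "lan-192.168.1.0"
        set dst-addr "dropbox-fqdn"
        set nat enable
        set nat-ippool "dropbox-egress"
    next
    move 2 before 1
    move 3 before 1
end

# 5. DNAT / VIP: only TCP 25 on 1.2.3.3 is forwarded, to 192.168.1.50:25.
config firewall vip
    edit "vip-mail-smtp"
        set extip 1.2.3.3
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedip "192.168.1.50"
        set mappedport 25
    next
end

# 6. Assumed accompanying firewall policy. With central NAT enabled the VIP is applied
#    before policy lookup, so the policy is written against the mapped internal host.
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "mail-server"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
end
```

After committing, `show firewall central-snat-map` lists the entries in evaluation order; the two specific entries must appear before the catch-all or the catch-all shadows them, which is the same mistake the video warns about with per-policy NAT.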
Info
Channel: Fortinet Guru
Views: 11,463
Keywords: fortinet central nat, fortigate central nat, central SNAT, central DNAT, central VIP
Id: stcsGnKM_LE
Length: 11min 41sec (701 seconds)
Published: Mon Jun 15 2020