Fortinet Firewall D-NAT configuration

From Notes_Wiki

Home > Enterprise security devices or applications > Fortigate firewall > Fortinet Firewall D-NAT configuration

D-NAT Policy Configuration in Fortinet Firewall

This article provides step-by-step instructions to configure **Destination NAT (D-NAT)** on a Fortinet Firewall. D-NAT allows mapping of a public IP address to an internal server, making it accessible from the internet.

Prerequisites

  • FortiGate Firewall with administrative access.
  • Public IP address from ISP.
  • Internal server IP address (LAN/DMZ).
  • List of required services/ports (e.g., HTTP, HTTPS, RDP).

Configure Virtual IP (VIP)

  1. Navigate to: Policy & ObjectsVirtual IPs.
  2. Click on Create NewVirtual IP.
  3. Fill in the following details:
    1. Name: A descriptive name (e.g., VIP-DMZ-Server).
    2. Interface: Select WAN interface (e.g., wan1).
    3. External IP Address: Enter the Public IP.
    4. Mapped Internal IP: Enter the private IP of the server.
    5. Port Forwarding (Optional):
      1. Enable if only specific services are required (e.g., HTTP/HTTPS).
      2. Configure external port, internal port, and protocol (TCP/UDP).

Note: The VIP object maps the external Public IP to the internal server in the DMZ zone.

Configure Firewall Policy

  1. Navigate to: Policy & ObjectsFirewall Policy.
  2. Click on Create New.
  3. Configure the following:
    1. Name: (e.g., Allow-DMZ-Server).
    2. Incoming Interface: WAN (outside network).
    3. Outgoing Interface: LAN/DMZ (where server resides).
    4. Source: All (or specify external IP/subnet if required).
    5. Destination: The configured Virtual IP (e.g., `VIP-DMZ-Server`).
    6. Service: Select required services (HTTP, HTTPS, RDP, etc.).
    7. Action: Accept.
    8. NAT: Enable → Select Use Outgoing Interface Address.

Important: NAT must remain enabled for proper traffic translation.

Verification

  1. From an external network, access the Public IP.
  2. Confirm redirection to the internal server.
  3. Check traffic logs: Log & ReportForward Traffic.

Antivirus Issue

  • Sometimes, server-side antivirus blocks connections via Public IP.
  • Fortinet TAC recommends enabling NAT for the source in the D-NAT policy.
  • Using **Use Outgoing Interface Address** usually resolves the issue.

Summary

  • Configure Virtual IP to map Public IP → Internal IP.
  • Create Firewall Policy with NAT enabled.
  • Verify via logs and external testing.
  • Enable Source NAT if antivirus blocks traffic.


Home > Enterprise security devices or applications > Fortigate firewall > Fortinet Firewall D-NAT configuration

Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=Fortinet_Firewall_D-NAT_configuration&oldid=9371"