
FortiGate NAT Deep Dive

John Len, SE Andean Region
jleon@fortinet.com

Marcelo Mayorga, Mgr., System Engineering CALA
mmayorga@fortinet.com

Fortinet Confidential

Setting expectations

- Mainly this is a hands-on track
- We expect that you know what NAT is and how to configure basic NAT on FortiOS
- You're here not only to listen but to ask questions, share experiences and participate!

Some initial words on NAT

September 22, 2015

What is NAT?

- Everything started when IPv4 was created
- IPv4 allows 2^32 IP addresses = 4.2+ billion
- Today there're more than 9 billion Internet-connected devices (1)
- NOT ENOUGH

(1) http://www.readwriteweb.com/archives/more_than_50_of_devices_at_ces_were_internet_connected.php

What is NAT? (cont.)

- Allows IP address sharing
- NAT is the process of converting one IP address to another on a given packet.
- Usually the conversion happens between a private (non-routable) and a public (routable) IP address.

Why does anyone need NAT?

Then, what are routable and non-routable IP addresses?
RFC 1918: IANA defines a set of IP addresses to be used as private address space (i.e. they should not be routed in the Internet):

- Class A: 10.0.0.0/8 = 10.0.0.0 - 10.255.255.255
- Class B: 172.16.0.0/12 = 172.16.0.0 - 172.31.255.255
- Class C: 192.168.0.0/16 = 192.168.0.0 - 192.168.255.255

Why does anyone need NAT? (cont.)

What other advantages does NAT offer?
- Security: NAT allows hiding the internal IP addressing scheme, making it invisible to the outside world
- Makes connections with other networks possible (e.g. overlapping networks)

Yeap, there're some drawbacks as well

- NAT breaks a core principle of the Internet: provide end-to-end connectivity
- Application Layer Gateways and techniques such as NAT Traversal appeared as workarounds.
- The existence of NAT has delayed IPv6 deployments

My Web Proxy also changes IP addresses!

- NAT happens in the Network Layer
- A NATing device keeps the same connection: 192.168.138.32 -> 200.20.32.32

[Figure: OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) for the CLIENT 192.168.138.32, the NAT device (192.168.138.1 / 200.20.32.1) and the SERVER 200.20.32.32; a single connection 192.168.138.32 -> 200.20.32.32 passes through the NAT device at the Network layer]

My Web Proxy also changes IP Address! (cont.)

- A Proxy works at the Application Layer
- When a Proxy is in the path you'll actually end up with TWO connections: 192.168.138.32 -> 192.168.138.1 on the client side and 200.20.32.1 -> 200.20.32.32 on the server side

[Figure: the same OSI stacks for the CLIENT 192.168.138.32, the proxy (192.168.138.1 / 200.20.32.1) and the SERVER 200.20.32.32; both connections terminate at the proxy's Application layer]

NAT in FortiOS

Packet Flow within FortiOS

[Figure: FortiOS packet flow diagram]

Session Setup and Offloading on NP based platforms

[Figure sequence, one step per slide:]
1. SYN
2. SYN/ACK
3. ACK
4. Session information pushed to the NP
5. Subsequent traffic is handled by the NP; it doesn't go to the CPU

NAT is a resource-intensive task, so having a platform able to offload this on hardware is an important advantage in high-end environments.

FortiASIC Network Processors (NP)

The slide compares NP2 and NP4 along three rows: Performance, Traffic Features and Application Features.

NP4:
- 20 Gbps throughput IP packet forwarding (40 Gbps bi-directional with 2 XAUI ports)
- Up to 10 million sessions of searching and dynamic network address translation (DNAT)
- 6-8 Gbps IPsec ESP encryption/decryption processing
- Seamlessly scalable system with switch chips to support any throughput
- Session timeout feature
- IP/TCP/UDP checksum calculation offloading
- Jumbo packet support up to 9 KB
- Policy based traffic shaping
- TCP offloading features
- Traffic shaping and counting per session / per VLAN
- Firewall policy check
- IPS anomaly filtering and logging
- Up to 4096 Virtual Domain support
- Packet fragmentation / defragmentation

NP2:
- 8 Gbps throughput IP packet forwarding (bi-directional with 4 GE ports)
- Over 1 million sessions of searching and dynamic network address translation (DNAT)
- Over 2 Gbps throughput IPsec ESP encryption/decryption processing
- Enhanced Extension Interface to support 8-GE with 16 Gbps throughput
- Session timeout feature
- IP/TCP/UDP checksum calculation offloading
- Packet de-fragmentation
- Jumbo packet support up to 18 KB
- TCP offloading features
- Traffic shaping and firewall basic policy check
- IPS anomaly filtering and logging
- Up to 4096 Virtual Domain support
Lab 1 - Understanding Packet Flow

About the environment

Virtual Machines:
1. FortiGate-VM 4.3.6 (Build0521)
   - admin/<blank>
   - Port1 (Hostonly): 192.168.138.10
   - Port2 (Hostonly): 20.20.20.1
   - FGT-VM is LENC (Low Encryption), so access to it will be using HTTP and Telnet
2. xserver01:
   - Ubuntu Linux 10.10
   - Apache 2.2.16
   - Wireshark
   - xuser/xuser
   - eth1: 20.20.20.10
3. xserver02:
   - Ubuntu Linux 10.10
   - Apache 2.2.16
   - vsftpd 2.3.0
   - xuser/xuser
   - eth1: 20.20.20.20

Host PC: Vmnet1 192.168.138.1

Between the Host PC and the FGT use whatever IP addressing you want, just be careful during the labs.

Start your engines!

1. Start the VM machines
2. Check that you're able to ping:
   - From Host PC: 192.168.138.10
   - From FG-VM: 20.20.20.10 and 20.20.20.20
3. Add a route on your host machine to the 20.20.20.0/24 network through your FortiGate
   MACOSX:  # sudo route add 20.20.20.0/24 192.168.138.10
   Windows: # route add 20.20.20.0 mask 255.255.255.0 192.168.138.10
   Linux:   # sudo route add -net 20.20.20.0/24 gw 192.168.138.10
   Verify with: # netstat -nr

Start your engines! (cont.)

4. Add the following secondary IP addresses to your Host PC on the hostonly virtual NIC:
   50.50.50.1/24
   192.168.138.2/24
   192.168.138.3/24
   192.168.138.4/24
   192.168.138.5/24
   192.168.138.56/24
   MACOSX:  # sudo ifconfig vmnet1 inet 50.50.50.1/24 add
   Windows: Use Control Panel -> Network Connections
   Linux:   # sudo ifconfig eth0:1 50.50.50.1 up
   Verify with: ifconfig (Mac OSX/Linux) / ipconfig (Windows)

Lab 1 - Packet Flow

[Figure: Host PC (vmnet1 192.168.138.1) -> FortiGate port1 192.168.138.10 / port2 20.20.20.1 -> xserver01 eth1 20.20.20.10]

Lab 1 - Packet Flow

1. Allow all traffic between port1 and port2

Lab 1 - Packet Flow

3. Sample a flow for HTTP traffic and analyze the steps
FGT_XT_12 # diag deb enable
FGT_XT_12 # diag deb flow filter dport 80
FGT_XT_12 # diag deb flow show console enable
show trace messages on console
FGT_XT_12 # diag deb flow filter daddr 20.20.20.10
FGT_XT_12 # diag deb flow trace start 1

3. Browse to http://20.20.20.10 from the Host PC

Lab 1 - Packet Flow

Packet flow inside FortiGate
FGT_XT_12 # id=36871 trace_id=1 msg="vd-root received a packet(proto=6,
192.168.138.1:56174->20.20.20.10:80) from port1.
id=36871 trace_id=1 msg="allocate a new session-00000058"
id=36871 trace_id=1 msg="find a route: gw-20.20.20.10 via port2"
id=36871 trace_id=1 msg="Allowed by Policy-1:

[Figure: flowchart of the trace above]
  Receive and parse packet data (From: 192.168.138.1:56174, To: 20.20.20.10:80, On: port1)
  -> Is this an existing session? No
  -> Allocate a new session in the state table (Session ID: 00000058)
  -> Route for this network? (GW: 20.20.20.10, Interface: port2)
  -> Search within the security policy -> Is the traffic allowed? Allowed (Policy ID: 1)
  -> Forward packet
Lab 1 - Packet Flow

5. Filter and review session information
FGT_XT_12 # diag sys session filter dst 20.20.20.10
FGT_XT_12 # diag sys session list

Lab 1 - Packet Flow

session info: proto=6 proto_state=01 duration=1 expire=3598 timeout=3600
flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=40459
policy_dir=0 tunnel=/
state=log may_dirty
statistic(bytes/packets/allow_err): org=541/4/1 reply=581/3/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2
gwy=20.20.20.10/192.168.138.1
hook=pre dir=org act=noop 192.168.138.1:56175->20.20.20.10:80(0.0.0.0:0)
hook=post dir=reply act=noop 20.20.20.10:80->192.168.138.1:56175(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=00000058 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=192.168.138.1, bps=335
total session 1

Destination NAT
- One-to-one
- DNAT on different subnets
- Port Address Translation

Destination NAT (DNAT)

- Changes the Destination IP address
- Unless specified, there's no port translation (statically)
- Usually used to publish a service/server that has a private IP address with a public, routable one.

Lab 2 - Static Destination NAT (DNAT)

[Figure: Host PC (vmnet1 192.168.138.1) -> FortiGate port1 192.168.138.10 with VIP 192.168.138.100 / port2 20.20.20.1 -> xserver01 eth1 20.20.20.10]

Before DNAT (on port1):
  SADDR          SPORT  DADDR            DPORT
  192.168.138.1  23456  192.168.138.100  80

After DNAT (on port2):
  SADDR          SPORT  DADDR            DPORT
  192.168.138.1  23456  20.20.20.10      80
Lab 2 - Static Destination NAT (DNAT)

1. Publish the Web Service on xserver01 with IP address 192.168.138.20.
   Create a new VIP with the following information:
   Name: XTWebServer01Pub
   External IP: 192.168.138.100
   Mapped IP: 20.20.20.10
   External Interface: port1
2. Modify the recently created policy, changing Destination Address to XTWebServer01Pub


Lab 2 - Static Destination NAT (DNAT)

4. Do a debug flow and review how it changed while browsing to http://192.168.138.100
FGT_XT_12 # diag deb fl filter daddr 192.168.138.100
FGT_XT_12 # diag deb flo trace start 1
FGT_XT_12 # id=36871 trace_id=2 msg="vd-root received a packet(proto=6,
192.168.138.1:56200->192.168.138.100:80) from port1."
id=36871 trace_id=2 msg="allocate a new session-0000007a"
id=36871 trace_id=2 msg="find SNAT: IP-20.20.20.10(from IPPOOL), port-80"      <- What is this SNAT?
id=36871 trace_id=2 msg="VIP-20.20.20.10:80, outdev-port1"
id=36871 trace_id=2 msg="DNAT 192.168.138.100:80->20.20.20.10:80"
id=36871 trace_id=2 msg="find a route: gw-20.20.20.10 via port2"               <- Routing happens after DNAT
id=36871 trace_id=2 msg="Allowed by Policy-1:"

Lab 2 - Static Destination NAT (DNAT)

5. List the session table and review the differences on NATed sessions
FGT_XT_12 # diag sys session filter dst 192.168.138.100
FGT_XT_12 # diag sys session list
session info: proto=6 proto_state=01 duration=4 expire=3595 timeout=3600 flags=00000000
sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=40459
policy_dir=0 tunnel=/
state=may_dirty
statistic(bytes/packets/allow_err): org=545/4/1 reply=581/3/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=20.20.20.10/192.168.138.1
hook=pre dir=org act=dnat 192.168.138.1:56200->192.168.138.100:80(20.20.20.10:80)      <- ACTION FOR ORIGINAL DIRECTION TRAFFIC
hook=post dir=reply act=snat 20.20.20.10:80->192.168.138.1:56200(192.168.138.100:80)   <- ACTION FOR REPLY DIRECTION TRAFFIC
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=0000007a tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=192.168.138.1, bps=714
total session 1

How to read the hook lines (slide annotations):
  dir  DIRECTION: the action applies to original or reply direction traffic
  act  ACTION: doing SNAT or DNAT
  Source IP Address:Source Port -> Destination IP Address:Destination Port (Translated IP Address:Translated Port; either source or destination, depending on the action)
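The hook lines are the part of `diag sys session list` that tells you what was translated, in which direction, and into what. The following parser is an added example (not code from the deck or from Fortinet) that splits the session list into sessions and turns each `act=dnat` / `act=snat` hook into a plain statement of which header field changed; it is fed with the Lab 2 session above and works for the Lab 4 and Lab 5 outputs that follow. The field names `xip` and `xport` for the parenthesised translated address are this example's own.

```python
import re
from typing import Dict, List

# One session copied from the Lab 2 `diag sys session list` output above.
LAB2_SESSION_LIST = """\
session info: proto=6 proto_state=01 duration=4 expire=3595 timeout=3600 flags=00000000
sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=40459
policy_dir=0 tunnel=/
state=may_dirty
statistic(bytes/packets/allow_err): org=545/4/1 reply=581/3/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=20.20.20.10/192.168.138.1
hook=pre dir=org act=dnat 192.168.138.1:56200->192.168.138.100:80(20.20.20.10:80)
hook=post dir=reply act=snat 20.20.20.10:80->192.168.138.1:56200(192.168.138.100:80)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=0000007a tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=192.168.138.1, bps=714
total session 1
"""

# hook=<pre|post> dir=<org|reply> act=<noop|snat|dnat> SRC:SPORT->DST:DPORT(TRANSLATED:PORT)
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+)\s+dir=(?P<dir>\w+)\s+act=(?P<act>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<xip>[\d.]+):(?P<xport>\d+)\)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")
KEEP = {"proto", "proto_state", "duration", "expire", "policy_id", "serial", "vd"}


def parse_session_list(text: str) -> List[Dict]:
    """Split `diag sys session list` output into one dict per session."""
    sessions: List[Dict] = []
    cur = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("session info:"):
            cur = {"hooks": []}
            sessions.append(cur)
        if cur is None or line.startswith("total session"):
            continue
        hook = HOOK_RE.search(line)
        if hook:
            cur["hooks"].append(hook.groupdict())
            continue
        for key, value in KV_RE.findall(line):
            if key in KEEP:
                cur[key] = value
    return sessions


def describe_nat(session: Dict) -> List[str]:
    """One sentence per translating hook: direction, header field, before -> after.
    For act=dnat the destination is rewritten, for act=snat the source; act=noop
    hooks (no translation, as in Lab 1) are skipped."""
    out = []
    for h in session["hooks"]:
        if h["act"] not in ("snat", "dnat"):
            continue
        direction = "original" if h["dir"] == "org" else "reply"
        if h["act"] == "dnat":
            field, before = "destination", f"{h['dst']}:{h['dport']}"
        else:
            field, before = "source", f"{h['src']}:{h['sport']}"
        out.append(f"{direction} direction: {field} {before} -> {h['xip']}:{h['xport']}")
    return out


def is_natted(session: Dict) -> bool:
    return any(h["act"] in ("snat", "dnat") for h in session["hooks"])


if __name__ == "__main__":
    for s in parse_session_list(LAB2_SESSION_LIST):
        print(f"serial={s['serial']} policy_id={s['policy_id']} natted={is_natted(s)}")
        for sentence in describe_nat(s):
            print("  ", sentence)
```

Paste any `diag sys session list` capture into `parse_session_list`; a session whose hooks are all `act=noop` is forwarded without translation, which is the difference the lab asks you to spot between Lab 1 and Lab 2.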

Lab 2 - Static Destination NAT (DNAT)

What has changed in the L3 header? What about the L4 header?
1. From xserver01, connect to the FortiGate (telnet 20.20.20.1)
2. Sniff traffic on port TCP/80, use any interface and maximum ver
   # diag sniffer packet any 'port 80' 6
2. Browse to http://192.168.138.100 from the Host PC
3. Copy and save the output to ~/Desktop/XT2012_Tools/traffic.txt
4. Convert the output to PCAP with fgt2eth.pl
   $ ~/Desktop/XT2012_Tools/fgt2eth.pl -in traffic.txt -out traffic.pcap
5. Open traffic.pcap with Wireshark ($ wireshark traffic.pcap) and review the SYN packet before and after the firewall (port1 and port2).
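Step 4 relies on fgt2eth.pl to turn the verbosity-6 sniffer text into a PCAP. The converter below is an added example (not fgt2eth.pl and not Fortinet's code) that does the same job in Python and then reads its own output back to compare the SYN as seen on port1 and on port2. The sample capture is constructed for this example in the verbosity-6 layout (header line, then `0x0000`-offset hex lines with the ASCII column tab-separated); the MAC addresses of port2 and xserver01 in it are invented, the IP addresses and ports are those of the lab.

```python
import re
import struct
from typing import List, Optional, Tuple

# Constructed sample in the layout of `diag sniffer packet any 'port 80' 6`: the same
# TCP SYN seen on port1 (before DNAT, dst 192.168.138.100) and on port2 (after DNAT,
# dst 20.20.20.10). PC1 and port1 MACs come from the deck; the others are invented.
SNIFFER_TEXT = """\
interfaces=[any]
filters=[port 80]
3.041563 port1 in 192.168.138.1.56200 -> 192.168.138.100.80: syn 1
0x0000\t 000c 29f7 6546 0050 56c0 0001 0800 4500\t..)..eF.PV....E.
0x0010\t 0028 abcd 4000 4006 0000 c0a8 8a01 c0a8\t.(..@.@.........
0x0020\t 8a64 db88 0050 0000 0001 0000 0000 5002\t.d...P......P.
0x0030\t ffff 0000 0000\t......
3.041590 port2 out 192.168.138.1.56200 -> 20.20.20.10.80: syn 1
0x0000\t 000c 29aa bbcc 000c 29f7 6550 0800 4500\t..).....)..eP..E.
0x0010\t 0028 abcd 4000 3f06 0000 c0a8 8a01 1414\t.(..@.?.........
0x0020\t 140a db88 0050 0000 0001 0000 0000 5002\t.....P......P.
0x0030\t ffff 0000 0000\t......
"""

HDR_RE = re.compile(r"^(\d+)\.(\d+)\s+(\S+)\s+(in|out)\s+")   # timestamp, interface, direction
HEX_RE = re.compile(r"^0x[0-9a-fA-F]{4}\s+(.*)$")                # offset, then hex (and ASCII)
Packet = Tuple[int, int, str, bytes]                              # (sec, usec, iface, frame)


def parse_sniffer(text: str) -> List[Packet]:
    """Collect the hex dump following each packet header line into raw frame bytes."""
    packets: List[list] = []
    for line in text.splitlines():
        hdr = HDR_RE.match(line)
        if hdr:
            sec, frac, iface = int(hdr.group(1)), hdr.group(2), hdr.group(3)
            packets.append([sec, int(frac.ljust(6, "0")[:6]), iface, bytearray()])
            continue
        hx = HEX_RE.match(line)
        if hx and packets:
            hexpart = hx.group(1).split("\t")[0]   # drop the ASCII column if present
            for tok in hexpart.split():
                if not re.fullmatch(r"(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2})", tok):
                    break                          # ASCII column reached (no tab variant)
                packets[-1][3] += bytes.fromhex(tok)
    return [(s, u, i, bytes(b)) for s, u, i, b in packets]


def to_pcap(packets: List[Packet]) -> bytes:
    """Serialize frames as a classic libpcap file (LINKTYPE_ETHERNET = 1)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for sec, usec, _iface, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(data: bytes) -> List[bytes]:
    """Minimal reader for the file written by to_pcap (same byte order, no options)."""
    assert struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4, "not a little-endian pcap"
    frames, off = [], 24
    while off < len(data):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl])
        off += incl
    return frames


def ipv4_tcp_tuple(frame: bytes) -> Optional[Tuple[str, str, int, int]]:
    """(src_ip, dst_ip, sport, dport) of an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6 or len(frame) < 14 + ihl + 4:   # protocol must be TCP
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return src, dst, sport, dport


if __name__ == "__main__":
    pkts = parse_sniffer(SNIFFER_TEXT)
    with open("traffic.pcap", "wb") as f:
        f.write(to_pcap(pkts))
    for (_s, _u, iface, _f), frame in zip(pkts, read_pcap(to_pcap(pkts))):
        print(iface, ipv4_tcp_tuple(frame))
```

Comparing the two tuples shows exactly what the lab asks: the L3 destination changes from 192.168.138.100 to 20.20.20.10 between port1 and port2, while the L4 ports are untouched because this VIP has no port forwarding.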

Lab 2 - Static Destination NAT (DNAT)

[Screenshot: SYN packet before the firewall (port1)]

[Screenshot: SYN packet after the firewall (port2)]

Layer 2 Resolution - Proxy ARP

ARP (Address Resolution Protocol) is a Layer 2 protocol in charge of binding Layer 3 addresses (IP) to Layer 2 addresses (MAC).

PC1 (vmnet1, MAC 00:50:56:C0:00:01, IP 192.168.138.1)  <->  FortiGate (port1, MAC 00:0C:29:F7:65:46, IP 192.168.138.10)

Request: "Who has 192.168.138.10? Please tell 192.168.138.1"
  SMAC               DMAC               SENDER IP      DEST IP
  00:50:56:C0:00:01  ff:ff:ff:ff:ff:ff  192.168.138.1  192.168.138.10

Reply: "192.168.138.10 is at 00:0C:29:F7:65:46"
  SMAC               DMAC               SENDER IP       DEST IP
  00:0C:29:F7:65:46  00:50:56:C0:00:01  192.168.138.10  192.168.138.1

Layer 2 Resolution - Proxy ARP (cont.)

MAC addresses are tied to NICs. What happens when NAT is part of the equation?
No NIC actually has IP address 192.168.138.100.

PC1 (vmnet1, MAC 00:50:56:C0:00:01, IP 192.168.138.1)  <->  FortiGate (port1, MAC 00:0C:29:F7:65:46, IP 192.168.138.10, VIP 192.168.138.100)

Request: "Who has 192.168.138.100? Please tell 192.168.138.1"
  SMAC               DMAC               SENDER IP      DEST IP
  00:50:56:C0:00:01  ff:ff:ff:ff:ff:ff  192.168.138.1  192.168.138.100

The FortiGate will answer that request with its own MAC address (thanks to the Proxy ARP configuration). This means: answer ARP requests for this external IP (enabled by default).

Reply: "192.168.138.100 is at 00:0C:29:F7:65:46"
  SMAC               DMAC               SENDER IP        DEST IP
  00:0C:29:F7:65:46  00:50:56:C0:00:01  192.168.138.100  192.168.138.1

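The two exchanges above differ only in which IP the FortiGate is willing to answer for. The model below is an added example (not code from the deck or from FortiOS) that builds and decodes the ARP frames on the wire and answers them the way the slides describe: always for the interface's own IP, and with proxy ARP enabled also for a VIP's external IP, using the interface MAC in both cases. The `ProxyArpResponder` class, `who_has()` helper and the proxy_arp switch are this example's own constructs; the MAC and IP addresses are the lab's.

```python
import struct
from typing import Dict, Optional, Set

# Wire layout of an Ethernet frame carrying IPv4-over-Ethernet ARP (RFC 826).
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, eth_dst: str, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet frame carrying an ARP request (op=1) or reply (op=2)."""
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(sha), ETH_P_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Decode an ARP frame into its fields; None if the frame is not ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_P_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ProxyArpResponder:
    """Models how a FortiGate interface answers ARP: always for its own address and,
    when proxy ARP is enabled (the default per the slide), also for the external IPs
    of the VIPs bound to that interface, using the interface's own MAC in every reply."""

    def __init__(self, iface_mac: str, iface_ip: str, vip_external_ips: Set[str],
                 proxy_arp: bool = True):
        self.mac = iface_mac
        self.ip = iface_ip
        self.vips = set(vip_external_ips)
        self.proxy_arp = proxy_arp

    def answers_for(self, ip: str) -> bool:
        return ip == self.ip or (self.proxy_arp and ip in self.vips)

    def handle(self, frame: bytes) -> Optional[bytes]:
        """Return the reply frame for a request we answer, otherwise None."""
        req = parse_arp(frame)
        if req is None or req["op"] != ARP_REQUEST or not self.answers_for(req["tpa"]):
            return None
        # Unicast reply to the requester: "<tpa> is at <our MAC>".
        return build_arp(ARP_REPLY, eth_dst=req["sha"], sha=self.mac, spa=req["tpa"],
                         tha=req["sha"], tpa=req["spa"])


# Addresses from the lab topology; the VIP 192.168.138.100 is bound to no NIC at all.
PC1_MAC, PC1_IP = "00:50:56:c0:00:01", "192.168.138.1"
FGT_MAC, FGT_IP = "00:0c:29:f7:65:46", "192.168.138.10"
fortigate_port1 = ProxyArpResponder(FGT_MAC, FGT_IP, {"192.168.138.100"})


def who_has(target_ip: str, responder: ProxyArpResponder = fortigate_port1):
    """Send 'Who has <target_ip>? Tell 192.168.138.1' and decode the answer, if any."""
    request = build_arp(ARP_REQUEST, BROADCAST, PC1_MAC, PC1_IP, ZERO_MAC, target_ip)
    reply = responder.handle(request)
    return parse_arp(reply) if reply else None


if __name__ == "__main__":
    for ip in ("192.168.138.10", "192.168.138.100", "192.168.138.200"):
        print(ip, "->", who_has(ip))
```

On a real segment the same check is done by reading the ARP reply's sender MAC in Wireshark: a reply for the VIP carrying port1's MAC is the proxy ARP behaviour at work, and two different MACs claiming the same VIP would point at an address conflict with a real host.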

Destination NAT (DNAT) on a different subnet

- In the previous exercise we published the Web Server using an IP address in the same range as the one configured on the FortiGate
- What if my ISP provides me with a new pool of IP addresses?
- Let's see how to manage those scenarios

Lab 3 - DNAT on different subnet

[Figure: Host PC (vmnet1 192.168.138.1 and 50.50.50.1) -> FortiGate port1 192.168.138.10 with VIP 50.50.50.10 / port2 20.20.20.1 -> xserver01 eth1 20.20.20.10]

Before DNAT (on port1):
  SADDR          SPORT  DADDR        DPORT
  192.168.138.1  23456  50.50.50.10  80

After DNAT (on port2):
  SADDR          SPORT  DADDR        DPORT
  192.168.138.1  23456  20.20.20.10  80
Lab 3 - DNAT on different subnet

1. What would happen if we try to publish an IP address from a different network?
2. Create a new VIP and publish the Web Server with IP address 50.50.50.10
   Name: XTWebServer05Pub
   External Interface: port1
   External IP: 50.50.50.10 - 50.50.50.10
   Mapped IP: 20.20.20.10

Lab 3 - DNAT on different subnet

3. Create a new firewall policy allowing HTTP traffic for XTWebServer05Pub

FGT_XT_12 (3) # show
config firewall policy
    edit 3
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "XTWebServer05Pub"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic enable
    next
end


Lab 3 - DNAT on different subnet

3. Try to access the web server using the new IP address in the URL: http://50.50.50.10
4. Is it working?

CHALLENGE 1
Find out and explain to the team what's going on
Time: 5 minutes tops
Tips: Use the same debugging tools we used already

Lab 3 - DNAT on different subnet

CHALLENGE 1
1. The sniffer shows that traffic doesn't leave the FortiGate
FGT_XT_12 # diag sniffer packet any 'port 80' 4
interfaces=[any]
filters=[port 80]
5.100864 port1 in 50.50.50.1.55916 -> 50.50.50.10.80: syn 1988918947
6.203151 port1 in 50.50.50.1.55916 -> 50.50.50.10.80: syn 1988918947
7.307608 port1 in 50.50.50.1.55916 -> 50.50.50.10.80: syn 1988918947

Lab 3 - DNAT on different subnet

CHALLENGE 1
2. Review the traffic flow
FGT_XT_12 # diag deb flo filter dport 80
FGT_XT_12 # diag deb flo show con enable
show trace messages on console
FGT_XT_12 # diag deb flo trace start 3
FGT_XT_12 # id=36871 trace_id=1 msg="vd-root received a packet(proto=6,
50.50.50.1:55916->50.50.50.10:80) from port1."
id=36871 trace_id=1 msg="allocate a new session-00000107"
id=36871 trace_id=1 msg="find SNAT: IP-20.20.20.10(from IPPOOL), port-80"
id=36871 trace_id=1 msg="VIP-20.20.20.10:80, outdev-port1"
id=36871 trace_id=1 msg="DNAT 50.50.50.10:80->20.20.20.10:80"
id=36871 trace_id=1 msg="reverse path check fail, drop      <- Reverse Path Forwarding (RPF), a.k.a. anti-spoofing, won't let this packet go through

Lab 3 - DNAT on different subnet

CHALLENGE 1
3. Add a route to the 50.50.50.0/24 network on port1 and try browsing again

FGT_XT_12 # conf router static
FGT_XT_12 (static) # show
config router static
    edit 1
        set device "port1"
        set dst 50.50.50.0 255.255.255.0
    next
end

Reverse Path Forwarding and NAT

The FortiGate implements a mechanism called RPF (Reverse Path Forwarding), or Anti-Spoofing, which prevents an IP packet from being forwarded if its Source IP does not either:
- Belong to a locally attached subnet (local interface)
- Be in the routing table of the FortiGate from another source (static route, RIP, OSPF, BGP)

FGT_XT_12 # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 192.168.138.1, port1
C       20.20.20.0/24 is directly connected, port2
C       192.168.138.0/24 is directly connected, port1

Slide callouts: any traffic will be allowed on port1 since there's a default gateway defined on it; only traffic coming from 20.20.20.0/24 will be allowed on port2.
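To see why the Lab 3 SYN was dropped and why the static route fixed it, the following added example (not code from the deck or from FortiOS) models the reverse path check as a lookup of the packet's source address in the routing table. It uses the two definitions commonly given for RPF: loose, where any route to the source pointing out the ingress interface passes, and strict, where the best (longest-prefix) route must point out the ingress interface; which mode FortiOS applies by default is not asserted here. Because the lab trace shows the drop, `LAB_BEFORE` is assumed to hold only the two connected routes (no default route at that point); `WITH_DEFAULT` reproduces the slide's routing table.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]   # (destination prefix, interface the route points out of)

# Routing tables used below. LAB_BEFORE is an assumption consistent with the observed
# drop; LAB_AFTER adds the static route from Challenge 1 step 3; WITH_DEFAULT is the
# table printed on the slide (default route on port1).
LAB_BEFORE: List[Route] = [("20.20.20.0/24", "port2"), ("192.168.138.0/24", "port1")]
LAB_AFTER: List[Route] = LAB_BEFORE + [("50.50.50.0/24", "port1")]
WITH_DEFAULT: List[Route] = LAB_BEFORE + [("0.0.0.0/0", "port1")]


def routes_to_source(src_ip: str, routes: List[Route]) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """All routes whose prefix covers src_ip, most specific first."""
    ip = ipaddress.ip_address(src_ip)
    hits = [(ipaddress.ip_network(prefix), dev) for prefix, dev in routes]
    hits = [(net, dev) for net, dev in hits if ip in net]
    return sorted(hits, key=lambda h: h[0].prefixlen, reverse=True)


def rpf_check(src_ip: str, in_iface: str, routes: List[Route], mode: str = "loose") -> bool:
    """True if a packet from src_ip arriving on in_iface passes the reverse path check.
    Note the check runs on the source address, so DNAT of the destination (as in
    Lab 3) does not influence it."""
    hits = routes_to_source(src_ip, routes)
    if not hits:
        return False                     # no route back to the source at all
    if mode == "strict":
        best = hits[0][0].prefixlen      # only equal-cost best routes count
        return any(dev == in_iface for net, dev in hits if net.prefixlen == best)
    if mode != "loose":
        raise ValueError("mode must be 'loose' or 'strict'")
    return any(dev == in_iface for _, dev in hits)


def allowed_sources(in_iface: str, routes: List[Route]) -> List[str]:
    """Prefixes whose packets are accepted on in_iface (the slide's callouts)."""
    return [prefix for prefix, dev in routes if dev == in_iface]


if __name__ == "__main__":
    for label, table in (("before", LAB_BEFORE), ("after", LAB_AFTER), ("default", WITH_DEFAULT)):
        print(label, "50.50.50.1 on port1:", rpf_check("50.50.50.1", "port1", table))
    print("port2 accepts:", allowed_sources("port2", WITH_DEFAULT))
```

The model also shows the anti-spoofing value of the check: a packet claiming to be from 20.20.20.10 but arriving on port1 fails in both modes once a connected route says that network lives on port2.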

Port Address Translation (PAT)

- The idea behind PAT is being able to translate Layer 4 ports
- This could be useful, for instance, to:
  - Publish services on different ports than those on which they are listening internally
  - Use the same public IP address to publish different services

Lab 4 - Port Address Translation (PAT)

[Figure: Host PC (vmnet1 192.168.138.1) -> FortiGate port1 192.168.138.10 with VIPs 192.168.138.100:8080 and 192.168.138.100:21 / port2 20.20.20.1 -> xserver01 eth1 20.20.20.10 (web) and xserver02 eth1 20.20.20.20 (FTP)]

Before translation (on port1):
  SADDR          SPORT  DADDR            DPORT
  192.168.138.1  23456  192.168.138.100  8080
  192.168.138.1  43213  192.168.138.100  21

After translation (on port2):
  SADDR          SPORT  DADDR        DPORT
  192.168.138.1  23456  20.20.20.10  80
  192.168.138.1  43213  20.20.20.20  21

Lab 4 - Port Address Translation (PAT)

1. Publish the Web Server on port TCP/8080
   - Edit VIP XTWebServer01Pub
   - Enable port forwarding and translate port TCP/8080 to TCP/80

Lab 4 - Port Address Translation (PAT)

2. Create a new VIP to publish the FTP Server using the same IP address and taking advantage of Port Forwarding
   Name: XTFTPServer01Pub
   External Interface: port1
   External IP: 192.168.138.100
   Mapped IP: 20.20.20.20
   Enable Port Forwarding, keeping port 21 without translation

   IMPORTANT: VIPs with the same external IP address will always require Port Forwarding enabled

Lab 4 - Port Address Translation (PAT)

3. Add a firewall policy to allow FTP traffic to the newly created VIP

Lab 4 - Port Address Translation (PAT)

4. Access the Web Server URL http://192.168.138.100:8080 while doing a debug flow
5. Differences in the flow with and without Port Forwarding
FGT_XT_12 # diag deb flow trace start 1
FGT_XT_12 # id=36871 trace_id=3 msg="vd-root received a packet(proto=6,
192.168.138.1:56222->192.168.138.100:8080) from port1."
id=36871 trace_id=3 msg="allocate a new session-000000a5"
id=36871 trace_id=3 msg="find SNAT: IP-20.20.20.10(from IPPOOL), port-80"
id=36871 trace_id=3 msg="VIP-20.20.20.10:80, outdev-port1"
id=36871 trace_id=3 msg="DNAT 192.168.138.100:8080->20.20.20.10:80"
id=36871 trace_id=3 msg="find a route: gw-20.20.20.10 via port2"
id=36871 trace_id=3 msg="Allowed by Policy-2:

Lab 4 - Port Address Translation (PAT)

6. Differences in the session list with and without Port Forwarding
FGT_XT_12 # diag sys session filter dport 8080
FGT_XT_12 # diag sys session list
session info: proto=6 proto_state=01 duration=10 expire=3589 timeout=3600 flags=00000000
sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=40459
policy_dir=0 tunnel=/
state=may_dirty
statistic(bytes/packets/allow_err): org=974/6/1 reply=1138/4/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=20.20.20.10/192.168.138.1
hook=pre dir=org act=dnat 192.168.138.1:56222->192.168.138.100:8080(20.20.20.10:80)      <- ACTION FOR ORIGINAL DIRECTION TRAFFIC
hook=post dir=reply act=snat 20.20.20.10:80->192.168.138.1:56222(192.168.138.100:8080)   <- ACTION FOR REPLY DIRECTION TRAFFIC
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=000000a5 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=192.168.138.1, bps=664
total session 1

Lab 4 - Port Address Translation (PAT)

4. Access the FTP Server from the Host PC (ftp 192.168.138.100) while debug flow is running
5. Review the flow
FGT_XT_12 # diag deb enable
FGT_XT_12 # diag deb flo filter dport 21
FGT_XT_12 # diag deb flo trace start 1
FGT_XT_12 # id=36871 trace_id=15 msg="vd-root received a packet(proto=6,
192.168.138.1:63836->192.168.138.100:21) from port1."
id=36871 trace_id=15 msg="allocate a new session-000005ad"
id=36871 trace_id=15 msg="find SNAT: IP-20.20.20.20(from IPPOOL), port-21"
id=36871 trace_id=15 msg="VIP-20.20.20.20:21, outdev-port1"
id=36871 trace_id=15 msg="DNAT 192.168.138.100:21->20.20.20.20:21"
id=36871 trace_id=15 msg="find a route: gw-20.20.20.20 via port2"
id=36871 trace_id=15 msg="Allowed by Policy-4:"
id=36871 trace_id=15 msg="run helper-ftp(dir=original)"

Lab 4 - Port Address Translation (PAT)

5. Differences in the session list with and without Port Forwarding
FGT_XT_12 # diag sys session filter dport 21
FGT_XT_12 # diag sys session list
session info: proto=6 proto_state=01 duration=18 expire=3581 timeout=3600 flags=00000000
sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=40469
policy_dir=0 tunnel=/
state=log may_dirty
statistic(bytes/packets/allow_err): org=168/3/1 reply=132/2/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=20.20.20.20/192.168.138.1
hook=pre dir=org act=dnat 192.168.138.1:63844->192.168.138.100:21(20.20.20.20:21)      <- ACTION FOR ORIGINAL DIRECTION TRAFFIC
hook=post dir=reply act=snat 20.20.20.20:21->192.168.138.1:63844(192.168.138.100:21)   <- ACTION FOR REPLY DIRECTION TRAFFIC
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=000005af tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=192.168.138.1, bps=351
total session 1

The Match VIP dilemma

1. Add a rule on top of the others that DENIES all traffic
2. Browse to http://192.168.138.100
3. What happened?

VIP rules are processed a little differently than other rules. They take precedence over regular rules.
There're two ways of denying traffic to a VIP:
1. Create a DENY rule specifying the VIP as destination
2. Enable # match-vip enable on the firewall rule that DENIES traffic
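The surprise in step 3 is easy to reproduce once policy lookup is written down. The following added example (not code from the deck or from FortiOS) models the lookup as the slide describes it: traffic whose destination is a VIP's external IP is matched by policies that name that VIP, and by an ordinary address policy only if `match-vip` is enabled on it, so a top "deny all" without match-vip is simply skipped. The `VIP`, `Policy` and `Packet` classes and the interface handling are this example's own simplification; the names, addresses and policy numbers come from the lab.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VIP:
    name: str
    extip: str          # external (published) IP
    mappedip: str       # real server IP
    extintf: str        # interface the external IP is published on


@dataclass
class Policy:
    id: int
    srcintf: str
    dstintf: str
    dstaddr: str            # a VIP name, "all", or a CIDR such as "20.20.20.0/24"
    action: str             # "accept" or "deny"
    match_vip: bool = False # models `set match-vip enable`


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    out_iface: str          # interface chosen by routing after any DNAT


def vip_for(pkt: Packet, vips: List[VIP]) -> Optional[VIP]:
    """The VIP this packet is destined to, if its dst is a published external IP."""
    return next((v for v in vips if v.extip == pkt.dst and v.extintf == pkt.in_iface), None)


def address_matches(dstaddr: str, ip: str) -> bool:
    if dstaddr == "all":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(dstaddr, strict=False)
    except ValueError:
        return False        # not an address object (e.g. a VIP name)


def policy_matches(pol: Policy, pkt: Packet, vips: List[VIP]) -> bool:
    if pol.srcintf != pkt.in_iface or pol.dstintf != pkt.out_iface:
        return False
    vip = vip_for(pkt, vips)
    if pol.dstaddr in {v.name for v in vips}:
        # A policy whose destination is a VIP object only ever matches that VIP's traffic.
        return vip is not None and pol.dstaddr == vip.name
    if vip is not None:
        # VIP-destined traffic skips ordinary address policies unless match-vip is set.
        return pol.match_vip and address_matches(pol.dstaddr, pkt.dst)
    return address_matches(pol.dstaddr, pkt.dst)


def first_match(pkt: Packet, policies: List[Policy], vips: List[VIP]) -> Optional[Policy]:
    """Top-down, first-match lookup; None stands for the implicit deny."""
    for pol in policies:
        if policy_matches(pol, pkt, vips):
            return pol
    return None


# Lab objects: the web VIP from Lab 2 and the policy that allows traffic to it.
VIPS = [VIP("XTWebServer01Pub", "192.168.138.100", "20.20.20.10", "port1")]
ALLOW_WEB = Policy(2, "port1", "port2", "XTWebServer01Pub", "accept")
WEB_REQUEST = Packet("192.168.138.1", "192.168.138.100", "port1", "port2")


def verdict(policies: List[Policy], pkt: Packet = WEB_REQUEST) -> str:
    pol = first_match(pkt, policies, VIPS)
    return "implicit deny" if pol is None else f"{pol.action} by policy {pol.id}"


if __name__ == "__main__":
    print("deny-all on top:        ", verdict([Policy(9, "port1", "port2", "all", "deny"), ALLOW_WEB]))
    print("deny with VIP as dst:   ", verdict([Policy(9, "port1", "port2", "XTWebServer01Pub", "deny"), ALLOW_WEB]))
    print("deny-all with match-vip:", verdict([Policy(9, "port1", "port2", "all", "deny", match_vip=True), ALLOW_WEB]))
```

The practical consequence for a reviewer of a FortiGate policy set is that a blanket deny above a VIP policy is not the safety net it looks like; a deny that should cover published services has to name the VIP or carry match-vip.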

Source NAT
- Dynamic SNAT
- Dynamic SNAT with Ranges
- Static SNAT

Dynamic Source NAT

- DSNAT is probably the most used type of NAT
- Almost every organization uses this type of NAT so their employees can surf the Web
- Allows sharing a public IP address among many users

Lab 5 - Dynamic SNAT

[Figure: Host PC (vmnet1 192.168.138.1) -> FortiGate port1 192.168.138.10 with VIP 192.168.138.100 / port2 20.20.20.1 (SNAT address) -> xserver01 eth1 20.20.20.10]

Before translation (on port1):
  SADDR          SPORT  DADDR            DPORT
  192.168.138.1  23456  192.168.138.100  80

After translation (on port2, DNAT plus SNAT):
  SADDR       SPORT  DADDR        DPORT
  20.20.20.1  45123  20.20.20.10  80

Lab 5 - Dynamic SNAT

1. Edit VIP XTWebServer01Pub and modify External Service Port to 80
2. Edit the firewall policy that allows traffic from XTWebServer01Pub and enable NAT.

Lab 5 - Dynamic SNAT

3. Access the Web Server (http://192.168.138.100) while sampling a traffic flow
FGT_XT_12 # diag deb ena
FGT_XT_12 # diag deb flo filter dport 80
FGT_XT_12 # diag deb flo filter daddr 192.168.138.100
FGT_XT_12 # diag deb flo sho console enable
show trace messages on console
FGT_XT_12 # diag deb flo trace start 1
FGT_XT_12 # diag sys session list
id=36871 trace_id=16 msg="vd-root received a
packet(proto=6, 192.168.138.1:50540->192.168.138.100:80) from port1."
id=36871 trace_id=16 msg="allocate a new session-00000710"
id=36871 trace_id=16 msg="find SNAT: IP-20.20.20.10(from IPPOOL), port-80"
id=36871 trace_id=16 msg="VIP-20.20.20.10:80, outdev-port1"
id=36871 trace_id=16 msg="DNAT 192.168.138.100:80->20.20.20.10:80"
id=36871 trace_id=16 msg="find a route: gw-20.20.20.10 via port2"
id=36871 trace_id=16 msg="find SNAT: IP-20.20.20.1, port-34792"
id=36871 trace_id=16 msg="Allowed by Policy-2: SNAT"
id=36871 trace_id=16 msg="SNAT 192.168.138.1->20.20.20.1:34792"      <- SNAT happens at the end
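Across Labs 1 to 5 the `diag debug flow` trace is read the same way: find the packet, see whether a DNAT, a route lookup and an SNAT happened, and end on a policy or on a drop. The parser below is an added example (not code from the deck or from FortiOS) that groups the trace by `trace_id`, re-joins messages that wrapped onto a second line, tolerates the missing closing quote FortiOS prints on the last message, and reduces each trace to those decisions in the order they occurred. It is fed with the Lab 5 trace above (where SNAT comes after the policy decision) and the Lab 3 trace (dropped by the reverse path check); the step names and the `forwarded` flag are this example's own.

```python
import re
from typing import Dict, List

# Traces copied from this deck: Lab 5 (DNAT + SNAT, forwarded) and Lab 3 (RPF drop).
LAB5_TRACE = """\
FGT_XT_12 # diag deb flo trace start 1
FGT_XT_12 # id=36871 trace_id=16 msg="vd-root received a
packet(proto=6, 192.168.138.1:50540->192.168.138.100:80) from port1."
id=36871 trace_id=16 msg="allocate a new session-00000710"
id=36871 trace_id=16 msg="find SNAT: IP-20.20.20.10(from IPPOOL), port-80"
id=36871 trace_id=16 msg="VIP-20.20.20.10:80, outdev-port1"
id=36871 trace_id=16 msg="DNAT 192.168.138.100:80->20.20.20.10:80"
id=36871 trace_id=16 msg="find a route: gw-20.20.20.10 via port2"
id=36871 trace_id=16 msg="find SNAT: IP-20.20.20.1, port-34792"
id=36871 trace_id=16 msg="Allowed by Policy-2: SNAT"
id=36871 trace_id=16 msg="SNAT 192.168.138.1->20.20.20.1:34792"
"""
LAB3_TRACE = """\
FGT_XT_12 # id=36871 trace_id=1 msg="vd-root received a packet(proto=6,
50.50.50.1:55916->50.50.50.10:80) from port1."
id=36871 trace_id=1 msg="allocate a new session-00000107"
id=36871 trace_id=1 msg="find SNAT: IP-20.20.20.10(from IPPOOL), port-80"
id=36871 trace_id=1 msg="VIP-20.20.20.10:80, outdev-port1"
id=36871 trace_id=1 msg="DNAT 50.50.50.10:80->20.20.20.10:80"
id=36871 trace_id=1 msg="reverse path check fail, drop
"""

# (step name, pattern over one msg="..." payload). First match wins per message; the
# "find SNAT: ..." lookups are deliberately not a step, only the actual SNAT/DNAT lines.
STEP_PATTERNS = [
    ("recv", re.compile(r"received a packet\(proto=(?P<proto>\d+),\s*"
                        r"(?P<packet>[\d.]+:\d+->[\d.]+:\d+)\)\s+from\s+(?P<in_iface>\w+)")),
    ("session", re.compile(r"allocate a new session-(?P<session>\w+)")),
    ("vip", re.compile(r"^VIP-(?P<vip>[\d.]+:\d+)")),
    ("dnat", re.compile(r"^DNAT\s+(?P<dnat_from>[\d.]+:\d+)->(?P<dnat_to>[\d.]+:\d+)")),
    ("route", re.compile(r"find a route: gw-(?P<gw>[\d.]+) via (?P<out_iface>\w+)")),
    ("policy", re.compile(r"Allowed by Policy-(?P<policy>\d+)")),
    ("snat", re.compile(r"^SNAT\s+(?P<snat_from>[\d.]+(?::\d+)?)->(?P<snat_to>[\d.]+:\d+)")),
    ("drop", re.compile(r"(?P<drop>reverse path check fail|denied|drop)", re.IGNORECASE)),
]


def parse_flow_trace(text: str) -> Dict[str, List[str]]:
    """Group msg payloads by trace_id. Lines are joined first so a message that
    wrapped (as the 'received a packet' one does) is seen whole; a final message
    without its closing quote is accepted as-is."""
    joined = re.sub(r"\s*\n\s*", " ", text.strip())
    traces: Dict[str, List[str]] = {}
    for chunk in re.split(r"(?=id=\d+\s+trace_id=)", joined):
        m = re.match(r'id=\d+\s+trace_id=(\d+)\s+msg="(.*)$', chunk.strip())
        if m:
            traces.setdefault(m.group(1), []).append(m.group(2).strip().rstrip('"'))
    return traces


def summarize(msgs: List[str]) -> Dict[str, object]:
    """Reduce one trace to what came in, how it was translated, where it was routed,
    which policy allowed it or why it was dropped, plus the order of those steps."""
    summary: Dict[str, object] = {"order": []}
    for msg in msgs:
        for step, pattern in STEP_PATTERNS:
            m = pattern.search(msg)
            if m:
                summary["order"].append(step)
                summary.update(m.groupdict())
                break
    summary["forwarded"] = "policy" in summary["order"] and "drop" not in summary["order"]
    return summary


if __name__ == "__main__":
    for name, text in (("Lab 5", LAB5_TRACE), ("Lab 3", LAB3_TRACE)):
        for tid, msgs in parse_flow_trace(text).items():
            print(name, "trace", tid, summarize(msgs))
```

The `order` list makes the slide's two callouts visible in data: DNAT precedes the route lookup (Lab 2), and SNAT is the last step after the policy decision (Lab 5); the Lab 3 trace ends at `drop` with no route or policy step at all.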

Lab 5 - Dynamic SNAT

4. Reviewing the session list
FGT_XT_12 # diag sys session filter dst 192.168.138.100
FGT_XT_12 # diag sys session filter dport 80
FGT_XT_12 # diag sys session list
session info: proto=6 proto_state=01 duration=2 expire=3598 timeout=3600 flags=00000000
sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=40459
policy_dir=0 tunnel=/
state=log may_dirty
statistic(bytes/packets/allow_err): org=1026/6/1 reply=1055/4/1 tuples=4
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=20.20.20.10/192.168.138.1
hook=pre dir=org act=dnat 192.168.138.1:50540->192.168.138.100:80(20.20.20.10:80)      <- ACTIONS FOR ORIGINAL DIRECTION TRAFFIC
hook=post dir=org act=snat 192.168.138.1:50540->20.20.20.10:80(20.20.20.1:34792)
hook=pre dir=reply act=dnat 20.20.20.10:80->20.20.20.1:34792(192.168.138.1:50540)      <- ACTIONS FOR REPLY DIRECTION TRAFFIC
hook=post dir=reply act=snat 20.20.20.10:80->192.168.138.1:50540(192.168.138.100:80)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=00000710 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=192.168.138.1, bps=69
total session 1

Understanding Dynamic SNAT behavior and limitations

How does the FortiGate track sessions in order to redirect reply traffic?

Topology: PC1 192.168.138.1 and PC2 192.168.138.2 sit behind the FortiGate, whose outside address is 20.20.20.1; the Web Server is 20.20.20.10.

1. PC1 opens a connection. Original direction, before and after SNAT:
     SADDR          SPORT  DADDR        DPORT
     192.168.138.1  1234   20.20.20.10  80      (from PC1)
     20.20.20.1     1234   20.20.20.10  80      (sent to the Web Server)

   The FortiGate records the session in both directions:
     ORIGINAL: SNAT 192.168.138.1:1234, 20.20.20.10:80  ->  20.20.20.1:1234, 20.20.20.10:80
     REPLY:    DNAT 20.20.20.10:80, 20.20.20.1:1234     ->  20.20.20.10:80, 192.168.138.1:1234

2. The Web Server replies to 20.20.20.1:1234; the REPLY entry maps it back to 192.168.138.1:1234:
     SADDR        SPORT  DADDR          DPORT
     20.20.20.10  80     20.20.20.1     1234    (from the Web Server)
     20.20.20.10  80     192.168.138.1  1234    (delivered to PC1)

3. PC2 opens a connection from source port 5678. It does not clash with PC1's entry, so the port is kept:
     SADDR          SPORT  DADDR        DPORT
     192.168.138.2  5678   20.20.20.10  80      (from PC2)
     20.20.20.1     5678   20.20.20.10  80      (sent to the Web Server)
     ORIGINAL: SNAT 192.168.138.2:5678, 20.20.20.10:80  ->  20.20.20.1:5678, 20.20.20.10:80
     REPLY:    DNAT 20.20.20.10:80, 20.20.20.1:5678     ->  20.20.20.10:80, 192.168.138.2:5678
   The reply 20.20.20.10:80 -> 20.20.20.1:5678 is delivered to 192.168.138.2:5678.

4. CONFLICT! PC2 now opens a connection from source port 1234, the port PC1 is already using. Keeping the port would create two identical translated tuples:
     ORIGINAL: SNAT 192.168.138.1:1234, 20.20.20.10:80  ->  20.20.20.1:1234, 20.20.20.10:80
     ORIGINAL: SNAT 192.168.138.2:1234, 20.20.20.10:80  ->  20.20.20.1:1234, 20.20.20.10:80
     REPLY:    DNAT 20.20.20.10:80, 20.20.20.1:1234     ->  20.20.20.10:80, 192.168.138.1:1234
     REPLY:    DNAT 20.20.20.10:80, 20.20.20.1:1234     ->  20.20.20.10:80, 192.168.138.2:1234
   A reply from the Web Server to 20.20.20.1:1234 could no longer be mapped back to a single client.

5. The FortiGate resolves the conflict by translating PC2's source port as well:
     SADDR          SPORT  DADDR        DPORT
     192.168.138.2  1234   20.20.20.10  80      (from PC2)
     20.20.20.1     2232   20.20.20.10  80      (sent to the Web Server)
     ORIGINAL: SNAT 192.168.138.2:1234, 20.20.20.10:80  ->  20.20.20.1:2232, 20.20.20.10:80
     REPLY:    DNAT 20.20.20.10:80, 20.20.20.1:2232     ->  20.20.20.10:80, 192.168.138.2:1234

Understanding Dynamic SNAT behavior and limitations


How does the FortiGate track sessions in order to redirect reply traffic?
PC1
192.168.13
8.1
SADDR

SPORT

DADDR

DPORT

20.20.20.10

80

192.168.138.2

5678

PC2
192.168.13
8.2

20.20.20.1

ORIGINAL

SNAT 192.168.138.1:1234,
20.20.20.10:80

20.20.20.1:1234, 20.20.20.10:80
SNAT 192.168.138.2:1234,
20.20.20.10:80

20.20.20.1:2232, 20.20.20.10:80
83

Fortinet Confidential

Web Server
20.20.20.10

SADDR

SPORT

DADDR

DPORT

20.20.20.10

80

20.20.20.1

2232

REPLY

DNAT 20.20.20.10:80, 20.20.20.1:1234

20.20.20.10:80, 192.168.138.1:1234
DNAT 20.20.20.10:80, 20.20.20.1:2232

20.20.20.10:80, 192.168.138.2:1234

Understanding Dynamic SNAT behavior and limitations

How many unique NAT entries to a given Web Server can be referenced in a FortiGate?
How did you reach that number?

Understanding Dynamic SNAT behavior and limitations

1. Using the source port as part of the unique key brings an intrinsic limitation: there are at most 65,535 possible source ports.
2. Actually, FortiOS uses a sub-pool of 32,768 ports (28,672 to 61,440) for translated source ports. (*)
3. That pool is tied to a unique combination of NAT IP, destination IP, destination port and protocol, so each such combination can carry at most 32,768 concurrent translated sessions.
4. Indicators that this limit is being reached:
   - The clash counter increases. A session clash means that when a new session needs to be created, an old session with the same tuple already exists, so the old one is deleted and the new one is created.
   - "NAT port is exhausted" appears in the system log.

(*) http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30357

Understanding Dynamic SNAT behavior and limitations

The clash counter can be read from diag sys session stat:

FGT_XT_12 # diag sys session stat
misc info:
session_count=1 setup_rate=0 exp_count=0 clash=0
memory_tension_drop=0 ephemeral=0/32768 removeable=0 ha_scan=0
delete=0, flush=0, dev_down=0/0
TCP sessions:
1 in ESTABLISHED state
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000000
tcp reset stat:
syncqf=0 acceptqf=0 no-listener=1 data=0 ses=6 ips=0
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0


Understanding Dynamic SNAT behavior and limitations

1. The best way of overcoming this limitation is using IP Pool Ranges as SNAT.
2. This way, for a given destination IP address + protocol + port, the pool is increased by N (N being the number of IP addresses in the IP Pool Range):

   Range 20.20.20.2 - 20.20.20.2 = 1 * 32,768 = 32,768
   Range 20.20.20.2 - 20.20.20.5 = 4 * 32,768 = 131,072

If you're doing deployments on large networks you will probably want to use IP Pool Ranges.

Lab 6 - Dynamic SNAT w/IP Pool Range

Topology
  Host PC (vmnet1) with source addresses 192.168.138.1, 192.168.138.2 and 192.168.138.56
  FortiGate port1 192.168.138.10, port2 20.20.20.1
  192.168.138.100: VIP (XTWebServer01Pub) for xserver01 eth1 20.20.20.10
  IP Pool 20.20.20.2 - 20.20.20.5 on port2

  Packets on port1 (before NAT)   SADDR           SPORT  DADDR            DPORT
                                  192.168.138.1   1234   192.168.138.100  80
                                  192.168.138.56  4567   192.168.138.100  80

  Packets on port2 (after NAT)    SADDR           SPORT  DADDR            DPORT
                                  20.20.20.3      4321   20.20.20.10      80
                                  20.20.20.2      7654   20.20.20.10      80

Lab 6 - Dynamic SNAT w/IP Pool Range

1. Create a new IP Pool
   Name: IP_Pool_2_to_5
   IP Range/Subnet: 20.20.20.2 - 20.20.20.5

2. Edit the firewall policy that allows traffic to XTWebServer01Pub and configure the newly created IP Pool for NAT.

Lab 6 - Dynamic SNAT w/IP Pool Range

3. Sniff HTTP and ICMP traffic on the outgoing interface, port2:

   FGT_XT_12 # diag sni packet port2 'port 80 or icmp' 4

4. On the Host PC, open an HTTP session using telnet, or just ping, using different source IP addresses:

   MAC OS X: # telnet -s 192.168.138.X 192.168.138.100 80
             # ping -S 192.168.138.X 192.168.138.100
   Linux:    # telnet -b 192.168.138.X 192.168.138.100 80
             # ping -I eth0:X 192.168.138.100
   Windows:  telnet cannot select the source address; ping -S 192.168.138.X 192.168.138.100 works (XP doesn't have this flag)

Lab 6 - Dynamic SNAT w/IP Pool Range

5. Review how the NAT IP address depends on the source IP in the original packet.
FGT_XT_12 # diag sniffer packet port2 'icmp or port 80' 1
interfaces=[port2]
filters=[icmp or port 80]
Using Source IP: 192.168.138.1
96.416203 20.20.20.3 -> 20.20.20.10: icmp: echo request
96.420104 20.20.20.10 -> 20.20.20.3: icmp: echo reply
97.416982 20.20.20.3 -> 20.20.20.10: icmp: echo request
97.417217 20.20.20.10 -> 20.20.20.3: icmp: echo reply
Using Source IP: 192.168.138.2
105.204372 20.20.20.4 -> 20.20.20.10: icmp: echo request
105.208867 20.20.20.10 -> 20.20.20.4: icmp: echo reply
106.204815 20.20.20.4 -> 20.20.20.10: icmp: echo request
106.205062 20.20.20.10 -> 20.20.20.4: icmp: echo reply
Using Source IP: 192.168.138.56
112.955957 20.20.20.2 -> 20.20.20.10: icmp: echo request
112.956181 20.20.20.10 -> 20.20.20.2: icmp: echo reply
113.956425 20.20.20.2 -> 20.20.20.10: icmp: echo request
113.956671 20.20.20.10 -> 20.20.20.2: icmp: echo reply

SNAT w/IP Pool Range - Behavior

Behavior on different range sizes

1. Original IP Range > IP Pool Range (pool 20.20.20.1 - 20.20.20.2)
   192.168.138.1   -> 20.20.20.1
   192.168.138.2   -> 20.20.20.2
   192.168.138.3   -> 20.20.20.1
   192.168.138.4   -> 20.20.20.2
   ...
   192.168.138.254 -> 20.20.20.2
   SOURCE IP ADDRESSES ARE TRANSLATED USING A WRAPAROUND MECHANISM

2. Original IP Range < IP Pool Range (pool 20.20.20.1 - 20.20.20.254)
   192.168.138.1 -> 20.20.20.1
   192.168.138.2 -> 20.20.20.2
   192.168.138.3 -> 20.20.20.3
   Not used      -> 20.20.20.4
   ...
   Not used      -> 20.20.20.254
   A SUBSET OF THE POOL IP ADDRESSES WILL NEVER BE USED

3. Original IP Range = IP Pool Range
   192.168.138.1   -> 20.20.20.1
   192.168.138.2   -> 20.20.20.2
   192.168.138.3   -> 20.20.20.3
   192.168.138.4   -> 20.20.20.4
   ...
   192.168.138.254 -> 20.20.20.254
   EACH SOURCE IP IS ALWAYS TRANSLATED TO ITS MATCHING ADDRESS

When the range sizes match, would it be fair to say that this behaves as a STATIC 1-to-1 NAT?
No, since the source ports are still being translated randomly.

Static SNAT (1-to-1)

So far we saw Dynamic SNAT, where an N-to-1 or N-to-M mapping exists and the source port was translated randomly.
Static NAT ensures that a given source IP is always translated to a predefined IP address in a 1-to-1 fashion, and no source port translation takes place:

  Source IP             Translated Source IP
  192.168.138.1:1234    20.20.20.1:1234
  192.168.138.2:4325    20.20.20.2:4325
  192.168.138.3:5698    20.20.20.3:5698
  ...
  192.168.138.254:7654  20.20.20.254:7654

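The following Python model is an added example, not FortiOS code, covering the behaviour described on the preceding slides: the translated source port is part of the key that keeps sessions apart (the PC1/PC2 conflict), each combination of NAT IP, destination IP, destination port and protocol has a pool of 32,768 translated ports (28,672 to 61,440), an IP Pool Range of N addresses multiplies that capacity by N, source addresses wrap around the pool, and Fixed Port (static 1-to-1) keeps the original port. Two points are assumptions, not taken from the page: the pool address is chosen as (source IP as an integer) mod N, which reproduces the mappings captured in Labs 6 and 7 but is not the documented FortiOS selection, and translated ports are handed out lowest-free-first, whereas FortiOS picks its own. The slides' walk-through keeps port 1234 for PC1 as an illustration; this model always allocates dynamic ports from the sub-pool, as the KB article describes.

```python
"""Model of FortiGate-style dynamic SNAT (NAPT) session tracking.

Added example, not FortiOS code. Assumptions are marked in comments.
"""
import ipaddress

POOL_LOW, POOL_HIGH = 28672, 61440   # FortiOS translated-port sub-pool (KB FD30357)
POOL_SIZE = POOL_HIGH - POOL_LOW     # 32,768 ports per NAT IP / dst IP / dst port / proto


class NatPortExhausted(Exception):
    """Model of the 'NAT port is exhausted' system log entry."""


def capacity(pool_ips):
    """Concurrent sessions to one dst IP/port/proto that a pool can carry."""
    return len(pool_ips) * POOL_SIZE


def select_pool_ip(src_ip, pool_ips):
    """Wraparound choice of pool address: src IP as integer mod pool size.
    Assumption: the exact FortiOS selection is not on the page; this reproduces
    the Lab 6/Lab 7 captures (.1->.3, .2->.4, .3->.5, .4->.2, .56->.2 with 4 IPs)."""
    return pool_ips[int(ipaddress.IPv4Address(src_ip)) % len(pool_ips)]


class SnatTable:
    def __init__(self, pool_ips, fixedport=False):
        self.pool_ips = list(pool_ips)
        self.fixedport = fixedport
        self.orig = {}    # (src, sport, dst, dport, proto) -> (nat_ip, nat_port)
        self.reply = {}   # (dst, dport, nat_ip, nat_port, proto) -> original tuple
        self.free = {}    # (nat_ip, dst, dport, proto) -> free translated ports
        self.clash = 0    # sessions displaced because their translated tuple was reused

    def translate(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        key = (src_ip, src_port, dst_ip, dst_port, proto)
        if key in self.orig:                       # existing session: same translation
            return self.orig[key]
        nat_ip = select_pool_ip(src_ip, self.pool_ips)
        if self.fixedport:
            # Static 1-to-1: the port is never changed. Two clients behind the
            # same pool IP using the same source port collide; the older session
            # is torn down and the clash counter increments.
            nat_port = src_port
            old = self.reply.get((dst_ip, dst_port, nat_ip, nat_port, proto))
            if old is not None:
                self.clash += 1
                del self.orig[old]
        else:
            # Dynamic SNAT: the translated port comes from the per-tuple sub-pool,
            # so PC1:1234 and PC2:1234 end up with distinct translated ports.
            pkey = (nat_ip, dst_ip, dst_port, proto)
            pool = self.free.get(pkey)
            if pool is None:
                pool = self.free[pkey] = list(range(POOL_HIGH - 1, POOL_LOW - 1, -1))
            if not pool:
                raise NatPortExhausted(f"{nat_ip} -> {dst_ip}:{dst_port}/{proto}")
            nat_port = pool.pop()                  # lowest free port (assumption)
        self.orig[key] = (nat_ip, nat_port)
        self.reply[(dst_ip, dst_port, nat_ip, nat_port, proto)] = key
        return nat_ip, nat_port

    def untranslate_reply(self, server_ip, server_port, nat_ip, nat_port, proto="tcp"):
        """Server reply addressed to nat_ip:nat_port -> original client (ip, port)."""
        return self.reply[(server_ip, server_port, nat_ip, nat_port, proto)][:2]


def conflict_demo():
    """PC1 and PC2 both use source port 1234 towards 20.20.20.10:80."""
    t = SnatTable(["20.20.20.1"])
    pc1 = t.translate("192.168.138.1", 1234, "20.20.20.10", 80)
    pc2 = t.translate("192.168.138.2", 1234, "20.20.20.10", 80)
    return pc1, pc2, t.untranslate_reply("20.20.20.10", 80, *pc2)


def fill_until_exhausted(pool_ips, clients):
    """Open flows from the given clients (round robin) to 20.20.20.10:80 until
    the first NatPortExhausted; returns how many sessions were established."""
    t = SnatTable(pool_ips)
    opened, port = 0, 1024
    try:
        while True:
            for c in clients:
                t.translate(c, port, "20.20.20.10", 80)
                opened += 1
            port += 1
    except NatPortExhausted:
        return opened
```

Note what fill_until_exhausted shows under the modelled selection: with a four-address pool, four clients spread over the pool addresses get 4 x 32,768 sessions towards one destination, but a single client still hits 32,768 because its source IP always maps to the same pool address. A pool range therefore raises aggregate capacity across many clients, which is the large-network case the slides recommend it for.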
Static SNAT (1-to-1)

There are some applications that need a specific source port to work: VoIP, videoconferencing, tunneling applications, etc.
A DNS protocol vulnerability is indirectly affected by NAT port mapping: "To avoid DNS server cache poisoning, it is highly desirable to not translate UDP source port numbers of outgoing DNS requests from a DNS server which is behind a firewall which implements NAT." (1) The reason is that a NAT which allocates translated ports predictably undoes the source port randomization the resolver relies on.
For these cases you should probably think of Static NAT.

(1) http://en.wikipedia.org/wiki/Network_address_translation

Lab 7 - Static SNAT (1-to-1)

Topology
  Host PC (vmnet1) with source addresses 192.168.138.1 through 192.168.138.4
  FortiGate port1 192.168.138.10, port2 20.20.20.1
  192.168.138.100: VIP for xserver01 eth1 20.20.20.10
  IP Pool 20.20.20.2 - 20.20.20.5 on port2, Fixed Port enabled

  Packets on port1 (before NAT)   SADDR          SPORT  DADDR            DPORT
                                  192.168.138.2  1234   192.168.138.100  80
                                  192.168.138.3  4567   192.168.138.100  80

  Packets on port2 (after NAT)    SADDR          SPORT  DADDR            DPORT
                                  20.20.20.2     1234   20.20.20.10      80
                                  20.20.20.3     4567   20.20.20.10      80

  The source port is preserved; only the source IP changes.

Lab 7 - Static SNAT (1-to-1)

1. Create a new Firewall Address
   Name: Addr_Range_2_to_5
   Subnet / IP Range: 192.168.138.[2-5]

2. Create a firewall policy that allows HTTP/ICMP traffic from Addr_Range_2_to_5 to any, using IP_Pool_2_to_5 as NAT.

3. Make sure to enable Fixed Port on the new rule (set fixedport enable in the CLI).

Lab 7 - Static SNAT (1-to-1)

Here is where the magic happens: the Fixed Port option on the policy.

Lab 7 - Static SNAT (1-to-1)

4. Sniff HTTP traffic on the incoming and outgoing interfaces:

   FGT_XT_12 # diag sni packet any 'port 80 and host 20.20.20.10' 4

5. On the Host PC, open an HTTP session using telnet, or just ping, using different source IP addresses:

   MAC OS X: # telnet -s 192.168.138.X 192.168.138.100 80
   Linux:    # telnet -b 192.168.138.X 192.168.138.100 80
   Windows:  telnet cannot select the source address

Lab 7 - Static SNAT (1-to-1)

6. Review how the NAT IP address depends on the source IP in the original packet, and that the source port is unchanged.
FGT_XT_12 # diag sniffer packet any 'port 80 and host 20.20.20.10' 4
interfaces=[any]
filters=[port 80 and host 20.20.20.10]
Using Source IP: 192.168.138.2
2.349765 port1 in 192.168.138.2.58229 -> 20.20.20.10.80: syn 4243720882
2.349838 port2 out 20.20.20.4.58229 -> 20.20.20.10.80: syn 4243720882
Using Source IP: 192.168.138.3
11.728808 port1 in 192.168.138.3.58230 -> 20.20.20.10.80: syn 650004285
11.728942 port2 out 20.20.20.5.58230 -> 20.20.20.10.80: syn 650004285
Using Source IP: 192.168.138.4
19.844453 port1 in 192.168.138.4.58231 -> 20.20.20.10.80: syn 1223648107
19.844592 port2 out 20.20.20.2.58231 -> 20.20.20.10.80: syn 1223648107

Lab 7 - Static SNAT w/Port Translation

Port Address Translation is also an option when doing SNAT.
The idea is to translate a range of source ports into another range of the same size.
This is one of the benefits of using the Central NAT Table (available since FortiOS 4.0 MR2).
Remember that the Central NAT Table is for Source NAT only.

Lab 7 - Static SNAT w/Port Translation

Topology
  Host PC (vmnet1) 192.168.138.1, source ports 60000, 60001, ...
  FortiGate port1 192.168.138.10, port2 20.20.20.1
  xserver01 eth1 20.20.20.10

  Packets on port1 (before NAT)   SADDR          SPORT  DADDR        DPORT
                                  192.168.138.1  60000  20.20.20.10  80
                                  192.168.138.1  60001  20.20.20.10  80

  Packets on port2 (after NAT)    SADDR          SPORT  DADDR        DPORT
                                  20.20.20.1     32000  20.20.20.10  80
                                  20.20.20.1     32001  20.20.20.10  80

  Each source port is shifted by a constant offset into the translated range (here 60000 -> 32000, 60001 -> 32001).

Lab 7 - Static SNAT w/Port Translation

1. Enable the Central NAT Table
   Go to System > Admin > Settings
   Enable Central NAT Table in the GUI options

2. Create a firewall rule on top of the others allowing HTTP traffic from any source to any destination. Enable NAT and use the Central NAT Table for this rule.

3. Create a new entry in the Central NAT Table
   Source Address: all
   Translated Address: IP_Pool_2_to_5
   Original Source Port: range starting at 32001
   Translated Port: range of the same size starting at 1000 (see the port arithmetic under step 5)

Lab 7 - Static SNAT w/Port Translation

4. Browse to http://20.20.20.10 while sniffing traffic.
   We can't control which source port the operating system is going to pick; hopefully it will fall in the range specified in the Central NAT Table.

Lab 7 - Static SNAT w/Port Translation

5. FGT_XT_12 # diag sni packet any 'host 20.20.20.10' 4
interfaces=[any]
filters=[host 20.20.20.10]
5.684952 port1 in 192.168.138.1.60764 -> 20.20.20.10.80: syn 205570712
5.685011 port2 out 20.20.20.3.29763 -> 20.20.20.10.80: syn 205570712
5.691359 port2 in 20.20.20.10.80 -> 20.20.20.3.29763: syn 3656265083 ack 205570713
5.691394 port1 out 20.20.20.10.80 -> 192.168.138.1.60764: syn 3656265083 ack 205570713
5.691531 port1 in 192.168.138.1.60764 -> 20.20.20.10.80: ack 3656265084
5.691542 port2 out 20.20.20.3.29763 -> 20.20.20.10.80: ack 3656265084
5.692194 port1 in 192.168.138.1.60764 -> 20.20.20.10.80: psh 205570713 ack 3656265084
5.692205 port2 out 20.20.20.3.29763 -> 20.20.20.10.80: psh 205570713 ack 3656265084
5.693810 port2 in 20.20.20.10.80 -> 20.20.20.3.29763: ack 205571060
5.693826 port1 out 20.20.20.10.80 -> 192.168.138.1.60764: ack 205571060

Translated port = 60764 (original) - 32001 (first port of the original range) + 1000 (first port of the translated range) = 29763

Lab 7 - Static SNAT w/Port Translation

6. Trace the flow to see the pool address and the translated port being chosen:

FGT_XT_12 # diag deb enable
FGT_XT_12 # diag deb flow filter daddr 20.20.20.10
FGT_XT_12 # diag deb flow show console enable
show trace messages on console
FGT_XT_12 # diag deb flow trace start 10
FGT_XT_12 # id=36871 trace_id=26 msg="vd-root received a packet(proto=6, 192.168.138.1:60769->20.20.20.10:80) from port1."
id=36871 trace_id=26 msg="allocate a new session-00001e4d"
id=36871 trace_id=26 msg="find a route: gw-20.20.20.10 via port2"
id=36871 trace_id=26 msg="find SNAT: IP-20.20.20.1, port-25573"
id=36871 trace_id=26 msg="find SNAT: IP-20.20.20.3(from IPPOOL), port-29768"
id=36871 trace_id=26 msg="Allowed by Policy-3: SNAT"
id=36871 trace_id=26 msg="SNAT 192.168.138.1->20.20.20.3:29768"

Again: 60769 - 32001 + 1000 = 29768.

Lab 7 - Static SNAT w/Port Translation

7. The session table shows the translation in both directions:

FGT_XT_12 # diag sys session list
session info: proto=6 proto_state=01 duration=2 expire=3597 timeout=3600 flags=00000000
sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=40459
policy_dir=0 tunnel=/
state=may_dirty
statistic(bytes/packets/allow_err): org=1092/6/1 reply=865/4/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=20.20.20.10/192.168.138.1
hook=post dir=org act=snat 192.168.138.1:60770->20.20.20.10:80(20.20.20.3:29769)      <- action for original-direction traffic
hook=pre dir=reply act=dnat 20.20.20.10:80->20.20.20.3:29769(192.168.138.1:60770)     <- action for reply-direction traffic
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=00001e4e tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=192.168.138.1, bps=484
total session 1

FGT_XT_12 #

Load Balancing NAT

Load Balancing with FortiGate

You can configure FortiOS load balancing to intercept incoming traffic with a virtual server and share it among one or more backend real servers. The FortiGate unit enables multiple real servers to respond as if they were a single device to the outside world.
Up to eight real servers can be load balanced in one VIP.
Things that won't work on a load-balance VIP: authentication, WAN optimization and web caching.

Load Balancing with FortiGate

When load balancing, there are some important concepts to keep in mind:

1. Load Balancing Algorithm: defines how the traffic will be distributed among real servers. FGT supports the following LB algorithms:

   Source IP Hash: Traffic load is statically spread evenly across all real servers, independent of how busy individual real servers are. Provides some persistence because all sessions from the same source address always go to the same real server. Distribution is stateless; if a real server is added or removed (or goes up or down) the distribution changes and persistence could be lost.

   Round Robin: Directs new requests to the next real server, and treats all real servers as equals regardless of response time or number of connections. Dead or non-responsive real servers are avoided.

   Weighted: Behaves like a weighted round robin. Real servers with a higher weight value receive a larger percentage of connections. Set the real server weight when adding a real server.

   First Alive: Always directs sessions to the first alive real server (in the configured order of the real servers). Provides real server failover. For example, if you add real servers A, B and C in that order, then all sessions always go to A as long as it is alive. If A goes down then sessions go to B, and if B goes down sessions go to C. If A comes back up sessions go back to A.

   Least RTT (Round Trip Time): Directs sessions to the real server with the least round trip time. The round trip time is determined by a Ping health check monitor and defaults to 0 if no Ping health check monitor is added to the virtual server.

   Least Sessions: Directs requests to the real server that has the least number of current connections. This method works best in environments where the real servers or other equipment you are load balancing all have similar capabilities. It uses the FortiGate session table to track the number of sessions being processed by each real server.

   HTTP Host: Load balances HTTP connections across multiple real servers using the HTTP Host header to guide the connection to the correct real server. For example: www.mycompany.com goes to 20.20.20.10, www.mycompany.org goes to 20.20.20.20 and the rest of the traffic goes to 20.20.20.30.

Load Balancing with FortiGate

2. Health Check: mechanisms to check server and application status and determine whether they're able to receive connections:

   PING: Verifies that the IP address is reachable from the FortiGate by means of ICMP Echo Request/Reply. ONLY checks reachability.

   TCP: Opens a socket to the specified port, making sure there's Layer 4 connectivity (i.e. some process is listening on that port).

   HTTP: The health checker performs a GET request to the specified URL, making sure not only that the web server is up and running but that the application is actually working. A MATCH condition can be specified to check that it's retrieving the correct content (e.g. there was no defacement).

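An added Python model, not FortiOS code, of the distribution methods and health gating just described, so the properties the text states can be checked: dead real servers are skipped, First Alive fails back to the first server when it returns, Weighted behaves as an expanded round robin, Least Sessions consults a per-server session count, and Source IP Hash keeps a client on one server only as long as the set of alive servers is unchanged. The hash (client IP as an integer modulo the number of alive servers) and the HTTP monitor's match rule are the model's own simplifications; Least RTT and HTTP Host are omitted because they need measurements and headers not modelled here.

```python
"""Model of FortiGate virtual-server distribution methods with health gating.

Added example, not FortiOS code. Hash and weighting details are the model's own.
"""
import ipaddress
import itertools


class RealServer:
    def __init__(self, ip, port=80, weight=1):
        self.ip, self.port, self.weight = ip, port, weight
        self.alive = True          # set by the health check monitor
        self.sessions = 0          # what "Least Sessions" consults


def http_health_check(status, body, matched_content=None):
    """HTTP monitor: the GET must return 200 and, if configured, contain the match string."""
    return status == 200 and (matched_content is None or matched_content in body)


class VirtualServer:
    def __init__(self, real_servers, method):
        self.rs = list(real_servers)   # configuration order matters for First Alive
        self.method = method
        self._rr = itertools.cycle(range(len(self.rs)))
        self._weighted = None

    def alive(self):
        return [s for s in self.rs if s.alive]

    def pick(self, client_ip):
        alive = self.alive()
        if not alive:
            return None
        if self.method == "first-alive":
            return alive[0]
        if self.method == "source-ip-hash":
            # Stateless: same client -> same server only while `alive` is unchanged.
            return alive[int(ipaddress.IPv4Address(client_ip)) % len(alive)]
        if self.method == "least-session":
            return min(alive, key=lambda s: s.sessions)
        if self.method == "weighted":
            if self._weighted is None:   # weighted round robin as an expanded ring
                self._weighted = itertools.cycle([s for s in self.rs for _ in range(s.weight)])
            for _ in range(sum(s.weight for s in self.rs)):
                s = next(self._weighted)
                if s.alive:
                    return s
        # round-robin (default): advance the cursor, skipping dead servers
        for _ in range(len(self.rs)):
            s = self.rs[next(self._rr)]
            if s.alive:
                return s
        return None

    def connect(self, client_ip):
        """Assign a new connection and account for it in the session count."""
        s = self.pick(client_ip)
        if s is not None:
            s.sessions += 1
        return s


def distribution(vs, clients):
    """Count how many new connections land on each real server IP."""
    counts = {}
    for c in clients:
        s = vs.connect(c)
        ip = s.ip if s else None
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Note the Source IP Hash case in the test: with three servers alive, 192.168.138.2 lands on 20.20.20.30; when 20.20.20.10 fails, the same client is re-hashed onto 20.20.20.20 although 20.20.20.30 never went down. That is the persistence loss the slide warns about.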
Load Balancing with FortiGate

3. Session Persistence: the mechanism to ensure that connections belonging to the same user session always end up on the same real server. This is mandatory in transactional sites, for example.

   HTTP Cookie: Inserts a cookie in the user session to track persistence.
   SSL Session ID: Works on HTTPS only and tracks persistence by the ID generated in the SSL session.

Load Balancing with FortiGate

4. Session Multiplexing: leverages the HTTP/1.1 feature that allows multiple HTTP requests to be carried over a single connection. This frees up resources on the real servers by avoiding repeated session setup.

   Preserve Client IP inserts an X-Forwarded-For header so the real servers can track the client's IP address. If it is not enabled, they will only see the FGT's IP address.

Load Balancing with FortiGate - Session Multiplexing

Behavior without Session Multiplexing
  PC1, PC2 and PC3 each open a connection through the FortiGate to the Web Server.
  The Web Server establishes three sessions, allocating CPU for the session setup and memory for the session information.

Behavior with Session Multiplexing
  PC1, PC2 and PC3 each open a connection to the FortiGate; the FortiGate carries their requests over one HTTP/1.1 persistent session to the Web Server.
  The Web Server establishes just one session = more resources available for other clients.

Load Balancing with FortiGate

5. SSL Offloading: The FortiGate can offload SSL 3.0 and TLS 1.0 on specific hardware (FortiASIC), freeing up real server resources. (The protocol list reflects the FortiOS release this deck was written for; SSL 3.0 has since been deprecated by RFC 7568 and should not be offered on current deployments.)

   Half-Mode Offloading: Creates a secure channel between the FGT and the client and a clear-text channel between the FGT and the server. Real servers don't process encryption.
   Full-Mode Offloading: Creates a secure channel on both sides of the FGT. Real servers still process encryption, with an abbreviated handshake.

Load Balancing with FortiGate - SSL Offloading

Half-Mode Encryption
  PC1 <-- Encrypted --> FortiGate <-- Clear --> Web Server
  The FortiGate needs the certificate and private key of the web site.
  The FortiGate is in charge of processing encryption/decryption.

Full-Mode Encryption
  PC1 <-- Encrypted --> FortiGate <-- Encrypted --> Web Server
  The FortiGate needs the certificate and private key of the web site; the web server needs a certificate and private key as well.
  Both the FortiGate and the web server process encryption/decryption.

Lab 8 - Load Balancing VIP

Topology
  Host PC (vmnet1) 192.168.138.1
  FortiGate port1 192.168.138.10, port2 20.20.20.1
  Virtual Server 192.168.138.101 on port1
  Real servers: xserver01 eth1 20.20.20.10 and xserver02 eth1 20.20.20.20

  Client request on port1        SADDR          SPORT  DADDR            DPORT
                                 192.168.138.1  23456  192.168.138.100  443

  Requests on port2              SADDR          SPORT  DADDR            DPORT
                                 192.168.138.1  1234   20.20.20.10      80
                                 192.168.138.1  3456   20.20.20.20      80

Lab 8 - Load Balancing VIP

1. Create a health checker for HTTP
   Name: XT_HTTP_Check
   Type: HTTP
   Port: 80
   URL: /index.html
   Matched Content: XTREME
   Leave defaults for the rest

2. Create a Virtual Server
   Name: LB_Public_IP
   Type: HTTP
   Interface: port1
   Virtual Server IP: 192.168.138.101
   Virtual Server Port: 80
   Load Balance Method: Round Robin
   Health Check: select the recently created health checker

3. Create both Real Servers
   Virtual Server: LB_Public_IP
   IP Address: 20.20.20.10 and 20.20.20.20
   Port: 80

4. Create a firewall policy allowing HTTP traffic from port1 to port2 with the newly created load-balance VIP as destination. Make sure this policy is on top of the others.

Lab 8 - Load Balancing VIP

Real server status values
  Active: receives connections
  Disabled: doesn't receive connections
  Standby: becomes active if another real server fails (n+1)

It's possible to define a different health check per real server using the CLI.

Lab 8 - Load Balancing VIP

5. Monitor real-server health in the GUI and the CLI (diagnose firewall vip realserver list).

Lab 8 - Load Balancing VIP

6. Let's generate some sessions and check that they're DNATed to different IP addresses. Browse from the Host PC to http://192.168.138.101
FGT_XT_12 # diag sniffer packet port2 'port 80' 1
interfaces=[port2]
filters=[port 80]
4.110573 20.20.20.1.4447 -> 20.20.20.20.80: syn 1375892443
4.110681 20.20.20.1.4448 -> 20.20.20.10.80: syn 293125801
4.110793 20.20.20.20.80 -> 20.20.20.1.4447: syn 2610757897 ack 1375892444
4.110824 20.20.20.1.4447 -> 20.20.20.20.80: ack 2610757898
4.110879 20.20.20.10.80 -> 20.20.20.1.4448: syn 1901104108 ack 293125802
4.110917 20.20.20.1.4448 -> 20.20.20.10.80: ack 1901104109
4.110991 20.20.20.1.4448 -> 20.20.20.10.80: psh 293125802 ack 1901104109
4.111045 20.20.20.1.4447 -> 20.20.20.20.80: psh 1375892444 ack 2610757898
4.111122 20.20.20.10.80 -> 20.20.20.1.4448: ack 293125867
4.111232 20.20.20.20.80 -> 20.20.20.1.4447: ack 1375892509
4.111549 20.20.20.10.80 -> 20.20.20.1.4448: psh 1901104109 ack 293125867
4.111571 20.20.20.1.4448 -> 20.20.20.10.80: ack 1901104461
4.111619 20.20.20.20.80 -> 20.20.20.1.4447: psh 2610757898 ack 1375892509
4.111637 20.20.20.1.4447 -> 20.20.20.20.80: ack 2610758250
4.111690 20.20.20.10.80 -> 20.20.20.1.4448: fin 1901104461 ack 293125867

Lab 8 - Load Balancing VIP

FGT_XT_12 # diag sys session filter dport 80
FGT_XT_12 # diag sys session list
session info: proto=6 proto_state=05 duration=0 expire=0 timeout=3600 flags=00000000
sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=10251
policy_dir=0 tunnel=/
state=local
statistic(bytes/packets/allow_err): org=385/6/1 reply=620/5/1 tuples=2
orgin->sink: org out->post, reply pre->in dev=7->3/3->7 gwy=0.0.0.0/20.20.20.1
hook=out dir=org act=noop 20.20.20.1:6775->20.20.20.10:80(0.0.0.0:0)
hook=in dir=reply act=noop 20.20.20.10:80->20.20.20.1:6775(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=00002c6f tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=20.20.20.1, bps=2010

Q: Is this the load-balanced session?
A: No, it is the health checker's session: it originates from the FortiGate itself (state=local, policy_id=0) and there's no NAT in it (act=noop).

Lab 8 - Load Balancing VIP

FGT_XT_12 # diag sys session filter dport 80
FGT_XT_12 # diag sys session list
session info: proto=6 proto_state=01 duration=1 expire=3598 timeout=3600 flags=00000000
sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=40459
policy_dir=0 tunnel=/
state=log may_dirty
statistic(bytes/packets/allow_err): org=571/4/1 reply=584/3/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=20.20.20.10/192.168.138.1
hook=pre dir=org act=dnat 192.168.138.1:54004->192.168.138.101:80(20.20.20.10:80)
hook=post dir=reply act=snat 20.20.20.10:80->192.168.138.1:54004(192.168.138.101:80)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=5 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=00002cc0 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=192.168.138.1, bps=151

This one is the load-balanced session: the client's request to the virtual server 192.168.138.101:80 is DNATed to the real server 20.20.20.10:80 (policy_id=5).

Lab 8 - Load Balancing VIP

7. Change index.html and re-check the health status.
   Log in to any of the web servers and move index.html:

   $ mv index.html index.html.2

Lab 8 - Load Balancing VIP

8. Edit the Virtual Server object and select Persistence using HTTP Cookie.
9. Browse again to http://192.168.138.101 and check the individual cookies. Is there one from that site?
   Cookie Name: FGTServer
10. As long as the cookie remains valid you will always be directed to the same web server.

Working with SIP ALG

How SIP ALG works

How the SIP ALG performs NAT

Using NAT with SIP is more complex because of the IP addresses and media stream port numbers carried in SIP message headers and bodies.
The SIP ALG must translate the private network addresses in the SIP message to IP addresses and port numbers that are valid on the Internet. When the response message is sent back to the caller, the SIP ALG must translate these addresses back to valid private network addresses.
The SIP ALG opens pinholes to accept these media sessions, using the information in the SIP messages to determine which pinholes to open. The ALG may also perform port translation on the media sessions.

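The translation work just described, as an added Python example that is not the FortiOS SIP ALG: a toy ALG rewrites the private phone address in the Via and Contact headers and in the SDP o=, c= and m= lines to the NAT address, records a pinhole (public IP:port -> private IP:port) for the RTP and RTCP ports announced in each m= line, and recomputes Content-Length because the SDP body changed. Phone_A 10.31.101.20 follows the page's address plan; the public address 172.20.120.10, the media port mapping and the INVITE text are constructed for the example.

```python
"""Toy SIP ALG: source-NAT rewrite of an INVITE carrying SDP.

Added example, not the FortiOS SIP ALG. Addresses marked below are assumed.
"""
import re

PRIVATE_IP = "10.31.101.20"    # Phone_A, from the page's configuration
PUBLIC_IP = "172.20.120.10"    # wan1 address of the FortiGate, assumed


def sip_alg_snat(message, private_ip, public_ip, media_port_map=None):
    """Return (rewritten_message, pinholes). media_port_map: private RTP port -> public port."""
    head, sep, body = message.partition("\r\n\r\n")
    media_port_map = media_port_map or {}
    pinholes = []

    # Via/Contact carry 'ip:port'; the signalling port is kept, only the IP changes.
    new_head = re.sub(re.escape(private_ip) + r":(\d+)",
                      lambda m: f"{public_ip}:{m.group(1)}", head)
    new_head = new_head.replace(private_ip, public_ip)     # e.g. Call-ID host part

    body_lines = []
    for line in body.split("\r\n"):
        if line.startswith("m="):                          # m=audio 49170 RTP/AVP 0
            parts = line.split(" ")
            rtp = int(parts[1])
            pub = media_port_map.get(rtp, rtp)             # ALG may translate media ports
            parts[1] = str(pub)
            line = " ".join(parts)
            for off in (0, 1):                             # RTP and the RTCP port above it
                pinholes.append((public_ip, pub + off, private_ip, rtp + off))
        body_lines.append(line.replace(private_ip, public_ip))   # o= and c= lines
    new_body = "\r\n".join(body_lines)

    # The SDP body changed length, so Content-Length must be recomputed.
    new_head = re.sub(r"(?m)^Content-Length:\s*\d+",
                      f"Content-Length: {len(new_body)}", new_head)
    return new_head + sep + new_body, pinholes


def declared_content_length(message):
    m = re.search(r"(?mi)^Content-Length:\s*(\d+)", message)
    return int(m.group(1)) if m else None


def body_of(message):
    return message.partition("\r\n\r\n")[2]


INVITE = (   # constructed sample INVITE from Phone_A to Phone_B
    "INVITE sip:phone_b@172.20.120.30 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.31.101.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:phone_a@example.net>;tag=1928301774\r\n"
    "To: <sip:phone_b@172.20.120.30>\r\n"
    "Call-ID: a84b4c76e66710@10.31.101.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:phone_a@10.31.101.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 123\r\n"
    "\r\n"
    "v=0\r\n"
    "o=phone_a 2890844526 2890844526 IN IP4 10.31.101.20\r\n"
    "s=-\r\n"
    "c=IN IP4 10.31.101.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000"
)
```

The pinhole list is what the firewall must open for the reverse media direction: without it, Phone_B's RTP towards 172.20.120.10:30000 would be dropped, which is the classic one-way-audio symptom when an ALG is missing or disabled.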
SIP scenario, source NAT: INVITE request

SIP scenario, source NAT: 200 OK returned

SIP NAT Configuration - Source NAT

Add Firewall Addresses:
config firewall address
    edit Phone_A
        set associated-interface internal
        set type ipmask
        set subnet 10.31.101.20 255.255.255.255
    next
    edit Phone_B
        set associated-interface wan1
        set type ipmask
        set subnet 172.20.120.30 255.255.255.255
    next
end

Add Security Policies:
config firewall policy
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr Phone_A
        set dstaddr Phone_B
        set action accept
        set schedule always
        set service SIP
        set nat enable
        set utm-status enable
        set profile-protocol-options default
        set voip-profile default
    next
    edit 0
        set srcintf wan1
        set dstintf internal
        set srcaddr Phone_B
        set dstaddr Phone_A
        set action accept
        set schedule always
        set service SIP
        set nat enable
        set utm-status enable
        set profile-protocol-options default
        set voip-profile default
    next
end

SIP scenario, destination NAT: INVITE request

SIP scenario, destination NAT: 200 OK returned

SIP NAT Configuration Destination NAT


Add SIP Proxy Server Virtual IP and Firewall Addresses:
config firewall vip
    edit SIP_Proxy_VIP
        set type static-nat
        set extip 172.20.120.50
        set mappedip 10.31.101.50
        set extintf port1
    end
config firewall address
    edit SIP_Proxy_Server
        set associated-interface port2
        set type ipmask
        set subnet 10.31.101.50 255.255.255.255
    end


SIP NAT Configuration Destination NAT


Add Security Policies:
config firewall policy
    edit 0
        set srcintf port1
        set dstintf port2
        set srcaddr all
        set dstaddr SIP_Proxy_VIP
        set action accept
        set schedule always
        set service SIP
        set nat enable
        set utm-status enable
        set profile-protocol-options default
        set voip-profile default
    end

config firewall policy
    edit 0
        set srcintf port2
        set dstintf port1
        set srcaddr SIP_Proxy_Server
        set dstaddr all
        set action accept
        set schedule always
        set service SIP
        set nat enable
        set utm-status enable
        set profile-protocol-options default
        set voip-profile default
    end

Sneak Peek on IPv6 with FortiOS 5.0

September 22, 2015



NAT64

Typical scenario

Well-known prefix [RFC 6052]: 64:ff9b::/96

The IPv4 address is embedded as the low 32 bits of the /96 prefix,
e.g. 172.20.120.12 >> 64:ff9b::ac14:780c
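The /96 embedding behind this mapping, as an added Python illustration (not FortiOS code): one function synthesizes the NAT64 address for an IPv4 address and the other recovers the IPv4 address from a synthesized one, returning None for native IPv6 destinations that are not NAT64 traffic. It uses only the standard ipaddress module. The prefix defaults to the RFC 6052 well-known prefix (the FortiOS default) but any /96 prefix can be passed, which goes beyond the slide's single example; the alternative prefix 2001:db8:64::/96 and the address 192.0.2.1 are constructed values.

```python
"""NAT64 address synthesis and extraction for a /96 prefix (RFC 6052).

Added illustration, not FortiOS code. Addresses other than the slide's
172.20.120.12 and the well-known prefix are constructed for this example.
"""
import ipaddress

# RFC 6052 well-known prefix; also the FortiOS "ipv6prefix" default.
WELL_KNOWN_PREFIX = "64:ff9b::/96"


def _check_prefix(prefix):
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("only the /96 embedding of RFC 6052 is handled here")
    return net


def synthesize_nat64(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Return the IPv6 address that represents ipv4 inside prefix.

    With a /96 prefix the four IPv4 octets become the low 32 bits, so
    172.20.120.12 (0xac14780c) maps to 64:ff9b::ac14:780c.
    """
    net = _check_prefix(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(net.network_address) | int(v4))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Reverse mapping used on the IPv6-to-IPv4 path.

    Returns the embedded IPv4Address, or None when the destination is not
    inside the NAT64 prefix (native IPv6 traffic that must not be translated).
    """
    net = _check_prefix(prefix)
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in net:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


if __name__ == "__main__":
    print(synthesize_nat64("172.20.120.12"))    # 64:ff9b::ac14:780c
    print(extract_ipv4("64:ff9b::ac14:780c"))   # 172.20.120.12
    print(extract_ipv4("2001:db8::1"))          # None: not NAT64 traffic
```

The None return is the check a policy64 implicitly relies on: only destinations inside the configured prefix are candidates for translation, everything else is ordinary IPv6 forwarding.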

IPv6 NAT for IPv4 Connectivity

For IPv6-initiated traffic to an IPv4 network

That is, traffic flows matched by a firewall policy with:
Source IPv6 address
Destination IPv4 address

NAT64 is implemented with:
config system nat64 to set the prefix (one per VDOM)
config firewall policy64 for the forwarding policy

Currently CLI only


NAT64 Configuration

IPv6 prefix setting (per VDOM)

config system nat64
    set status [disable*|enable]
    set ipv6prefix <::/96>                            // default 64:FF9B::/96
    set always-synthesize-aaaa-record [disable*|enable]
end

Forwarding policy

config firewall policy64
    edit 1
        set srcintf "port1"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

(Diagram labels: IPv6 network interface; destination IPv4 interface)

IPv6 NAT for IPv6 Connectivity

NAT66 is desired for:

Privacy: obfuscating the source IPv6 address
Address independence (moving to another ISP)
A NAT pool can be defined to specify the address(es) to use instead of the outgoing interface's address
RFC 6296 (NAT66) still has Experimental status


NAT66 Configuration

CLI only for now


New commands

config firewall policy6
    edit <policy id>
        set nat [enable|disable*]
        set ippool [enable|disable*]
        set poolname <ippool6-name>
    next
end

config firewall ippool6
    edit <ippool6 name>
        set name <ip pool's name>
        set endip <ip6 addr>
        set startip <ip6 addr>
    next
end


Thank You
Obrigado
Gracias
John Len SE Andean Region
jleon@fortinet.com


Marcelo Mayorga Mgr., System Engineering


CALA
mmayorga@fortinet.com
