
Recurring schedule object

Recurring schedules are in effect repeatedly at specified times of specified days of the week. The Recurring schedule is based on a repeating cycle of the days of the week as opposed to every x days or days of the month. This means that you can configure the schedule to be in effect on Tuesday, Thursday, and Saturday but not every 2 days or on odd numbered days of the month.

If a recurring schedule has a stop time that is earlier than the start time, the schedule will take effect at the start time but end at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next.

Configuring a Recurring schedule object in the GUI

  1. Go to Policy & Objects > Schedules.
  2. Select Create New. A drop down menu is displayed. Select Schedule.
  3. From the Type options, choose Recurring.
  4. Input a Name for the schedule object.
  5. If you wish to add a Color to the icon in the GUI, click the Change link to choose one of 32 color options.
  6. From the Days options, choose the days of the week that this schedule should apply to. The schedule is in effect on the days of the week whose checkbox, to the left of the weekday name, is checked.
  7. If the scheduled time is the whole day, leave the All Day toggle switch enabled. If the schedule is for specific times during the day, disable the All Day toggle switch.
  8. If the All Day option is disabled, choose a Start Time.

The Start Time is composed of two fields, Hour and Minute. Think of setting the time for a digital clock in 24 hour mode. The Hour value can be an integer from 0 to 23. The Minute value can be from 0 to 59. 0 and 0 would be midnight at the start of the day and 23 and 59 would be one minute to midnight at the end of the day. The value can be entered by keyboard or by using the up and down arrows in the field to select the value.

  9. Choose a Stop Time.

Configuration is the same as Start Time.

  10. Press OK.

Because recurring schedules do not work with DENY policies, the strategy when designing a schedule should not be to determine when users cannot access a policy but to build the schedules around when it is possible to access the policy.
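The midnight wrap-around rule above is easy to get wrong when working out what a policy will actually match, so here is a small evaluator for recurring schedules. It is an added example written for this page, not FortiOS code or anything from Fortinet: it models the semantics the text describes (selected weekdays, a 24-hour start and stop time, a stop time earlier than the start time spilling into the next day) and renders the matching `config firewall schedule recurring` block. Two details are assumptions of the example rather than statements from the page: the stop time is treated as exclusive, and a start equal to the stop (00:00 to 00:00) is treated as all day. The schedule names and dates are constructed.

```python
from datetime import datetime, time

# Weekday names in FortiOS CLI spelling; datetime.weekday() numbers Monday as 0.
WEEKDAYS = ("monday", "tuesday", "wednesday", "thursday",
            "friday", "saturday", "sunday")


def parse_hhmm(value):
    """Parse 'HH:MM' on a 24-hour clock, rejecting hours outside 0-23 and minutes outside 0-59."""
    hour, minute = (int(part) for part in value.split(":"))
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"invalid time {value!r}: hour must be 0-23, minute 0-59")
    return time(hour, minute)


def recurring_active(days, start, end, now):
    """True if a recurring schedule is in effect at `now` (a datetime or ISO-8601 string).

    Example assumptions, not statements from the page: the stop time is exclusive,
    and start == end (for instance 00:00 to 00:00) means the whole day.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    selected = {d.lower() for d in days}
    unknown = selected - set(WEEKDAYS)
    if unknown:
        raise ValueError(f"unknown weekday(s): {sorted(unknown)}")
    st, en = parse_hhmm(start), parse_hhmm(end)
    today = WEEKDAYS[now.weekday()]
    yesterday = WEEKDAYS[(now.weekday() - 1) % 7]
    t = now.time()

    if st == en:                       # all-day schedule on the selected days
        return today in selected
    if st < en:                        # window contained in a single day
        return today in selected and st <= t < en
    # Stop earlier than start: the window opens at `start` on a selected day and
    # closes at `end` on the following day, so early-morning times count when the
    # schedule was selected for the previous day.
    return (today in selected and t >= st) or (yesterday in selected and t < en)


def recurring_cli(name, days, start, end):
    """Render the equivalent 'config firewall schedule recurring' block."""
    parse_hhmm(start)                  # validate before emitting anything
    parse_hhmm(end)
    return "\n".join([
        "config firewall schedule recurring",
        f"    edit {name}",
        f"        set day {' '.join(d.lower() for d in days)}",
        f"        set start {start}",
        f"        set end {end}",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    night = ["monday", "wednesday", "friday"]
    # Tuesday 2024-01-16 01:00 is inside the Monday 22:00 -> 02:00 window
    print(recurring_active(night, "22:00", "02:00", "2024-01-16T01:00"))
    print(recurring_cli("Night_Batch", night, "22:00", "02:00"))
```

The point to take from the wrap-around branch is that a Monday-only 22:00 to 02:00 schedule is in effect in the first two hours of Tuesday even though Tuesday is not selected; if you wanted "Tuesday early morning" you would select Monday, not Tuesday.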

Example: Firewall Schedule – Recurring

The company wants to allow the use of Facebook by employees, but only during non-business hours and the lunch break.

  • The business hours are 9:00 a.m. to 6:00 p.m.
  • The lunch break is 12:00 p.m. to 1:00 p.m.
  • The plan is to create one schedule to cover the morning business hours and one to cover the afternoon business hours, and to block access to the Facebook web site during those times.

Configuration in the GUI

  1. Go to Policy & Objects > Objects > Schedule.
  2. Select Create New > Schedule.
  3. Fill out the fields with the following information:

Field   Value
Type   Recurring
Name   Morning_Business_Hours
Days   Monday, Tuesday, Wednesday, Thursday, Friday
Start Time   Hour = 9, Minute = 0
Stop Time   Hour = 12, Minute = 0

  4. Select OK.
  5. Create a second new schedule:

Field   Value
Type   Recurring
Name   Afternoon_Business_Hours
Days   Monday, Tuesday, Wednesday, Thursday, Friday
Start Time   Hour = 13, Minute = 0
Stop Time   Hour = 18, Minute = 0

  6. Select OK.

To verify that the schedule was added correctly:

  1. Go to Policy & Objects > Objects > Schedule.
  2. Check that the schedule with the name you used has been added to the list of recurring schedules and that the listed settings are correct.

Configuration in the CLI

  1. Enter the following CLI command:

config firewall schedule recurring
    edit Morning_Business_Hours
        set day monday tuesday wednesday thursday friday
        set start 09:00
        set end 12:00
    next
end

  2. Enter the following CLI command:

config firewall schedule recurring
    edit Afternoon_Business_Hours
        set day monday tuesday wednesday thursday friday
        set start 13:00
        set end 18:00
    next
end

To verify that the schedule was added correctly:

  1. Enter the following CLI command:

config firewall schedule recurring
    edit <the name of the schedule you wish to verify>
        show full-configuration

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

One-time schedule object

One-Time schedules are in effect only once for the period of time specified in the schedule. This can be useful for testing to limit how long a policy will be in effect in case it is not removed, or it can be used for isolated events such as a conference where you will only need a temporary infrastructure change for a few days.

The time frame for a One-time schedule is configured by using a start time, which includes Year | Month | Day | Hour | Minute, and a stop time which includes the same variables. So while the frequency of the schedule is only once, it can last anywhere from 1 minute to multiple years.

Configuring a One-time schedule object in the GUI

  1. Go to Policy & Objects > Schedules.
  2. Select Create New. A drop down menu is displayed. Select Schedule.
  3. From the Type options, choose One-time.
  4. Input a Name for the schedule object.
  5. If you wish to add a Color to the icon in the GUI, click the Change link to choose one of 32 color options.
  6. Choose a Start Date.

Selecting the field with the mouse brings up an interactive calendar that allows the user to select the date. The date can also be typed in using the format YYYY/MM/DD.

  7. Choose a Start Time.

The Start Time is composed of two fields, Hour and Minute. Think of setting the time for a digital clock in 24 hour mode. The Hour value can be an integer from 0 to 23. The Minute value can be from 0 to 59. 0 and 0 would be midnight at the start of the day and 23 and 59 would be one minute to midnight at the end of the day. The value can be entered by keyboard or by using the up and down arrows in the field to select the value.

  8. Choose an End Date.

Configuration is the same as Start Date.

  9. Choose a Stop Time.

Configuration is the same as Start Time.

  10. Enable or disable the Pre-expiration event log.

This configures the system to create an event log 1 to 100 days before the End Date, as a warning in case the schedule needs to be extended.

  11. If the Pre-expiration event log is enabled, set the value for Number of days before.
  12. Press OK.

Example: Firewall Schedule – One-time

The company wants to change over their web site image to reference the new year. They have decided to take this opportunity to do some hardware upgrades as well. Their web site is business oriented, so they have determined that over New Year’s Eve there will be very limited traffic. They are going to need a maintenance window of 2 hours bracketing midnight on New Year’s Eve.

Configuration in the GUI

  1. Go to Policy & Objects > Objects > Schedule.
  2. Select Create New > Schedule.
  3. Fill out the fields with the following information:

Field   Value
Type   One-time
Name   NewYearsEve_Maintenance
Start Date   2014/12/31 <use the built in calendar>
End Date   2015/01/01 <use the built in calendar>
Start Time   Hour: 23, Minute: 0
Stop Time   Hour: 1, Minute: 0
Pre-expiration event log   <disable>

  4. Select OK.

To verify that the schedule was added correctly:

  1. Go to Policy & Objects > Objects > Schedule.
  2. Check that the schedule with the name you used has been added to the list of one-time schedules and that the listed settings are correct.

Configuration in the CLI

  1. Enter the following CLI command (the same schedule as in the GUI example):

config firewall schedule onetime
    edit NewYearsEve_Maintenance
        set start 23:00 2014/12/31
        set end 01:00 2015/01/01
    next
end

To verify that the schedule was added correctly:

  1. Enter the following CLI command:

config firewall schedule onetime
    edit <the name of the schedule you wish to verify>
        show full-configuration



Services

While there are a number of services already configured within FortiOS, the firmware allows administrators to configure their own. The reasons for doing this usually fall into one or more of the following categories:

  • The service is not common enough to have a standard configuration
  • The service is not established enough to have a standard configuration
  • The service has a standard port number but there is a reason to use a different one:
    • The port is already in use by another service
    • For security reasons, you want to avoid the standard port

When looking at the list of preconfigured services it may seem like there are a lot, but keep in mind that port numbers run from 0 to 65,535. This gives a fairly good sized range when you are choosing what port to assign a service, but there are a few points to keep in mind.

  • Most of the well known ports are in the range 0 – 1023
  • Most ports registered by the Internet Assigned Numbers Authority (IANA) are in the 1024 – 49151 range
  • Port numbers between 49,152 and 65,535 are often used for dynamic, private or ephemeral ports

There are 3 Service objects that can be added and configured:

  • Categories
  • Services
  • Service Groups

Categories

In order to make sorting through the services easier, there is a field to categorize the services. Because selecting a category is part of the process for creating a new service, the configuration of categories will be explained first.

The services can be sorted into the following groups:

  • General
  • Web Access
  • File Access
  • Email
  • Network Services
  • Authentication
  • Remote Access
  • Tunneling
  • VoIP, Messaging and Other Applications
  • Web Proxy
  • Uncategorized

The categories are for organization purposes, so there are not many settings when creating a new one.

Creating a new Service Category

  1. Go to Policy & Objects > Services.
  2. Select Create New. A drop down menu is displayed. Select Category.
  3. Input a Name for the category.
  4. Input any additional information in the Comments.
  5. Press OK.

Example

You plan on adding a number of devices such as web cameras that will allow the monitoring of the physical security of your datacenter. A number of non-standard services will have to be created and you would like to keep them grouped together under the heading of “Surveillance”

Example of a New Category in the GUI

  1. Go to Policy & Objects > Objects > Services and select Create New > Category.
  2. Fill out the fields with the following information:

Field   Value
Name   Surveillance
Comments   For DataCenter Surveillance Devices

  3. Select OK.

Example of a New Category in the CLI

Enter the following CLI command:

config firewall service category
    edit Surveillance
        set comment "For DataCenter Surveillance Devices"
    next
end

To verify that the category was added correctly:

  1. Go to Policy & Objects > Objects > Services. Select the Category Settings icon. A listing of the categories should be displayed.
  2. Enter the following CLI command:

config firewall service category
    show

This should bring up all of the categories. Check that the new one is displayed.

Configuring a new service

Occasionally, the preconfigured list of services will not contain the needed service. There are a few variations in the creation of a service depending upon the protocol type, but the first steps in the creation of the service are common to all the variations.

To create a new service:

  1. Go to Policy & Objects > Services.
  2. Select Create New. A drop down menu is displayed. Select Service.
  3. Enter a name in the Name field for the new service
  4. Include any description you would like in the Comments field
  5. In the Service Type field choose between Firewall and Explicit Proxy.
  6. Enable the toggle in the Show in Service List. If you can’t see the service when you need to select it, it serves very little purpose.
  7. For the Category field, choose the appropriate category from the Category drop down menu. If none is chosen, the Uncategorized option will be chosen by default.

Protocol Options

This is the section where the configuration options of the service will differ depending on the type of protocol chosen. (The Step numbers will all continue on from the common step sequence).

The protocol options for the Firewall service type are:

  • TCP/UDP/SCTP
  • ICMP
  • ICMP6
  • IP

The protocol options for the Explicit Proxy service type are:

  • ALL
  • CONNECT
  • FTP
  • HTTP
  • SOCKS-TCP
  • SOCKS-UDP

TCP/UDP/SCTP

  1. For the Protocol Type field, choose TCP/UDP/SCTP from the drop down menu.
  2. For the Address field, choose IP Range or FQDN (Fully Qualified Domain Name) if there is to be a specific destination for the service. Depending on which type of address is selected, the field value needs to be filled with a FQDN string or an IP address in one of the 3 standard IPv4 address formats:
    • x.x.x.x – for a specific address
    • x.x.x.x/x – for a subnet
    • x.x.x.x-x.x.x.x – for a range of specific addresses
  3. Configure the Destination Port by:
    • Selecting TCP, UDP or SCTP from the drop down menu
    • Entering the low end of the port range in the field indicated by the grayed out Low
    • Entering the high end of the port range in the field indicated by the grayed out High. If there is only a single port in the range, High can be left empty
    • Multiple ports or port ranges can be added by using the “+” at the beginning of the row
    • Rows can be removed by using the trash can symbol at the end of the row
  4. If required, you can Specify Source Ports for the service by enabling the toggle switch.
    • Each Src Port entry is matched up with a Destination Port entry
    • Src Ports cannot be configured without there being a value for the Destination Port
    • The same rules for configuring the Destination Ports apply to the Src Ports
  5. Select OK to confirm the configuration.

Example

Example settings for a TCP protocol service. In this case, it is for an administrative connection to web servers on the DMZ. The protocol used is HTTPS which would normally use port 443, but that is already in use by another service such as Admin access to the firewall or an SSL-VPN connection.

Field   Value
Name   Example.com_WebAdmin
Comments   Admin connection to Example.com Website
Service Type   Firewall
Show in Service List   enabled
Category   Web Access
Protocol Options
Protocol Type   TCP/UDP/SCTP
IP/FQDN   <left blank>
Destination Port   Protocol: TCP, Low: 4300, High: <left blank>
Specify Source Ports   <disabled>

Creating a new TCP/UDP/SCTP service in the CLI

The following is the creation of the same service using the command line.

config firewall service custom
    edit Example.com_WebAdmin
        set comment "Admin connection to Example.com Website"
        set category "Web Access"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 4300
    next
end
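An added example, not FortiOS code, that covers the port rules from this section in one place: it parses the port-range syntax used by the `tcp-portrange`, `udp-portrange` and `sctp-portrange` settings (`dstlow[-dsthigh][:srclow[-srghigh]]`, several entries separated by spaces, source ports optional and defaulting to any), classifies a port into the well-known, registered and dynamic ranges listed at the top of the section, and checks whether a given destination/source port pair would match the service. The validation rules (low must not exceed high, ports must be 0 to 65535) are the example's own checks, and the sample port specifications are constructed.

```python
import re

_RANGE = re.compile(r"^(\d+)(?:-(\d+))?$")


def port_class(port):
    """Classify a port into the three ranges the page lists."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} out of range 0-65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def _parse_range(text):
    """'80' -> (80, 80); '80-88' -> (80, 88); rejects reversed or out-of-range values."""
    m = _RANGE.match(text)
    if not m:
        raise ValueError(f"bad port range {text!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    port_class(low)          # raises if out of range
    port_class(high)
    if low > high:
        raise ValueError(f"port range {text!r}: low end exceeds high end")
    return low, high


def parse_portrange(spec):
    """Parse a FortiOS tcp-/udp-/sctp-portrange value into
    [(dst_low, dst_high, src_low, src_high), ...].

    Each space-separated entry is 'dstlow[-dsthigh][:srclow[-srchigh]]'. When no
    source part is given, any source port (0-65535) matches, which is what the GUI
    does when Specify Source Ports is left disabled.
    """
    entries = []
    for entry in spec.split():
        dst, _, src = entry.partition(":")
        dlo, dhi = _parse_range(dst)
        slo, shi = _parse_range(src) if src else (0, 65535)
        entries.append((dlo, dhi, slo, shi))
    if not entries:
        raise ValueError("empty port range")
    return entries


def service_matches(spec, dst_port, src_port):
    """True if a packet with these destination and source ports matches the service."""
    return any(dlo <= dst_port <= dhi and slo <= src_port <= shi
               for dlo, dhi, slo, shi in parse_portrange(spec))


if __name__ == "__main__":
    # The Example.com_WebAdmin service from the page: TCP 4300, any source port.
    print(parse_portrange("4300"), port_class(4300))
    # A service that only accepts connections from ephemeral source ports (constructed).
    print(service_matches("80-88:1024-65535", 85, 2000), service_matches("80-88:1024-65535", 85, 80))
```

Two things worth noticing when you run it: the page's choice of 4300 lands in the registered range, so it can collide with some other registered application, and a service with a source-port restriction silently stops matching clients that happen to use a low source port, which is a common cause of "the policy does not match" tickets.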

ICMP / ICMP6

  1. For the Protocol Type field, choose ICMP or ICMP6 from the drop down menu.
  2. In the Type field, enter the appropriate type number based on the information found in “ICMP Types and Codes” or in “ICMPv6 Types and Codes”, depending on whether the Protocol Type is ICMP or ICMPv6.
  3. In the Code field, enter the appropriate code number for the type, if applicable, based on the same references.
  4. Select OK to confirm the configuration.

Example

Example settings for an ICMP service. In this case it has been set up for some special testing of ICMP packets.

Field Value
Name ICMP test #4
Comments For testing of proprietary network scanner
Service Type Firewall
Show in Service List enabled
Category Network Services
Protocol Options  
Protocol Type ICMP
Type 7
Code <left blank>

Creating a new ICMP service in the CLI

The following is the creation of the same service using the command line.

config firewall service custom
    edit "ICMP test #4"
        set comment "For testing of proprietary network scanner"
        set category "Network Services"
        set protocol ICMP
        set icmptype 7
    next
end

IP

  1. For the Protocol Type field, choose IP from the drop down menu
  2. In the Protocol Number field enter the numeric value based on the information found in “Protocol Number” on page 1
  3. Select OK to confirm the configuration

Example

Example settings for an IP service. In this case it has been set up to communicate via an old protocol called QNX.

Field Value
Name QNX
Comments For QNX communications to the Development Lab
Service Type Firewall
Show in Service List enabled
Category Uncategorized
Protocol Options  
Protocol Type IP
Protocol Number 106

Creating a new IP service in the CLI

The following is the creation of the same service using the command line.

config firewall service custom
    edit QNX
        set comment "For QNX communications to the Development Lab"
        set protocol IP
        set protocol-number 106
    next
end

In the CLI examples, the fields for Show in Service List and Service Type, and in the IP example Category, were not set because the values they would have been set to are the defaults and were already correct.

ALL/CONNECT/FTP/HTTP/SOCKS-TCP/SOCKS-UDP

These options are available only if the Service Type is set to Explicit Proxy.

  1. For the Protocol Type field, choose one of the following from the drop down menu:
    • ALL
    • CONNECT
    • FTP
    • HTTP
    • SOCKS-TCP
    • SOCKS-UDP
  2. For the Address field, choose IP Range or FQDN (Fully Qualified Domain Name) if there is to be a specific destination for the service. Depending on which type of address is selected, the field value needs to be filled with a FQDN string or an IP address in one of the 3 standard IPv4 address formats:
    • x.x.x.x – for a specific address
    • x.x.x.x/x – for a subnet
    • x.x.x.x-x.x.x.x – for a range of specific addresses
  3. Configure the Destination Port by:
    • Entering the low end of the TCP port range in the field indicated by the grayed out Low
    • Entering the high end of the TCP port range in the field indicated by the grayed out High. If there is only a single port in the range, High can be left empty
    • Multiple ports or port ranges can be added by using the “+” at the beginning of the row
    • Rows can be removed by using the trash can symbol at the end of the row
  4. If required, you can Specify Source Ports for the service by enabling the toggle switch.
    • Each Src Port entry is matched up with a Destination Port entry
    • Src Ports cannot be configured without there being a value for the Destination Port
    • The same rules for configuring the Destination Ports apply to the Src Ports
  5. Select OK to confirm the configuration.

Specific Addresses in TCP/UDP/SCTP

In the TCP/UDP/SCTP services it is also possible to set the parameter for a specific IP or Fully Qualified Domain Name address. The IP/FQDN field refers to the destination address of the traffic, not the source. This means for example, that you can set up a custom service that will describe in a policy the TCP traffic over port 80 going to the web site example.com, but you cannot set up a service that describes the TCP traffic over port 80 that is coming from the computer with the address 192.168.29.59.

Service Groups

Just like some of the other firewall components, services can also be bundled into groups for ease of administration.

Creating a ServiceGroup

  1. Go to Policy & Objects > Services.
  2. Select Create New. A drop down menu is displayed. Select Service Group.
  3. Input a Group Name to describe the services being grouped.
  4. Input any additional information in the Comments.
  5. Choose a Type of group. The options are Firewall or Explicit Proxy.
  6. Add to the list of Members from the drop down menu. Using the + sign beside the field allows the addition of multiple services.
  7. Press OK.

Example

Example of a New Service Group:

Field   Value
Group Name   Authentication Services
Comments   Services used in Authentication
Type   Firewall
Members   Kerberos, LDAP, LDAP_UDP, RADIUS

Firewall schedules

Firewall schedules control when policies are in effect. When you add a security policy on a FortiGate unit you need to set a schedule to determine the time frame in which that policy will be functioning. While it is not set by default, the normal schedule would be always. This means that the policy that has been created is always functioning and always policing the traffic going through the FortiGate. The time component of the schedule is based on 24 hour clock notation, or military time as some people would say.

There are two types of schedules: One-time schedules and recurring schedules.



ARP Replies

If a FortiGate firewall interface IP address overlaps with one or more IP pool address ranges, the interface responds to ARP requests for all of the IP addresses in the overlapping IP pools. For example, consider a FortiGate unit with the following IP addresses for the port1 and port2 interfaces:

  • port1 IP address: 1.1.1.1/255.255.255.0 (range is 1.1.1.0-1.1.1.255)
  • port2 IP address: 2.2.2.2/255.255.255.0 (range is 2.2.2.0-2.2.2.255)

And the following IP pools:

  • IP_pool_1: 1.1.1.10-1.1.1.20
  • IP_pool_2: 2.2.2.10-2.2.2.20
  • IP_pool_3: 2.2.2.30-2.2.2.40

The port1 interface overlap IP range with IP_pool_1 is:

(1.1.1.0-1.1.1.255) & (1.1.1.10-1.1.1.20) = 1.1.1.10-1.1.1.20

The port2 interface overlap IP range with IP_pool_2 is:

(2.2.2.0-2.2.2.255) & (2.2.2.10-2.2.2.20) = 2.2.2.10-2.2.2.20

The port2 interface overlap IP range with IP_pool_3 is:

(2.2.2.0-2.2.2.255) & (2.2.2.30-2.2.2.40) = 2.2.2.30-2.2.2.40

And the result is:

  • The port1 interface answers ARP requests for 1.1.1.10-1.1.1.20
  • The port2 interface answers ARP requests for 2.2.2.10-2.2.2.20 and for 2.2.2.30-2.2.2.40
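The overlap calculation above, as an added example (not Fortinet code) that works out which interface will answer ARP for which pool addresses using Python's ipaddress module. A pool that overlaps no interface subnet is reported separately, because no interface will answer ARP for it and, as the IP Pools section notes, NAT to those addresses then fails. The interface and pool names are the page's; the extra off-subnet and partially overlapping pools are constructed for the example.

```python
import ipaddress


def parse_range(text):
    """'a.b.c.d-e.f.g.h' or a single address -> (first, last) as IPv4Address objects."""
    first, _, last = text.partition("-")
    first = ipaddress.IPv4Address(first.strip())
    last = ipaddress.IPv4Address(last.strip()) if last else first
    if last < first:
        raise ValueError(f"range {text!r}: end precedes start")
    return first, last


def arp_responders(interfaces, pools):
    """Which interface answers ARP for which part of each IP pool.

    interfaces: {name: 'ip/prefixlen'}; pools: {name: 'first-last'}.
    Returns {interface: [(pool, overlap_first, overlap_last), ...]}. Pools that
    overlap no interface subnet are listed under the key None: nothing will
    answer ARP for them.
    """
    result = {name: [] for name in interfaces}
    result[None] = []
    for pool, rng in pools.items():
        p_first, p_last = parse_range(rng)
        claimed = False
        for name, cidr in interfaces.items():
            net = ipaddress.IPv4Interface(cidr).network
            # intersection of the pool range with the interface subnet
            lo = max(p_first, net.network_address)
            hi = min(p_last, net.broadcast_address)
            if lo <= hi:
                result[name].append((pool, str(lo), str(hi)))
                claimed = True
        if not claimed:
            result[None].append((pool, str(p_first), str(p_last)))
    return result


if __name__ == "__main__":
    ifaces = {"port1": "1.1.1.1/24", "port2": "2.2.2.2/24"}
    pools = {"IP_pool_1": "1.1.1.10-1.1.1.20",
             "IP_pool_2": "2.2.2.10-2.2.2.20",
             "IP_pool_3": "2.2.2.30-2.2.2.40",
             "IP_pool_offnet": "3.3.3.10-3.3.3.20"}      # constructed: no interface covers it
    for iface, ranges in arp_responders(ifaces, pools).items():
        print(iface or "(unanswered)", ranges)
```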

Select Enable NAT in a security policy and then select Dynamic IP Pool. Select an IP pool to translate the source address of packets leaving the FortiGate unit to an address randomly selected from the IP pool. Whether or not the external addresses of an IP pool respond to ARP requests can be disabled. You might want to disable the ability to respond to ARP requests so that these addresses cannot be used as a way into your network or show up on a port scan.



IP Pools

IP Pools are a mechanism that allow sessions leaving the FortiGate Firewall to use NAT. An IP pool defines a single IP address or a range of IP addresses to be used as the source address for the duration of the session.

These assigned addresses will be used instead of the IP address assigned to that FortiGate interface.


When using IP pools for NAT, there is a limitation that must be taken into account when configuring the pool: the pool addresses must fall within a subnet assigned to the interface. If the IP address(es) within the pool are in a different subnet from the IP address(es) assigned to the interface, communications based on those IP addresses will fail, because the interface only answers ARP for pool addresses that overlap its own subnet (see ARP Replies). For example, if the IP addresses assigned to an interface are 172.16.100.1 - 172.16.100.14, you cannot choose 10.11.12.50 - 10.11.12.59 for the IP pool.

There are 4 types of IP Pools that can be configured on the FortiGate firewall:

  • One-to-One – in this case the only internal address used by the external address is the internal address that it is mapped to.
  • Overload – this is the default setting. Internal addresses other than the one designated in the policy can use this address for the purposes of NAT.
  • Fixed Port Range – rather than a single address to be used, there is a range of addresses that can be used as the NAT address. These addresses are randomly assigned as the connections are made.
  • Port Block Allocation – this setting is used to allocate a block of port numbers for IP pool users. Two variables will also have to be set. The block size can be set from 64 to 4096 and as the name implies describes the number of ports in one block of port numbers. The number of blocks per user determines how many of these blocks will be assigned. This number can range from 1 to 128.

Be careful when calculating the values of the variables. The maximum number of ports that are available on an address is 65,536. If you chose the maximum value for both variables you will get a number far in excess of the available port numbers.

4096 x 128 = 524,288

One of the more common examples is when you have an email server behind your FortiGate firewall and the range of IP addresses assigned to you by your ISP is more than one. If an organization is assigned multiple IP addresses it is normally considered a best practice to assign a specific address other than the one used for the Firewall to the mail server. However, when normal NAT is used the address assigned to the firewall is also assigned to any outbound sessions. Anti-spam services match the source IP address of mail traffic that they receive to the MX record on DNS servers as an indicator for spam. If there is a mismatch the mail may not get through so there is a need to make sure that the NATed address assigned matches the MX record.

You can also use the Central NAT table as a way to configure IP pools.

Source IP address and IP pool address matching when using a range

When the source addresses are translated to an IP pool that is a range of addresses, one of the following three cases may occur:

Scenario 1:

The number of source addresses equals that of IP pool addresses

In this case, the FortiGate unit always matches the IP addresses one to one.

If you enable fixed port in such a case, the FortiGate unit preserves the original source port. This may cause conflicts if more than one security policy uses the same IP pool, or the same IP addresses are used in more than one IP pool.


Scenario 2:

The number of source addresses is more than that of IP pool addresses

In this case, the FortiGate unit translates IP addresses using a wrap-around mechanism. If you enable fixed port in such a case, the FortiGate unit preserves the original source port. But conflicts may occur since users may have different sessions using the same TCP 5 tuples.

Scenario 3:

The number of source addresses is fewer than that of IP pool addresses

In this case, some of the IP pool addresses are used and the rest of them are not.
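An added example covering the two calculations this section leaves to the administrator: the Port Block Allocation capacity check (block size 64 to 4096, 1 to 128 blocks per user, never more than 65,536 ports per address) and the three source-to-pool matching scenarios, including the fixed-port 5-tuple conflict that wrap-around produces. This is example code, not FortiOS logic: the page does not say in what order a FortiGate hands out wrap-around addresses, so the example maps sources in the order it first sees them, and it counts the full 0 to 65535 port space per address as the page does. The pool range and sample sessions are constructed.

```python
import ipaddress

# Assumption of this example, matching the page's arithmetic: all 65,536 ports of a
# pool address are available for allocation.
MAX_PORTS = 65536


def pba_plan(block_size, blocks_per_user, pool_size):
    """Validate Port Block Allocation settings and compute the resulting capacity.

    block_size: 64-4096 ports per block; blocks_per_user: 1-128 (the ranges the page
    quotes); pool_size: number of addresses in the IP pool.
    """
    if not 64 <= block_size <= 4096:
        raise ValueError("block size must be 64-4096")
    if not 1 <= blocks_per_user <= 128:
        raise ValueError("blocks per user must be 1-128")
    ports_per_user = block_size * blocks_per_user
    if ports_per_user > MAX_PORTS:
        raise ValueError(f"{block_size} x {blocks_per_user} = {ports_per_user} "
                         f"exceeds the {MAX_PORTS} ports of one address")
    blocks_per_address = MAX_PORTS // block_size
    users_per_address = blocks_per_address // blocks_per_user
    return {"ports_per_user": ports_per_user,
            "users_per_address": users_per_address,
            "users_total": users_per_address * pool_size}


def pool_mapping(sources, pool_first, pool_last):
    """Map source addresses onto a pool range as the three scenarios describe:
    one-to-one when the counts match, wrap-around when there are more sources than
    pool addresses, and unused pool addresses when there are fewer."""
    first = int(ipaddress.IPv4Address(pool_first))
    last = int(ipaddress.IPv4Address(pool_last))
    if last < first:
        raise ValueError("pool range end precedes start")
    pool = [str(ipaddress.IPv4Address(a)) for a in range(first, last + 1)]
    return {src: pool[i % len(pool)] for i, src in enumerate(sources)}


def fixed_port_conflicts(sessions, pool_first, pool_last):
    """With fixed port enabled the source port is preserved, so two different internal
    hosts that wrap onto the same pool address and use the same source port towards the
    same destination produce the same translated 5-tuple.

    sessions: list of (src_ip, src_port, dst_ip, dst_port) TCP sessions.
    Returns the colliding translated tuples (pool_ip, src_port, dst_ip, dst_port).
    """
    order = list(dict.fromkeys(s[0] for s in sessions))   # first-seen order
    mapping = pool_mapping(order, pool_first, pool_last)
    seen, conflicts = {}, []
    for src, sport, dst, dport in sessions:
        key = (mapping[src], sport, dst, dport)
        if key in seen and seen[key] != src:
            conflicts.append(key)
        seen.setdefault(key, src)
    return conflicts


if __name__ == "__main__":
    print(pba_plan(1024, 8, 4))
    hosts = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]          # constructed
    print(pool_mapping(hosts, "203.0.113.1", "203.0.113.2"))   # scenario 2: wrap-around
    sessions = [("10.0.0.1", 40000, "198.51.100.5", 443),
                ("10.0.0.2", 40001, "198.51.100.5", 443),
                ("10.0.0.3", 40000, "198.51.100.5", 443)]
    print(fixed_port_conflicts(sessions, "203.0.113.1", "203.0.113.2"))
```

The conflict case is the one to design around: as soon as a pool is smaller than the set of hosts behind it, fixed port only works if you can guarantee those hosts never share a source port to the same destination, which in practice means not enabling it for general client traffic.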



Central NAT Table

The central NAT table enables you to define, and control with more granularity, the address translation performed by the FortiGate unit. With the NAT table, you can define the rules which dictate the source address or address group and which IP pool the destination address uses.

While similar in functionality to IP pools, where a single address is translated to an alternate address from a range of IP addresses, with IP pools there is no control over the translated port. When using an IP pool for source NAT, you can define a fixed port to guarantee that the source port number is unchanged. If no fixed port is defined, the port translation is randomly chosen by the FortiGate unit. With the central NAT table, you have full control over both the IP address and port translation.

The FortiGate unit reads the NAT rules in a top-down methodology, until it hits a matching rule for the incoming address. This enables you to create multiple NAT policies that dictate which IP pool is used based on the source address. The NAT policies can be rearranged within the policy list as well. NAT policies are applied to network traffic after a security policy.

NAT64 and NAT46

NAT64 and NAT46 are the terms used to refer to the mechanism that allows IPv6 addressed hosts to communicate with IPv4 addressed hosts and vice-versa. Without such a mechanism an IPv6 node on a network such as a corporate LAN would not be able to communicate with a web site that was still in a IPv4 only environment and IPv4 environments would not be able to connect to IPv6 networks.

One of these setups involves having at least two interfaces, one on an IPv4 network and one on an IPv6 network. The NAT64 server synthesizes AAAA records, used by IPv6, from the A records used by IPv4. This way client-server and peer to peer communications will work between an IPv6-only client and an IPv4 server without making changes to either end node. The IPv6 network attached to the FortiGate unit should use a /96 prefix (for instance 64:ff9b::/96, see RFC 6052 and RFC 6146), which leaves the low 32 bits of the address to carry the IPv4 address embedded in the communications from the IPv6 client.

Because the IPv6 range of addresses is so much larger than the IPv4 range, a one to one mapping is not feasible. Therefore the NAT64 function is required to maintain any IPv6 to IPv4 mappings that it synthesizes. This can be done either statically by the administrator or automatically by the service as the packets from the IPv6 network go through the device. The first method would be a stateless translation and the second would be a stateful translation. NAT64 is designed for communication initiated from IPv6 hosts to IPv4 addresses. It is address mapping like this that allows the reverse to occur between established connections. The stateless or manual method is an appropriate solution when the NAT64 translation is taking place in front of legacy IPv4 servers to allow those specific servers to be accessed by remote IPv6-only clients. The stateful or automatic solution is best used closer to the client side when you have to allow some specific IPv6 clients to talk to any of the IPv4-only servers on the Internet.

There are currently issues with NAT64 not being able to make everything accessible. Examples would be SIP, Skype, MSN, Google Talk, and sites with IPv4 literals, IPv4 literals being IPv4 addresses that are embedded into content rather than a FQDN.
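The /96 embedding described above, as an added example (not FortiOS code): placing an IPv4 address into the low 32 bits of the 64:ff9b::/96 prefix, recovering it again, and synthesizing the AAAA answers an IPv6-only client would receive for a name that only has A records. Only the /96 layout of RFC 6052 is handled; the shorter prefix lengths that RFC also defines are out of scope here. The addresses are documentation ranges constructed for the example.

```python
import ipaddress

WELL_KNOWN_PREFIX = "64:ff9b::/96"


def nat64_synthesize(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in a NAT64 /96 prefix (RFC 6052: the IPv4 address
    occupies bits 96-127) and return the synthesized IPv6 address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(net.network_address) | int(v4))


def nat64_extract(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Reverse operation: recover the embedded IPv4 address, or None when the address
    is not inside the NAT64 prefix (the translator has nothing to map it to)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def synthesize_aaaa(a_records, prefix=WELL_KNOWN_PREFIX):
    """What DNS64 does for a name that has only A records: the AAAA set an IPv6-only
    client receives, one synthesized address per A record."""
    return [str(nat64_synthesize(a, prefix)) for a in a_records]


if __name__ == "__main__":
    print(nat64_synthesize("192.0.2.1"))            # 64:ff9b::c000:201
    print(nat64_extract("64:ff9b::c000:201"))       # 192.0.2.1
    print(synthesize_aaaa(["192.0.2.1", "198.51.100.7"]))
```

An IPv4 literal inside page content (the failure case the text mentions) is exactly an address that never passes through synthesize_aaaa, which is why the client ends up with nothing it can route.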

Policies that employ NAT64 or NAT46 can be configured from the web-based manager as long as the feature is enabled using the Features setting found at System > Config > Features.

  • To create a NAT64 policy go to Policy & Objects > NAT64 Policy and select Create New.
  • To create a NAT46 policy go to Policy > NAT46 Policy and select Create New.

The difference between these NAT policies and regular policies is that there is no option to use the security profiles and sensors.

NAT64 CLAT

NAT64 CLAT traffic is supported by FortiOS. CLAT traffic comes from devices that use the SIIT translator, which plays a part in IPv6 – IPv4 NAT translation.

NAT66

NAT66 is Network Address Translation between two IPv6 networks. The basic idea behind NAT66 is no different than the regular NAT between IPv4 networks that we are all used to. The differences are in the mechanics of how it is performed, mainly because of the complexity and size of the addresses that are being dealt with. In an IPv4 world, the reason for the use of NAT was usually one or a combination of the following 3 reasons:

  • Improved security – actual addresses behind NAT are virtually hidden
  • Amplification of addresses – hundreds of computers can use as little as a single public IP address
  • Internal address stability – there is control of internal addressing. The addresses can stay the same even if Internet Service Providers change.

In these days of security awareness, the protective properties of NAT are not something that is normally depended on by itself to defend a network, and with the vastly enlarged IPv6 address scope there is no longer a need to amplify the available addresses. However, the desire to have internal address control still exists. The most common reason for using NAT66 is likely to be maintaining the existing address scheme of the internal network despite changes outside of it. Imagine that you have an internal network of 2000 IP addresses and one day the company changes its ISP and thus the addresses assigned to it. Even if most of the addressing is handled by DHCP, changing the address scheme is going to have an impact on operations.

Addressing stability can be achieved by:

  • Keeping the same provider – this would depend on the reason for the change. If the cost of this provider has become too expensive this is unlikely. If the ISP is out of business it becomes impossible.
  • Transfer the addresses from the old provider to the new one – There is little motivation for an ISP to do you a favor for not doing business with them.
  • Get your own autonomous system number – this can be too expensive for smaller organizations.
  • NAT – this is the only one on the list that is in the control of IT.

There are differences between NAT66 and IPv4 NAT. Because there is no shortage of addresses, most organizations will be given a /48 network that can be translated into another /48 network. This allows a one-to-one translation with no need for port forwarding, which is a good thing because port forwarding is more complicated in IPv6. In fact, NAT66 amounts to rewriting the prefix of the address.

Example

If your current IPv6 network is 2001:db8:cafe::/48, you could change it to 2001:db8:fea7::/48.

There is an exception to the one to one translation. NAT66 cannot translate internal networks that contain 0xffff in bits 49 through 63 – this is due to the way checksums are calculated in TCP/IP: they use the one’s-complement representation of numbers which assigns the value zero to both 0x0000 and 0xffff.
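As an added worked example (not FortiOS code and not text from the original guide), the following Python rewrites the /48 prefix exactly as described, using the page's two prefixes, and refuses an address whose subnet ID is 0xffff. The page counts the restricted bits as 49 through 63; the code takes that to mean the 16-bit subnet ID immediately following the /48 (bits 48 to 63 counted from zero), which is an assumption. The host address 2001:db8:cafe:1::10 and the checksum words are constructed. The one's-complement sum shows why 0xffff is excluded: it contributes nothing to the sum, exactly like 0x0000, so the checksum cannot tell the two apart.

```python
import ipaddress

# Added example (not FortiOS code): a /48-to-/48 NAT66 prefix rewrite with the
# 0xffff subnet-ID restriction described above. The two prefixes are the page's;
# the host 2001:db8:cafe:1::10 is constructed for this example.

INTERNAL = ipaddress.IPv6Network("2001:db8:cafe::/48")
EXTERNAL = ipaddress.IPv6Network("2001:db8:fea7::/48")


def ones_complement_sum(words):
    """16-bit one's-complement sum, as used by the TCP and UDP checksums."""
    total = 0
    for w in words:
        total += w & 0xFFFF
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    return total


def subnet_id(addr):
    """The 16-bit subnet ID following a /48 prefix (bits 48..63, counted from 0).

    Assumption: this is the field the page means by 'bits 49 through 63'.
    """
    return (int(addr) >> 64) & 0xFFFF


def nat66_translate(address, inside=INTERNAL, outside=EXTERNAL):
    """Rewrite the /48 prefix of `address` from `inside` to `outside`.

    Raises ValueError when the address is not inside the internal prefix, or
    when its subnet ID is 0xffff: in one's-complement arithmetic 0xffff and
    0x0000 are both zero, so such an address cannot be translated.
    """
    if inside.prefixlen != 48 or outside.prefixlen != 48:
        raise ValueError("this example models /48 <-> /48 translation only")
    ip = ipaddress.IPv6Address(address)
    if ip not in inside:
        raise ValueError(f"{ip} is not in {inside}")
    if subnet_id(ip) == 0xFFFF:
        raise ValueError(f"{ip}: subnet ID 0xffff cannot be translated")
    host_part = int(ip) & ((1 << 80) - 1)  # keep the low 80 bits: subnet ID + interface ID
    return str(ipaddress.IPv6Address(int(outside.network_address) | host_part))


if __name__ == "__main__":
    print(nat66_translate("2001:db8:cafe:1::10"))                    # 2001:db8:fea7:1::10
    # Return direction: the same routine with the prefixes swapped.
    print(nat66_translate("2001:db8:fea7:1::10", EXTERNAL, INTERNAL))  # 2001:db8:cafe:1::10
    # 0xffff adds nothing to a one's-complement sum, exactly like 0x0000.
    print(hex(ones_complement_sum([0x1234, 0xFFFF])),
          hex(ones_complement_sum([0x1234, 0x0000])))                # 0x1234 0x1234
```

Swapping the two prefixes gives the reverse translation, which is why a /48-to-/48 rewrite needs no session state: the mapping is a pure function of the address in both directions.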


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

NAT in Transparent Mode

Similar to operating in NAT mode, when operating a FortiGate unit in Transparent mode you can add security policies and:

  • Enable NAT to translate the source addresses of packets as they pass through the FortiGate unit.
  • Add virtual IPs to translate destination addresses of packets as they pass through the FortiGate unit.
  • Add IP pools as required for source address translation.

A FortiGate unit operating in Transparent mode normally has only one IP address – the management IP. To support NAT in Transparent mode, you can add a second management IP. These two management IPs must be on different subnets. When you add two management IP addresses, all FortiGate unit network interfaces will respond to connections to both of these IP addresses.

Use the following steps to configure NAT in Transparent mode:

  1. Add two management IPs
  2. Add an IP pool to the WAN1 interface
  3. Add an Internal to WAN1 security policy

You can add the security policy from the web-based manager and then use the CLI to enable NAT and add the IP pool.

The usual practice of NATing in transparent mode makes use of two management IP addresses that are on different subnets, but this is not an essential requirement in every case.

If there is a router between the client systems and the FortiGate unit, you can use the router’s ability to track sessions to assign NATed addresses from an IP pool to the clients, even if the assigned addresses don’t belong to a subnet on your network.

Example

Client computer has an IP address of 1.1.1.33 on the subnet 1.1.1.0/24.

Router “A” sits between the client computer and the FortiGate (in Transparent mode) with the IP address of 1.1.1.1 on the client’s side of the router and the IP address of 192.168.1.211 on the FortiGate’s side of the router.

Use NAT to assign addresses from an address pool of 9.9.9.1 to 9.9.9.99 to traffic coming from the gateway 192.168.1.211.

To enable the return traffic to get back to the original computer, set up a static route that sends any traffic with a destination of 9.9.9.0/24 through the 192.168.1.211 gateway. As long as the session for the outgoing traffic has been maintained, communication between the client computer and the external system on the other side of the FortiGate will work.
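The mechanics of that example, as an added illustration rather than anything from the original guide or from FortiOS itself: a small source-NAT session table in Python that hands out pool addresses, holds the static route for 9.9.9.0/24 via 192.168.1.211, and shows what happens to a reply once the outgoing session has expired or when the route is missing. The client 1.1.1.33, the router 192.168.1.211 and the pool 9.9.9.1 to 9.9.9.99 are the page's values; the external host 203.0.113.7 and the 300-second session timeout are constructed for the example.

```python
import ipaddress

# Added example (not FortiOS code): a minimal source-NAT session table that
# models the Transparent-mode scenario above. The client 1.1.1.33, router
# 192.168.1.211 and pool 9.9.9.1 to 9.9.9.99 are the page's values; the external
# host 203.0.113.7 and the timeout below are constructed for this example.

SESSION_TIMEOUT = 300  # seconds; an assumed value, not a FortiOS default


class SourceNat:
    """Source NAT for a device that does not own the pool addresses itself.

    A FortiGate in Transparent mode has no interface on 9.9.9.0/24, so a reply
    addressed to a pool IP can only be delivered if (a) the outgoing session
    still exists and (b) a static route points the pool back toward the router
    that sits in front of the client.
    """

    def __init__(self, pool_start, pool_end, static_routes):
        first = int(ipaddress.IPv4Address(pool_start))
        last = int(ipaddress.IPv4Address(pool_end))
        self.pool = [str(ipaddress.IPv4Address(a)) for a in range(first, last + 1)]
        self.static_routes = {ipaddress.IPv4Network(n): gw
                              for n, gw in static_routes.items()}
        self.sessions = {}  # (pool_ip, remote_ip) -> (client_ip, last_seen)

    def route_lookup(self, ip):
        """Longest-prefix match over the static routes; None if unroutable."""
        addr = ipaddress.IPv4Address(ip)
        best = None
        for net, gw in self.static_routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best[1] if best else None

    def outbound(self, client_ip, remote_ip, now):
        """Translate a client packet heading out; returns the pool address used."""
        # Reuse the existing session for the same client/remote pair.
        for (pool_ip, remote), (client, _) in list(self.sessions.items()):
            if client == client_ip and remote == remote_ip:
                self.sessions[(pool_ip, remote)] = (client_ip, now)  # refresh timer
                return pool_ip
        # Otherwise take the first pool address not already talking to this remote.
        for pool_ip in self.pool:
            key = (pool_ip, remote_ip)
            if key not in self.sessions:
                self.sessions[key] = (client_ip, now)
                return pool_ip
        raise RuntimeError("IP pool exhausted")

    def inbound(self, pool_ip, remote_ip, now):
        """Handle a reply from the external side.

        Returns (client_ip, next_hop), or None when the reply must be dropped.
        """
        key = (pool_ip, remote_ip)
        entry = self.sessions.get(key)
        if entry is None:
            return None                      # no session was ever created
        client_ip, last_seen = entry
        if now - last_seen > SESSION_TIMEOUT:
            del self.sessions[key]           # session aged out; the reply is orphaned
            return None
        next_hop = self.route_lookup(pool_ip)
        if next_hop is None:
            return None                      # nothing says where 9.9.9.x lives
        self.sessions[key] = (client_ip, now)
        return client_ip, next_hop


def demo():
    """Walk through the page's scenario; returns (pool_ip, reply, stale_reply)."""
    nat = SourceNat("9.9.9.1", "9.9.9.99", {"9.9.9.0/24": "192.168.1.211"})
    t0 = 1_000_000
    pool_ip = nat.outbound("1.1.1.33", "203.0.113.7", t0)              # client -> server
    reply = nat.inbound(pool_ip, "203.0.113.7", t0 + 5)                 # server -> client
    stale = nat.inbound(pool_ip, "203.0.113.7", t0 + 5 + SESSION_TIMEOUT + 1)
    return pool_ip, reply, stale


if __name__ == "__main__":
    print(demo())  # ('9.9.9.1', ('1.1.1.33', '192.168.1.211'), None)
```

The third return value is the point of the page's caveat: once the session has aged out, a reply to 9.9.9.1 matches nothing in the table and is dropped, even though the static route is still in place. Removing the route produces the same drop for a live session, because the firewall has no other way to learn that 9.9.9.0/24 is reached through 192.168.1.211.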

Benefits of NAT

More IP Addresses Available While Conserving Public IP Addresses

As explained earlier, this was the original intent of the technology and does not need to be gone into further.

Financial Savings

Because an organization does not have to purchase a public IP address for every computer in use, Network Address Translation yields significant cost savings.

Security Enhancements

One of the side benefits of the process of NAT is an improvement in security. Individual computers are harder to target from the outside and if port forwarding is being used computers on the inside of a firewall are less likely to have unmonitored open ports accessible from the Internet.

Ease of Compartmentalization of Your Network

With a large pool of IP addresses available for internal use, a network administrator can arrange the network in a rational and easily remembered fashion, and networks can be broken apart easily to isolate segments for reasons of network performance and security.

Example

You have a large organization that for security reasons has certain departments that do not share network resources.

You can have the main section of the organization set up as follows:

Network Devices: 192.168.1.1 to 192.168.1.25
Internal Servers: 192.168.1.26 to 192.168.1.50
Printers: 192.168.1.51 to 192.168.1.75
Administration Personnel: 192.168.1.76 to 192.168.1.100
Sales People: 192.168.1.101 to 192.168.1.200
Marketing: 192.168.1.201 to 192.168.1.250

You could then have the following groups broken off into separate subnets:

Accounting: 192.168.100.1 to 192.168.100.255
Research and Development: 172.16.1.1 to 172.16.255.255
Executive Management: 192.168.50.1 to 192.168.50.255
Web sites and Email Servers: 10.0.50.1 to 10.0.50.255

These addresses do not have to be assigned right away but can be used as planned ranges.
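To make that plan checkable before any of it is handed out, here is an added Python example (not from the original guide) that takes the ranges above as data, verifies that no two groups overlap, confirms that every range lies in RFC 1918 private space, and shows the CIDR blocks each range actually needs. The ranges are the page's; the checks are added here.

```python
import ipaddress

# Added example (not from the original guide): the planned ranges above as data,
# plus the checks an administrator would run on them before assigning anything.

PLAN = {
    "Network Devices": ("192.168.1.1", "192.168.1.25"),
    "Internal Servers": ("192.168.1.26", "192.168.1.50"),
    "Printers": ("192.168.1.51", "192.168.1.75"),
    "Administration Personnel": ("192.168.1.76", "192.168.1.100"),
    "Sales People": ("192.168.1.101", "192.168.1.200"),
    "Marketing": ("192.168.1.201", "192.168.1.250"),
    "Accounting": ("192.168.100.1", "192.168.100.255"),
    "Research and Development": ("172.16.1.1", "172.16.255.255"),
    "Executive Management": ("192.168.50.1", "192.168.50.255"),
    "Web sites and Email Servers": ("10.0.50.1", "10.0.50.255"),
}

# RFC 1918 private space; a planned range outside it would collide with real Internet addresses.
PRIVATE = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def summarize(start, end):
    """Smallest list of CIDR blocks that covers exactly start..end (inclusive)."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))


def is_private(start, end):
    """True if every address in the range is RFC 1918 space."""
    return all(any(net.subnet_of(p) for p in PRIVATE) for net in summarize(start, end))


def overlaps(plan):
    """Pairs of plan entries that share at least one address."""
    items = [(name, int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(e)))
             for name, (s, e) in plan.items()]
    found = []
    for i, (n1, s1, e1) in enumerate(items):
        for n2, s2, e2 in items[i + 1:]:
            if s1 <= e2 and s2 <= e1:   # inclusive interval intersection
                found.append((n1, n2))
    return found


def check_plan(plan):
    """name -> (is_private, [cidr, ...]); raises if any two ranges overlap."""
    clashes = overlaps(plan)
    if clashes:
        raise ValueError(f"overlapping ranges: {clashes}")
    return {name: (is_private(s, e), [str(n) for n in summarize(s, e)])
            for name, (s, e) in plan.items()}


if __name__ == "__main__":
    for name, (private, cidrs) in check_plan(PLAN).items():
        print(f"{name:28} private={private} {' '.join(cidrs)}")
```

The CIDR column is the useful surprise: a human-friendly range such as 192.168.1.1 to 192.168.1.25 needs six separate blocks when written as prefixes, which matters as soon as the plan is turned into firewall address objects or route summaries.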

