
Fortinet FortiGate Series Administration Guide

Fortinet FortiGate Series
764 pages
FortiGate Version 4.0 MR1 Administration Guide, Firewall Policy, page 410 (01-410-89802-20090903)
How FortiOS selects unused NAT ports
Consider the following idealized topology for a university that allows its students to
connect to the Internet through a FortiGate unit:
Figure 221: Example university Internet connection topology
The university does not give a publicly routable IP address to its students. Instead each
student uses DHCP to obtain an IP address from the 10.0.0.0/8 range from the FortiGate
unit. The FortiGate unit then uses Network Address Port Translation (NAPT) to translate
all traffic so that it appears to come from IP address 192.168.1.1.
For example, consider student A (IP address 10.78.33.97), who wants to connect to the
search engine (IP address 172.20.120.2) and sends a packet with the following IP
addresses and port numbers:
src-ip: 10.78.33.97
dst-ip: 172.20.120.2
src-port: 10000
dst-port: 80
When this packet passes through the FortiGate unit with NAT enabled, the packet is
modified to be:
src-ip: 192.168.1.1

IPS Sensor: Select and specify an IPS sensor to have the FortiGate unit apply the
sensor to matching network traffic. You can also select Create new to
add a new IPS Sensor. See “IPS sensors” on page 537.
Application Black/White List: Select and specify an Application Black/White List sensor
to have the FortiGate unit apply the application control black/white list to matching
network traffic. You can also select Create new to add a new
Application Black/White List. See “Creating a new application control
black/white list” on page 605.

[Figure 221 labels: Student Network 10.0.0.0/8 (Student A, Student B, Student C, Student Z); External IP address 192.168.1.1; Internet: Video Sharing 172.20.120.1, Search Engine 172.20.120.2, Social Networking 172.20.120.3]
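
The NAPT translation described above, as an added example that is not from the Fortinet guide: a toy translation table in Python using student A's packet and the external address 192.168.1.1. The port pool, the lowest-free-port policy and student B's address are assumptions made for illustration and do not describe how FortiOS itself picks ports.

```python
"""Toy NAPT table using the addresses from the university example above."""

EXTERNAL_IP = "192.168.1.1"  # external address from the page


class NaptTable:
    def __init__(self, external_ip, ports):
        self.external_ip = external_ip
        self.ports = list(ports)  # assumed pool; the real range is device-specific
        self.forward = {}  # (src_ip, src_port, dst_ip, dst_port) -> external port
        self.reverse = {}  # (external port, dst_ip, dst_port) -> (src_ip, src_port)

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the packet's 4-tuple as seen on the Internet side."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.forward:
            # Assumed policy: lowest pool port not already used toward this
            # destination. A port only has to be unique per destination,
            # because replies are matched on (port, remote ip, remote port).
            for port in self.ports:
                if (port, dst_ip, dst_port) not in self.reverse:
                    self.forward[flow] = port
                    self.reverse[(port, dst_ip, dst_port)] = (src_ip, src_port)
                    break
            else:
                raise RuntimeError(f"no free NAT port toward {dst_ip}:{dst_port}")
        return (self.external_ip, self.forward[flow], dst_ip, dst_port)

    def attribute(self, ext_port, remote_ip, remote_port):
        """Map a reply (or an abuse report) back to the internal host, or None."""
        return self.reverse.get((ext_port, remote_ip, remote_port))


def demo():
    nat = NaptTable(EXTERNAL_IP, range(40000, 40002))  # constructed 2-port pool
    a = nat.translate("10.78.33.97", 10000, "172.20.120.2", 80)  # student A (page)
    b = nat.translate("10.1.2.3", 10000, "172.20.120.2", 80)  # constructed student B
    c = nat.translate("10.1.2.3", 10001, "172.20.120.3", 80)  # other destination
    return nat, a, b, c


if __name__ == "__main__":
    nat, a, b, c = demo()
    for pkt in (a, b, c):
        print("src-ip: %s  src-port: %d  dst-ip: %s  dst-port: %d" % pkt)
    print(nat.attribute(40001, "172.20.120.2", 80))
```

Because every student leaves the network as 192.168.1.1, the `reverse` mapping is the only record that ties an external connection back to an internal host, which is why NAT session logs matter when attributing traffic after the fact.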
