How FortiOS Selects Unused NAT Ports - Fortinet FortiGate Series Administration Manual


FortiGate Version 4.0 MR1 Administration Guide

IPS Sensor
Select and specify an IPS sensor to have the FortiGate unit apply the
sensor to matching network traffic. You can also select Create new to
add a new IPS Sensor. See "IPS sensors" on page 537.

Application Black/White List
Select and specify an Application Black/White List sensor to have the
FortiGate unit apply the application control black/white list to matching
network traffic. You can also select Create new to add a new
Application Black/White List. See "Creating a new application control
black/white list" on page 605.

How FortiOS selects unused NAT ports

Consider the following idealized topology for a university that allows its students to
connect to the Internet through a FortiGate unit:

Figure 221: Example university Internet connection topology
[Figure: Student Network 10.0.0.0/8 (Student A, Student B, Student C, Student Z); FortiGate unit
with external IP address 192.168.1.1; Internet with Video Sharing 172.20.120.1, Search Engine
172.20.120.2 and Social Networking 172.20.120.3]

The university does not give a publicly routable IP address to its students. Instead, each
student uses DHCP to obtain an IP address in the 10.0.0.0/8 range from the FortiGate
unit. The FortiGate unit then uses Network Address Port Translation (NAPT) to translate
all traffic so that it appears to come from IP address 192.168.1.1.

For example, consider student A (IP address 10.78.33.97), who wants to connect to the search
engine (IP address 172.20.120.2) and sends a packet with the following IP addresses and
port numbers:
src-ip: 10.78.33.97
dst-ip: 172.20.120.2
src-port: 10000
dst-port: 80

When this packet passes through the FortiGate unit with NAT enabled, the packet is
modified to be:
src-ip: 192.168.1.1
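
The translation described above can be modelled as a session table, which is also what lets an administrator attribute traffic seen from 192.168.1.1 back to one student. This is an added example, not code from the FortiGate guide or from FortiOS; the Napt class, the 1024-65535 port pool, the keep-the-source-port-if-free policy and Student B's address 10.78.33.98 are assumptions made for illustration.

```python
from itertools import chain
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]      # (src-ip, src-port, dst-ip, dst-port)
ReplyKey = Tuple[int, str, int]       # (NAT port, remote ip, remote port)


class Napt:
    """Generic NAPT session table (illustrative model, not FortiOS code)."""

    def __init__(self, external_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.external_ip = external_ip
        self.pool = range(first_port, last_port + 1)        # assumed NAT port pool
        self.outbound: Dict[Flow, int] = {}                  # inside flow -> NAT port
        self.inbound: Dict[ReplyKey, Tuple[str, int]] = {}   # reply key -> inside host

    def translate(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Flow:
        """Return the packet's addresses and ports as they leave the NAT device."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.outbound:
            # Assumed policy: keep the original source port when it is unused
            # toward this destination, otherwise take the first free pool port.
            port = next((p for p in chain([src_port], self.pool)
                         if p in self.pool and (p, dst_ip, dst_port) not in self.inbound),
                        None)
            if port is None:
                raise RuntimeError("no unused NAT port left for this destination")
            self.outbound[flow] = port
            self.inbound[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.external_ip, self.outbound[flow], dst_ip, dst_port)

    def reverse(self, nat_port: int, remote_ip: str, remote_port: int) -> Optional[Tuple[str, int]]:
        """Map a reply (or a remote server's log entry) back to the inside host."""
        return self.inbound.get((nat_port, remote_ip, remote_port))


if __name__ == "__main__":
    nat = Napt("192.168.1.1")
    # Student A's packet from the text.
    print(nat.translate("10.78.33.97", 10000, "172.20.120.2", 80))
    # Constructed Student B, same source port and destination: needs another NAT port.
    print(nat.translate("10.78.33.98", 10000, "172.20.120.2", 80))
    # Same source port toward a different destination does not collide.
    print(nat.translate("10.78.33.98", 10000, "172.20.120.1", 80))
    # Attribution: which inside host used NAT port 1024 toward the search engine?
    print(nat.reverse(1024, "172.20.120.2", 80))
```

Because every student shares 192.168.1.1, only the (NAT port, destination) entry in the session table identifies the inside host, so session logs must be retained for as long as attribution is required.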
01-410-89802-20090903
http://docs.fortinet.com/
Firewall Policy