201204 xtreme team 2012 fortigate advanced nat mmayorga jleon en v3 - copia

1 Fortinet Confidential

FortiGate NAT

Deep Dive

John León – SE Andean Region

[email protected]

Marcelo Mayorga – Mgr., System Engineering CALA

[email protected]


Setting expectations…

• Mainly this is a hands-on

track

• We expect that you know

what NAT is and how to

configure basic NAT on

FortiOS

• You’re here not only to listen

but to ask questions, share

experiences and participate!


April 18, 2023

Some initial words on NAT


What is NAT?

Everything started when IPv4 was

created…

•IPv4 allows 232 IP addresses = 4.2+

billion

•Today there’re more than 9 billion

Internet connected devices(1)

•NOT ENOUGH(1) http://www.readwriteweb.com/archives/more_than_50_of_devices_at_ces_were_internet_connected.php


What is NAT? (cont.)

• Allows IP address sharing

• NAT is the process of converting one IP

address to another on a given packet.

• Usually the convertion happens between a

private (non-routable) and a public

(routable) IP address.


Why does anyone need NAT?

Then, what are routable and non-routable IP addresses

•RFC 1918: IANA defines a set of IP addresses to be used as private address space (i.e. they should not be routed in the Internet)

» Class A: 10.0.0.0/8 = 10.0.0.0 – 10.255.255.255» Class B: 172.16.0.0/12 = 172.16.0.0 – 172.31.255.255» Class C: 192.168.0.0/16 = 192.168.0.0 – 192.168.255.255


Why does anyone need NAT? (cont.)

What other advantages offers NAT?•Security: NAT allows to hide internal IP addressing scheme, making it “invisible” to the outside world

•Makes connections with other networks possible (e.g. overlapping networks)


Yeap… there’re some drawbacks as well

•NAT breaks a core principle of

Internet:

•Provide end-to-end connectivity

•Application Layer Gateways and

techniques such as Traversal

NAT appeared as workarounds.

•The existence of NAT has

delayed IPv6 deployments


Application

Presentation

Session

Transport

Data Link

Physical

Network

Application

Presentation

Session

Transport

Data Link

Physical

Network

My Web Proxy also changes IP addresses!

• NAT happens in the Network Layer• A NATing device keeps the same connection

Application

Presentation

Session

Transport

Data Link

Physical

Network

CLIENT192.168.138.32

192.168.138.1

200.20.32.1

SERVER200.20.32.32

192.168.138.32 200.20.32.32


Application

Presentation

Session

Transport

Data Link

Physical

Network

Application

Presentation

Session

Transport

Data Link

Physical

Network

My Web Proxy also changes IP Address!

• A Proxy works at the Application Layer• When a Proxy is in the path you’ll actually end-up with TWO

connections

Application

Presentation

Session

Transport

Data Link

Physical

Network

CLIENT192.168.138.32

192.168.138.1

200.20.32.1

SERVER200.20.32.32

192.168.138.32 192.168.138.1 200.20.32.1 200.20.32.32


April 18, 2023

NAT in FortiOS


Packet Flow within FortiOS


Session Setup and Offloading on NP based platforms

SYN



SYN/ACK



ACK



Session information

pushed to the NP



Subsequent traffic is handled by the NP doesn’t go to the

CPU

NAT is a resource intensive task so having a platform able to offload this

on hardware is an important advantage in high-end environments


Performance

8 Gbps throughput IP packet forwarding (Bi-directional with 4 GE port) .

Over 1 million sessions of searching and dynamic network address translation (DNAT)

Over 2Gbps throughput IPsec ESP encryption/decryption processing.

Enhanced Extension Interface to support 8-GE with 16Gbps throughput.

Traffic Features

Session timeout feature. IP/TCP/UDP checksum

calculation offloading. Packet de-fragmentation. Jumbo packet support up to

18KB

Application Features

TCP offloading features Traffic shaping and firewall

basic policy check IPS anomaly filtering and

logging Up to 4096 Virtual Domain

support

FortiASIC Network Processors (NP)

NP4

Performance

20 Gbps throughput IP packet forwarding (40 Gbps Bi-directional with 2 XAUI ports)

Up to10 million sessions of searching and dynamic network address translation (DNAT)

6-8 Gbps IPsec ESP encryption/decryption processing

Seamlessly scalable system with switch chips to support any throughput.

Traffic Features

Session timeout feature IP/TCP/UDP checksum calculation

offloading Jumbo packet support up to 9 KB. Policy based traffic shaping

Application Features

TCP offloading features Traffic shaping and counting per

session / per VLAN Firewall policy check IPS anomaly filtering and logging Up to 4096 Virtual Domain support Packet fragmentation / de-

fragmentation

NP2


April 18, 2023

Lab 1 – Understanding Packet Flow


About the environment…

Virtual Machines:

1.FortiGate-VM 4.3.6 (Build0521)» admin/<blank>

2.xserver01: » Ubuntu Linux 10.10

» Apache 2.2.16

» Whireshark

» xuser/xuser

3.xserver02: » Ubuntu Linux 10.10

» Apache 2.2.16

» vsftpd 2.3.0

» xuser/xuser

Port1 (Host-only)192.168.138.10

Port2 (Host-only)20.20.20.1

Host PCVmnet1: 192.168.138.1

xserver01eth120.20.20.10


Between the Host PC and the FGT use whatever IP addressing you want, just be careful during labs

FGT-VM is LENC (Low Encryption) so access to it will be using HTTP

and Telnet


Start your engines!

1. Start VM machines2. Check that you’re able to ping:

» From Host PC 192.168.138.10» From FG-VM 20.20.20.10 and 20.20.20.20

3. Add a route on your host machine to the 20.20.20.0/24 network through your FortiGate

» MACOSX: # sudo route add 20.20.20.0/24 192.168.138.10» Windows: # route add 20.20.20.0 mask 255.255.255.0

192.168.138.10

» Linux: # sudo route add –net 20.20.20.0/24 gw 192.168.138.10» Verify with: # netstat –nr


Start your engines! (cont.)

4. Add the following secondary IP addresses to your Host PC on the host-only virtual NIC :

» 50.50.50.1/24» 192.168.138.2/24» 192.168.138.3/24» 192.168.138.4/24» 192.168.138.5/24» 192.168.138.56/24» MACOSX: # sudo ifconfig vmnet1 inet 50.50.50.1/24 add

» Windows: Use Control Panel -> Network Connections» Linux: # sudo ifconfig eth0:1 50.50.50.1 up» Verify with: ifconfig (Mac OSX/Linux) / ipconfig (Windows)


Lab 1 – Packet Flow

Host PCvmnet1192.168.138.1

port1192.168.138.10

port220.20.20.1




1. Allow all traffic between port1 and port2



3. Sample a flow for HTTP traffic and analyze steps

FGT_XT_12 # diag deb enable

FGT_XT_12 # diag deb flow filter dport 80

FGT_XT_12 # diag deb flow show console enable

show trace messages on console

FGT_XT_12 # diag deb flow filter daddr 20.20.20.10

FGT_XT_12 # diag deb flow trace start 1

3. Browse to http://20.20.20.10 from the Host PC



Packet flow inside FortiGate

FGT_XT_12 # id=36871 trace_id=1 msg="vd-root received a packet(proto=6, 192.168.138.1:56174->20.20.20.10:80) from port1.”

id=36871 trace_id=1 msg="allocate a new session-00000058"

id=36871 trace_id=1 msg="find a route: gw-20.20.20.10 via port2"

id=36871 trace_id=1 msg="Allowed by Policy-1:”

Is this an existing session

?

Route for this network

?

Receive and

parse

packet data

From: 192.168.138.1:56174To: 20.20.20.10:80On:port1

No Allocate a new

session in

state table

Session ID:00000058

GW:20.20.20.10

Interface:port2

Search within the security

policy

AllowedPolicy ID:1Is the

traffic allowed?

Forward packet



5. Filter and review session information

FGT_XT_12 # diag sys session filter dst 20.20.20.10

FGT_XT_12 # diag sys session list



session info: proto=6 proto_state=01 duration=1 expire=3598 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3

origin-shaper=

reply-shaper=

per_ip_shaper=

ha_id=0 hakey=40459

policy_dir=0 tunnel=/

state=log may_dirty

statistic(bytes/packets/allow_err): org=541/4/1 reply=581/3/1 tuples=2

orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=20.20.20.10/192.168.138.1

hook=pre dir=org act=noop 192.168.138.1:56175->20.20.20.10:80(0.0.0.0:0)

hook=post dir=reply act=noop 20.20.20.10:80->192.168.138.1:56175(0.0.0.0:0)

pos/(before,after) 0/(0,0), 0/(0,0)

misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0

serial=00000058 tos=ff/ff ips_view=0 app_list=0 app=0

dd_type=0 dd_rule_id=0

per_ip_bandwidth meter: addr=192.168.138.1, bps=335

total session 1


April 18, 2023

Destination NATOne-to-one

DNAT on different subnets

Port Address Translation


Destination NAT (DNAT)

• Changes Destination IP address

• Unless specified there’s no port

translation (statically)

• Usually used to publish a

service/server that has a private

IP address with a public, routable

one.


Lab 2 – Static Destination NAT (DNAT)

SADDR SPORT DADDR DPORT

192.168.138.1 23456 192.168.138.100 80

port1192.168.138.10

port220.20.20.1


192.168.138.1 23456 20.20.20.10 80

192.168.138.100Host PC

vmnet1192.168.138.1




1. Publish Web Service on xserver01 with IP address 192.168.138.20. Create a new VIP with the following information:

•Name: XTWebServer01Pub•External IP: 192.168.138.100•Mapped IP 20.20.20.10•External Interface: port1

2. Modify recently created policy changing Destination Address to XTWebServer01Pub



4. Do a debug flow and review how it changed while browsing to http://192.168.138.100

FGT_XT_12 # diag deb fl filter daddr 192.168.138.100

FGT_XT_12 # diag deb flo trace start 1

FGT_XT_12 # id=36871 trace_id=2 msg="vd-root received a packet(proto=6, 192.168.138.1:56200->192.168.138.100:80) from port1."

id=36871 trace_id=2 msg="allocate a new session-0000007a"

id=36871 trace_id=2 msg="find SNAT: IP-20.20.20.10(from IPPOOL), port-80"

id=36871 trace_id=2 msg="VIP-20.20.20.10:80, outdev-port1"

id=36871 trace_id=2 msg="DNAT 192.168.138.100:80->20.20.20.10:80"


id=36871 trace_id=2 msg="Allowed by Policy-1:"

Routing happens after DNAT

What is this SNAT?



5. List session table and review differences on NATed sessions




origin-shaper=

reply-shaper=

per_ip_shaper=

ha_id=0 hakey=40459


state=may_dirty



hook=pre dir=org act=dnat 192.168.138.1:56200->192.168.138.100:80(20.20.20.10:80)

hook=post dir=reply act=snat 20.20.20.10:80->192.168.138.1:56200(192.168.138.100:80)



serial=0000007a tos=ff/ff ips_view=0 app_list=0 app=0



total session 1

DIRECTION: The action applies to original or reply direction traffic

ACTION: Doing SNAT or DNAT

Source IP Address : Source Port

Destination IP Address : Destination Port

Translated IP Address : Translated Port (either source or destination, depending

on action)



5. List session table and review differences on NATed sessions




origin-shaper=

reply-shaper=

per_ip_shaper=

ha_id=0 hakey=40459


state=may_dirty







serial=0000007a tos=ff/ff ips_view=0 app_list=0 app=0



total session 1

ACTION FOR ORIGINAL DIRECTION

TRAFFIC

ACTION FOR REPLY DIRECTION TRAFFIC



What has changed in L3 header?. What about L4 header?1.From xserver01, connect to FortiGate (telnet 20.20.20.1)2.Sniff traffic on port TCP/80, use any interface and maximum verbosity# diag sniffer packet any 'port 80' 6

2.Browse to http://192.168.138.100 from Host PC3.Copy and save the output to $ ~/Desktop/XT2012_Tools/traffic.txt 4.Convert the output to PCAP with fgt2eth.pl $ ~/Desktop/XT2012_Tools/fgt2eth.pl -in traffic.txt -out traffic.pcap

5.Open traffic.pcap with Wireshark ($ wireshark traffic.pcap) and review SYN packet before and after the firewall (port1 and port2).



• Before



• After


Layer 2 Resolution – Proxy ARP

• ARP (Address Resolution Protocol) is a Layer 2 protocol in charge of binding Layer 3 addresses (IP) to Layer 2 addresses (MAC)

FortiGateport1MAC: 00:0C:29:F7:65:46IP: 192.168.138.10

PC1vmnet1MAC: 00:50:56:C0:00:01IP: 192.168.138.1

SMAC DMAC SENDER IP DEST IP

00:50:56:C0:00:01 ff:ff:ff:ff:ff:ff 192.168.138.1 192.168.138.10

Who has 192.168.138.10? - Please tell 192.168.138.1



• ARP (Address Resolution Protocol) is a Layer 2 protocol that for example is in charge of binding Layer 3 addresses (IP) to Layer 2 addresses (MAC)


00:0C:29:F7:65:46

00:50:56:C0:00:01 192.168.138.10 192.168.138.1

192.168.138.10 is at 00:0C:29:F7:65:46


PC1vmnet1MAC: 00:50:56:C0:00:01IP: 192.168.138.1



• MAC addresses are tied to NICs.• What happens when NAT is part of the equation?• No NIC actually has IP address 192.168.138.100


VIP: 192.168.138.100

PC1vmnet1MAC: 00:50:56:C0:00:01IP: 192.168.138.1


00:50:56:C0:00:01 ff:ff:ff:ff:ff:ff 192.168.138.1 192.168.138.100

Who has 192.168.138.100? - Please tell 192.168.138.1


• MAC addresses are tied to NICs.• What happens when NAT is part of the equation?• No NIC actually has IP address 192.168.138.100• FortiGate will answer that request with its own MAC Address (thanks to

Proxy ARP configuration)



00:0C:29:F7:65:46

00:50:56:C0:00:01 192.168.138.100 192.168.138.1

192.168.138.100 is at 00:0C:29:F7:65:46


PC1vmnet1MAC: 00:50:56:C0:00:01IP: 192.168.138.1

VIP: 192.168.138.100

This means: answer ARP request for this

external IP (enabled by default)


Destination NAT (DNAT) on different subnet

• In previous exercise we publish

the Web Server using an IP

address in the same range of the

one configured in the FortiGate

• What if my ISP provides me with a

new pool of IP address?

• Let’s see how to manage those

scenarios


Lab 3 – DNAT on different subnet


192.168.138.1 23456 50.50.50.10 80

port1192.168.138.10

port220.20.20.1


192.168.138.1 23456 20.20.20.10 80

50.50.50.10Host PCvmnet1192.168.138.150.50.50.1




1. What would happen if we try to publish an IP address from a different network?

2. Create a new VIP and publish the Web Server with IP address 50.50.50.10

» Name: XTWebServer05Pub» External Interface: port1» External IP: 50.50.50.10 – 50.50.50.10» Mapped IP: 20.20.20.10



3. Create a new firewall policy allowing HTTP traffic for XTWebServer05Pub

FGT_XT_12 (3) # showconfig firewall policy edit 3 set srcintf "port1" set dstintf "port2" set srcaddr "all" set dstaddr "XTWebServer05Pub" set action accept set schedule "always" set service "HTTP" set logtraffic enable nextend



3. Try to access the web server using the new IP address in the URL; http://50.50.50.10

4. Is it working?

CHALLENGE 1

Find out and explain to the team what’s going on

Time: 5 minutes tops

Tips: Use the same debugging tools we used already



CHALLENGE 1 1.Sniffer shows that traffic doesn’t leave the FortiGate

FGT_XT_12 # diag sniffer packet any 'port 80' 4

interfaces=[any]

filters=[port 80]

5.100864 port1 in 50.50.50.1.55916 -> 50.50.50.10.80: syn 1988918947

6.203151 port1 in 50.50.50.1.55916 -> 50.50.50.10.80: syn 1988918947

7.307608 port1 in 50.50.50.1.55916 -> 50.50.50.10.80: syn 1988918947



CHALLENGE 1 2.Review traffic flow

FGT_XT_12 # diag deb flo filter dport 80

FGT_XT_12 # diag deb flo show con enable








id=36871 trace_id=1 msg="reverse path check fail, drop”

Reverse Path Forwarding (RPF)

(a.k.a. anti-spoofing) won’t let this packet go

through



CHALLENGE 1 3.Add a route to the 50.50.50.0/24 network on port1 and try browsing again

FGT_XT_12 # conf router static FGT_XT_12 (static) # showconfig router static edit 1 set device "port1" set dst 50.50.50.0 255.255.255.0 nextend


Reverse Path Forwarding and NAT

• The FortiGate implements a mechanism called RPF (Reverse Path Forwarding), or Anti Spoofing, which prevents an IP packet to be forwarded if its Source IP does not either:»Belong to a locally attached subnet (local interface)»Be in the routing of the FortiGate from another source (static route, RIP, OSPF,

BGP)

FGT_XT_12 # get router info routing-table all

S* 0.0.0.0/0 [10/0] via 192.168.138.1, port1C 20.20.20.0/24 is directly connected, port2C 192.168.138.0/24 is directly connected, port1

Only traffic coming from 20.20.20.0/24 will be allowed

on port2

Any traffic will be allowed on port1 since there’s a default gateway defined

on it


Port Address Translation (PAT)

• The idea behind PAT is being able

to translate Layer 4 ports

• This could be useful for instance

to:

»Publish services on different ports

than those on which are “listening”

internally

»Use the same public IP address to

publish different services


Lab 4 – Port Address Translation (PAT)


192.168.138.1 23456 192.168.138.100 8080

port1192.168.138.10

port220.20.20.1


192.168.138.1 23456 20.20.20.10 80

192.168.138.100:8080





192.168.138.1 43213 20.20.20.20 21


192.168.138.1 43213 192.168.138.100 21

192.168.138.100:21



1. Publish the Web Server on the port TCP/8080• Edit VIP XTWebServer01Pub• Enable port forwarding and translate port TCP/8080 to TCP/80



2. Create a new VIP to publish the FTP Server using the same IP address and taking advantage of Port Forwarding

• Name: XTFTPServer01Pub• External Interface: port1• External IP: 192.168.138.100• Mapped IP 20.20.20.20• Enable Port Forwarding, keeping port 21 without translation

IMPORTANT: VIPs with same external IP

address will always require “Port

Forwarding” enabled



3. Add a firewall policy to allow FTP traffic to the newly created VIP



4. Access the Web Server URL: http://192.168.138.100:8080 while doing a debug flow

5. Differences in flow with and without Port Forwarding

FGT_XT_12 # diag deb flow trace start 1


id=36871 trace_id=3 msg="allocate a new session-000000a5"





id=36871 trace_id=3 msg="Allowed by Policy-2:”



6. Differences in session list with and without Port Forwarding

FGT_XT_12 # diag sys session filter dport 8080



origin-shaper=

reply-shaper=

per_ip_shaper=

ha_id=0 hakey=40459


state=may_dirty







serial=000000a5 tos=ff/ff ips_view=0 app_list=0 app=0



total session 1


TRAFFIC




4. Access the FTP Server from Host PC (ftp 192.168.138.100) while debug flow is running

5. Review flow





id=36871 trace_id=15 msg="allocate a new session-000005ad"





id=36871 trace_id=15 msg="Allowed by Policy-4:"

id=36871 trace_id=15 msg="run helper-ftp(dir=original)"



5. Differences in session list with and without Port Forwarding




origin-shaper=

reply-shaper=

per_ip_shaper=

ha_id=0 hakey=40469


state=log may_dirty







serial=000005af tos=ff/ff ips_view=0 app_list=0 app=0



total session 1


TRAFFIC



The Match VIP dilemma

1. Add a rule on top of the others that DENIES all traffic2. Browse to http://192.168.138.1003. What happened?

VIP rules are processed a little different than other rules. They take precedence over “regular” rules.

There’re two ways of denying traffic to a VIP1. Create a DENY rule specifying the VIP as destination2. Enable “# match-vip enable” on the firewall rule that DENIES

traffic


April 18, 2023

Source NATDynamic SNAT

Dynamic SNAT with Ranges

Static SNAT


Dynamic Source NAT

• DSNAT is probably the most used

type of NAT

• Almost every organization with

uses this type of NAT so their

employees can surf the Web

• Allows to share a public IP

address among many users


Lab 5 – Dynamic SNAT


192.168.138.1 23456 192.168.138.100 80

port1192.168.138.10

port220.20.20.1


20.20.20.1 45123 20.20.20.10 80

192.168.138.100Host PC

vmnet1192.168.138.1


20.20.20.1



1. Edit VIP XTWebServer01Pub and modify External Service Port to 80

2. Edit firewall policy that allows traffic from XTWebServer01Pub and enable NAT.



3. Access to Web Server: http://192.168.138.100 while sampling a traffic flow

FGT_XT_12 # diag deb ena


FGT_XT_12 # diag deb flo filter daddr 192.168.138.100

FGT_XT_12 # diag deb flo sho console enable



FGT_XT_12 # diag sys session listid=36871 trace_id=16 msg="vd-root received a packet(proto=6, 192.168.138.1:50540->192.168.138.100:80) from port1."






id=36871 trace_id=16 msg="find SNAT: IP-20.20.20.1, port-34792"

id=36871 trace_id=16 msg="Allowed by Policy-2: SNAT"

id=36871 trace_id=16 msg="SNAT 192.168.138.1->20.20.20.1:34792"

SNAT happens at the end



4. Reviewing session list





origin-shaper=

reply-shaper=

per_ip_shaper=

ha_id=0 hakey=40459


state=log may_dirty




hook=post dir=org act=snat 192.168.138.1:50540->20.20.20.10:80(20.20.20.1:34792)

hook=pre dir=reply act=dnat 20.20.20.10:80->20.20.20.1:34792(192.168.138.1:50540)




serial=00000710 tos=ff/ff ips_view=0 app_list=0 app=0



total session 1


TRAFFIC



Understanding Dynamic SNAT behavior and limitations

How does the FortiGate track sessions in order to redirect reply traffic?

PC1192.168.138.1

Web Server20.20.20.10

20.20.20.1

PC2192.168.138.2


192.168.138.1 1234 20.20.20.10 80


20.20.20.1 1234 20.20.20.10 80

ORIGINAL REPLY

SNAT 192.168.138.1:1234, 20.20.20.10:80

20.20.20.1:1234, 20.20.20.10:80

DNAT 20.20.20.10:80, 20.20.20.1:1234

20.20.20.10:80, 192.168.138.1:1234




PC1192.168.138.1


20.20.20.1

PC2192.168.138.2


20.20.20.10 80 192.168.138.1 1234


20.20.20.10 80 20.20.20.1 1234

ORIGINAL REPLY

SNAT 192.168.138.1:1234, 20.20.20.10:80

20.20.20.1:1234, 20.20.20.10:80

DNAT 20.20.20.10:80, 20.20.20.1:1234

20.20.20.10:80, 192.168.138.1:1234




PC1192.168.138.1


20.20.20.1

PC2192.168.138.2


192.168.138.2 5678 20.20.20.10 80


20.20.20.1 5678 20.20.20.10 80

ORIGINAL REPLY

SNAT 192.168.138.1:1234, 20.20.20.10:80

20.20.20.1:1234, 20.20.20.10:80

DNAT 20.20.20.10:80, 20.20.20.1:1234

20.20.20.10:80, 192.168.138.1:1234

SNAT 192.168.138.2:5678, 20.20.20.10:80

20.20.20.1:5678, 20.20.20.10:80

DNAT 20.20.20.10:80, 20.20.20.1:5678

20.20.20.10:80, 192.168.138.2:5678




PC1192.168.138.1


20.20.20.1

PC2192.168.138.2


20.20.20.10 80 192.168.138.2 5678


20.20.20.10 80 20.20.20.1 5678

ORIGINAL REPLY

SNAT 192.168.138.1:1234, 20.20.20.10:80

20.20.20.1:1234, 20.20.20.10:80

DNAT 20.20.20.10:80, 20.20.20.1:1234

20.20.20.10:80, 192.168.138.1:1234

SNAT 192.168.138.2:5678, 20.20.20.10:80

20.20.20.1:5678, 20.20.20.10:80

DNAT 20.20.20.10:80, 20.20.20.1:5678

20.20.20.10:80, 192.168.138.2:5678




PC1192.168.138.1


20.20.20.1

PC2192.168.138.2


192.168.138.2 1234 20.20.20.10 80


20.20.20.1 1234 20.20.20.10 80

ORIGINAL REPLY

SNAT 192.168.138.1:1234, 20.20.20.10:80

20.20.20.1:1234, 20.20.20.10:80

DNAT 20.20.20.10:80, 20.20.20.1:1234

20.20.20.10:80, 192.168.138.1:1234

SNAT 192.168.138.2:1234, 20.20.20.10:80

20.20.20.1:1234, 20.20.20.10:80

DNAT 20.20.20.10:80, 20.20.20.1:1234

20.20.20.10:80, 192.168.138.2:1234




PC1192.168.138.1


20.20.20.1

PC2192.168.138.2 SADDR SPORT DADDR DPORT

20.20.20.10 80 20.20.20.1 1234

ORIGINAL REPLY

SNAT 192.168.138.1:1234, 20.20.20.10:80

20.20.20.1:1234, 20.20.20.10:80

DNAT 20.20.20.10:80, 20.20.20.1:1234

20.20.20.10:80, 192.168.138.1:1234

SNAT 192.168.138.2:1234, 20.20.20.10:80

20.20.20.1:1234, 20.20.20.10:80

DNAT 20.20.20.10:80, 20.20.20.1:1234

20.20.20.10:80, 192.168.138.2:1234

CONFLICT!




PC1192.168.138.1


20.20.20.1

PC2192.168.138.2


192.168.138.2 1234 20.20.20.10 80


20.20.20.1 2232 20.20.20.10 80

ORIGINAL REPLY

SNAT 192.168.138.1:1234, 20.20.20.10:80

20.20.20.1:1234, 20.20.20.10:80

DNAT 20.20.20.10:80, 20.20.20.1:1234

20.20.20.10:80, 192.168.138.1:1234

SNAT 192.168.138.2:1234, 20.20.20.10:80

20.20.20.1:2232, 20.20.20.10:80

DNAT 20.20.20.10:80, 20.20.20.1:2232

20.20.20.10:80, 192.168.138.2:1234




PC1192.168.138.1


20.20.20.1

PC2192.168.138.2 SADDR SPORT DADDR DPORT

20.20.20.10 80 20.20.20.1 2232

ORIGINAL REPLY

SNAT 192.168.138.1:1234, 20.20.20.10:80

20.20.20.1:1234, 20.20.20.10:80

DNAT 20.20.20.10:80, 20.20.20.1:1234

20.20.20.10:80, 192.168.138.1:1234

SNAT 192.168.138.2:1234, 20.20.20.10:80

20.20.20.1:2232, 20.20.20.10:80

DNAT 20.20.20.10:80, 20.20.20.1:2232

20.20.20.10:80, 192.168.138.2:1234


20.20.20.10 80 192.168.138.2 5678



How many unique NAT entries to a given Web

Server can be referenced in a FortiGate

How did you reach that number?



1. Using source port as part of the “unique key” brings an intrinsic limitation: there’re 65,535 possible source ports

2. Actually, FortiOS uses a sub-pool of 32,768 ports (28,672-61,440).(*)

3. FortiOS’ Pool is tied to a unique combination of NAT IP, Destination IP, Port and Protocol

4. Indicator that this limit is being reached are:» Clash counter’s increase: Session clash means when a new session need to

be created, an old session already exists so the old one is deleted and new one is created.

» NAT port is exhausted: This entry appears in the system log.(*) http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30357



FGT_XT_12 # diag sys session stat

misc info: session_count=1 setup_rate=0 exp_count=0 clash=0

memory_tension_drop=0 ephemeral=0/32768 removeable=0 ha_scan=0

delete=0, flush=0, dev_down=0/0

TCP sessions:

1 in ESTABLISHED state

firewall error stat:

error1=00000000

error2=00000000

error3=00000000

error4=00000000

tt=00000000

cont=00000000

ids_recv=00000000

url_recv=00000000

av_recv=00000000

fqdn_count=00000000

tcp reset stat:

syncqf=0 acceptqf=0 no-listener=1 data=0 ses=6 ips=0

global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0



1. The best way of overcoming this limitation is using IP Pool Ranges as SNAT.

2. This way, for a given Destination IP address + Protocol + Port, pool is increased by N (being N the number of IP addresses in the IP Pool Range)

Range: 20.20.20.2 – 20.20.20.2 = 1 * 32,768 = 32,768

Range: 20.20.20.2 – 20.20.20.5 = 4 * 32,768 = 131,072

If you’re doing deployments on large networks you will probably want to use IP Pool Ranges


Lab 6 – Dynamic SNAT w/IP Pool Range

port1192.168.138.10

port220.20.20.1192.168.138.1

00Host PCvmnet1192.168.138.1192.168.138.2192.168.138.56



192.168.138.1 1234 192.168.138.100 80


20.20.20.3 4321 20.20.20.10 80


20.20.20.2 7654 20.20.20.10 80


192.168.138.56 4567 192.168.138.100 80

20.20.20.2 – 20.20.20.5



1. Create an new IP Pool» Name: IP_Pool_2_to_5

» IP Range/Subnet: 20.20.20.2 – 20.20.20.5

2. Edit firewall policy that allows traffic to XTWebServer01Pub and

configure newly created IP Pool for NAT



4. Sniff HTTP traffic on outgoing interface: port2» FGT_XT_12 # diag sni packet port2 'port 80 or icmp' 4

5. On the Host PC, open an HTTP session using telnet or just ping using different source IP addresses

» MAC OS X: # telnet -s 192.168.138.X 192.168.138.100 80» Linux: # telnet –b 192.168.138.X 192.168.138.100 80» Windows: <don’t think you can do this>

5. MAC OS X: # ping -S 192.168.138.X 192.168.138.100

6. Linux: # ping -I eth0:X 192.168.138.100

7. Windows (XP don’t have this flag): # ping –S 192.168.138.X 192.168.138.100



6. Review how NAT IP address depends on source IP in original packet.FGT_XT_12 # diag sniffer packet port2 'icmp or port 80' 1

interfaces=[port2]

filters=[icmp or port 80]

Using Source IP: 192.168.138.1

96.416203 20.20.20.3 -> 20.20.20.10: icmp: echo request

96.420104 20.20.20.10 -> 20.20.20.3: icmp: echo reply


97.417217 20.20.20.10 -> 20.20.20.3: icmp: echo reply



105.208867 20.20.20.10 -> 20.20.20.4: icmp: echo reply


106.205062 20.20.20.10 -> 20.20.20.4: icmp: echo reply



112.956181 20.20.20.10 -> 20.20.20.2: icmp: echo reply


113.956671 20.20.20.10 -> 20.20.20.2: icmp: echo reply


SNAT w/IP Pool Range Behavior

• Behavior on different range sizes1.Original IP Range > IP Pool Range

192.168.138.1 20.20.20.1192.168.138.2 20.20.20.2192.168.138.3 20.20.20.1192.168.138.4 20.20.20.2

…192.168.138.254 20.20.20.2

SOURCE IP ADDRESSES ARE TRANSLATED USING A WRAP-AROUND MECHANISM


SNAT w/IP Pool Range Behavior (cont.)

• Behavior on different range sizes1.Original IP Range < IP Pool Range

192.168.138.1 20.20.20.1192.168.138.2 20.20.20.2192.168.138.3 20.20.20.3

Not used 20.20.20.4…

Not used 20.20.20.254

A SUBSET OF IP ADDRESSES WILL NEVER BE USED



• Behavior on different range sizes1.Original IP Range = IP Pool Range

192.168.138.1 20.20.20.1192.168.138.2 20.20.20.2192.168.138.3 20.20.20.3192.168.138.4 20.20.20.4

…192.168.138.254 20.20.20.254

EACH SOURCE IP IS TRANSLATED ALWAYS TO ITS MATCHING ADDRESS



When ranges size match, would be fair saying that

behaves as an STATIC 1-to-1 NAT?

No, since Source Ports are being translated randomly


Static SNAT (1-to-1)

• So far we saw Dynamic SNAT. Where a N-to-1 or N-to-M mapping exists

• Source Port was translated randomly

• Static NAT assures that a given Source IP is always translated to a predefined IP address in a 1-to-1 fashion

• No Source Port translation exist

Source IP Translate Source IP

192.168.138.1:1234 20.20.20.1:1234192.168.138.2:4325 20.20.20.2:4325192.168.138.3:5698 20.20.20.3:5698

…192.168.138.254:7654 20.20.20.254:7654


Static SNAT (1-to-1)

• There’re some applications that need an specific source port to work• VoIP, Videoconference, tunneling applications, etc.

A DNS protocol vulnerability is indirectly affected by NAT port mapping. To avoid DNS server cache poisoning, it is highly desirable to not translate UDP source port numbers of outgoing DNS requests from a DNS server which is behind a firewall which implements NAT(1)

• For these cases, you should probably think in Static NAT

(1) http://en.wikipedia.org/wiki/Network_address_translation


Lab 7 – Static SNAT (1-to-1)

port1192.168.138.10

port220.20.20.1192.168.138.1

00Host PCvmnet1192.168.138.1192.168.138.4



192.168.138.2 1234 192.168.138.100 80


20.20.20.2 1234 20.20.20.10 80


20.20.20.3 4567 20.20.20.10 80


192.168.138.3 4567 192.168.138.100 80

20.20.20.2 – 20.20.20.5



1. Create an new Firewall Address» Name: Addr_Range_2_to_5

» Subnet / IP Range: 192.168.138.[2-5]

2. Create a firewall policy that allows HTTP/ICMP traffic from

Addr_Range_2_to_5 to “any”, using IP_Pool_2_to_5 as NAT

3. Make sure to enable “Fixed Port” on the new rule.



• Here is where the magic happens!.



4. Sniff HTTP traffic on incoming and outgoing interface» FGT_XT_12 # diag sni packet any 'port 80 and host

20.20.20.10' 4

5. On the Host PC, open an HTTP session using telnet or just ping using different source IP addresses

» MAC OS X: # telnet -s 192.168.138.X 192.168.138.100 80» Linux: # telnet –b 192.168.138.X 192.168.138.100 80» Windows: <don’t think you can do this>



6. Review how NAT IP address depends on source IP in original packet.

FGT_XT_12 # diag sniffer packet any 'port 80 and host 20.20.20.10' 4

interfaces=[any]

filters=[port 80 and host 20.20.20.10]


2.349765 port1 in 192.168.138.2.58229 -> 20.20.20.10.80: syn 4243720882

2.349838 port2 out 20.20.20.4.58229 -> 20.20.20.10.80: syn 4243720882


11.728808 port1 in 192.168.138.3.58230 -> 20.20.20.10.80: syn 650004285

11.728942 port2 out 20.20.20.5.58230 -> 20.20.20.10.80: syn 650004285


19.844453 port1 in 192.168.138.4.58231 -> 20.20.20.10.80: syn 1223648107

19.844592 port2 out 20.20.20.2.58231 -> 20.20.20.10.80: syn 1223648107


Lab 7 – Static SNAT w/Port Translation

• Port Address Translation is also an option when doing SNAT

• The idea is to translate a range of source ports into another, same size, range

• This’s one of the benefits of using Central NAT Table (available since 4.0 Mr2)

• Remember that Central NAT Table is for Source NAT only



port1192.168.138.10

port220.20.20.1Host PC

vmnet1192.168.138.1:60000



192.168.138.1 60000 20.20.20.10 80


20.20.20.1 32000 20.20.20.10 80


20.20.20.1 32001 20.20.20.10 80


192.168.138.1 60001 20.20.20.10 80

20.20.20.1:32000



1. Enable Central NAT Table• Go to System Admin Settings• Enable Central NAT Table in GUI options

2. Create a firewall rule on top of the others allowing HTTP traffic from any source to any destination. Allow NAT and use Central NAT table for this rule.

3. Create a new entry in Central NAT table» Source Address: all» Translated Address: IP_Pool_2_to_5» Original Source Port: 1» Translated Port: 180 – 184



4.Browse to http://20.20.20.10 while sniffing traffic

•We can’t control which source port the operating system is going to pick. Hopefully will be in the specified range in the Central NAT Table



FGT_XT_12 # diag sni packet any 'host 20.20.20.10' 4interfaces=[any]

filters=[host 20.20.20.10]

5.684952 port1 in 192.168.138.1.60764 -> 20.20.20.10.80: syn 205570712

5.685011 port2 out 20.20.20.3.29763 -> 20.20.20.10.80: syn 205570712

5.691359 port2 in 20.20.20.10.80 -> 20.20.20.3.29763: syn 3656265083 ack 205570713

5.691394 port1 out 20.20.20.10.80 -> 192.168.138.1.60764: syn 3656265083 ack 205570713

5.691531 port1 in 192.168.138.1.60764 -> 20.20.20.10.80: ack 3656265084

5.691542 port2 out 20.20.20.3.29763 -> 20.20.20.10.80: ack 3656265084

5.692194 port1 in 192.168.138.1.60764 -> 20.20.20.10.80: psh 205570713 ack 3656265084

5.692205 port2 out 20.20.20.3.29763 -> 20.20.20.10.80: psh 205570713 ack 3656265084

5.693810 port2 in 20.20.20.10.80 -> 20.20.20.3.29763: ack 205571060

5.693826 port1 out 20.20.20.10.80 -> 192.168.138.1.60764: ack 205571060

60764 (Original) – 32001 (First Original Range) + 1000 (First

translated range) = 29763




FGT_XT_12 # diag de flow filter daddr 20.20.20.10

FGT_XT_12 # diag deb flo sho con enable




id=36871 trace_id=26 msg="allocate a new session-00001e4d"


id=36871 trace_id=26 msg="find SNAT: IP-20.20.20.1, port-25573"


id=36871 trace_id=26 msg="Allowed by Policy-3: SNAT"

id=36871 trace_id=26 msg="SNAT 192.168.138.1->20.20.20.3:29768”





origin-shaper=

reply-shaper=

per_ip_shaper=

ha_id=0 hakey=40459


state=may_dirty



hook=post dir=org act=snat 192.168.138.1:60770->20.20.20.10:80(20.20.20.3:29769)

hook=pre dir=reply act=dnat 20.20.20.10:80->20.20.20.3:29769(192.168.138.1:60770)



serial=00001e4e tos=ff/ff ips_view=0 app_list=0 app=0



total session 1

FGT_XT_12 #


TRAFFIC



April 18, 2023

Load Balancing NAT


Load Balancing with FortiGate

• You can configure FortiOS load balancing to intercept incoming traffic with a virtual server and share it among one or more backend real servers.

• The FortiGate unit enables multiple real servers to respond as if they were a single device to the outside world.

• Up to eight Real Servers can be load balanced in one VIP

• Things that won’t work: Authentication, WAN Optimization and Web Caching



When load balancing, there’re some important concepts to keep in mind:

1.Load Balancing Algorithm: Defines how the traffic will be distributed among real servers. FGT supports the following LB algorithms:

»Source IP Hash: Traffic load is statically spread evenly across all real servers. Non dependent on how busy individual real servers are. Provides some persistence because all sessions from the same source address always go to the same real server. Distribution is stateless; if a real server is added or removed (or goes up or down) the distribution is changed and persistence could be lost.





»Round Robin: Directs new requests to the next real server, and treats all real servers as equals regardless of response time or number of connections. Dead real servers or non responsive real servers are avoided.





»Weighted: Behaves like a weighted round robin. Real servers with a higher weight value receive a larger percentage of connections. Set the real server weight when adding a real server.





»First Alive: Always directs sessions to the first alive real server (order of the real servers). Provides real server failover. For example, if you add real servers A, B and C in that order, then all sessions always go to A as long as it is alive. If A goes down then sessions go to B and if B goes down sessions go to C. If A comes back up sessions go back to A.





»Least RTT (Round Trip Time): Directs sessions to the real server with the least round trip time. The round trip time is determined by a Ping health check monitor and is defaulted to 0 if no Ping health check monitors are added to the virtual server.





»Least Sessions: Directs requests to the real server that has the least number of current connections. This method works best in environments where the real servers or other equipment you are load balancing all have similar capabilities. This load balancing method uses the FortiGate session table to track the number of sessions being processed by each real server.





»HTTP Host: Load balances HTTP host connections across multiple real servers using the host’s HTTP header to guide the connection to the correct real server. For example: www.mycompany.com goes to 20.20.20.10, www.mycompany.org goes to 20.20.20.20 and the rest of traffic goes to 20.20.20.30




2.Health-Check: Mechanisms to check server and application status and determine if they’re able to receive connections:

»PING: Verifies that the IP address is reachable from the FortiGate by means of ICMP Echo Request/Response. ONLY checks reachability





»TCP: Opens a socket to the specified port, making sure there’s Layer 4 connectivity (i.e. some process is “listening” on that port)





»HTTP: In this case the health-checker will perform a GET request to the specified URL, making sure not only the Web Server is up and running, but the application is actually working. A MATCHing condition can be specified to check it’s retrieving the correct content (e.g. there was no defacement)




3.Session Persistence: Is the mechanisms to assure that connections belonging to the same user session end-up always in the same Real Server. This is mandatory in transactional sites for example.

»HTTP Cookie: Inserts a cookie in the user session to track persistence

»SSL Session ID: Works on HTTPS only and track persistence by the ID generated in the SSL Session




4.Session Multiplexing: Leverage HTTP/1.1 feature that allows to encapsulate multiple HTTP requests over a single connection. This ability frees-up resources on real servers by avoiding session setup.

Preserve Client IP will insert X-Forwarded-For

header so the real servers can track client’s IP address. If not enable, they will only see FGT’s IP address


Load Balancing with FortiGate – Session Multiplexing

Behavior without Session Multiplexing

Web Server

PC2

PC1

PC3Web Server established three sessions, allocating CPU for the session setup and memory for the session information


Load Balancing with FortiGate – Session Multiplexing

Behavior with Session Multiplexing

Web Server

PC2

PC1

PC3Web Server established just one session = More resources to be used with other clients

HTTP/1.1 Persistence Session




5.SSL Offloading: The FortiGate can offload SSL 3.0 and TLS1.0 on specific hardware (FortiASIC) freeing-up Real Server resources.

»Half-Mode Offloading: Will create a secure channel between the FGT and the client and a clean channel between the FGT and the server. Real Servers don’t process encryption

»Full-Mode Offloading: Will create a secure channel on both sides of the FGT. Real Server process encryption with abbreviated handshake.


Load Balancing with FortiGate – SSL Offloading

Half-Mode Encryption•FortiGate needs Certificate and Private Key of the web sited

Web Server

PC1

FortiGate will be in charge of processing encryption/decryption

Encrypted Clean


Load Balancing with FortiGate – SSL Offloading

Half-Mode Encryption•FortiGate needs Certificate and Private Key of the web sited•Web Server needs a Certificate and Private Key as well

Web Server

PC1

Both, FortiGate and Web Server will be processing encryption/decryption

Encrypted Encrypted


Lab 8 – Load Balancing VIP


192.168.138.1 23456 192.168.138.100 443

port1192.168.138.10

port220.20.20.1


192.168.138.1 1234 20.20.20.10 80





192.168.138.1 3456 20.20.20.20 80

192.168.138.101



1.Create a health-checker for HTTP• Name: XT_HTTP_Check• Type: HTTP• Port: 80• URL: /index.html• Matched Content: XTREME• Leave defaults for the rest



3. Create a Virtual Server• Name: LB_Public_IP• Type: HTTP• Interface: port1• Virtual Server IP: 192.168.138.101• Virtual Server Port: 80• Load Balance Method: Round Robin• Health Check: Select the recently created health-checker

4. Create both Real-Servers• Virtual Server: LB_Public_IP• IP Address: 20.20.20.10 and 20.20.20.20• Port: 80



4.Create a firewall policy allowing HTTP traffic from port1 to port2 with newly created Load-Balance VIP as destination.

4.Make sure this policy is on top of the others.



It’s possible to define different health-check per real server using

CLI

Active: Receive connections

Disabled: Don’t receive connections

Standby: Becomes active if another fails (n+1)



6. Monitor real-server health on GUI and CLI



7. Let’s generate some sessions and check if they’re DNATed with different IP addresses. Browse from the Host PC to http://192.168.138.101

FGT_XT_12 # diag sniffer packet port2 'port 80' 1

interfaces=[port2]

filters=[port 80]

4.110573 20.20.20.1.4447 -> 20.20.20.20.80: syn 1375892443

4.110681 20.20.20.1.4448 -> 20.20.20.10.80: syn 293125801

4.110793 20.20.20.20.80 -> 20.20.20.1.4447: syn 2610757897 ack 1375892444

4.110824 20.20.20.1.4447 -> 20.20.20.20.80: ack 2610757898

4.110879 20.20.20.10.80 -> 20.20.20.1.4448: syn 1901104108 ack 293125802

4.110917 20.20.20.1.4448 -> 20.20.20.10.80: ack 1901104109

4.110991 20.20.20.1.4448 -> 20.20.20.10.80: psh 293125802 ack 1901104109

4.111045 20.20.20.1.4447 -> 20.20.20.20.80: psh 1375892444 ack 2610757898

4.111122 20.20.20.10.80 -> 20.20.20.1.4448: ack 293125867

4.111232 20.20.20.20.80 -> 20.20.20.1.4447: ack 1375892509

4.111549 20.20.20.10.80 -> 20.20.20.1.4448: psh 1901104109 ack 293125867

4.111571 20.20.20.1.4448 -> 20.20.20.10.80: ack 1901104461

4.111619 20.20.20.20.80 -> 20.20.20.1.4447: psh 2610757898 ack 1375892509

4.111637 20.20.20.1.4447 -> 20.20.20.20.80: ack 2610758250

4.111690 20.20.20.10.80 -> 20.20.20.1.4448: fin 1901104461 ack 293125867






origin-shaper=

reply-shaper=

per_ip_shaper=

ha_id=0 hakey=10251


state=local


orgin->sink: org out->post, reply pre->in dev=7->3/3->7 gwy=0.0.0.0/20.20.20.1

hook=out dir=org act=noop 20.20.20.1:6775->20.20.20.10:80(0.0.0.0:0)

hook=in dir=reply act=noop 20.20.20.10:80->20.20.20.1:6775(0.0.0.0:0)



serial=00002c6f tos=ff/ff ips_view=0 app_list=0 app=0



Q: Is this the load-balance session?

A: Health Checker’s session. There’s no

NAT there






origin-shaper=

reply-shaper=

per_ip_shaper=

ha_id=0 hakey=40459


state=log may_dirty







serial=00002cc0 tos=ff/ff ips_view=0 app_list=0 app=0



This one is the load-balanced session



7. Change index.html and re-check health status.• Login to any of the Web Servers and move index.html• $ mv index.html index.html.2



8. Edit Virtual Server object and select Persistence using HTTP Cookie.

9. Browse again to the http://192.168.138.101 and check individual cookies. Is there anyone from that site?

» Cookie Name: FGTServer

10. As long as the cookie remains valid you will be always redirected to the same Web Server


April 18, 2023

Working with SIP ALG


How SIP ALG works


How the SIP ALP performs NAT

• Using NAT with SIP is more complex because of the IP addresses and media stream port numbers used in SIP message headers and bodies.

• The SIP ALG must translate the private network addresses in the SIP message to IP addresses and port numbers that are valid on the Internet.

• When the response message is sent back to the caller, the SIP ALG must translate these addresses back to valid private network addresses.

• The SIP ALG opens pinholes to accept these media sessions, using the information in the SIP messages to determine the pinholes to open. The ALG may also perform port translation on the media sessions.


SIP scenario source NAT:INVITE Request


SIP scenario source NAT:200 OK returned


SIP NAT Configuration Source NAT

Add Firewall Addresses:

config firewall address

edit Phone_A

set associated interface internal

set type ipmask

set subnet 10.31.101.20 255.255.255.255

next

edit Phone_B

set associated interface wan1

set type ipmask

set subnet 172.20.120.30 255.255.255.255

end


SIP NAT Configuration Source NAT

Add Security Policies:config firewall policy

edit 0

set srcintf internal

set dstintf wan1

set srcaddr Phone_A

set dstaddr Phone_B

set action accept

set schedule always

set service SIP

set nat enable

set utm-status enable

set profile-protocol-options default

set voip-profile default

next edit 0

set srcintf wan1

set dstintf internal

set srcaddr Phone_B

set dstaddr Phone_A

set action accept

set schedule always

set service SIP

set nat enable




end


SIP scenario destination NAT: INVITE request


SIP scenario destination NAT: 200 OK Returned


SIP NAT Configuration Destination NAT

Add SIP Proxy Server Virtual IP and Firewall Addresses:config firewall vip

edit SIP_Proxy_VIP

set type static-nat

set extip 172.20.120.50

set mappedip 10.31.101.50

set extintf port1

end

config firewall address

edit SIP_Proxy_Server

set associated interface port2

set type ipmask

set subnet 10.31.101.50 255.255.255.255

end


SIP NAT Configuration Destination NAT

Add Security Policies:config firewall policy

edit 0

set srcintf port1

set dstintf port2

set srcaddr all

set dstaddr SIP_Proxy_VIP

set action accept

set schedule always

set service SIP

set nat enable




end

config firewall policy

edit 0

set srcintf port2

set dstintf port1

set srcaddr SIP_Proxy_Server

set dstaddr all

set action accept

set schedule always

set service SIP

set nat enable




end


April 18, 2023

Sneak Peek on IPv6 with FortiOS 5.0


• Typical scenario

• Well-known prefix [RFC 6052]: 64:ff9b::/96• e.g. 172.20.120.12 >> 64:ff9b::ac14:ac0c /96

NAT64


• For IPv6 initialized traffic to a IPv4 networkThat is, traffic flows using firewall policy with

• Src IPv6 address• Dest IPv4 address

• NAT64 implemented with• config system nat64 to set prefix (1 per Vdom)• config firewall policy64 for the forwarding policy

• Currently CLI only

IPv6 NAT for IPv4 Connectivity


• IPv6 prefix setting (per Vdom)config system nat64 set status [disable*|enable] set ipv6prefix <::/96> //default 64:FF9B::/96 set always-synthetize-aaaa-record [disable*|enable]end

• Forwarding policyconfig firewall policy64 edit 1 set srcintf "port1" set dstintf "port4" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ANY" nextend

NAT64 Configuration

IPv6 network interface

Dest. IPv4 interface


• NAT66 desired for:• Privacy reasons to obfuscate src IPv6 address• Address independency (Move to another ISP)

• Can define NAT pool to specify address(es) instead of out-going interface’s address

• RFC 6296 for NAT66 –still EXPERIMENTAL status

IPv6 NAT for IPv6 Connectivity


• CLI only for now• New commandsconfig firewall policy6 edit <policy id> set nat [enable|disable*] set ippool [enable|disable*] set poolname <ippool6-name> nextend

config firewall ippool6 edit <ippool6 name> set name <ip pool's name> set endip <ip6 addr> set startip <ip6 addr> nextend

NAT66 Configuration

Optional

Optional


Thank YouObrigadoGracias

John León – SE Andean Region

[email protected]

Marcelo Mayorga – Mgr., System Engineering CALA

[email protected]

201204 xtreme team 2012 fortigate advanced nat mmayorga jleon en v3 - copia

Documents