I'm currently doing the NSE4 training from Fortinet. I needed a better understanding of the concepts. Your video couldn't be better. Answered my questions on the why's of central nat. Thanks man.
Nicely explained. Thank you. You made it easy for me to understand.
Best video i could find to explain this, thanks!
There are definitely situations where you need Central SNAT. We have multiple interfaces that require outbound NATing and are in a zone; in this case Central SNAT is required. Great video, thanks.
It's a long time since this video was posted, but for people interested there are also 2 different modes in which the firewall can be 'run': profile mode and policy-based mode; profile mode is enabled by default.
If you enable policy-based mode, you will also have central NAT enabled by default. I'd recommend looking into it, not necessarily doing the switch; it depends on the needs of the environment, of course.
In terms of central NAT, I see no reason why you wouldn't want it enabled; having the possibility of doing NAT rules granularly can be a lifesaver in a hosted environment. Furthermore, the visual segmentation of having a dedicated view solely for NAT is also much appreciated. When an environment is big enough and several thousand policies are in place, central NAT is very convenient.
Why did you stop posting new videos? I just found your channel today and I am already in love with your way of teaching; couldn't find any better NSE4 videos.
Perfect. This cleared up things for me.
Pretty nice i like your explanation 😀
You just earned a sub, good explanation. I do have a question though (not just for you but for anyone reading these comments): what if I have a /30 public address from my ISP? That means 1 address is for the network, 1 for the WAN, 1 for the gateway and 1 for broadcast, leaving me with 0 available addresses, so in this case I cannot use IP pools unless I get a bigger subnet, correct? Thanks in advance.
Regarding SNAT: you mention that you can't configure the ports on the policies, but what about the One-to-one and Fixed Port Range options? (And Port Block Allocation?)
The only SNAT option where you can map port-to-port is Central SNAT. Using either Static or Dynamic does not give you that capability. More info on this can be found here:
docs.fortinet.com/document/fortigate/6.4.0/administration-guide/898655/static-snat
docs.fortinet.com/document/fortigate/6.4.0/administration-guide/29961/dynamic-snat
docs.fortinet.com/document/fortigate/6.4.0/administration-guide/421028/central-snat
Thanks - I didn't realise you were talking about port-to-port. I still have some figuring out to do, but thanks for the links!
@Carlandall I am still working on delivering a sharp message too :D Glad I could help!
Would it be worth it to do an update video/series, bringing this NSE4 series up to v7.2?
Absolutely spot on! nice!!
good video!!
Good explanation. I like and subscribe
What will happen if I enable Central SNAT while I already have firewall policies in place with NAT enabled? Is it safe in a production environment?
It is not safe in a production environment; it will discard previous NAT rules.
This concludes there is no point in using policy NAT when you have granular control and you are already familiar with central NATting.
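For readers following the two threads above (the reply that port-to-port mapping is only available with Central SNAT, and the question about switching an existing firewall over), here is an added example of what a central SNAT setup looks like in FortiOS CLI. It is not from the video or from any commenter. Interface names (port1 as WAN, port2 as LAN), the address object and pool names, and all IP addresses (RFC 5737 documentation ranges) are assumptions; the commands themselves are the documented `system settings`, `firewall ippool`, `firewall central-snat-map` and `firewall policy` objects.

```text
# Added example, not the video's or any commenter's configuration.
# Names and addresses below are placeholders: port1 = WAN, port2 = LAN,
# "lan-net" = 10.0.0.0/24 address object, "snat-pool" = IP pool,
# 203.0.113.10 = public address. Adjust to your environment.

# 1. Switch the VDOM to central NAT. Review every existing policy's NAT
#    setting first: after this, source NAT is decided only by the
#    central SNAT table, not by the "nat" flag on each policy.
config system settings
    set central-nat enable
end

# 2. A single public address used as a fixed-port-range pool, so each
#    internal host is tied to a predictable block of source ports.
#    (Fixed Port Range / PBA belong to the pool, not to the policy.)
config firewall ippool
    edit "snat-pool"
        set type fixed-port-range
        set startip 203.0.113.10
        set endip 203.0.113.10
        set source-startip 10.0.0.1
        set source-endip 10.0.0.254
    next
end

# 3. Central SNAT map: TCP from the LAN leaving via port1 with original
#    source ports 8080-8089 is translated to 203.0.113.10 with source
#    ports 80-89. This orig-port -> nat-port mapping is the port-to-port
#    capability that a plain policy with "set nat enable" does not offer.
config firewall central-snat-map
    edit 1
        set type ipv4
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "lan-net"
        set dst-addr "all"
        set protocol 6
        set orig-port 8080-8089
        set nat-ippool "snat-pool"
        set nat-port 80-89
        set nat enable
    next
end

# 4. The firewall policy only decides whether the traffic is allowed;
#    with central NAT on it carries no per-policy NAT option.
config firewall policy
    edit 10
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "lan-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# 5. Check the result: generate a TCP flow from a LAN host with source
#    port 8080 and look at the session table. The session line should
#    show act=snat with the translated tuple 203.0.113.10:80 in
#    parentheses; if it shows act=noop, no SNAT rule matched.
diagnose sys session filter clear
diagnose sys session filter src 10.0.0.5
diagnose sys session filter proto 6
diagnose sys session list
```

The order of the central SNAT table matters in the same way as the policy table: the first matching entry wins, so put narrow port-specific entries above broad catch-all ones. For the /30 question earlier in the thread, note that step 2 uses a pool of a single address, which is the one case where an IP pool still works without a larger subnet: the pool address can be the WAN interface's own address, with the source ports doing the multiplexing.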
If you're coming from a vendor that only does central NAT, then this gives you the option to stick with a familiar NATing setup.
While CNAT gives more granular control, it can be viewed as a more complicated management scenario (IMO).
Good one.
THANKS
Tks.
Forti Cloud Demo
th-cam.com/video/i0-REYHRURw/w-d-xo.html