Fortinet FortiGate-100A Operating Instructions

01-28006-0068-20041105
Fortinet Inc.
Policy CLI configuration
Firewall
Address
You can add, edit, and delete firewall addresses as required. You can also organize 
related addresses into address groups to simplify policy creation.
A firewall address can be configured with a name, an IP address, and a netmask, or a 
name and IP address range. 
You can enter an IP address and netmask using the following formats.
• x.x.x.x/x.x.x.x, for example 64.198.45.0/255.255.255.0
• x.x.x.x/x, for example 64.195.45.0/24
You can enter an IP address range using the following formats.
• x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
• x.x.x.[x-x], for example 192.168.110.[100-120]
• x.x.x.*, for example 192.168.110.* to represent all addresses on the subnet
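The formats above can be normalised to inclusive ranges when auditing exported address objects, which exposes objects that cover the same addresses under different notations. The following is an added example, not code from the Fortinet documentation; the function and object names are hypothetical, and rejecting a netmask entry whose host bits are set is a choice made for this example.

```python
import ipaddress
import re

# Hypothetical helper names (not a FortiGate API). Each form listed above is
# normalised to an inclusive (first, last) pair of IPv4 addresses.
_BRACKET = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")
_WILDCARD = re.compile(r"^(\d+\.\d+\.\d+)\.\*$")


def parse_firewall_address(text):
    text = text.strip()
    ip = ipaddress.IPv4Address
    bracket, wildcard = _BRACKET.match(text), _WILDCARD.match(text)
    if bracket:                      # x.x.x.[x-x]
        base, lo, hi = bracket.groups()
        first, last = ip(f"{base}.{lo}"), ip(f"{base}.{hi}")
    elif wildcard:                   # x.x.x.*
        first, last = ip(wildcard.group(1) + ".0"), ip(wildcard.group(1) + ".255")
    elif "/" in text:                # x.x.x.x/x.x.x.x or x.x.x.x/x
        # Choice made for this example: reject entries with host bits set.
        net = ipaddress.IPv4Network(text, strict=True)
        first, last = net.network_address, net.broadcast_address
    elif "-" in text:                # x.x.x.x-x.x.x.x
        lo, hi = text.split("-", 1)
        first, last = ip(lo.strip()), ip(hi.strip())
    else:
        raise ValueError(f"unrecognised address format: {text!r}")
    if first > last:
        raise ValueError(f"range is reversed: {text!r}")
    return first, last


def duplicate_ranges(objects):
    """Return groups of object names that cover exactly the same addresses."""
    by_range = {}
    for name, text in objects.items():
        by_range.setdefault(parse_firewall_address(text), []).append(name)
    return [sorted(names) for names in by_range.values() if len(names) > 1]


# Constructed object names; the values reuse the format examples above, plus
# one constructed /24 entry to pair with the wildcard form.
SAMPLE = {
    "web_range": "192.168.110.100-192.168.110.120",
    "web_bracket": "192.168.110.[100-120]",
    "lab_any": "192.168.110.*",
    "lab_cidr": "192.168.110.0/24",
    "branch_mask": "64.198.45.0/255.255.255.0",
    "branch_cidr": "64.195.45.0/24",
}
```
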
This section describes:
firewall policy command keywords and variables

| Keywords and variables | Description | Default | Availability |
| --- | --- | --- | --- |
| natip <address_ipv4mask> | Configure natip for a firewall policy with action set to encrypt and with outbound NAT enabled. Specify the IP address and subnet mask to translate the source address of outgoing packets. Set natip for peer to peer VPNs to control outbound NAT IP address translation for outgoing VPN packets. If you do not use natip to translate IP addresses, the source addresses of outbound VPN packets are translated into the IP address of the FortiGate external interface. If you use natip, the FortiGate unit uses a static mapping scheme to translate the source addresses of VPN packets into corresponding IP addresses on the subnet that you specify. For example, if the source address in the encryption policy is 192.168.1.0/24 and the natip is 172.16.2.0/24, a source address of 192.168.1.7 will be translated to 172.16.2.7. | 0.0.0.0 0.0.0.0 | All models. Encrypt policy, with outbound NAT enabled. |