Setting CNAT in the Global ADOM

Author
aagrafi
Gold Member
2018/01/18 06:36:43 (permalink)
0

Setting CNAT in the Global ADOM

Hello,
I tried to set a new Global policy package (or even edit the default one) and I noticed that FMG did not give me any option to set the CNAT policy (the Admin Guide says that it should). Then I created a policy package inside a certain ADOM, but when I changed the CNAT settings, I got the error "Global adom package CNAT is not consistent with local adom package CNAT"
 
I got a similar error when I tried to change the inspection mode from flow to proxy.
 
Do you know how I can set the NAT or the inspection mode, so that there is no conflict between the Global ADOM and a certain ADOM? Furthermore, when I have multiple ADOMs, some with CNAT, others without CNAT, some in proxy mode, others in flow mode, how can I coordinate each ADOM's settings with the Global ADOM settings?
 
Finally, it seems that in FMG 5.6 the Global ADOM refers to 5.6 also. Can we have multiple Global ADOMs, each one for every f/w version? Does this functionality make any sense at all?
 
Thanks
Andreas
#1
chall_FTNT
skyhigh
Re: Setting CNAT in the Global ADOM 2018/01/18 10:06:55 (permalink) (marked helpful by aagrafi 2018/01/22 01:21:01)
0
> I got the error "Global adom package CNAT is not consistent with local adom package CNAT"
 
Currently, central NAT cannot be used with global policy packages (at the global level) as you discovered.  Consequently, central NAT should not be enabled in any ADOMs to which global policy packages will be assigned.
 
> Finally, it seems that in FMG 5.6 the Global ADOM refers to 5.6 also. Can we have multiple Global ADOMs, each one for every f/w version? Does this functionality make any sense at all?

In FMG 5.6.1, global version 5.4 can support ADOMs with versions 5.4 & 5.6.  There is only ever 1 global "ADOM".  Global version 5.6 will ONLY support ADOMs with version 5.6
#2
chall_FTNT
skyhigh
Re: Setting CNAT in the Global ADOM 2018/01/18 10:25:01 (permalink)
0
> I noticed that FMG did not give me any option to set the CNAT policy (the Admin Guide says that it should).
 
Thanks for alerting us to this documentation error.  We will correct it since global policy packages do not have this option.
#3
aagrafi
Gold Member
Re: Setting CNAT in the Global ADOM 2018/01/22 01:32:21 (permalink)
0
Thanks a lot for your reply.
 
There is still one thing in your answer that needs to be confirmed: I understand that CNAT is not supported when global policy packages are used. Consequently, if we don't use global policy packages, then we can do CNAT, right? Otherwise this would mean that we cannot do policy mode and NAT with the FMG.
#4
aagrafi
Gold Member
Re: Setting CNAT in the Global ADOM 2018/01/26 05:46:41 (permalink)
0
I noticed the same problem when trying to create a policy package in proxy inspection mode (Global adom package inspection mode is not consistent with local adom package inspection mode).
 
I'm totally confused about what the inspection mode is in the global ADOM and the other ADOMs. I noticed the following inside the ADOM:
1. The policy package I imported from a device, appears to be in proxy inspection (and works fine, seems there is no conflict with the global database).
2. The default package for this ADOM appears to be in flow inspection.
3. All policy packages I create inside this ADOM cannot be in proxy mode.
4. When I unassign the ADOM from the global database, I can create proxy inspection policy packages inside the ADOM (it looks like the global database is in flow inspection mode and cannot be changed to proxy).
 
Can somebody explain to me how the global database thing works in terms of inspection mode? What I have seen so far discourages me from using the global database...
 
Thanks
#5
brazz_FTNT
Bronze Member
Re: Setting CNAT in the Global ADOM 2018/02/23 14:22:39 (permalink) (marked helpful by chall_FTNT 2018/02/26 09:09:28)
5 (2)
Hey Team,

I would like to bring this point to your attention:
In FMG, using
execute fmpolicy print-adom-package Global <package ID> 1103
will show us, for example, something like the below:

+++++++++++++++++++++++++++++++++++++++++++++++++++++
config policy package settings
set fwpolicy-implicit-log disable
set fwpolicy6-implicit-log disable
set checksum "1519420176-1929618009"
set central-nat disable

set inspection-mode flow<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

set ngfw-mode profile-based
set ssl-ssh-profile ""
end
+++++++++++++++++++++++++++++++++++++++++++++++++++++

In this example, I just created a global policy rule and then assigned it to the target ADOM.
It is complaining "Assigning global policy package default to adom TEST failed"
In order to modify the mode of the global PP, I just created the script below and ran it against the Global PP.
Global ADOM--->Object Configuration--->Tools---> Display Options--->Advanced--->Scripts ((need to be selected))--->Create--->run(right Click)
++++++++++++++++++++++++++++++++++++++++++++++++
config policy package settings
set inspection-mode proxy
end
++++++++++++++++++++++++++++++++++++++++++++++++

Please see the results after running the script:
FMG-VM64 # execute fmpolicy print-adom-package Global 1166 1103
Dump all objects for category [policy package settings] in adom [Global] package [1166]:
---------------
config policy package settings
set fwpolicy-implicit-log disable
set fwpolicy6-implicit-log disable
set checksum "1519423955-254522136"
set central-nat disable
set inspection-mode proxy<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
set ngfw-mode profile-based
set ssl-ssh-profile ""
end

++++++++++++++++++++++++++++++++++++++++++++++++++++++

Let me know if you found this one useful.
Cheers
post edited by brazz@fortinet.com - 2018/02/23 14:33:28

#6
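The thread shows two settings that FMG refuses to reconcile when a global policy package is assigned to an ADOM: central-nat and inspection-mode, both visible in the "policy package settings" block that `execute fmpolicy print-adom-package <ADOM> <package ID> 1103` dumps. The following is an added example, not code from the thread or from Fortinet: a small Python script that parses that dump for the global package and for a local ADOM package and reports the mismatches before you hit "Assigning global policy package ... failed". The dump format is copied from the post above; the local ADOM dump, its package ID 1200 and its checksum are constructed, and the choice to flag only central-nat and inspection-mode (not ngfw-mode) is an assumption based on the two error strings quoted in this thread.

```python
"""Pre-assignment consistency check for a FortiManager global policy package.

Added example (not from the thread or from Fortinet). It parses the text that
`execute fmpolicy print-adom-package <ADOM> <package ID> 1103` prints and
compares the global package against a local ADOM package on the settings this
thread shows FMG refusing to reconcile: central-nat and inspection-mode.
"""
import re

# Settings that must agree between global and local package, per the error
# strings quoted in the thread. Assumption: ngfw-mode is not a blocker.
CHECKED_SETTINGS = ("central-nat", "inspection-mode")
LABELS = {"central-nat": "CNAT", "inspection-mode": "inspection mode"}

SETTINGS_BLOCK_RE = re.compile(
    r"config policy package settings\s*\n(?P<body>.*?)\nend", re.DOTALL
)
# Value is either a quoted string or a bare token; the bare token stops at '<'
# so a dump pasted with the "<<<<<<" marker from the post still parses.
SET_LINE_RE = re.compile(r'^\s*set\s+(?P<key>[\w-]+)\s+(?P<value>"[^"]*"|[^\s<]+)')


def parse_package_settings(output: str) -> dict:
    """Return {key: value} from the 'policy package settings' block of a dump.

    Raises ValueError when the block is absent, so a mistyped package ID or a
    failed command is never silently treated as 'everything matches'.
    """
    m = SETTINGS_BLOCK_RE.search(output)
    if m is None:
        raise ValueError("no 'config policy package settings' block in output")
    settings = {}
    for line in m.group("body").splitlines():
        lm = SET_LINE_RE.match(line)
        if lm:
            settings[lm.group("key")] = lm.group("value").strip('"')
    return settings


def check_assignment(global_settings: dict, local_settings: dict) -> list:
    """List the conflicts that would make assigning the global package fail.

    Messages mirror the wording FMG used in this thread, e.g.
    'Global adom package CNAT is not consistent with local adom package CNAT'.
    """
    problems = []
    for key in CHECKED_SETTINGS:
        g, l = global_settings.get(key), local_settings.get(key)
        if g != l:
            problems.append(
                f"Global adom package {LABELS[key]} ({g}) is not consistent "
                f"with local adom package {LABELS[key]} ({l})"
            )
    # Central NAT is not supported with global policy packages at all (#2),
    # so a local package with central-nat enabled is a blocker on its own.
    if local_settings.get("central-nat") == "enable":
        problems.append("local adom package has central-nat enabled; central NAT "
                        "is not supported with global policy packages")
    return problems


# Global dump, in the format shown in the post above (values from the post).
GLOBAL_DUMP = """\
FMG-VM64 # execute fmpolicy print-adom-package Global 1166 1103
Dump all objects for category [policy package settings] in adom [Global] package [1166]:
---------------
config policy package settings
set fwpolicy-implicit-log disable
set fwpolicy6-implicit-log disable
set checksum "1519423955-254522136"
set central-nat disable
set inspection-mode proxy
set ngfw-mode profile-based
set ssl-ssh-profile ""
end
"""

# Constructed local ADOM dump: package ID 1200 and checksum are made up.
LOCAL_DUMP = """\
FMG-VM64 # execute fmpolicy print-adom-package TEST 1200 1103
Dump all objects for category [policy package settings] in adom [TEST] package [1200]:
---------------
config policy package settings
set fwpolicy-implicit-log disable
set fwpolicy6-implicit-log disable
set checksum "1519424000-100000001"
set central-nat enable
set inspection-mode flow<<<<<<<<<<<<<<<<<<<<
set ngfw-mode profile-based
set ssl-ssh-profile ""
end
"""


def demo() -> list:
    """Run the check on the two sample dumps and return the problem list."""
    return check_assignment(parse_package_settings(GLOBAL_DUMP),
                            parse_package_settings(LOCAL_DUMP))


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run it against the real output of the two `print-adom-package` commands (global package and the ADOM's package) before assigning; an empty list means the two settings the thread complains about already agree, and the fix for a mismatch is the script brazz posted (change the global package's inspection mode) or disabling central NAT in the local package.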
apex
Bronze Member
Re: Setting CNAT in the Global ADOM 2018/03/01 13:57:53 (permalink)
0
Awesome, many thanks.
The script above helped 
 
cheers
#7
neonbit
Expert Member
Re: Setting CNAT in the Global ADOM 2018/03/08 03:01:04 (permalink)
0
Helped me too! Thanks brazz.
#8