- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Setting CNAT in the Global ADOM
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Setting CNAT in the Global ADOM
Hello,
I tried to set a new Global policy package (or even edit the default one) and I noticed that FMG did not give me any option to set the CNAT policy (the Admin Guide says that it should). Then I created a policy package inside a certain ADOM, but when I changed that CNAT settings, I got the error "Global adom package CNAT is not consistent with local adom package CNAT"
I got a similar error when tried to change the inspection mode from flow to proxy.
Do you know how can I set the NAT or the inspection mode, so that there is no conflict between the Global ADOM and a certain ADOM? Furthermore, when I have multiple ADOMs, others with CNAT, others without CNAT, others in proxy mode, others in flow mode, how can I coordinate each ADOM settings with the Global ADOM settings?
Finally, it seems that in FMG 5.6 the Global ADOM refers to 5.6 also. Can we have multiple Global ADOMs, each one for every f/w version? Does this functionality make any sense at all?
Thanks
Andreas
Solved! Go to Solution.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
> I got the error "Global adom package CNAT is not consistent with local adom package CNAT"
Currently, central NAT cannot be used with global policy packages (at the global level) as you discovered. Consequently, central NAT should not be enabled in any ADOMs to which global policy packages will be assigned.
> Finally, it seems that in FMG 5.6 the Global ADOM refers to 5.6 also. Can we have multiple Global ADOMs, each one for every f/w version? Does this functionality make any sense at all?
In FMG 5.6.1, global version 5.4 can support ADOMs with versions 5.4 & 5.6. There is only ever 1 global "ADOM". Global version 5.6 will ONLY support ADOMs with version 5.6
Chris Hall
Fortinet Technical Support
Fortinet Technical Support
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Team,
I would like to bring this point to your attention:
In FMG, using execute fmpolicy print-adom-package Global <package ID> 1103
Will show us ,for example,something like below:
+++++++++++++++++++++++++++++++++++++++++++++++++++++ config policy package settings set fwpolicy-implicit-log disable set fwpolicy6-implicit-log disable set checksum "1519420176-1929618009" set central-nat disable
set inspection-mode flow<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
set ngfw-mode profile-based set ssl-ssh-profile ""
end
+++++++++++++++++++++++++++++++++++++++++++++++++++++
In this example, I just created global policy rule and then I assigned it to the target ADOM .
It is complaining "Assigning global policy package default to adom TEST failed"
In order to modify the mode of global PP, I just created below scripts and ran it against the Global PP. Global ADOM--->Object Configuration--->Tools---> Display Options--->Advanced--->Scripts ((need to be selected))--->Create--->run(right Click)
++++++++++++++++++++++++++++++++++++++++++++++++ config policy package settings set inspection-mode proxy end ++++++++++++++++++++++++++++++++++++++++++++++++
Please see the results after running the scrips:
FMG-VM64 # execute fmpolicy print-adom-package Global 1166 1103 Dump all objects for category [policy package settings] in adom [Global] package [1166]: --------------- config policy package settings set fwpolicy-implicit-log disable set fwpolicy6-implicit-log disable set checksum "1519423955-254522136" set central-nat disable set inspection-mode proxy<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< set ngfw-mode profile-based set ssl-ssh-profile ""
end
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Let me know if you found this one useful.
Cheers
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
> I got the error "Global adom package CNAT is not consistent with local adom package CNAT"
Currently, central NAT cannot be used with global policy packages (at the global level) as you discovered. Consequently, central NAT should not be enabled in any ADOMs to which global policy packages will be assigned.
> Finally, it seems that in FMG 5.6 the Global ADOM refers to 5.6 also. Can we have multiple Global ADOMs, each one for every f/w version? Does this functionality make any sense at all?
In FMG 5.6.1, global version 5.4 can support ADOMs with versions 5.4 & 5.6. There is only ever 1 global "ADOM". Global version 5.6 will ONLY support ADOMs with version 5.6
Chris Hall
Fortinet Technical Support
Fortinet Technical Support
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
> I noticed that FMG did not give me any option to set the CNAT policy (the Admin Guide says that it should).
Thanks for alerting us to this documentation error. We will correct it since global policy packages do not have this option.
Chris Hall
Fortinet Technical Support
Fortinet Technical Support
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot for your reply.
There is still one thing in your answer that needs to be confirmed: I understand that CNAT is not supported when global policy packages are used. Consequently, if we don't use global policy packages, then we can do CNAT, right? Otherwise this would mean that we cannot do policy mode and NAT with the FMG.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I noticed the same problem when trying to create a policy package in proxy inspection mode (Global adom package inspection mode is not consistent with local adom package inspection mode).
I'm totally confused about what is the inspection mode in the global ADOM and the rest ADOMs.I noticed the following inside the ADOM:
1. The policy package I imported from a device, appears to be in proxy inspection (and works fine, seems there is no conflict with the global database).
2. The default package for this ADOM appears to be in flow inspection.
3. All policy packages I create inside this ADOM cannot be in proxy mode.
4. When I unassign the ADOM from the global database, I can create proxy inspection policy packages inside the ADOM (it looks like the global database is in flow inspection mode and cannot be changed to proxy).
Can somebody explain me how the global database thing works in terms of inspection mode? What I have seen so far discourage me in using the global database...
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Team,
I would like to bring this point to your attention:
In FMG, using execute fmpolicy print-adom-package Global <package ID> 1103
Will show us ,for example,something like below:
+++++++++++++++++++++++++++++++++++++++++++++++++++++ config policy package settings set fwpolicy-implicit-log disable set fwpolicy6-implicit-log disable set checksum "1519420176-1929618009" set central-nat disable
set inspection-mode flow<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
set ngfw-mode profile-based set ssl-ssh-profile ""
end
+++++++++++++++++++++++++++++++++++++++++++++++++++++
In this example, I just created global policy rule and then I assigned it to the target ADOM .
It is complaining "Assigning global policy package default to adom TEST failed"
In order to modify the mode of global PP, I just created below scripts and ran it against the Global PP. Global ADOM--->Object Configuration--->Tools---> Display Options--->Advanced--->Scripts ((need to be selected))--->Create--->run(right Click)
++++++++++++++++++++++++++++++++++++++++++++++++ config policy package settings set inspection-mode proxy end ++++++++++++++++++++++++++++++++++++++++++++++++
Please see the results after running the scrips:
FMG-VM64 # execute fmpolicy print-adom-package Global 1166 1103 Dump all objects for category [policy package settings] in adom [Global] package [1166]: --------------- config policy package settings set fwpolicy-implicit-log disable set fwpolicy6-implicit-log disable set checksum "1519423955-254522136" set central-nat disable set inspection-mode proxy<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< set ngfw-mode profile-based set ssl-ssh-profile ""
end
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Let me know if you found this one useful.
Cheers
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome, many thanks.
The script above helped 
cheers
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Helped me too! Thanks brazz.
Related Posts
- SSLVPN login fails before 7AM EDT 104 Views
- FortiManager ADOM GlobalDatabase How to Normalized... 297 Views
- Local account lockout policy - FortiGateRugged... 155 Views
- JASON API interact issue with FGM 186 Views
- What Can/Should Be Configured Outside of... 266 Views
Labels
-
FortiGate
6,496 -
FortiClient
1,297 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
331 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
FortiAuthenticator
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.