3.2 Network Address Translation
Key Takeaways
- Source NAT (SNAT) rewrites the source address of outbound traffic; destination NAT (DNAT) rewrites the destination address of inbound traffic.
- Firewall-policy NAT configures translation inside each ACCEPT policy, while central NAT manages SNAT and DNAT in separate, independent rule tables.
- IP pools provide the translated source addresses for SNAT and come in overload, one-to-one, fixed-port-range, and port-block-allocation types.
- A virtual IP (VIP) is the standard DNAT object on FortiGate, mapping an external address (and optional port) to an internal server for port forwarding.
- With central NAT, a DNAT/VIP entry can influence which firewall policy a session matches because the destination is translated before policy lookup.
Why NAT Matters
Network Address Translation (NAT) rewrites IP address information in packet headers as they pass through FortiGate. NAT allows many private hosts to share a few public addresses, hides internal addressing, and lets external users reach internal servers. NSE 4 expects you to identify the right NAT type for a scenario and to understand how NAT and firewall policies interact.
Source NAT vs. Destination NAT
There are two directions of translation:
| | Source NAT (SNAT) | Destination NAT (DNAT) |
|---|---|---|
| What it rewrites | The source address | The destination address |
| Typical direction | Outbound (internal to internet) | Inbound (internet to internal) |
| Common use | Many internal hosts share a public IP | Publish an internal server to the internet |
| FortiGate object | NAT enabled in policy, or central SNAT rule; uses an IP pool | Virtual IP (VIP) |
A classic example: internal users on 192.168.1.0/24 browsing the internet have their source addresses SNATed to the FortiGate WAN IP. A web server at 10.0.0.10 is published with a VIP so that traffic to the public address is DNATed to the internal server.
Two NAT Modes: Firewall-Policy NAT vs. Central NAT
FortiOS 7.6 supports two mutually exclusive NAT modes per VDOM; the mode you choose determines where NAT is configured.
Firewall-Policy NAT (per-policy NAT)
This is the default mode. NAT is configured inside each firewall policy:
- Each ACCEPT policy has a NAT toggle for SNAT.
- SNAT uses the outgoing interface address or a selected IP pool.
- DNAT is handled separately by adding a VIP as the policy destination.
- NAT behavior is therefore tied to the policy that accepts the traffic.
Central NAT
Central NAT moves translation into two dedicated rule tables, independent of firewall policies:
- Central SNAT — an ordered table of source NAT rules.
- DNAT & Virtual IPs — VIP objects that are applied centrally.
With central NAT, firewall policies decide whether traffic is allowed, and the central NAT tables decide how it is translated. This separation is the key benefit: NAT rules are managed in one place and not duplicated across many policies.
Central NAT vs. Policy NAT — Comparison
| Aspect | Firewall-Policy NAT | Central NAT |
|---|---|---|
| Default mode | Yes | No (must be enabled) |
| Where SNAT is configured | NAT toggle inside each firewall policy | Central SNAT rule table |
| Where DNAT is configured | VIP used as the policy destination | Central DNAT & Virtual IPs table |
| Rule management | Per policy — can be repetitive | Centralized, ordered tables |
| Best suited for | Smaller or simple deployments | Large deployments with many policies |
| Match order for SNAT | Follows the firewall policy that accepts traffic | Top-down through the central SNAT table |
Switching modes is disruptive: when you change NAT mode, existing NAT configuration does not automatically migrate, so plan the change during a maintenance window.
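As an added example (not part of the original guide), the central NAT layout described above in FortiOS CLI: the firewall policy only permits the traffic, and a separate central SNAT rule translates it. The interface names port2 and wan1, the LAN address object and the 203.0.113.0/24 pool address are assumed placeholders, and lines starting with # are explanatory comments.

```fortios
# Enable central NAT for this VDOM (existing per-policy NAT settings are not migrated)
config system settings
    set central-nat enable
end
config firewall address
    edit "LAN-192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall ippool
    edit "pool-overload"
        set type overload
        set startip 203.0.113.20
        set endip 203.0.113.20
    next
end
# Central SNAT table: evaluated top-down, independently of the policy table
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "wan1"
        set orig-addr "LAN-192.168.1.0"
        set dst-addr "all"
        set nat enable
        set nat-ippool "pool-overload"
    next
end
# The policy decides only whether the traffic is allowed; it carries no NAT toggle here
config firewall policy
    edit 0
        set name "LAN-to-Internet"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "LAN-192.168.1.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```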
IP Pools
An IP pool is a set of addresses FortiGate uses as the translated source address for SNAT. Instead of always translating to the egress interface IP, an IP pool lets you choose which public addresses outbound traffic uses. FortiOS 7.6 supports four IP pool types:
- Overload — the default; many internal hosts share pool addresses, with source ports rewritten (PAT). This is the most scalable type.
- One-to-One — each internal address maps to a single pool address, with no port translation. Useful when an application cannot tolerate port rewriting.
- Fixed Port Range — maps an internal IP range to an external IP range and preserves a fixed source-port range, useful for applications sensitive to ports.
- Port Block Allocation (PBA) — assigns each internal client a fixed block of ports, which simplifies carrier-grade logging and traceability.
Virtual IPs and Port Forwarding
A virtual IP (VIP) is the FortiGate object that performs destination NAT. A VIP maps an external IP address (typically a public address reachable on the WAN) to an internal (mapped) IP address.
VIPs work in two ways:
- Static NAT VIP — translates the full external address to the internal address for all ports.
- Port forwarding VIP — enable Port Forwarding so only a specific external port maps to an internal port. For example, external TCP/8080 can be forwarded to an internal web server on TCP/80. This lets several internal services share one public IP on different ports.
To publish a server you need two things: the VIP object and a firewall policy that uses the VIP as its destination with action ACCEPT. The VIP alone does not allow traffic; the policy still has to permit it.
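As an added example (not from the original guide), the TCP/8080 to TCP/80 port-forwarding VIP described above together with the ACCEPT policy that references it, in firewall-policy NAT mode. The public address 203.0.113.10, the interface names wan1 and port3 and the VIP name are assumed placeholders, and lines starting with # are explanatory comments.

```fortios
# Port-forwarding VIP: public 203.0.113.10:8080 is DNATed to 10.0.0.10:80
config firewall vip
    edit "vip-web-8080"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.0.0.10"
        set protocol tcp
        set extport 8080
        set mappedport 80
    next
end
# The policy references the VIP object, not 10.0.0.10, as its destination.
# Without this ACCEPT policy the VIP alone passes no traffic.
config firewall policy
    edit 0
        set name "Publish-Web"
        set srcintf "wan1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "vip-web-8080"
        set action accept
        set schedule "always"
        # the VIP already scopes this policy to TCP/8080 arriving on the external IP
        set service "ALL"
        # no SNAT on inbound traffic, so the server and its logs see the real client IP
        set nat disable
        set logtraffic all
    next
end
```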
How NAT Interacts with Policy Matching
The interaction between DNAT and policy matching is a frequent exam trap. The rule to remember: destination NAT is evaluated before the firewall policy lookup for the destination match.
- For a VIP, FortiGate matches the firewall policy using the VIP object as the destination (you reference the VIP, not the internal address, in the policy).
- The route lookup that selects the outgoing interface uses the translated (internal) destination address, because that is where the packet is actually going.
- Source NAT does not affect which policy is matched — SNAT is applied after the policy is selected, as part of the accept action.
So DNAT can change which policy and route apply, while SNAT only changes the packet after the policy decision is made.
Review Questions
- What is the primary difference between source NAT (SNAT) and destination NAT (DNAT) on a FortiGate?
- In FortiOS 7.6, what is a key benefit of central NAT over firewall-policy (per-policy) NAT?
- An administrator publishes an internal web server using a virtual IP (VIP). Which statement about policy matching is correct?