Fortigate 80C - If in NAT operating mode why have additional NAT option in a firewall policy?

Posted on 2010-11-18
Last Modified: 2012-05-10
Just setting up a Fortigate 80C.  It is running in NAT mode.
When creating firewall policies, I see that there is an option to select "NAT".

Bearing in mind that the router is already in NAT mode, so...
Why would this NAT option exist when creating a firewall policy?
What is the significance of this option in a firewall policy as opposed to the router's primary operating mode?
The NAT option is there for inbound policies as well, but why would I want to NAT inbound traffic?

Please enlighten me o great ones!
Question by: blokeman

Accepted Solution

askitgetit earned 250 total points
ID: 34170696

When the Fortigate is in NAT/Route mode, it means you can configure the box for NATing and routing.

You can use the NAT option to do source NAT. If you do not choose NAT, the internal or external source address remains the same.

When you send traffic from the inside, from a private range, it can be NATed to a public IP. Also, if needed, traffic coming from the outside can have its address changed to the required IP.

So this option is needed very much :)


Assisted Solution

iworks-uworks earned 250 total points
ID: 34173231
The two modes that the Fortigate can operate in are NAT and Transparent. This is just how the unit will function. In Transparent mode you can place the Fortigate between an existing firewall and your LAN and still scan traffic without any reconfiguring. The other option, NAT, is more likely what most people will be using it for. The interfaces are named to help people keep them straight, but you can have your internet connection come in through the DMZ and make your LAN the WAN1 port. For this reason, the Fortigate does not restrict which policies can have NAT enabled, as it only sees the interface and doesn't care about what it's named. Hope that helps.
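To make the two answers above concrete, here is an added FortiOS CLI example (not taken from the original thread or from Fortinet documentation). It assumes a unit already in NAT/Route mode with interfaces named "internal", "dmz" and "wan1"; the interface names, addresses (RFC 5737 / RFC 1918 ranges) and the VIP name are constructed for illustration. Only the policies whose traffic leaves toward the internet carry `set nat enable`; the internal-to-DMZ policy leaves it disabled so the private source address is preserved, and the inbound port-forward policy relies on the VIP for destination translation without source NAT, so the server's logs still show the real client address.

```fortios
config firewall vip
    edit "web-server-vip"
        set comment "Constructed example: forward TCP/443 on wan1 to an internal host"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip 192.168.1.10
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    edit 1
        set comments "LAN to internet: private sources must be hidden behind the wan1 address"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set comments "LAN to DMZ: both sides are routable internally, so no address change"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 3
        set comments "Internet to LAN: the VIP translates the destination; source NAT stays off"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-server-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
    next
end
```

Policy 3 is the answer to the inbound question in this thread: turning `nat` on there would additionally rewrite each client's source address to the firewall's internal interface address, which is only wanted when the internal server cannot route back to the client or must not see the original address. Leaving it off keeps the client IP visible to the server, which matters for access logging and incident investigation.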

Author Comment

ID: 34178123
I understand what NAT is, that is not the problem. I guess I am thinking from the perspective of configuring simple, two-interface SOHO ADSL routers which have NAT enabled by default, and no option to turn it on in a firewall policy. Applying this experience to the Fortigate 80C, I thought that if it was running in NAT mode, then NAT was ON (like a SOHO router), and so it looked strange that I had the option to enable it in all my outbound firewall policies.

Eureka moment!...
From your comments, it makes sense now that the option to NAT is there because, in a multi-interface router, as opposed to a dual-interface SOHO ADSL router, NAT would not be required on all interfaces. For example, routing between two internal LANs would likely not need NAT, but LAN --> internet traffic would. Correct?

The predominant use of NAT is then for LAN --> internet traffic, so in the case of Internet --> LAN firewall policies, besides a port forwarding scenario, does NAT ever need to be enabled?

Expert Comment

ID: 34186260

Basically, NAT is required when you need to proxy/hide your original IP.

NAT is used for port translation as well as IP translation.
