Fortigate 80C - If in NAT operating mode why have additional NAT option in a firewall policy?

Posted on 2010-11-18
Last Modified: 2012-05-10
Just setting up a Fortigate 80C.  It is running in NAT mode.
When creating firewall policies, I see that there is an option to select "NAT".

Bearing in mind that the router is already in NAT mode, so...
Why would this NAT option exist when creating a firewall policy?
What is the significance of this option in a firewall policy as opposed to the router's primary operating mode?
The NAT option is there for inbound policies as well, but why would I want to NAT inbound traffic?

Please enlighten me o great ones!
Question by:blokeman
  • 2

Accepted Solution

askitgetit earned 250 total points
Comment Utility

When Fortigate is in NAT/Route mode, it means you can configure the box for NATing and Routing

You can use the NAT option to do Source NAT. If you are not choosing NAT the internal or external source address would remain same.

When you send a traffic from inside from private range this can be NATed with public IP. Also if any traffic coming from external if needed you can change it with required IP

So this option is needed very much :)


Assisted Solution

iworks-uworks earned 250 total points
Comment Utility
The two modes that the Fortigate can operate in are NAT and Transparent. This is just how the unit will function. In Transparent mode you can place the fortigate between an existing firewall and your lan and still scan traffic without any reconfiguring. The other option of NAT is more likely what most people will be using it for. The interfaces are named to help people keep them straight, but you you can have your internet connection come in through the DMZ and make your LAN the WAN1 port. For this reason, the Fortigate does not restrict what policies can have NAT enabled, as it only sees the interface and doesn't care about what it's named. Hope that helps.

Author Comment

Comment Utility
I understand what NAT is, that is not the problem. I guess I am thinking from the perspective of configuring simple, two interface, SOHO adsl routers which have NAT enabled by default, and no option to turn it on in a firewall policy.  Applying this experience to the Fortigate 80C I thought that if it was running in NAT mode, then NAT was ON (like a SOHO router) and so it looked strange that I had the option to enable it in all my outbound firewall policies.

Eureka momnent!...
From your comments, it makes sense now that the option to NAT is there because, in a multi-interface router, as opposed to a dual interface SOHO ADSL router, NAT would not be required on all intefaces, for example routing between two internal LANs would likely not need NAT, but LAN --> internet traffic would.  Correct?

The predominant use of NAT is then for  LAN --> internet traffic, so in the case of Internet --> LAN firewall policies, besides a port forwarding scenario, does NAT ever need to be enabled?

Expert Comment

Comment Utility

Basically NAT is required when you need to proxy/hide your original IP.

NAT would use in port translation as well as IP translation


Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
cisco ubr7200 problem with  interface Wideband-Cable 1 11
Enterasys QoS setup 2 32
Routing VLANs 5 44
Failover VDSL Modems 3 21
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now