[FortiGate] How to configure NAT

Work environment

  • FortiGate 60E
    • version 7.0.2

NAT settings in FortiGate

On FortiGate, NAT is configured as part of each firewall policy rather than as a separate NAT table.

The translated IP address can be any of the following:

  • Outgoing interface IP address (used for source NAT)
  • IP Pool (used for source NAT)
  • Virtual IP (used for destination NAT)

If the Central SNAT feature is enabled, source NAT is configured differently. Central SNAT is disabled by default, and this article assumes it is disabled.

Source NAT settings

Translation to the outbound interface IP address

In the GUI, these options are in the Firewall / Network Options section of the firewall policy edit screen.

Enable NAT and select Use Outgoing Interface Address under IP Pool Configuration.

When Preserve Source Port is enabled, the source port is left untranslated. With multiple clients behind the policy this can cause source-port conflicts, so disable it in that case.

In the CLI, configure the same settings in the edit block of the target policy under config firewall policy.

The correspondence between GUI and CLI setting items is as follows.

  • NAT —> NAT
  • IP Pool Configuration —> ippool
    • Set disable for Use Outgoing Interface Address.
  • Preserve Source Port —> fixedport

config firewall policy
    edit <n>
        set nat enable
        set ippool disable
        set fixedport disable
    next
end

Translation using IP Pool

First, create an IP Pool.

In the GUI, click Create New on the Policy & Objects > IP Pools screen.

The following screen will be displayed.

IP Pool Type

  • Overload
    • Port address translation (PAT) is performed in addition to IP address translation. Each IP has 60,416 usable port numbers, so the IP pool can handle 60,416 * (number of internal IP addresses) sessions.
  • One-to-One
    • An IP Pool that does not perform port address translation (PAT).
  • Fixed Port Range
    • PAT is performed. Specifying the Internal IP Range also determines the range of translated port numbers used by each internal IP.
  • Port Block Allocation
    • PAT is performed. You can manually set the block size (number of ports) and the number of blocks per user (IP).

IP Pool setting in CLI

Configure it under config firewall ippool.

FortiGate-60E # show full-configuration firewall ippool
config firewall ippool
    edit "Pool_Overload"
        set type overload
        set startip
        set endip
        set arp-reply enable
        set arp-intf ''
        set associated-interface ''
        set comments ''
        set nat64 disable
    next
end

NAT settings in Firewall Policy

Under IP Pool Configuration, select Use Dynamic IP Pool and choose the IP Pool to use from the list.

The equivalent CLI settings are as follows.

config firewall policy
    edit <n>
        set nat enable
        set ippool enable
        set poolname "Pool_Overload"
    next
end
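The policy and ippool settings above are easy to get wrong when there are many policies, so here is an added example (not from the original article or from Fortinet) that parses `show`-style output and flags NAT-enabled policies with Preserve Source Port (fixedport) enabled or a poolname that points to no configured IP pool. The configuration text, the function names parse_fortios and audit_snat, and the 203.0.113.x addresses are all constructed for this example.

```python
SAMPLE_CONFIG = """\
config firewall ippool
    edit "Pool_Overload"
        set startip 203.0.113.10
        set endip 203.0.113.11
    next
end
config firewall policy
    edit 1
        set nat enable
        set ippool enable
        set poolname "Pool_Missing"
        set fixedport enable
    next
    edit 2
        set nat enable
        set ippool enable
        set poolname "Pool_Overload"
    next
end
"""  # constructed sample in the 'show' format, not from a real device

def parse_fortios(text):
    # Nested config/edit/set blocks -> {table: {entry: {key: value}}}
    tables, table, entry = {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("config "):
            table = line[7:]
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = line[5:].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            tables[table][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
    return tables

def audit_snat(tables):
    # (policy_id, finding) pairs for NAT-enabled policies worth a second look
    pools = tables.get("firewall ippool", {})
    nat_policies = {k: v for k, v in tables.get("firewall policy", {}).items() if v.get("nat") == "enable"}
    findings = []
    for pid, p in nat_policies.items():
        if p.get("fixedport") == "enable":
            findings.append((pid, "fixedport enabled: source ports are not translated, so several clients can collide"))
        if p.get("ippool") == "enable" and p.get("poolname") not in pools:
            findings.append((pid, "poolname %r is not a configured IP pool" % p.get("poolname")))
    return findings
```

Run audit_snat(parse_fortios(text)) on the output of show full-configuration firewall ippool and show firewall policy concatenated together; policy 1 in the sample produces two findings and policy 2 none.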

NAT session confirmation command

get system session list

FortiGate-60E # get system session list

Reference: Policy with source NAT | Administration Guide

  1. Nguyen says:

    Hi, Thanks.

    You can write about VPN (site-to-site, client-to-site).
