Traffic shaping a static NAT'd policy.
Hello,
Running into an issue with traffic shaping. It works fine on typical policies using outbound NAT etc. However we have a unique situation where shaper policies don't seem to apply at all to an inbound policy on our WAN2 with a static 1:1 NAT to a server host.
VIP setup -
Interface: WAN2
Type: Static NAT
External IP: x.x.x.x (Single IP in our external IP block)
Mapped IP: y.y.y.y (Internal LAN IP of the server receiving the static NAT.)
(No port forwarding or filters in place, 1:1 here only).
Policy setup using the above VIP -
Incoming interface: WAN2
Outgoing: Internal
Destination: <The VIP above>
Service: <single custom port>
NAT: Disabled (Static NAT done on the VIP only).
What I see in Fortiview is:
Source: <1 of 20,000 external IPs connecting to us>, Destination: <x.x.x.x> (our NAT'd external). (Repeated roughly 20K times.)
Fortiview sees little to no traffic to y.y.y.y, which is the internal IP of the server pumping TBs of upload through reverse inbound sessions (think reverse SSH tunnel here); this makes sense given the static 1:1 NAT. Per the above Fortiview observation, it's basically seeing all this bandwidth consumed in 20,000 individual sessions which read Source: WAN2 to Destination: WAN2...
Does shaping just not work with 1:1 NAT?
Should we try PNAT instead?
I suspect something simple, or that with the given configuration shaping is not possible. I've tried various combinations of shaping policies, from shared (preferred in this scenario) to per-IP using the single NAT'd IP x.x.x.x, to getting desperate and just doing a shaping policy reading "all to all, WAN2, <custom service port>", which still does not seem to limit this.
We have shaping on other outbound items which work fine.
No SDWAN in this scenario.