This article describes the case where the policy lookup matches the implicit deny policy and no explicit policy exists from the source interface 'src-interface' to the destination interface 'dst-interface', as determined by a route lookup to 'x.x.x.x'.
Traffic coming from source IP 172.x.x.x should reach IP 10.x.x.x and be NATed to 192.x.x.x.
Run a debug to see whether the traffic is hitting the policy (in this scenario, the traffic did not hit the correct firewall policy).
Check if there are multiple VIPs configured with the same destination IP.
Solution: Remove the duplicate VIP.
Note: If a Virtual IP (VIP) is configured and the destination IP matches the VIP, FortiGate will apply the VIP policy (if one is configured for the VIP).
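One way to run the duplicate-VIP check offline against saved `show firewall vip` output. This is an added example, not Fortinet code; the VIP names and addresses in the sample are constructed, and it assumes each `extip` is a single address compared by exact match (ranges are not expanded).

```python
from collections import defaultdict
# Constructed sample of `show firewall vip` output; names and addresses are made up.
SAMPLE_CONFIG = """
config firewall vip
    edit "vip-app"
        set extip 10.0.0.10
        set mappedip "192.168.1.20"
    next
    edit "vip-app-old"
        set extip 10.0.0.10
        set mappedip "192.168.1.99"
    next
    edit "vip-mail"
        set extip 10.0.0.11
        set mappedip "192.168.1.25"
    next
end
"""

def parse_vips(config_text):
    """Return {vip_name: {setting: value}} for each entry under 'config firewall vip'."""
    vips, name, in_block, depth = {}, None, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall vip":
            in_block, name = True, None
        elif not in_block:
            continue
        elif line.startswith("config "):      # nested table inside a VIP entry
            depth += 1
        elif line == "end":                   # closes a nested table, or the VIP table itself
            in_block, depth = depth > 0, max(depth - 1, 0)
        elif depth == 0 and line.startswith("edit "):
            name = line[5:].strip().strip('"')
            vips[name] = {}
        elif depth == 0 and name and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            vips[name][key] = value.strip().strip('"')
    return vips

def duplicate_extips(vips):
    """Return {extip: [vip names]} for every external IP used by more than one VIP."""
    by_ip = defaultdict(list)
    for name, settings in vips.items():
        by_ip[settings.get("extip")].append(name)
    return {ip: names for ip, names in by_ip.items() if ip and len(names) > 1}

for ip, names in duplicate_extips(parse_vips(SAMPLE_CONFIG)).items():
    print(f"extip {ip} is shared by VIPs: {', '.join(names)}")
```

Each reported address is a candidate for the duplicate described above; compare the listed VIPs' `mappedip` values to decide which entry to remove.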