FortiGate
Article Id 190219

Description

 

This article describes how to disable central NAT.

 

Scope

 

FortiGate.

Solution

 

The Central NAT feature is not enabled by default. When 'central-nat' is enabled, the NAT setting configured on individual IPv4 firewall policies is ignored, and SNAT is instead configured through the 'central-snat-map' table.


If NGFW mode is profile-based: Go to System -> Settings -> toggle Central SNAT to disabled -> Select 'Apply'.

 

(Screenshot: GUI_disable.PNG)

 

If virtual domains are in use, Central SNAT can only be disabled from the CLI. 


Single VDOM CLI:

config system settings
    set central-nat disable
end

Multi-VDOM CLI:

config vdom
    edit <vdom_name>
        config system settings
            set central-nat disable
        end
end
 
Note:
  • Central SNAT cannot be enabled if IP Pools or VIPs are used in any firewall policies.
  • In profile-based mode only, when central NAT is disabled, the firewall policies are not deleted, but NAT is disabled on all policies that were created while in Central NAT mode.
  • This means that after disabling Central NAT, any policies that existed before Central NAT was enabled will have the same NAT settings (enabled or disabled) as they did before.
 

If the NGFW mode is policy-based: Central NAT (specifically SNAT) is enabled implicitly in policy-based NGFW mode and cannot be disabled without first switching to profile-based mode.

Note:

Changing the NGFW mode must not be done while the network is in active use. It will remove existing firewall policies and require downtime to reconfigure the firewall. Making the NGFW mode changes below will cause a complete loss of data traffic until new firewall policies are configured. Take a configuration backup before beginning.

 

See 'Profile-based policies vs Policy-based policies' for differences between NGFW modes.


Go to System -> Settings, under 'NGFW Mode' select 'Profile-based'. This reveals the Central SNAT setting. Toggle this to disabled and select 'Apply'.

 

(Screenshot: NGFW Mode.PNG)

 

Single VDOM CLI:

config system settings
    set ngfw-mode profile-based
Changing to profile-based mode will remove all firewall policy/security-policy in this VDOM
Do you want to continue? (y/n)y
    set central-nat disable
end


Multi-VDOM CLI:

config vdom
    edit <vdom_name>
        config system settings
            set ngfw-mode profile-based
Changing to profile-based mode will remove all firewall policy/security-policy in this VDOM
Do you want to continue? (y/n)y
            set central-nat disable
        end
end
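To confirm the outcome of the steps above from a configuration backup instead of by eye, here is an added Python example (not Fortinet's code) that walks a FortiOS config text and reports, per VDOM, the central-nat setting, the number of central-snat-map entries, and which firewall policies still carry 'set nat enable'. The sample config is constructed and simplified to the sections this article discusses; real backups contain many more.

```python
from collections import defaultdict

# Constructed, simplified multi-VDOM FortiOS config excerpt (assumed layout, not a real backup).
SAMPLE = """\
config vdom
edit root
config system settings
    set central-nat enable
end
config firewall central-snat-map
    edit 1
    next
end
config firewall policy
    edit 1
        set nat enable
    next
end
next
edit dmz
config system settings
    set central-nat disable
end
next
end
"""

def audit_nat(config_text):
    # Per VDOM: central-nat state, central-snat-map entry count, policies with 'set nat enable'.
    vdoms = defaultdict(lambda: {"central_nat": False, "snat_map_entries": 0,
                                 "policy_nat_enabled": []})
    stack, vdom, policy = [], "root", None  # single-VDOM backups have no 'config vdom' block
    for tok in filter(None, map(str.split, config_text.splitlines())):
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))  # e.g. 'system settings', 'firewall policy'
        elif tok[0] == "end":
            stack.pop()
        elif tok[0] == "edit":
            name = tok[1].strip('"')
            if stack[-1] == "vdom":
                vdom = name
            elif stack[-1] == "firewall policy":
                policy = name
            elif stack[-1] == "firewall central-snat-map":
                vdoms[vdom]["snat_map_entries"] += 1
        elif tok[0] == "set":
            if stack[-1] == "system settings" and tok[1] == "central-nat":
                vdoms[vdom]["central_nat"] = tok[2] == "enable"
            elif stack[-1] == "firewall policy" and tok[1:] == ["nat", "enable"]:
                vdoms[vdom]["policy_nat_enabled"].append(policy)
    return dict(vdoms)
```

A VDOM that reports central_nat False but still lists central-snat-map entries or nat-enabled policies is the case the notes above describe: the objects remain in the configuration and should be reviewed rather than assumed to be inactive.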

 

Related article: