FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 193423
Virtual IPs can affect outbound NAT, even though there are not selected in an outbound firewall policy.

If no virtual IPs are configured, FortiGates apply traditional outbound NAT to connections outbound from private network IP addresses to public network IP addresses.

However, if virtual IP configurations exist, the FortiGate uses the virtual IPs’ inbound NAT mappings in reverse to apply outbound NAT, causing IP address mappings for both inbound and outbound traffic to be symmetric.

For example, if a network interface’s IP address is, and its bound virtual IP’s external IP address is, mapping inbound traffic to the private network IP address, traffic outbound from will be translated to, not

Reverse SNAT and nat-source-vip option.

- When nat-source-vip enabled is configured, the FortiGate will perform SNAT according to the VIP.

- When nat-source-vip disabled is configured, the FortiGate will perform SNAT based on the following order:
1) IPpool specified in the policy.
2) Reverse SNAT according to the VIP (with nat-source-vip disable).
3) IP of the outgoing interface.