FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 312247
Description This article describes the behavior of SNAT when VIP is configured (no port forwarding).
Scope FortiGate.

There are two options for FortiGate to perform SNAT configurable in the firewall policy.

  • Use Outgoing Interface Address.
  • Use Dynamic IP Pool.

When VIP is configured as one-to-one mapping (no port-forwarding), FortiGate will use this VIP IP address as it SNAT IP address.


Below is a firewall policy configuration example with 'Use Outgoing Interface Address' as its SNAT IP:


Firewall Policy Outbound.png


Below is the SNAT IP used for outbound traffic from


Outbound Interface IP as SNAT.png


Below is the Virtual IP configuration:


VIP object.png


When the above VIP is used or referenced in a firewall policy, outbound traffic from host will use (VIP IP) as its SNAT IP:


VIP as SNAT.png