
Incoming NAT


We migrated from another brand to FortiGate but are facing a problem creating NAT policies. The old firewall had separate places for firewall rules and NAT policies, but FortiGate has both in the same place.


We need to source NAT the incoming traffic coming from the DMZ interface and reaching a server behind the LAN interface. How do we do this on FortiGate?


Incoming Interface: DMZ

Outgoing Interface: LAN


Source Network: All (must be translated to another IP which is allowed for our network)


Destination: A Server behind LAN Zone


Do we need to enable the NAT option? If yes then which IP should be used as IP Pool Configuration?




Hi There,


Since you are migrating from a different product, you may refer to the link below, which may help you understand SNAT on the FortiGate.


I also want to let you know that we do have a feature to separate NAT from the firewall policy, which is called Central SNAT.






In FortiGate, NAT (Network Address Translation) and firewall policies are combined into a single configuration. To achieve source NAT for incoming traffic from the DMZ interface to a server behind the LAN interface, you'll need to create a firewall policy with the appropriate NAT settings. Here's a step-by-step guide:

  1. Log in to the FortiGate Web Interface:

    • Open a web browser and enter the IP address of your FortiGate unit.
  2. Navigate to Policy & Objects > Policy > IPv4:

    • In the left navigation pane, go to "Policy & Objects" and then select "Policy."
  3. Create a New Policy:

    • Click on the "+ Create New" button to create a new policy.
  4. Configure General Settings:

    • Set the following parameters:
      • Incoming Interface: DMZ
      • Outgoing Interface: LAN
      • Source: All
      • Destination: Select the server behind the LAN zone.
  5. Enable NAT:

    • Under the "NAT" section, check the box to enable NAT.
    • Choose "Use Destination Interface Address" or "Use Central NAT Table" based on your requirements.
  6. Configure NAT Settings:

    • If you choose "Use Destination Interface Address," the source IP will be translated to the IP address of the outgoing interface (LAN).
    • If you choose "Use Central NAT Table," you may need to configure a NAT rule in Policy & Objects > NAT.
  7. Enable Security Profiles (if needed):


This will expose your complete LAN to the WAN side without any way to find the original source, due to SNAT.

I would rather recommend using a VIP as the destination in your policy, to expose only the ports of your server you need to access from the WAN side and not the whole LAN subnet!


"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams



Can I ask why you need to NAT traffic from DMZ to LAN?

In a normal situation we don't do that, unless you have a routing issue, and in that case it is a much better design to fix your routing than to enable NAT.


The DMZ Interface is connected to another private network which needs access to our server on LAN.




It seems you are moving to a new product; we do have the feature you mentioned.

The difference is that we call it central NAT. It is up to you how you want to utilize it.


If you operate in central NAT mode, you can have all your NAT rules in one place.

However, the other option is to have it directly in the firewall policy.

LAN-->WAN: you can use SNAT in the policy or in the central table.

From outside or from a different zone, it would be better to use DNAT (referred to as a VIP) if you want to protect server access.


Thank you.
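As an added example that is not part of any reply in this thread, this is what the VIP (destination NAT) approach recommended above looks like in the FortiOS CLI. The interface names `dmz` and `lan`, the DMZ-side client network 10.10.10.0/24, the DMZ-side address 10.10.10.50 that clients connect to, the LAN server 192.168.1.50 and the choice of TCP/443 are all assumptions for illustration, as is policy-based NAT mode (`central-nat` left disabled under `config system settings`, which is the default).

```text
# Added example, not from the thread. Assumed names/addresses:
#   dmz / lan       = FortiGate interface names
#   10.10.10.0/24   = the private network behind the DMZ interface
#   10.10.10.50     = address on the DMZ side that clients connect to
#   192.168.1.50    = the real server on the LAN
#   TCP/443         = the only port to expose

config firewall address
    edit "net-dmz-clients"
        set subnet 10.10.10.0 255.255.255.0
    next
end

# Destination NAT object: 10.10.10.50:443 on dmz -> 192.168.1.50:443.
# Only this port is reachable; nothing else on the LAN is exposed.
config firewall vip
    edit "vip-srv-app01-https"
        set extintf "dmz"
        set extip 10.10.10.50
        set mappedip "192.168.1.50"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# The VIP is the policy destination. The NAT option stays disabled, so the
# server still sees the real DMZ-side client address in its own logs.
config firewall policy
    edit 0
        set name "dmz-to-srv-app01-https"
        set srcintf "dmz"
        set dstintf "lan"
        set srcaddr "net-dmz-clients"
        set dstaddr "vip-srv-app01-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

`edit 0` lets FortiOS assign the next free policy ID. The source is limited to the DMZ client subnet rather than `all`, so the policy says exactly who may reach the VIP. To confirm the translation is happening, `diagnose sniffer packet any 'host 192.168.1.50 and port 443' 4` on the FortiGate should show the session arriving on `lan` with the original DMZ client as source.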




Hi @create_share,


If you need to source nat the incoming traffic coming from the DMZ Interface to a server behind the LAN Interface, you need to enable NAT on the firewall policy and 'Use Outgoing Interface Address' will be enough. Source IP address will be NATed to the IP address of the LAN interface. 





Thanks for the replies. It worked after I configured a virtual IP.



Head to "Policy & Objects," hit "IPv4 Policy," and craft a new policy with DMZ as the incoming interface, LAN as outgoing. Set source to "All" and destination to your LAN server. Don't forget to tick the NAT box. Opt for "Source NAT," choose "Use Static IP," and toss in the IP allowed for your network.
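The two source-NAT variants described in the replies above ("Use Outgoing Interface Address" and a static IP pool) and the original question about what to put in the IP pool, as an added example in the FortiOS CLI that is not code from any participant in this thread. The interface names `dmz` and `lan`, the DMZ client network 10.10.10.0/24, the LAN server 192.168.1.50, the pool address 192.168.1.250 (an otherwise unused address in the LAN subnet) and TCP/443 are assumptions for illustration; so is policy-based NAT mode (`central-nat` disabled under `config system settings`, the default), which is what makes the per-policy `set nat enable` / `set poolname` settings take effect.

```text
# Added example, not from the thread. Assumed names/addresses:
#   dmz / lan       = FortiGate interface names
#   10.10.10.0/24   = the private network behind the DMZ interface
#   192.168.1.50    = the server on the LAN
#   192.168.1.250   = an unused LAN address reserved as the SNAT pool
# Assumes policy-based NAT (central-nat disabled, the default).

config firewall address
    edit "net-dmz-clients"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "srv-app01"
        set subnet 192.168.1.50 255.255.255.255
    next
end

# One-address overload pool: every DMZ client appears to the server as
# 192.168.1.250 with a translated source port. arp-reply makes the
# FortiGate answer ARP for the pool address on the LAN segment, which is
# why the pool address must be one the LAN does not already use.
config firewall ippool
    edit "pool-dmz-to-lan"
        set type overload
        set startip 192.168.1.250
        set endip 192.168.1.250
        set arp-reply enable
    next
end

# Policy with source NAT to the pool. Drop the two ippool lines and the
# source becomes the lan interface address instead ("Use Outgoing
# Interface Address").
config firewall policy
    edit 0
        set name "dmz-to-srv-app01-snat"
        set srcintf "dmz"
        set dstintf "lan"
        set srcaddr "net-dmz-clients"
        set dstaddr "srv-app01"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set ippool enable
        set poolname "pool-dmz-to-lan"
        set logtraffic all
    next
end
```

With SNAT in place the server's own logs only ever show 192.168.1.250, so `set logtraffic all` is not optional: the FortiGate traffic log (`execute log filter category 0` followed by `execute log display`) becomes the only record of which DMZ host actually opened each session. Restricting `srcaddr` to the DMZ client subnet and `service` to the one port needed keeps the policy from becoming the open LAN exposure warned about earlier in the thread.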

