Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

NAT internal to external not working every time


I'm using a FortiGate on AWS to secure my EC2 instances' outgoing traffic to the internet.

I'm facing a little issue I don't understand.


I've got a LAN interface and a WAN interface.

I created a (NAT) policy to forward traffic from LAN to WAN for internet access.


This works fine for almost all EC2 instances, except for some where the firewall is blocking the traffic.


When I do a packet filter, we can see the traffic arriving with the LAN interface as the source, and the firewall tries to forward it out the same interface (LAN) instead of the WAN as required by the NAT.


Why?


Another machine in the same subnet as my first EC2 can reach the internet, but not all of them can.


The firewall drops the packets because LAN to LAN (to reach the internet) is not permitted; this is normal.

It should NAT the traffic to the WAN.


Hi Team,


Can you execute these commands in the non-working scenario? Then we will understand the flow:

diag debug reset

diag debug flow filter clear

diag debug flow filter addr <dst-ip>

diag debug flow filter proto 1

diag debug flow show function-name enable

diag debug flow trace start 10000

diag debug enable


Once you have the debug output, you can disable the debug using this command:

diag debug disable



Please share the debug output with us.
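The flow trace requested above can run to thousands of lines once ICMP from several instances is captured. The following is an added helper, not code from the post or from Fortinet: it parses `diag debug flow` output per `trace_id`, pulls out the ingress interface from the "received a packet" line, the egress interface chosen by the route lookup ("find a route ... via"), and the policy verdict, and flags any flow whose egress equals its ingress, which is exactly the LAN-to-LAN symptom the original poster describes. The sample trace lines are constructed for this example and modelled on the typical FortiOS message wording; the exact `func=` names and message text are assumptions about that format, so adjust the regular expressions if your firmware phrases them differently.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `diag debug flow` output (not from the post).
# trace_id=1 is hairpinned back out port2 (the LAN) and denied;
# trace_id=2 is routed out port1 (the WAN) and SNATed as intended.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.0.1.25:1->8.8.8.8:2048) from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5520 msg="allocate a new session-00001234"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.0.1.1 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=746 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.0.1.30:1->8.8.8.8:2048) from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=5520 msg="allocate a new session-00001235"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.0.0.1 via port1"
id=20085 trace_id=2 func=fw_forward_handler line=737 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=2 func=__ip_session_run_tuple line=3244 msg="SNAT 10.0.1.30->10.0.0.10:60417"
"""


@dataclass
class Flow:
    """One traced packet, keyed by the trace_id FortiOS assigns per session."""
    trace_id: int
    proto: int = 0
    src: str = ""
    dst: str = ""
    ingress: str = ""   # interface the packet arrived on
    egress: str = ""    # interface picked by the route lookup
    verdict: str = ""   # "Allowed by ..." / "Denied by ..." if seen

    def is_hairpin(self) -> bool:
        # The symptom from the post: route lookup sends the packet back out
        # the interface it came in on, so the LAN->WAN NAT policy never matches.
        return bool(self.ingress) and self.ingress == self.egress


# Regexes are assumptions about the usual FortiOS flow-trace wording.
TRACE_RE = re.compile(r"trace_id=(\d+)")
PKT_RE = re.compile(
    r"received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\w+)\."
)
ROUTE_RE = re.compile(r"find a route: .*?via (\w+)")
VERDICT_RE = re.compile(r'msg="((?:Allowed|Denied) by [^"]*)"')


def parse_flow_trace(text: str) -> dict[int, Flow]:
    """Group trace lines by trace_id and extract the fields we care about."""
    flows: dict[int, Flow] = {}
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue  # not a flow-trace line (e.g. CLI echo or blank)
        flow = flows.setdefault(int(m.group(1)), Flow(int(m.group(1))))
        if pkt := PKT_RE.search(line):
            flow.proto = int(pkt.group(1))
            flow.src, flow.dst, flow.ingress = pkt.group(2), pkt.group(3), pkt.group(4)
        elif route := ROUTE_RE.search(line):
            flow.egress = route.group(1)
        elif verdict := VERDICT_RE.search(line):
            flow.verdict = verdict.group(1)
    return flows


def hairpin_flows(flows: dict[int, Flow]) -> list[Flow]:
    """Return flows whose chosen egress interface equals the ingress interface."""
    return [f for f in flows.values() if f.is_hairpin()]


def report(flows: dict[int, Flow]) -> list[str]:
    """One human-readable line per flow, marking hairpinned ones."""
    lines = []
    for f in sorted(flows.values(), key=lambda x: x.trace_id):
        mark = "HAIRPIN " if f.is_hairpin() else ""
        lines.append(
            f"{mark}trace {f.trace_id}: proto={f.proto} {f.src}->{f.dst} "
            f"in={f.ingress} out={f.egress} verdict={f.verdict or 'n/a'}"
        )
    return lines


if __name__ == "__main__":
    for line in report(parse_flow_trace(SAMPLE_TRACE)):
        print(line)
```

Paste the captured trace into `SAMPLE_TRACE` or read it from a file and look at the `HAIRPIN` rows: for those sources the problem sits in the route lookup before the policy is ever evaluated, so the next thing to compare between a working and a non-working instance is the routing decision for that source (the active routing table and any policy routes that match the source address), not the NAT policy itself.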