Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II

Priority between policy and virtual IP translation


I have come across a specific situation that made me realize I need to ask something:

The setup description:
I have a couple of source PCs let's say PC1, PC2 and PC3 and needs to connect to PC4, PC5 and PC6 inside a private network behind a fortigate (so NAT needs to be used to translate a public ip address to a private one).
PC1's ip address, let's say, is IP1, PC2 has IP2 and so on.

Now I need to connect from PC1 to a service running on PC4 on port let's say PORT1, from PC2 on a service on PC5 on PORT 2 and so on. Now, the traffic needs to go over the internet so the target IP will be the gateway public address on the fortigate, IP10. The implemented solution is to target the fortigate's public ip address and one unused port, then translate it to the destination private ip address and the corresponding port. So it is something like this:

PC1: IP1:pc1_portS -> Fortigate: IP10:PORT1-1 -> (dNAT) -> PC4:IP4:PORT1
PC2:IP2:pc2_portS -> Fortigate: IP10:PORT2-1 -> (dNAT) -> PC5:IP5:PORT2

The question that I need the answer for:
Now looking at this, and thinking about the firewall policies I realized something. If I make a policy allowing traffic to PC1 to PC4, will I need to specific PORT1-1 then PORT1 or can I simply specify PC1:IP1:pc1_portS -> PC4:IP4:PORT1? 

What has priorirty? The NAT (Virtual IP) or the policy? Will the traffic be allowed then translated or will it be translated then allowed? I'm asking this for my own understanding.
Also if something doesn't make sense there is a slight chance I didn't fully understand the entire situation as I am still a beginner.

Thank you.


Hi @Secretcodrin,


I believe you are trying to configure port forwarding. Please refer to this article:


To understand the packet flow, please refer to



New Contributor II

Thank you for the response, the second link was very useful and more or less exactly what I needed. I just have one question that I did not understand from the topic. When exactly is the Port Forwarding happening in the flow? And by flow, I'm referencing this picture from the second link:







Portforwarding is Destination NAT - DNAT in your case. Mapping an external IP address to an internal resource. 
When running the debug flow you should be able to see the DNAT lookup, so trying to match the traffic to a VIP if there is any VIP config, then after performing DNAT the FGT will check for a policy with said VIP object as destination and try to match it to that. After it matches the policy then if NAT enabled on the policy, it will SNAT depending on the configuration in the policy and forward the packet. 

Hope this helps.


I think you're particularly looking for a "hairpin NAT/VIP" solution like below:



Not quite, but the article was nice to read nevertheless. I learned a new technique today. Thank you!

Top Kudoed Authors