New Contributor III

Weird behavior central SNAT / DNAT VIP

Since I come from Cisco, the way I have to configure NAT on a FortiGate is new to me. I have a working configuration, but some settings don't make sense to me...


public ip range:

Fortigate public ip:

dmz interface:



My goal is a bidirectional NAT for a webserver using the public IP

I found the following KB:


1. It doesn't matter which interface I use in the VIP config (extintf), the traffic works anyway, whether it makes sense or not. Why is that, and how should I do it the right way?


2. Configuring "set srcintf-filter dmz" as mentioned in the linked KB results in it not working anymore...

Even more confusing is the fact that this worked a few days ago, and yes, I did clear the NAT cache multiple times in between (diagnose sys session clear).


To my understanding, coming from Cisco, a destination NAT should contain the source interface (incoming traffic), source network, destination interface and destination network.


For testing purposes I deleted all other NAT rules except the default SNAT for outgoing traffic. Currently the configuration looks like this. Incoming and outgoing traffic via the public IP works with this, but I'm afraid that this changes somehow when I go live with the firewalls, as it already did earlier.

fortigate # sh firewall vip webserver
config firewall vip
    edit "webserver"
        set extip
        set mappedip ""
        set extintf "port1"
        set nat-source-vip enable
    next
end

fortigate # sh firewall ippool SNAT_1.2.3.43
config firewall ippool
    edit "SNAT_1.2.3.43"
        set type one-to-one
        set startip
        set endip
    next
end

fortigate # sh firewall central-snat-map
config firewall central-snat-map
    edit 1
        set srcintf "dmz_zone"
        set dstintf "port1"
        set orig-addr "SH_webserver-"
        set dst-addr "all"
        set nat-ippool "SNAT_1.2.3.43"
    next
end



First question: do you have a requirement to use Central SNAT? Usually in FortiGate land it is easier to use policy NAT.


If you are using Central SNAT you have to treat your DNAT VIPs a bit differently. See here:


I'm not 100% sure, but in Central NAT I don't believe the VIP ext-intf has any bearing on the NAT functionality. It is used for policy application only.

New Contributor III

Hi Graham,


Our network partner and some FortiGate engineers recommended that we enable central SNAT so we can more easily migrate our current Cisco configuration. For our migration scripts we use the API. The configuration includes about 660 VPNs, 140 NAT and 800 policy rules, so we do it with API scripts.


"I'm not 100% sure, but in Central NAT I don't believe the VIP ext-intf has any bearing on the NAT functionality. It is used for policy application only."

That would explain a lot, but can we somehow verify the assumption?


Best Regards,



OK, in that case yes, Central NAT makes sense.


Per the documentation, the "ext-intf" setting on a VIP is defined as "The external interface that the firewall policy source interface must match." So in this case, under Central NAT where VIPs are not assigned to a firewall policy, I think it's fair to say the ext-intf setting has no bearing.
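The check asked for above ("can we somehow verify the assumption?"), as an added example that is not part of any post in this thread: a Python script that reads the text of `diagnose sys session list` and, for every session, confirms that traffic to the VIP's external address was DNATed to the mapped address and that traffic leaving the mapped address was SNATed to the pool address, which is what the VIP and the central-snat-map in the configuration above should produce. The session output embedded here is a constructed sample, and the addresses, policy IDs and the VIP/pool values are assumptions, not values from the thread. The third sample session shows the failure mode from the thread (inbound traffic hitting the VIP address with `act=noop`, i.e. no DNAT applied), so the script reports it as a bad session. To test whether `extintf` matters, change it, run `diagnose sys session clear`, regenerate traffic and rerun the check on fresh output.

```python
"""Audit FortiGate session-table output against the NAT a VIP / IP pool pair
should produce. Added example; it parses the text of `diagnose sys session
list`, it is not FortiOS code and does not talk to the firewall."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed values (not from the thread): the VIP's extip, its mappedip and the
# one-to-one pool address used for outbound SNAT. Bidirectional NAT means the
# pool address is the same public IP as the VIP's extip.
VIP_EXTIP = "198.51.100.43"
VIP_MAPPEDIP = "10.0.0.5"
POOL_IP = "198.51.100.43"

# A translation hook line as printed in the session table, for example
#   hook=pre dir=org act=dnat 203.0.113.10:51234->198.51.100.43:80(10.0.0.5:80)
# For act=dnat the tuple in parentheses is the new destination, for act=snat
# the new source; act=noop lines carry no tuple.
HOOK_RE = re.compile(
    r"hook=(?P<hook>pre|post) dir=(?P<dir>org|reply) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\((?P<xip>[\d.]+):(?P<xport>\d+)\))?"
)
POLICY_RE = re.compile(r"\bpolicy_id=(?P<pid>\d+)")

# Constructed sample output, trimmed to the lines this script looks at.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=7 expire=3593 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log may_dirty npu none
orgin->sink: org pre->post, reply pre->post dev=5->7/7->5 gwy=10.0.0.5/203.0.113.1
hook=pre dir=org act=dnat 203.0.113.10:51234->198.51.100.43:80(10.0.0.5:80)
hook=post dir=reply act=snat 10.0.0.5:80->203.0.113.10:51234(198.51.100.43:80)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=2 expire=3598 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log may_dirty npu none
orgin->sink: org pre->post, reply pre->post dev=7->5/5->7 gwy=203.0.113.1/10.0.0.5
hook=post dir=org act=snat 10.0.0.5:40000->203.0.113.20:443(198.51.100.43:40000)
hook=pre dir=reply act=dnat 203.0.113.20:443->198.51.100.43:40000(10.0.0.5:40000)
misc=0 policy_id=4 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=00 duration=1 expire=9 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=may_dirty
orgin->sink: org pre->post, reply pre->post dev=5->7/7->5 gwy=198.51.100.43/203.0.113.1
hook=pre dir=org act=noop 203.0.113.10:51300->198.51.100.43:80
hook=post dir=reply act=noop 198.51.100.43:80->203.0.113.10:51300
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
"""


@dataclass
class Session:
    policy_id: int | None = None
    hooks: list[dict] = field(default_factory=list)


def parse_sessions(text: str) -> list[Session]:
    """Split the output on 'session info:' and keep each session's hook and policy lines."""
    sessions: list[Session] = []
    for chunk in text.split("session info:")[1:]:
        session = Session()
        for line in chunk.splitlines():
            hook = HOOK_RE.search(line)
            if hook:
                session.hooks.append(hook.groupdict())
                continue
            policy = POLICY_RE.search(line)
            if policy:
                session.policy_id = int(policy.group("pid"))
        sessions.append(session)
    return sessions


def dnat_ok(session: Session, extip: str, mappedip: str) -> bool | None:
    """True/False for a session whose original direction targets extip; None if unrelated."""
    for hook in session.hooks:
        if hook["dir"] == "org" and hook["dst"] == extip:
            return hook["act"] == "dnat" and hook["xip"] == mappedip
    return None


def snat_ok(session: Session, mappedip: str, poolip: str) -> bool | None:
    """True/False for a session originating from mappedip; None if unrelated."""
    for hook in session.hooks:
        if hook["dir"] == "org" and hook["src"] == mappedip:
            return hook["act"] == "snat" and hook["xip"] == poolip
    return None


def audit(text: str, extip: str, mappedip: str, poolip: str) -> dict[str, int]:
    """Count sessions whose inbound DNAT / outbound SNAT match or miss the expected mapping."""
    result = {"dnat_good": 0, "dnat_bad": 0, "snat_good": 0, "snat_bad": 0}
    for session in parse_sessions(text):
        dnat = dnat_ok(session, extip, mappedip)
        if dnat is not None:
            result["dnat_good" if dnat else "dnat_bad"] += 1
        snat = snat_ok(session, mappedip, poolip)
        if snat is not None:
            result["snat_good" if snat else "snat_bad"] += 1
    return result


if __name__ == "__main__":
    for key, value in audit(SAMPLE, VIP_EXTIP, VIP_MAPPEDIP, POOL_IP).items():
        print(f"{key}: {value}")
```

On a real unit, narrow the capture first with `diagnose sys session filter dst <extip>` (or `filter src <mappedip>` for the outbound side) before `diagnose sys session list`, then feed the saved text to `audit()`. If a session shows `act=noop` where a DNAT was expected, `diagnose debug flow` with a matching address filter shows which policy and VIP (if any) the packet matched, which is the quickest way to see why a `srcintf-filter` or `extintf` change stopped the VIP from applying.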


New Contributor III

Thanks Graham.

The support ticket is still open, I will post the update here as soon as I get an answer.

