So I have been really frustrated trying to be clear about this from the Fortinet documentation. I finally called support today and they got stuck as well. They are supposed to call me back tomorrow.

I want to use central nat with the dnat table for services that we make available on the Internet. For most of our servers the address and port based filters in the DNAT table itself are fine. But in others we want to apply more complex rules including layer 7 NGFW rules. In some we may want to use both if it's possible. None of the documentation is clear about how any of this fits together though.

What I got from them for order of operations so far is:

1.Packet comes in from Internet and goes through NAT applying any filters in the NAT table.

2. Packet goes to routing.

3. Packet goes to filters.

But here several things become unclear.

1.When writing security rules does one base the destination address from external or internal addresses? In previous versions apparently you referenced the VIP/DNAT policy in rules but it does not seem to be in 6.2.x versions.

2. Are packets that didn't match any filters in the DNAT table dropped before routing or do they go through and only drop at the implicit deny?

3. Does the default here default depend on whether there are filters in DNAT?

4. Am I just not finding the right spots in the documentation for this or is it really this unclear?

Right now I am running 6.2.5 but I'm happy to go to a different version of that makes anything clearer.