Fortinet Community

Hi georgeWong, Please refer the below order. You can see policy lookup is done twice. 1, init_ip_session2, iprope_dnat_check ->Trigger3, iprope_fwd_check -> routing 4, iprope_check_one_policy -> policy5, fw_pre_route_handler -> VIP DNAT6, iprope_fwd_...

Hi georgeWong, VIP is like a global parameter and associating VIP with exintf will not restrict it from triggering. Please refer this doc which explains about the VIP exintf on a scenario basis : https://community.fortinet.com/t5/FortiGate/Technical-...

Hi, In this scenario the traffic enters and leaves FortiGate via the same interface. This causes FortiOS to automatically perform SNAT, even if NAT is not configured in the firewall policy. Below KB will provide you details and steps to disable SNAT ...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-VIP-port-forwarding/ta-p/195542?externalID=FD45731

Hi, Please refer the below KB https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448?externalID=FD36202