
Central NAT vs Policy NAT

FortiGate supports two NAT models. They're mutually exclusive — pick one for the device.

Policy NAT (Default)

NAT settings are part of each firewall policy (the NAT toggle and IP Pool field you see when creating a policy). One policy = one NAT decision.

Pros:
  • Simple — NAT is right next to the rule that needs it.
  • Granular per-policy.

Cons:
  • Hard to audit at scale ("which policies use which pool?").
  • Redundant — the same NAT config is repeated across many policies.

Central NAT

NAT rules are defined separately, in a central table, and matched independently from firewall policies. Firewall policies don't have a NAT toggle when Central NAT is on.

Pros:
  • Single audit point for all NAT.
  • Easier to manage in large deployments.
  • Maps closer to Cisco/ASA NAT philosophy.

Cons:
  • Two tables to think about (policies + NAT).
  • Migration from Policy NAT requires conversion.

When to Use Which

  • Default Policy NAT for small/medium deployments. Most installs are fine here.
  • Central NAT for large or audit-heavy deployments where you need a single NAT manifest.

Don't switch mid-life unless you're consolidating — the migration is annoying.

Enable Central NAT

config system settings
    set central-nat enable
end

The GUI now shows Policy & Objects → Central SNAT and Central DNAT as separate menus. Firewall policies lose the NAT toggle.

Define a Central SNAT Rule

  1. Policy & Objects → Central SNAT → + Create New.
  2. Fill in:
    • Incoming Interface — source interface.
    • Outgoing Interface — destination interface.
    • Source Address / Destination Address — the flow.
    • NAT IP — Use Outgoing Interface Address or an IP Pool.
  3. OK.

Define a Central DNAT Rule

Done via VIPs (same as Policy NAT) — VIPs are independent of the NAT mode.

Verify

get system settings | grep central-nat
# Confirm enabled or disabled.

diagnose firewall iprope show 100004
# Shows policy table — NAT entries appear/don't appear based on mode.

Common Issues

  • Switched to Central NAT and traffic broke. Existing policy NAT settings don't carry over. Re-create as Central SNAT rules.
  • Both VIPs and Central DNAT — confusion. VIPs are still the DNAT mechanism. Don't try to use Central DNAT separately; it's a wrapper for VIPs in some FortiOS versions.
  • Can't switch back to Policy NAT cleanly. Same problem in reverse — Central rules don't auto-convert.
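The two chores this page calls out as painful, answering "which policies use which pool?" under Policy NAT and inventorying what has to be re-created as Central SNAT rules because nothing carries over on the switch, can both be scripted against a config backup. The Python below is an added example, not Fortinet code and not part of this page; it assumes the backup is in the usual FortiOS text form (config / edit / set / next / end) and works on a constructed three-policy sample:

```python
"""Audit Policy-NAT settings in a FortiGate config backup (added example, not
Fortinet code). Answers "which policies use which pool?" and lists what must
be re-created as Central SNAT rules before switching, since policy NAT
settings do not carry over. The sample config below is constructed.
"""
import shlex
from collections import defaultdict

# Constructed sample: two policies with NAT (one via an IP pool), one without.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set nat enable
    next
    edit 2
        set name "dmz-to-wan"
        set srcintf "dmz"
        set dstintf "port1"
        set srcaddr "dmz-servers"
        set dstaddr "all"
        set nat enable
        set ippool enable
        set poolname "pool-dmz"
    next
    edit 3
        set name "lan-to-dmz"
        set srcintf "port2"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "dmz-servers"
    next
end
"""


def parse_table(config_text, table="firewall policy"):
    """Return {entry_id: {key: [values]}} for one 'config <table>' block;
    nested sub-blocks inside an entry are skipped (quoted values via shlex)."""
    entries, current, depth, in_table = {}, None, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)
        cmd = tokens[0]
        if not in_table:
            in_table = cmd == "config" and " ".join(tokens[1:]) == table
            continue
        if cmd == "config":            # nested block inside an entry
            depth += 1
        elif cmd == "end":
            if depth == 0:
                return entries         # end of the table we wanted
            depth -= 1
        elif depth == 0 and cmd == "edit":
            current = tokens[1]
            entries[current] = {}
        elif depth == 0 and cmd == "next":
            current = None
        elif depth == 0 and cmd == "set" and current is not None:
            entries[current][tokens[1]] = tokens[2:]
    return entries


def nat_inventory(config_text):
    """One row per policy with NAT enabled, naming the SNAT source it uses."""
    rows = []
    for pid, s in parse_table(config_text).items():
        if s.get("nat", ["disable"])[0] != "enable":
            continue
        uses_pool = s.get("ippool", ["disable"])[0] == "enable" and "poolname" in s
        rows.append({
            "policy": pid,
            "name": s.get("name", [""])[0],
            "srcintf": s.get("srcintf", []),
            "dstintf": s.get("dstintf", []),
            "srcaddr": s.get("srcaddr", []),
            "dstaddr": s.get("dstaddr", []),
            # Policy NAT without an IP pool uses the outgoing interface address.
            "snat": s["poolname"][0] if uses_pool else "outgoing-interface",
        })
    return rows


def pool_usage(rows):
    """Map each SNAT source (pool name or 'outgoing-interface') to policy ids."""
    usage = defaultdict(list)
    for r in rows:
        usage[r["snat"]].append(r["policy"])
    return dict(usage)
```

To use it on a real device, read the backup file into a string and pass it to nat_inventory(): each row carries the incoming interface, outgoing interface, source and destination addresses, and the SNAT source (pool name or outgoing interface address) that you need to enter in the matching Central SNAT rule for that policy, and pool_usage() is the single-table answer to "which policies use which pool?" that Policy NAT otherwise lacks. Policies without NAT enabled (like policy 3 in the sample) are left out, since they need no Central SNAT rule.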