
Create an IP Pool for SNAT

An IP Pool is a range of public IPs the FortiGate uses for source NAT — instead of (or in addition to) the WAN interface's own IP. Use cases:

  • You have a public IP block from your ISP and want certain LAN clients to appear as specific public IPs.
  • You're behind a carrier-grade NAT and need to maximize available source ports.
  • You need to bind specific outbound flows to specific public IPs (compliance, partner whitelisting).

Pool Types

  • Overload (default) — multiple LAN clients share one or more public IPs using port translation (PAT). Most common.
  • One-to-One — each LAN client gets its own dedicated public IP. Requires as many public IPs as clients. Used when carriers need persistent 1:1 mapping.
  • Fixed Port Range — preserves source port ranges (legacy apps that expect specific ports).
  • Port Block Allocation — gives each LAN client a block of source ports for better logging granularity.

Before You Start

  • A range of public IPs that are routed to your FortiGate (your ISP confirms reachability).
  • The public IPs are NOT also bound to other VIPs (conflict).
  • You've decided which clients/policies will use the pool.

Steps

  1. Policy & Objects → IP Pools → + Create New.
  2. Fill in:
    • Name — e.g. IPPool-PublicBlock-Outbound.
    • Comments — optional.
    • Color — optional.
    • Type:
      • Overload (most cases) — PAT across the pool.
      • One-to-One.
      • Fixed Port Range.
      • Port Block Allocation.
    • External IP Range — the public range, e.g. 203.0.113.100 to 203.0.113.120.
    • ARP Reply: Enabled (lets FortiGate respond to ARP for these IPs on the WAN).
    • Source Address Filter: Disable (allow any LAN client) or Enable and restrict.
  3. OK.

Use in a firewall policy

  1. Policy & Objects → Firewall Policy → open the LAN-to-WAN policy.
  2. NAT = Enabled.
  3. IP Pool Configuration = Use Dynamic IP Pool.
  4. Pick your pool.
  5. OK.

CLI Equivalent

# Define the pool (overload/PAT across 203.0.113.100-203.0.113.120, answering ARP on the WAN)
config firewall ippool
    edit "IPPool-PublicBlock-Outbound"
        set type overload
        set startip 203.0.113.100
        set endip 203.0.113.120
        set arp-reply enable
    next
end

# Attach the pool to the LAN-to-WAN policy (replace <id> with the policy ID)
config firewall policy
    edit <id>
        set nat enable
        set ippool enable
        set poolname "IPPool-PublicBlock-Outbound"
    next
end

Verify

# Show active sessions from one LAN client and their NAT IPs
# (clear any stale filter first, otherwise the list may be silently narrowed):
diagnose sys session filter clear
diagnose sys session filter src <lan-client-ip>
diagnose sys session list

# The translated source ("natsrc", shown in parentheses on the act=snat line) should be one of the IPs in your pool.

From the LAN client: curl https://ifconfig.me — should show a pool IP, not the WAN interface IP.
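To run this check over a whole session dump rather than by eye, here is an added example (not from the page or from Fortinet): it parses the act=snat lines of `diagnose sys session list` output and flags sessions whose translated source falls outside the pool range, which is the "pool not used, outbound still uses WAN IP" symptom. The sample output below is constructed, and the exact line format and the presence of a policy_id= field are assumptions.

```python
import ipaddress
import re

# Pool range from this page's example.
POOL_START = ipaddress.ip_address("203.0.113.100")
POOL_END = ipaddress.ip_address("203.0.113.120")

# Constructed sample of `diagnose sys session list` output (format is an
# assumption). Session 1 is translated to a pool IP; session 2 still uses
# the WAN interface IP (203.0.113.2), i.e. the policy was not switched to
# "Use Dynamic IP Pool".
SAMPLE_SESSIONS = """\
session info: proto=6 proto_state=01 duration=5 expire=3595 timeout=3600
policy_id=7 auth_info=0 chk_client_info=0 vd=0
hook=post dir=org act=snat 192.168.1.10:51234->198.51.100.20:443(203.0.113.105:51234)
hook=pre dir=reply act=dnat 198.51.100.20:443->203.0.113.105:51234(192.168.1.10:51234)
session info: proto=6 proto_state=01 duration=2 expire=3598 timeout=3600
policy_id=8 auth_info=0 chk_client_info=0 vd=0
hook=post dir=org act=snat 192.168.1.11:40000->198.51.100.20:443(203.0.113.2:40000)
hook=pre dir=reply act=dnat 198.51.100.20:443->203.0.113.2:40000(192.168.1.11:40000)
"""

SNAT_RE = re.compile(r"act=snat (?P<src>[\d.]+):\d+->[\d.]+:\d+\((?P<natsrc>[\d.]+):\d+\)")
POLICY_RE = re.compile(r"policy_id=(\d+)")


def audit_snat(session_dump, pool_start=POOL_START, pool_end=POOL_END):
    """Return one record per SNAT session: original source, translated source,
    the policy that matched it, and whether the translated IP is in the pool."""
    results = []
    policy = None  # policy_id line precedes the hook lines of its session
    for line in session_dump.splitlines():
        pm = POLICY_RE.search(line)
        if pm:
            policy = int(pm.group(1))
        sm = SNAT_RE.search(line)
        if sm:
            natsrc = ipaddress.ip_address(sm.group("natsrc"))
            results.append({
                "src": sm.group("src"),
                "natsrc": str(natsrc),
                "policy": policy,
                "in_pool": pool_start <= natsrc <= pool_end,
            })
    return results


def sessions_outside_pool(session_dump, **kw):
    """Sessions still leaving with a non-pool source (e.g. the WAN interface IP)."""
    return [r for r in audit_snat(session_dump, **kw) if not r["in_pool"]]


if __name__ == "__main__":
    for r in sessions_outside_pool(SAMPLE_SESSIONS):
        print(f"policy {r['policy']}: {r['src']} -> {r['natsrc']} is not a pool IP")
```

Paste the real output of `diagnose sys session list` in place of SAMPLE_SESSIONS; any policy reported here is the one to check against the "Use Dynamic IP Pool" setting.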

Common Issues

  • Pool not used; outbound still uses WAN IP. Forgot to switch the policy from "Use Outgoing Interface Address" to "Use Dynamic IP Pool."
  • ARP issues — pool IPs not responding. ARP Reply not enabled on the pool, or upstream router doesn't have the right route for the block.
  • Pool exhausted (with One-to-One). Not enough public IPs for the number of clients. Switch to Overload or expand the range.
  • Pool shared by several policies, but usage counts look wrong. A pool referenced from multiple policies is one shared resource: its IPs and source ports are consumed across all of those policies, not per policy, so size the range for the combined load.
  • Pool overlaps with VIP. Same public IP can't be both a VIP destination and a pool source. Pick one purpose per IP.