# Configure Source NAT (Outbound)
Source NAT (SNAT) rewrites the source IP of outbound traffic — so private LAN clients (e.g. 10.0.0.0/24) appear on the internet as the FortiGate's public WAN IP. SNAT is what makes "the internet" work for private networks.
By default, when a firewall policy goes from LAN → WAN with NAT toggled on, FortiOS uses the outgoing interface's IP as the new source. This is the simplest and most common form.
Use this page to:

- Confirm SNAT is happening (and understand when it isn't).
- Use a different public IP (via an IP Pool).
- Choose between policy-based NAT (default) and Central NAT (see Central NAT vs Policy NAT).
## Default Behavior (Outgoing Interface Address)

In any LAN → WAN firewall policy:

- Policy & Objects → Firewall Policy → open the policy.
- NAT = Enabled.
- IP Pool Configuration = Use Outgoing Interface Address.
- OK.
That's it — outbound flows now SNAT to the WAN interface IP.
## SNAT to a Specific IP (using an IP Pool)

When you need outbound traffic to appear as an IP other than the WAN interface IP (e.g. you have multiple public IPs and want certain clients to source from one of them):

- Create an IP Pool — see Create an IP Pool for SNAT.
- Open the firewall policy.
- NAT = Enabled.
- IP Pool Configuration = Use Dynamic IP Pool.
- Pick the pool.
- OK.
## Preserve Source Port (PAT) vs Random Port

By default FortiOS uses PAT (Port Address Translation) — multiple LAN clients share one public IP, distinguished by source port. The source port is randomly chosen.

To preserve source ports (rarely needed; some legacy protocols expect it), change the pool type on an existing pool (the pool's IP ranges stay as created):

```
config firewall ippool
    # <pool-name> is the pool created earlier and selected in the policy
    edit "<pool-name>"
        # default type is overload (PAT); fixed-port-range keeps the source port
        set type fixed-port-range
    next
end
```
## CLI Equivalent (default SNAT)

```
config firewall policy
    edit <policy-id>
        # SNAT to the outgoing interface address, no IP pool
        set nat enable
        set ippool disable
    next
end
```
## Verify

Test from a LAN client:

```sh
# What's your public IP?
curl https://ifconfig.me
```

The result should be your WAN IP (or the IP pool's IP if you configured one). If it's the LAN IP, SNAT isn't happening — check that NAT is enabled on the policy that matches the traffic.
On FortiGate:

```sh
# Show active sessions and their NAT translations (filter to HTTPS to keep the list short):
diagnose sys session filter dport 443
diagnose sys session list
# Each session shows "orig src ...", "src ...", and "natsrc ..." — natsrc is the SNAT IP.
```
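The session list is long and easy to misread by eye. The script below is an added example (not part of the FortiOS docs or the FortiGate CLI) that parses the `hook=post dir=org act=snat` lines of a captured session list and reports, per outbound session, whether SNAT was applied, whether the translated source is one of the addresses you expect (WAN IP or pool IPs), and whether the source port was preserved (fixed-port) or rewritten (overload/PAT). The sample output is constructed to resemble `diagnose sys session list`; the exact layout varies by FortiOS version, so adjust the regex if yours differs.

```python
import ipaddress
import re

# Constructed sample of "diagnose sys session list" output (not real captured data).
SESSION_SAMPLE = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600
hook=post dir=org act=snat 10.0.0.5:51234->203.0.113.50:443(198.51.100.2:51234)
hook=pre dir=reply act=dnat 203.0.113.50:443->198.51.100.2:51234(10.0.0.5:51234)
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600
hook=post dir=org act=snat 10.0.0.7:40001->203.0.113.51:443(198.51.100.9:1025)
hook=pre dir=reply act=dnat 203.0.113.51:443->198.51.100.9:1025(10.0.0.7:40001)
session info: proto=6 proto_state=01 duration=1 expire=3599 timeout=3600
hook=post dir=org act=noop 10.0.0.9:33333->203.0.113.52:443(0.0.0.0:0)
"""

# Outbound (dir=org) post-routing line: src:port->dst:port(natsrc:natport)
SNAT_RE = re.compile(
    r"hook=post dir=org act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<nsrc>[\d.]+):(?P<nport>\d+)\)"
)


def audit_snat(session_text, allowed_nat_ips):
    """Return one finding per outbound session.

    snat           - the FortiGate applied source NAT to this session
    expected_ip    - the translated source is in allowed_nat_ips (WAN IP / pool IPs)
    port_preserved - source port unchanged (fixed-port pool) vs rewritten (PAT)
    """
    allowed = {ipaddress.ip_address(a) for a in allowed_nat_ips}
    findings = []
    for m in SNAT_RE.finditer(session_text):
        snat = m["act"] == "snat"
        findings.append({
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "snat": snat,
            "nat_src": m["nsrc"] if snat else None,
            "expected_ip": snat and ipaddress.ip_address(m["nsrc"]) in allowed,
            "port_preserved": snat and m["sport"] == m["nport"],
        })
    return findings


def problems(findings):
    """Sessions that left without SNAT or with a source IP you did not expect."""
    return [f for f in findings if not f["snat"] or not f["expected_ip"]]


if __name__ == "__main__":
    for f in problems(audit_snat(SESSION_SAMPLE, ["198.51.100.2"])):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} snat={f['snat']} nat_src={f['nat_src']}")
```

Run it with the WAN IP (or your pool's IPs) as the allowed list; any session it prints is one where the policy either skipped NAT or a different exit/pool was chosen, which maps directly onto the Common Issues below.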
## Common Issues

- Outbound works, but appears as the wrong public IP. Multiple WANs and the route picked a different exit. Check the routing table.
- Some apps work, others don't. ALG (Application Layer Gateway) interference. Common offender: SIP. Disable SIP ALG if it's mangling VoIP.
- Source port conflicts. Heavy NAT load exhausts ports (especially with fixed-port pools). Switch to overload (default) or add a larger IP pool.
- One LAN client uses too many sessions. Apply a connection limit: `config firewall policy` → `set per-ip-shaper`, or a quota.