NAT configuration is one of the most common sources of connectivity problems on FortiGate firewalls. Even when firewall policies appear correct, traffic may still fail due to NAT misconfiguration. This often leads administrators to troubleshoot routing or policies, while the real issue lies in how NAT is applied.
This article explains the most common FortiGate NAT mistakes and how to fix them using a clear and structured troubleshooting approach.
Users may not be able to access the internet, external users cannot reach internal servers, or port forwarding does not work as expected. Firewall policies look correct, but traffic either fails silently or behaves inconsistently.
These problems usually appear after enabling NAT, switching to Central NAT, creating VIP objects, or modifying firewall policies.
Internet access does not work behind the FortiGate firewall.
Port forwarding is not accessible from outside.
NAT works intermittently.
Firewall policy counters increase but traffic still fails.
Sessions are created but no return traffic is received.
First, verify whether NAT is enabled in the firewall policy.
Check if Central NAT is enabled on the device.
Confirm the correct outgoing interface is selected.
Review VIP configuration if port forwarding is involved.
These quick checks often reveal the problem immediately.
FortiGate supports two NAT modes per VDOM: policy NAT, where source NAT is switched on in each firewall policy, and Central NAT, where source NAT lives in a separate central SNAT table and the NAT option disappears from the policy editor. A very common mistake is expecting a rule written for one mode to apply while the device is operating in the other; the result is a policy that passes traffic without translating it.
Always confirm which mode is active (the central-nat setting under system settings) before adding or reviewing NAT rules, and make sure every rule is created in the section that mode actually uses.
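The same outbound source NAT expressed in each of the two modes, preceded by the check that tells you which mode the VDOM is in. This is an added example, not configuration from the article; the interface names port1 (LAN) and wan1, and the policy and rule IDs, are assumptions. Apply either 2a or 2b for a given device, never both.

```fortios
# Added example. port1, wan1 and the IDs below are assumptions.

# 1. Which NAT mode is this VDOM in? A line reading "set central-nat enable"
#    means Central NAT; no such line means policy NAT.
show full-configuration system settings | grep central-nat

# 2a. Policy NAT mode: source NAT is a per-policy setting. Without
#     "set nat enable" the policy still passes traffic, but the private
#     source address leaves untranslated and replies never come back.
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# 2b. Central NAT mode: "set nat enable" is not accepted inside the policy.
#     The policy only allows the traffic; translation comes from a central
#     SNAT rule that must match the same source/destination interface pair.
#     A policy with no matching central SNAT rule behaves exactly like 2a
#     with NAT disabled.
config system settings
    set central-nat enable
end
config firewall central-snat-map
    edit 1
        set srcintf "port1"
        set dstintf "wan1"
        set orig-addr "all"
        set dst-addr "all"
        set nat enable
    next
end
```

With no IP pool configured, both variants translate to the address of the outgoing interface, which is why the dstintf chosen in the policy (and in the central SNAT rule) decides which public address the traffic carries.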
For internet access, NAT must be enabled in the firewall policy (or in a matching central SNAT rule when Central NAT is on). If the policy allows traffic but NAT is disabled, packets leave the firewall with their private RFC 1918 source address intact; the ISP either drops them or the reply has no route back, so the session shows bytes out and nothing in, exactly the symptom of sessions with no return traffic.
NAT behavior depends on the outgoing interface. With no IP pool, the source address is translated to the IP of the interface chosen as destination interface in the policy, so if the wrong WAN interface is selected the traffic either matches no policy at all or is translated to an address that is not reachable from the path it actually takes. This often happens after ISP changes or interface renaming.
VIP objects are used for destination NAT and port forwarding. Common mistakes include using the wrong external IP address, binding the VIP to the wrong external interface, mismatching protocol or port between the external and mapped side, mapping traffic to the wrong internal IP, or forgetting to reference the VIP in the firewall policy.
A VIP alone does not allow traffic. A matching firewall policy is always required.
For inbound traffic, a firewall policy from WAN to LAN is required. Creating a VIP without the correct firewall policy will cause port forwarding to fail silently. Keep that policy as narrow as the published service allows (the specific service rather than ALL, and a restricted source where possible); a VIP published through an ALL/ALL inbound policy exposes every port the internal host listens on, not just the one you meant to forward.
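A VIP together with the inbound policy that actually makes it reachable, written for policy NAT mode. This is an added example, not configuration from the article; the addresses 203.0.113.10 and 10.0.0.10, the interfaces wan1 and port1, and the object and policy names are assumptions. In Central NAT mode the VIP is applied before the policy lookup and the policy destination is the mapped internal address rather than the VIP object.

```fortios
# Added example. 203.0.113.10, 10.0.0.10, wan1, port1 and the names are assumptions.

# Destination NAT object: external 203.0.113.10:443/tcp -> internal 10.0.0.10:443.
# extintf pins the VIP to the interface that owns the external address;
# protocol/extport/mappedport must agree with what the server actually listens on.
config firewall vip
    edit "vip-web-443"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.0.0.10"
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# The VIP does nothing on its own. Inbound traffic needs a WAN-to-LAN policy
# whose destination is the VIP object, scoped to the published service only.
# "set nat disable" keeps the server seeing real client addresses; enabling
# source NAT here would hide every client behind the LAN interface IP.
config firewall policy
    edit 2
        set name "Inbound-Web"
        set srcintf "wan1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "vip-web-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
        set logtraffic all
    next
end
```

If the server still does not answer, check that its default gateway is the FortiGate LAN interface; a host that routes replies elsewhere produces the same "VIP does not work" symptom even though the VIP and policy are correct.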
Overlapping internal networks or incorrect subnet masks can prevent NAT rules from matching traffic correctly. Always double-check address objects used in policies and NAT rules.
NAT does not fix routing problems. If the default route is missing or incorrect, traffic may be translated properly but still sent to the wrong gateway.
Start by identifying the active NAT mode and ensure all rules match that mode.
Review the firewall policy and confirm NAT is enabled with the correct interfaces.
If port forwarding is used, verify that VIPs are correct and referenced in policies.
Check the routing table to ensure a valid default route exists.
Use firewall logs and session monitoring to confirm NAT is being applied.
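The verification commands for the procedure above: confirm the route, check whether a live session carries a translation, and trace one flow through policy lookup, routing and NAT. This is an added example, not part of the article; the client 10.0.0.50, destination 8.8.8.8, interface wan1 and every sample output line are constructed for illustration.

```fortios
# Added example. 10.0.0.50, 8.8.8.8, wan1 and the quoted output are constructed.

# 1. Routing first: translation is useless if the egress route is wrong.
get router info routing-table details 8.8.8.8
#   expected (constructed): Routing entry for 0.0.0.0/0 ... * 203.0.113.1, via wan1

# 2. Is NAT applied to the live session?
diagnose sys session filter clear
diagnose sys session filter src 10.0.0.50
diagnose sys session filter dport 443
diagnose sys session list
#   A translated session shows act=snat with the public address in parentheses
#   (constructed):
#   hook=post dir=org act=snat 10.0.0.50:51234->8.8.8.8:443(203.0.113.10:51234)
#   hook=pre dir=reply act=dnat 8.8.8.8:443->203.0.113.10:51234(10.0.0.50:51234)
#   act=noop on both hooks means the policy matched but no NAT was applied.

# 3. Trace a single flow end to end.
diagnose debug flow filter clear
diagnose debug flow filter addr 10.0.0.50
diagnose debug flow filter port 443
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
#   (generate traffic from 10.0.0.50 now)
#   Lines to look for (constructed):
#   find a route: flag=04000000 gw-203.0.113.1 via wan1     <- route OK
#   Allowed by Policy-1: SNAT                                <- policy matched, NAT on
#   find SNAT: IP-203.0.113.10(from IPPOOL), port-51234      <- translated address
#   Allowed by Policy-1:            (no "SNAT")              <- policy matched, NAT off
#   Denied by forward policy check (policy 0)                <- no matching policy

# 4. Always switch debugging off afterwards; flow tracing is expensive
#    and noisy on a production firewall.
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
diagnose debug reset
```

Read the three results together: a correct route plus "Allowed by Policy-N" without "SNAT" points at NAT being disabled in the policy or missing from the central SNAT table; "policy 0" means the traffic never matched a policy, so the interface pair or address objects are the problem, not NAT.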
After applying fixes, internet access should work reliably. Port forwarding should be reachable from external networks. Firewall logs should show NAT being applied, and sessions should display translated addresses correctly.
Use a single NAT mode consistently.
Comment all NAT-related policies and VIPs.
Keep NAT configuration as simple as possible.
Enable debug flow tracing only while troubleshooting and switch it off afterward; keep regular traffic logging on for the NAT and VIP policies so that failures remain visible later.
Test changes step by step.
Mixing Central NAT with Policy NAT.
Forgetting to enable NAT in firewall policies.
Creating VIPs without corresponding firewall policies.
Assuming NAT can solve routing problems.
Most FortiGate NAT issues are caused by simple configuration mistakes rather than complex bugs. Understanding how NAT interacts with firewall policies and routing is essential for fast and reliable troubleshooting. A structured approach saves time and prevents unnecessary changes.