FortiGate - Creating SNAT Rules
- Updated on 25 Sep 2023
SNAT rules are required to translate traffic from your servers on their private network to public IP addresses that are reachable from the internet.
To create or modify SNAT rules:
1. Navigate to the 'Central SNAT' page, under the 'Policy & Objects' heading.
2. Click the "+Create New" button.
3. On the 'New Policy' page, set the following values:
Type: IPv4 or IPv6
Incoming Interface: Select your LAN interface.
Outgoing Interface: Select your WAN interface.
Source Address: The SNAT rule will only apply to traffic originating from the IPs you specify here. If you want a default SNAT rule that applies to all your servers behind the firewall, choose 'all'. If you want specific IPs or subnets to SNAT to specific public IPs, set those source addresses here.
Destination Address: The SNAT rule will only apply to traffic destined to the IPs you specify here. If you want traffic destined for specific IP addresses to leave from different source IP addresses, set this field accordingly. For most SNAT scenarios you'll want this set to 'all'.
NAT Section
NAT: The options are NAT or NAT46. Leave this as NAT unless you're translating IPv4 source addresses to IPv6 IP Pools.
IP Pool Configuration: To use the default routing IP for your VDOM, leave this as 'Use Outgoing Interface Address'. Otherwise you can choose a specific IP pool, which can contain one or more IPs to NAT out from.
Protocol: You can choose to only NAT specific protocols if you wish. The default here is 'any'.
Explicit Port Mapping: Mapping based on source ports. This is rarely used as in most cases source ports are random.
The settings shown above are a good example of a 'default SNAT' rule, which catches all traffic destined for the internet and NATs it out of your default routing IP address.
Once you're happy with the rule, click 'OK' to apply.
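The same configuration expressed in the FortiOS CLI, as an added example that is not part of the original page: a specific server subnet translated to a dedicated IP pool address, followed by the catch-all default SNAT rule using the outgoing interface address. The interface names (port1/port2), object names, and addresses (RFC 1918 / RFC 5737 documentation ranges) are assumed; check the exact keywords against your FortiOS version.

```fortios
# Constructed example. Assumed: "port2" is the LAN interface, "port1" is the WAN interface.

# Central NAT must be enabled for the Central SNAT table to be used at all.
config system settings
    set central-nat enable
end

# Address object for the server subnet that should use a dedicated public IP.
config firewall address
    edit "srv-10.0.0.0/24"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# IP pool holding the public address to translate to (overload = many-to-one PAT).
config firewall ippool
    edit "pool-203.0.113.10"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# Rules are matched top-down, so the specific rule (1) sits above the catch-all (2).
config firewall central-snat-map
    edit 1
        set type ipv4
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "srv-10.0.0.0/24"
        set dst-addr "all"
        set protocol 0
        set nat enable
        set nat-ippool "pool-203.0.113.10"
    next
    edit 2
        set type ipv4
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
        set protocol 0
        set nat enable
    next
end
```

`protocol 0` corresponds to 'any' in the GUI, and omitting `nat-ippool` on rule 2 gives the 'Use Outgoing Interface Address' behaviour; `show firewall central-snat-map` displays the resulting table in order.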