What's the difference between "user traffic" and "local-out traffic" on a FortiGate?

A quick refresh on some more FortiGate terms.

This is part of an ongoing series on cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.

Today's article is a quick one. Let's chat about the terms "user traffic" and "local-out traffic" as they pertain to FortiGates.

There are really just a couple of essential points to keep in mind:

  • When a FortiGate is operating in Network Address Translation (NAT) mode, it functions as an IP router. It's directing traffic to various IP networks.
  • There are two types of traffic that could be leaving the firewall:
    • Local-out traffic - This is traffic that is generated by the firewall itself. This could be things like requests for FortiGuard updates... or connectivity diagnostics run from the FortiGate itself.
    • User traffic - Sometimes referred to generically as "firewall traffic" (I know, confusing right?). This is just a label for the data traffic going through the firewall (but originating elsewhere).

FortiGate performs routing for both types of traffic. Simple, right? I told ya, today's article is a quick one 😄.