What's the difference between Central SNAT mode and Policy NAT mode on FortiGates?
Unraveling the differences between these two UI modes.
FortiGate administrators have two choices for how NAT is presented in the GUI admin console. By default, a FortiGate operates in Policy NAT mode, in which NAT settings are configured directly within each firewall policy. As an alternative, admins can enable Central SNAT, which defines and manages source NAT rules in a separate, dedicated table that is independent of the regular firewall policies.
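To make the difference concrete, here is the same outbound source NAT expressed both ways in the FortiOS CLI. This is an added example, not configuration from the original post; the interface names (internal, wan1), the address object LAN_SUBNET and the policy and map IDs are assumed placeholders, and the `#` lines are annotations to strip before pasting into a FortiGate.

```text
# --- Policy NAT mode (the default): NAT is a property of each firewall policy ---
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "internal"          # assumed interface names
        set dstintf "wan1"
        set srcaddr "LAN_SUBNET"        # assumed address object
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable                  # source NAT to the outgoing interface IP, decided per policy
    next
end

# --- Central SNAT mode: the policy only decides accept/deny, NAT lives in its own table ---
config system settings
    set central-nat enable
end

config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN_SUBNET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # no "set nat" here: the option disappears from policies once central NAT is on
    next
end

config firewall central-snat-map
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set orig-addr "LAN_SUBNET"
        set dst-addr "all"
        set nat enable                  # translate to the outgoing interface IP
    next
end
```

Two things to check when working in Central SNAT mode: FortiOS refuses to enable central-nat while existing policies still have NAT enabled, so those policies have to be cleaned up first; and a firewall policy alone is no longer enough to translate traffic. Traffic that matches an accept policy but no central-snat-map entry is forwarded without source translation, so a missing or mis-ordered map entry shows up as private addresses leaving the WAN interface rather than as a blocked flow, which is worth remembering when troubleshooting.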
Why would someone want to consider using Central SNAT? Well, for a few reasons:
- Separation of concerns - This decouples NAT from security policies, so policy management itself is simplified, which may be useful depending on the admin's use cases.
- UI consistency with other vendors - Separating NAT into a different area of the UI is common on other vendors' platforms (Palo Alto, Check Point, etc.), which can ease migration for admins already familiar with them.
- Easier troubleshooting (potentially) - This is somewhat subjective, but separating NAT from security policies can make troubleshooting NAT issues more straightforward.
- Large scale - In environments with many subnets, multiple internet connections, and complex NAT requirements, the Central SNAT feature can help streamline the configuration.
For more information, check out the following resources:


