Skip to main content
PacketMentor logo
Open menu
Home
Training
Learn
CCNA Library (74)
Browse all CCNA topics →
Network (13)
Device Operations (5)
Network Access (12)
Wireless (6)
IP Connectivity (10)
IP Services (11)
Security (10)
Automation (7)
Network+ Library (77)
Browse all Network+ topics →
1.0Networking Concepts (22)
2.0Network Implementation (17)
3.0Network Operations (16)
4.0Network Security (15)
5.0Network Troubleshooting (7)
NSE 4 Library (45)
CCNP Library (26)
Practice
All practice →
Troubleshooting Labs
Packet Tracer Labs
Interactive Simulators
Mock ExamPricing
Contact 📞 +1 (860) 556-3010 Book a Call
← All topics
Fortinet NSE 4 Security Fundamentals Intermediate

FortiGate Firewall Policies — Structure, Order of Operations, NAT Inline

How firewall policies work on FortiOS: the 6 core fields, top-down first-match evaluation, how NAT lives inside the policy, and the diagnostic that tells you which policy matched.

Quick summary
  • A firewall policy on FortiGate has six required parts: **source interface, source, destination interface, destination, service, action**. Everything else (NAT, profiles, logging) is optional.
  • Policies are evaluated **top-down, first match wins.** Order = policy_id — but you can drag-reorder in GUI or use `move` in CLI.
  • **NAT is a field on the policy, not a separate table.** Turn on 'NAT' + pick outbound interface IP or an IP pool. This is FortiGate's fundamental difference from Cisco ASA / IOS NAT.

The one-sentence mental model

A FortiGate firewall policy is a row in a spreadsheet. Each row asks: “For this source coming from this interface going to this destination on this port — allow or deny? Apply NAT? Apply security profiles?” The engine reads rows top-down and stops at the first match.

The six required fields

FieldWhat it means
Incoming InterfaceWhere the packet enters (physical port, VLAN, SD-WAN member, VPN tunnel).
SourceAddress / group / user / device the packet is from.
Outgoing InterfaceWhere the packet must exit — after routing decides.
DestinationAddress / group / FQDN / geography the packet is going to.
ServiceTCP/UDP ports (HTTP, HTTPS, custom-app, service groups).
ActionACCEPT · DENY · IPSEC (put in a specific tunnel).

Optional extras on the same policy:

  • NAT — Enable + choose outbound IP (interface / IP pool).
  • Security Profiles — AV, web filter, application control, IPS, SSL inspection, DLP.
  • Logging — no log / log security events / log all sessions.
  • Traffic Shaping — bandwidth limit / guarantee.
  • Schedule — always / business hours / custom.

Policy order matters — a lot

FortiGate reads policies top-down. First policy whose (interface + source + destination + service) matches the packet wins. Every subsequent policy is skipped for this flow.

Practical rule: put specific rules on top, general rules at the bottom.

policy id 1  — DENY  guest-VLAN → HR-server            (specific)
policy id 2  — ALLOW guest-VLAN → internet             (broad)
policy id 3  — ALLOW LAN        → internet             (broadest)
policy id 4  — DENY  any        → any                  (catch-all — often implicit)

CLI to reorder: config firewall policymove <src-id> before <dst-id>.

NAT lives inside the policy

This is the biggest conceptual shift for engineers coming from Cisco ASA or IOS:

On FortiGate, you don’t write a NAT rule separate from a firewall rule. You write ONE firewall policy that says both “allow this traffic” AND “NAT it”.

policy id 5:
  incoming  = internal
  source    = 10.0.0.0/24
  outgoing  = wan1
  dest      = all
  service   = ALL
  action    = ACCEPT
  NAT       = enable (use outgoing interface IP = SNAT to wan1's IP)

That single policy replaces both a Cisco ACL permit + a ip nat inside source command.

For destination NAT (port forwarding), use a Virtual IP (VIP) object as the destination — the VIP defines the external-IP:port → internal-IP:port mapping and the policy just references it.

Central NAT — the other mode

FortiOS has a global toggle: central-nat enable.

  • Off (default): NAT lives on each policy (as above).
  • On: NAT policies live in a separate central NAT table. Firewall policies just permit/deny; central-NAT rules translate. Closer to the Cisco / Palo Alto model.

Central NAT is preferred when you have many policies sharing the same NAT pool — it deduplicates the NAT config. NSE 4 tests you on knowing the difference and when to switch modes.

Verifying which policy matched

The single most useful diagnostic in FortiOS:

diagnose sys session list
# shows every current session with policy_id + NAT direction

Or a live packet-flow trace:

diagnose debug flow filter addr 10.10.1.5
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 10

The flow trace output shows: which policy matched (policy-id=17), what NAT was applied, which security profile ran, and whether the packet was allowed or denied.

Common exam / real-world mistakes

  1. Not enabling NAT on the outbound policy. Traffic goes through, then can’t return because the source IP is still the private LAN IP. Symptom: outbound TCP handshake fails. Fix: check the NAT checkbox on the policy.
  2. Wrong interface pair. Forgetting to change “outgoing interface” from any when the wrong exit was picked by routing.
  3. Address object leaks. Editing a shared address object silently changes every policy using it.
  4. Assuming policy changes affect existing sessions. They don’t — existing sessions keep matching the old policy until they age out or you clear them.
  5. Overlooking implicit deny. The last policy is always an implicit deny — but it doesn’t log by default. Turn on logging for the implicit-deny rule during troubleshooting to see what’s actually being blocked.

Cheat strip

6 fields   src-if  src  dst-if  dst  service  action
Extras     NAT  |  profiles  |  logging  |  shaping  |  schedule
Order      top-down, first match wins.  Move: move X before Y.
NAT        on the policy (default).  Or global central-NAT table.
DNAT       use a VIP object as the destination.
Trace      diagnose sys session list           (which policy matched)
           diagnose debug flow ...             (live packet path)
Implicit   last rule = deny any. Turn on log to see drops.
Master this on a real network

Want this drilled into reflex?

1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the NSE 4® exam blueprint. Free first session. No card on file until you decide.

Claim my free session →

Get the free CCNA 12-week roadmap

You're already reading up on FortiGate Firewall Policies — Structure, Order of Operations, NAT Inline. The roadmap is the order I recommend studying every CCNA topic in — with what to lab each week and where FortiGate Firewall Policies — Structure, Order of Operations, NAT Inline fits. A written personal reply, not an autoresponder. Expect it within one business day.

Personal reply from a senior network engineer. No third-party tracking. Unsubscribe any time.