Fortigate Limitation

I discovered a real annoying limitation to the Fortigate firewalls today.  And although this limitation wont be encountered on a daily basis, I know this is not a unusual setup, and above that I know that Cisco Pix Firewall support this, as I have done this before.

Suppose the the following scenario:


Suppose traffic from the Big Bad Internet is destined to company  BOB’s application server at

On the Fortigate you create a port-nat to the  server’s internal address of

Assume BOB.COM has their DMZ-Internal VRF behind the firewall. And assume for financial/latency reasons, that BOB.COM has a third-party VRF used by clients from the same ISP to route their traffic via MPLS, destined to This makes sense right, and provides these client with optimal routing to and optionally a back-up via their Internet connection, in the event that something goes wrong in the MPLS network.

But this is where you will get stuck. You won’t be able to create a nat on the Fortigate MPLS interface for, because a Fortigate ties each NAT to ONLY ONE interface. Really silly considering there are a coule scenarios where this would be needed. Obviously there are some work arounds, like doing a double nat or using a different IP via MPLS, but this is non-optimal.

This was reported to Fortigate as a bug, but their reply implied it is a feature,  and something they will not be correcting.


6 thoughts on “Fortigate Limitation

  1. Dear sir
    i’m stuck in the same problem did you found and solution
    in my scenario i have to work in NAT mode with that MPLS Internet Line,
    can’t be in transparent mode.
    thank you.

    1. When you create your Nat instance – You’d Specify the Interface as “Any” that way the Nat can be used from Multiple interfaces; if the Nat was originally created and bound to an Interface and rules applied; the Nat Instance Interface cannot then be changed to “Any” Interface – Unless removes for that Nat temporarily removed – Nat Changed and then Rules re-applied and new Rules added (on Live Device) – with a Fortimanager – the Nat can just be changed to “Any” interface

      1. True – was remedially fixed in a patch – just listing current limitations too – live device vs fortimanager and process :-)

Please leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.