TTechclick All lessons
Fortinet · FortiGate · Firewall Policies + NAT🔥 95% interview hit-rateInteractive · L1 / L2 / L3

FortiGate Firewall Policies + NAT — Policy Lookup, Implicit Deny, and Central NAT in 11 Minutes

Most candidates lose this round because they say "first-match wins" and stop. Recruiters at Indian enterprises, MSPs, and banking + fintech IT teams want the next four lines — policy ID vs sequence, implicit deny, Central NAT override, and the one diag command that settles every argument. This blog gets you there.

📅 2026-05-26 · ⏱ 11 min · 4 SVG infographics · 2 packet visualizers · 🏷 10-Q Bloom-tiered assessment + AI Tutor

Pick your path — jump to your weak spot

1

Policy match basics

Top-down lookup, policy ID vs sequence, the implicit deny at policy 0.

 2

Central vs per-policy NAT

Why they're mutually exclusive — and the silent override gotcha.

 3

VIPs and IP Pools

DNAT for inbound, overload vs fixed-port for outbound, real config.

 4

Debug like an L3

`diag firewall iprope lookup` + sniffer + session table — settle it in 60 seconds.

Why this matters — the dabbawala rule

Think of Mumbai's dabbawalas. Twelve lakh tiffins a day reach the right office through a strict, ordered handoff — the first matching code on the lid wins, even if a more specific code exists further down the route. FortiGate firewall policies work exactly the same. The firewall scans your policy list top-down and the first rule that matches every field (source interface, source IP, destination interface, destination IP, service, schedule, user) wins — no matter how specific a later rule is.

That single sentence is where most L1 candidates pass or fail. Get it right and the next 10 minutes of the interview belong to you.

Scenario · Sneha — L2 network engineer at a Bangalore fintech

Sneha (L1 SOC, 8 months in) gets a ticket: "Sales laptop 10.20.1.50 can hit Salesforce on Monday but not on Tuesday." She finds two policies — Policy ID 7 (src 10.20.1.0/24, dst any, action allow + per-policy NAT) and Policy ID 12 (src 10.20.1.50/32, dst salesforce.com ISDB, action deny, created last Friday by mistake).

Sneha's first instinct: "Policy 12 is more specific, so it must be winning." Wrong. FortiGate evaluates top-down by sequence number, not specificity. Policy 7 sits above Policy 12 → Policy 7 wins every time → traffic is allowed. The Tuesday block was a different cause (FortiGuard ISDB DB refresh briefly empty). She solves it in 90 seconds with one command. We'll see that command at the end.

FortiGate packet engine — layers from ingress to egress Vertical stack showing seven processing layers: ingress interface, routing lookup, policy lookup with top-down match, NAT (per-policy or central), UTM security profiles, session install, and egress. An NPU offload arrow shows fast-path bypass after the first packet. FortiGate Packet Engine — How a packet is actually processed 1. Ingress interface (DPDK / kernel) 2. Routing lookup — pick egress interface + zone 3. Policy lookup (TOP-DOWN, first-match wins) 4. NAT — per-policy NAT OR Central NAT engine 5. UTM / Security profiles (IPS, AV, WebFilter, AppCtrl) 6. Session install — kernel session table 7. Egress interface NPU OFFLOAD (after packet 1) L2/L3 frame FIB lookup policy IDs scanned in order Mutually exclusive Flow OR proxy Stateful Out the wire First packet walks all 7 layers. Subsequent packets of the same session skip to the NPU fast-path → wire-speed.
Figure 1. The FortiGate packet engine. Policy lookup (layer 3) is top-down — every packet of the first packet of a session walks this stack. After session install, the NPU (Network Processor) offloads the flow so packets 2+ bypass the CPU entirely.

Two terms every interviewer will test

Policy ID is the immutable handle the firewall uses to remember a policy (you see it in logs, CLI, references). Sequence number is the position in the evaluation list — and that is what determines match order. Don't conflate the two. Reorder policies via the GUI drag-handle (or move CLI), don't change policy IDs.

🔢
Policy ID
tap to flip

Immutable handle assigned at creation. Shows in logs as policyid=7. Doesn't change when you reorder. CLI reference, not match-order.

📏
Sequence
tap to flip

Position in the evaluation list — this is what controls first-match. Drag-and-drop in GUI or move in CLI to change order.

🚫
Implicit Deny
tap to flip

The invisible last rule: policy 0 — deny all, log violation. Anything not explicitly allowed dies here. Always-on, can't be deleted.

🛡
UTM Profile
tap to flip

IPS / AV / WebFilter / AppCtrl run after the policy allows. A "deny" policy never reaches UTM. So Web Filter blocks are still policy decisions.

The top-down match — see it as a flow

The Tuesday ticket Sneha got isn't unique. Every shift, an L1 confuses specificity with position. Here's the same scenario as a flow you can step through.

Two overlapping policies — first-match wins Horizontal flow showing a packet entering the firewall, encountering Policy ID 7 first (broad allow) and being permitted, while a more specific Policy ID 12 (deny) sits below and never gets evaluated. "More specific" doesn't win — position does Sneha's PC 10.20.1.50 → 8.8.8.8 FortiGate policy table (top-down) ① Policy ID 7 — src 10.20.1.0/24 → any · action: ACCEPT + NAT MATCH ✓ — first hit, evaluation stops here ② Policy ID 12 — src 10.20.1.50/32 → 8.8.8.8/32 · action: DENY never evaluated (Policy 7 matched first) Policy 0 — implicit deny all (catches anything that drops through) FORWARD Lesson: A "more specific" deny below an "allow" never fires. Move Policy 12 ABOVE Policy 7 to make it win.
Figure 2. Two overlapping policies. Even though Policy 12 is more specific (single host, single destination), Policy 7 wins because it sits above. Fix is one drag — move 12 above 7.
Pause & Predict #1

Before you scroll — if Sneha drags Policy 12 (the specific deny) above Policy 7 (the broad allow), what's the order of evaluation, and what gets allowed?

Evaluation now hits Policy 12 first. For source 10.20.1.50 hitting 8.8.8.8: Policy 12 matches → DENY. For source 10.20.1.51 (different host) hitting anything: Policy 12 does NOT match (wrong src), falls through to Policy 7 → ALLOW. The specific deny is now exception-shaped — exactly what most admins want.
Quick check · Q1 of 10

Aman at an Indian IT services firm Pune sees Policy ID 22 (deny tcp/22 to 172.16.5.10) NOT working — admins can still SSH. The policy LIST shows Policy 22 below an "allow internal-net to any" Policy ID 5. Why?

Correct: b. First-match wins by sequence, not by ID or specificity. Policy 5 sits above and is broader — it matches before Policy 22 is even considered. Fix: drag Policy 22 above Policy 5 in the GUI (or config firewall policy → move 22 before 5). Lower policy ID does NOT mean higher priority — it's just an auto-numbered handle.

Central NAT vs per-policy NAT — the silent override

FortiGate gives you two NAT modes. They're mutually exclusive at the VDOM level — the second you enable Central NAT, every per-policy NAT setting you carefully tuned is silently bypassed. This is one of the top three Fortinet interview traps.

Per-policy NAT is what every new FortiGate ships with. Each IP Pool binds inside a single policy via the nat toggle and the ippool reference. Visible, scoped, easy to audit.

Central NAT moves NAT into a separate dedicated policy table (Policy & Objects → Central SNAT). Per-policy nat toggles still appear in the GUI but are ignored — Central NAT decides everything. New admins miss this and lose hours.

Decision tree — when to use Central NAT vs per-policy NAT Branching tree starting from the question of whether you need many policies sharing one NAT mapping, leading to Central NAT, versus needing per-policy custom NAT logic, leading to per-policy NAT with sub-branches for IP Pool, fixed-IP, and overload. Should I enable Central NAT? Do many policies share the same NAT IP-pool / mapping? YES → Central NAT One NAT table, applied centrally config system settings set central-nat enable ⚠ Silent-override gotcha Per-policy NAT toggles still SHOW in the GUI but are IGNORED. Central NAT wins, silently. Audit your config after enabling. NO → Per-policy NAT (default) Each policy owns its NAT toggle IP Pool Overload (PAT) Fixed Port 1:1 src port VIP / DNAT Inbound only Rule of thumb: stay on per-policy NAT (default). Switch to Central NAT only when an MSP-style requirement says all 200+ policies share ONE consistent SNAT pool. Hard-to-undo decision.
Figure 3. Central NAT vs per-policy NAT decision tree. The red warning box is what burns most new admins — per-policy NAT settings remain visible after enabling Central NAT, but are silently ignored.
The #1 NAT-mode trap

You enable Central NAT for a one-off project. Three months later, a new admin opens a per-policy NAT toggle, sees it's ON, and assumes per-policy NAT is happening. It isn't. Central NAT silently owns the translation. The clue? config system settings → get | grep central-nat. Read it before every NAT debug.

Quick check · Q2 of 10

Pooja at an Indian enterprise Noida inherits a FortiGate. Policy 14 has NAT toggle ON and references IP-Pool pool-A. But traffic egresses with the firewall's interface IP, not pool-A's range. What's the most likely cause?

Correct: c. Central NAT (config system settings → set central-nat enable) silently overrides per-policy NAT. Per-policy toggles still show in the GUI but are ignored. Either disable Central NAT and use per-policy, or move the NAT entry into Central SNAT. Option d is wrong — exhausted IP Pool drops sessions, doesn't silently fail over.

VIPs and IP Pools — what each one actually does

Two NAT building blocks confuse interview candidates more than anything else:

Comparison matrix — SNAT vs DNAT vs VIP vs IP Pool vs Central NAT A 5-column comparison table comparing SNAT, DNAT/VIP, IP Pool, and Central NAT across five attributes: what it translates, where it is configured, when it triggers, default behavior, and a common use case. SNAT · DNAT/VIP · IP Pool · Central NAT — at a glance Attribute SNAT DNAT / VIP IP Pool Central NAT What it translates Source IP+port (outbound) Destination IP+port (inbound) Source IP from pool (SNAT helper) Source IP (SNAT) in separate table Where configured Per-policy `nat` toggle firewall vip object firewall ippool Central SNAT policy table When triggered Egress, after policy match Ingress, BEFORE policy lookup When policy references pool Any matching SNAT entry Default behavior Use egress intf IP (if no IP Pool) No port translation (unless `portforward`) Overload (PAT) — share IP w/ ports Overrides per-policy silently Common use case User → Internet (branch office) Publish DMZ web server / API Multi-public-IP egress MSP / large fleet shared SNAT Read each row across left-to-right. The defaults column is what new admins miss most often.
Figure 4. Comparison matrix. Notice DNAT/VIP triggers BEFORE policy lookup (so the policy sees the post-DNAT destination IP) — that's why VIPs need a security policy referencing the internal IP, not the public one.

Real config — publishing a DMZ web server

Karan at an Indian IT services firm Pune publishes 10.30.5.100 (Apache on the DMZ) on public IP 203.0.113.10. The full FortiOS config:

CLI — create VIP + policy 
config firewall vip
    edit "vip-webapp-public"
        set extip 203.0.113.10
        set mappedip "10.30.5.100"
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    edit 0
        set name "Inbound-Webapp-DMZ"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-webapp-public"
        set service "HTTPS"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
Expected output of `show firewall policy 0` 
config firewall policy
    edit 21
        set name "Inbound-Webapp-DMZ"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-webapp-public"
        set service "HTTPS"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
The "use the VIP, not the IP" tip

In the security policy, dstaddr is the VIP object (vip-webapp-public) — NOT the internal IP 10.30.5.100, and NOT the public IP 203.0.113.10. FortiGate auto-resolves the VIP to the right side at policy match time. Mess this up and the rule never fires. This is THE classic VIP interview question.

▶ Watch a packet walk the policy engine — Outbound SNAT

Sneha's session — full 6-stage journey from her laptop at a Bangalore fintech to 8.8.8.8.

① INGRESS 10.20.1.50:512348.8.8.8:443
From Sneha's PC on interface port5 (zone: internal-lan)
② ROUTE FIB lookup → next-hop wan1 (default gateway), egress interface set
③ POLICY LOOKUP Top-down match — Policy ID 7 (src 10.20.1.0/24 → any, action accept) wins
④ NAT Policy 7 has nat enable + ippool overload-pool-wan1 → translate source
⑤ TRANSLATE 203.0.113.5:621178.8.8.8:443
Session installed in kernel table — packet 2+ skips lookup, uses NPU fast-path
⑥ EGRESS Packet leaves wan1. Internet sees only 203.0.113.5.
Press Play to step through the 6 stages of the FortiGate packet flow. Each Next advances one stage.
Scenario continued · Sneha solves a "VIP not working" call

Two hours later, Sneha gets another ticket — the webapp on 203.0.113.10 is "not reachable from the internet." She checks the VIP object — looks fine. She checks the policy — source all, dest is the VIP object, service HTTPS, action accept. Still nothing.

One thing she missed: the policy's dstintf was set to wan1 (the public-facing interface). For an inbound VIP, the destination interface is the internal zone where the real server lives (dmz). FortiGate resolved the VIP, but no policy from wan1 → dmz referenced it. She flips dstintf to dmz. Webapp loads. 4-hour ticket closed in 7 minutes.

Pause & Predict #2

If two VIP objects map the SAME public IP+port to two different internal servers and both are referenced by different policies — which one wins?

The first policy in top-down order that has a matching VIP wins. FortiGate does NOT match by "most-specific VIP" — it matches the policy first, then resolves whatever VIP that policy references. So if two VIPs overlap, the policy positioned higher decides. This is a real gotcha during VIP cleanup: a stale VIP under a high-position policy keeps stealing traffic.

▶ The "first-match wins" drama — two overlapping policies

Same packet, but Policy 12 (specific deny) is below Policy 7 (broad allow). Watch what happens.

① ARRIVE Packet from 10.20.1.50:512348.8.8.8:443 enters firewall
② CHECK POLICY 7 src 10.20.1.0/24 → any · MATCHES · action: accept + NAT
③ STOP First match wins → evaluation halts. Policy 12 (deny) is never evaluated.
④ NAT + FORWARD Per-policy NAT runs → source translated → packet exits wan1
⑤ ADMIN CONFUSED "But I HAVE a deny rule for this exact host!" — yes, but it sits below the allow
⑥ FIX Drag Policy 12 ABOVE Policy 7 in the GUI. Done. 30-second fix once you know the rule.
Same firewall, same packet, different rule order. The lesson: order is everything.
Quick check · Q3 of 10

Anil at an Indian MSP Mumbai wants to publish two internal apps (App-A on 10.30.5.10, App-B on 10.30.5.20) on a single public IP 203.0.113.10 using port-based DNAT. App-A on :443, App-B on :8443. Best FortiGate approach?

Correct: c. Two separate VIPs with portforward enable, each mapping a different external port to a different internal host. FortiGate matches the destination port to pick the right VIP. IP Pools are SNAT not DNAT — wrong tool. Single VIP without port-forwarding can only do 1:1 IP mapping, not port-based fan-out.

Debug like an L3 — settle every NAT argument in 60 seconds

Vikram, an L3 at an Indian security firm, doesn't argue about policies. He runs one command. You should too.

CLI — the policy lookup test (no live packet needed) 
diagnose firewall iprope lookup 10.20.1.50 8.8.8.8 80
Expected output (good case — matched Policy 7) 
vd: root/0
iprope_lookup_check_ctx flag(0,0,0,0) tablecnt=14
gnum 100004 flag 0x2 prio 0
iprope_lookup_pol_in_check, prio 0
gnum 100004 (firewall policy)
policy id 7 - matched
    src: 10.20.1.0/24
    dst: 0.0.0.0/0
    action: 1 (accept)
    nat: 1

One command tells you which policy ID matched, whether NAT applied, and the action taken. No tcpdump. No guessing. No "let me check with the network team."

FortiGate policy + NAT CLI cheat-sheet A 3-column grid of nine mini-tiles, each showing a FortiOS diagnostic CLI command and the one-line use case for debugging policy lookups, session tables, VIPs and IP Pools. CLI cheat-sheet — nine commands that settle every argument ① POLICY LOOKUP diag firewall iprope lookup <src> <dst> <port> Settle "which rule won?" ② SNIFF PACKET diag sniffer packet any 'host 10.20.1.50' 4 0 l See raw traffic on all intfs ③ SHOW POLICY show firewall policy <id> Confirm the running config ④ SESSION TABLE diag sys session list | grep policy_id Real sessions by policy ⑤ GET VIP get firewall vip <vip-name> DNAT mapping verification ⑥ GET IP POOL get firewall ippool SNAT pool definitions ⑦ HA CHECKSUM diag sys ha checksum show Detect HA config drift ⑧ DEBUG FLOW diag debug flow filter + diag debug enable Full per-packet decision trace ⑨ CENTRAL NAT? get system settings | grep central-nat Detect silent NAT override Bookmark this page. These 9 commands handle ~80% of policy/NAT incidents in the field. Tested on FortiOS 7.4 / 7.6. Output format identical on FortiGate VM, FortiGate 60F, 100F, 600F.
Figure 5. Cheat-sheet — 9 commands that handle ~80% of policy + NAT incidents. Print this page or screenshot it for your lab bench.
Verify the fix worked

After any policy change, run:

diagnose firewall iprope lookup 10.20.1.50 8.8.8.8 80

Expected: policy id 7 - matched with action: 1 (accept). If you get action: 0 (deny) or policy id 0, the implicit deny fired — your rule didn't match.

The implicit-deny trap that costs interviews

Most candidates know "there's a deny at the end." Few can explain that it logs. The implicit deny at policy 0 drops the packet, AND when you enable set logtraffic all on the implicit-deny entry (config firewall policy → edit 0 → set logtraffic all), every dropped session shows up in forward traffic logs as policyid=0 with action deny. That's how Vikram's L3 team spots reconnaissance — a flood of policyid=0 entries from one source IP means someone is sweeping.

Pro tip — sequence over policy ID

When you write a runbook, document policies by sequence position (or by name) NOT by policy ID. IDs are stable across reorders, but they're meaningless to readers. "Policy at sequence 3 — Allow-Internal-DNS" tells the reader where to look. "Policy ID 47" does not.

2024 incident every Fortinet candidate must know — CVE-2024-47575 "FortiJump"

In late 2024, Mandiant traced UAG UNC5820 exploiting a missing-authentication flaw in FortiManager's fgfmsd daemon (CVE-2024-47575, CVSS 9.8). Attackers compromised the FortiManager, then pushed rogue firewall policies to managed FortiGates — typically broad "any-any-allow" internal rules — as their lateral-movement pivot. ~50+ FMG devices found compromised globally.

Defensive lesson for this blog: "any-any-allow" internal policies aren't just bad hygiene — they're the literal IOC for this campaign. Audit every internal policy for srcaddr=all + dstaddr=all + action=accept on east-west zones. Replace with explicit zone-to-zone rules. Source: Tenable PSIRT advisory.

Pause & Predict #3

Riya runs diag firewall iprope lookup 10.20.1.50 1.1.1.1 53 and the output shows policy id 0 - matched · action: deny. The user reports DNS not working. What's the next single command Riya should run?

diagnose debug flow filter saddr 10.20.1.50 followed by diagnose debug flow trace start 5 + diagnose debug enable. That tells her WHY no allow policy matched — wrong src interface, missing service, wrong schedule, etc. The iprope lookup confirmed "no rule allowed it"; the debug flow tells her which field of which rule was the mismatch. Top L3 muscle memory.

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer. Tuned on FortiOS 7.4 / 7.6 docs + community.

Pre-curated answers grounded in FortiOS 7.4 / 7.6 docs + LIVECommunity. For complex prod issues, paste your diag firewall iprope lookup + show firewall policy output into chat.techclick.in.

📝 Final round — seven more

You've already answered 3 inline. Seven more. 70% (7 of 10) total marks this lesson complete on your Techclick profile. Tap Submit all answers at the end.

Q4 · Remember

Neha at an Indian IT services firm Bangalore is asked: "What happens to traffic that does not match any explicit firewall policy on a FortiGate?"

Correct: a — implicit deny at policy 0. Default-deny is non-negotiable. Option b inverts the default. FortiManager doesn't get inline traffic. There's no quarantine queue. The only correct framing is "explicit allow OR drop". Memorize for interviews — this is a top-3 Fortinet L1 screening question.
Q5 · Apply

Aditya at an Indian IT services firm Bangalore needs to NAT outbound traffic from 10.20.0.0/16 to use a pool of 4 public IPs. The same firewall also publishes a webapp via VIP. The interviewer asks: "What single setting must NOT be enabled if you want the per-policy NAT toggles on each policy to work as configured?"

Correct: d. Central NAT is the silent override — once on, per-policy NAT toggles still appear in GUI but are ignored. HA, RPF and NPU offload don't change NAT mode. This is the highest-frequency NAT trap in Fortinet interviews.
Q6 · Apply

Karthik at an Indian security firm writes this VIP for an inbound webapp: extip 203.0.113.10, extport 443, mappedip 10.30.5.100, mappedport 8443, portforward enable. He then writes a security policy: srcintf wan1, dstintf dmz, srcaddr all, dstaddr 10.30.5.100 (the internal IP), service HTTPS, action accept. Inbound doesn't flow. Why?

Correct: b — reference the VIP object. FortiGate's VIP system needs the policy's dstaddr to be the VIP object name; the firewall then resolves the public→private mapping at lookup time. Using the bare internal IP makes the policy invisible to the inbound DNAT'd packet flow. Option c is false — port mapping is fine (443→8443). Option d is false — VIPs are protocol-agnostic when portforward is on.
Q7 · Analyze

Aman runs diagnose firewall iprope lookup 10.20.1.50 8.8.8.8 53 and gets policy id 7 - matched · action: 1 (accept) · nat: 1. But Sneha's laptop still can't resolve DNS. Forward-traffic logs show no entry for the user's IP. What's the most likely cause?

Correct: a. The iprope lookup is hypothetical — it tells you "if a packet with these tuples arrived, here is the rule that would match." It doesn't prove the packet arrived. No log entry = packet never hit the firewall. Run diag sniffer packet any 'host 10.20.1.50' 4 0 l to confirm arrival. If silent, fix is upstream (laptop default gateway, VLAN, ARP, switch port).
Q8 · Analyze

A FortiGate has been running Central NAT for 6 months. New admin disables Central NAT to "simplify". Within 10 minutes, half the internal subnets stop reaching the internet. Why?

Correct: d. The classic "silent dependency" trap. Because Central NAT was doing SNAT for everyone, nobody bothered to enable the per-policy NAT toggle. Disabling Central NAT removes the SNAT — and now policies that allowed but had nat disable let traffic out with private source IPs. Always migrate one direction at a time: enable per-policy NAT on each policy first, validate, THEN disable Central NAT.
Q9 · Evaluate

An auditor proposes: "To meet the new compliance rule that every internal flow must be explicitly allowed, just create one srcintf=any → dstintf=any · srcaddr=all · dstaddr=all · service=ALL · action=accept policy and add the logtraffic toggle so we audit everything." Is this proposal sound?

Correct: c. "Allow-all + log" is NOT compliance — it's the exact IOC pattern Mandiant flagged in the 2024 FortiJump campaign. Real least-privilege requires explicit zone-to-zone, service-scoped rules. Logging a wide-open allow tells you what got through; it doesn't stop anything. Reject the auditor's proposal politely and provide zone-mapped alternatives.
Q10 · Evaluate

A small office has 50 users behind 1 public IP on a FortiGate 60F. The team plans VoIP rollout. SIP softphones rely on consistent source-port mapping. Their current SNAT is per-policy NAT with default IP Pool overload. Pick the right move.

Correct: b. SIP needs port stability; overload PAT remaps the source port and breaks SIP NAT-traversal. The clean fix is a separate IP Pool in fixed-port mode, applied only to the VoIP policy (positioned above the general egress policy), keeping the rest on overload to conserve ports. Option a kills connectivity; option c is over-correction; option d is expensive and unnecessary.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the section that tripped you up and tap "Try again".

Self-explanation prompt

In 2-3 sentences, explain to a hypothetical batchmate: "Why doesn't a more specific deny policy win against a broader allow above it in FortiGate?" Writing it out cements the concept faster than re-reading.

📤 Teach a friend on WhatsApp: Share

📖 Mini-glossary — terms used in this blog

FortiGate
Fortinet's flagship NGFW running FortiOS.
Policy lookup
Top-down scan of the policy list to find the first matching rule.
Implicit deny
The invisible policy 0 that drops anything not explicitly allowed.
VIP (Virtual IP)
FortiOS DNAT object — maps external IP:port → internal IP:port.
IP Pool
Set of public IPs used for outbound SNAT. Modes: overload, fixed-port, etc.
SNAT
Source NAT — translates source IP/port (outbound, sharing public IPs).
DNAT
Destination NAT — translates destination IP/port (publishing internal servers).
Central NAT
Alternative NAT model — one global SNAT table, overrides per-policy NAT.
FGCP
FortiGate Clustering Protocol — the HA protocol covered in Blog 3.
NPU
Network Processor Unit — ASIC that offloads established sessions for wire-speed.
VDOM
Virtual Domain — FortiGate's logical multi-tenancy split.
Where this gets asked: This is the first technical filter at Indian enterprises, MSPs, and banking + fintech IT teams's L1 SOC interviews — get policy-match, implicit deny, and Central NAT right and you're past the screen. L2 and L3 rounds add the diag firewall iprope lookup command and the CVE-2024-47575 awareness check.

What's next?

Blog 2 opens up FortiGate VPNs — IPsec Phase 1 / Phase 2, SSL VPN, and how to harden them against the CVE-2024-21762 + CVE-2024-55591 exploitation wave still active across 2025.

Blog 2 · FortiGate VPNs (CVE-hardened) → ← All Fortinet lessons

📚 Sources

  1. Fortinet Docs — Firewall Policy (FortiOS 7.4 / 7.6 Administration Guide). docs.fortinet.com
  2. Fortinet Docs — Central SNAT and Central NAT. docs.fortinet.com (FortiOS 7.6)
  3. Fortinet Docs — VIPs and IP Pools — Configuration and Use Cases. docs.fortinet.com
  4. NWKings — Top 20 Fortinet Firewall Interview Questions and Answers (2025). nwkings.com/fortinet-firewall-interview-questions-and-answers
  5. UniNets — Top Fortinet Firewall Interview Q&A 2025. uninets.com/blog/fortinet-firewall-interview-questions-answers
  6. MindMajix — Top Fortinet Interview Q&A 2025. mindmajix.com/fortinet-interview-questions
  7. Tenable Blog — CVE-2024-47575 FAQ: FortiJump Zero-Day in FortiManager. tenable.com/blog/cve-2024-47575-faq-about-fortijump-zero-day-in-fortimanager
  8. GitHub yuriskinfo — FortiGate debug-diagnose complete cheat sheet. github.com/yuriskinfo/cheat-sheets
  9. Fortinet Community — Troubleshooting Tip: Using the FortiOS built-in packet sniffer. community.fortinet.com