Network Address Translation (NAT)
- Beware of misconfiguring the IP pool range. Double-check the start and end IPs of each IP pool. The IP pool should not overlap with addresses assigned to FortiGate interfaces or to any hosts on directly connected networks.
- If you have internal and external users accessing the same servers, use split DNS to offer an internal IP to internal users so that they don’t have to use the external-facing VIP.
- Do not enable NAT for inbound traffic unless it is required by an application. If, for example, NAT is enabled for inbound SMTP traffic, the SMTP server might act as an open relay.
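
The IP pool check from the first item can be automated before a change is committed. The following is an added example, not part of the original page or of any Fortinet tooling; the function name, interface names, addresses and host inventory are constructed sample values.

```python
import ipaddress

def check_ip_pool(start, end, interfaces, hosts):
    """Return a list of problems found for one IP pool.

    interfaces: {name: "address/prefix"} as configured on the firewall
    hosts:      {name: "address"} known hosts, e.g. from an inventory export
    """
    problems = []
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first.version != last.version:
        return [f"start {first} and end {last} are different IP versions"]
    if first > last:
        problems.append(f"start {first} is higher than end {last}")
        first, last = last, first  # keep checking the range that was meant

    def in_pool(addr):
        return addr.version == first.version and first <= addr <= last

    connected = {}
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        connected[name] = iface.network  # directly connected network
        if in_pool(iface.ip):
            problems.append(f"interface {name} address {iface.ip} is inside the pool")

    for host, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        if not in_pool(ip):
            continue
        for name, net in connected.items():
            if ip in net:
                problems.append(f"host {host} ({ip}) on the {name} network is inside the pool")
    return problems

if __name__ == "__main__":
    # Constructed sample data using documentation address ranges.
    interfaces = {"wan1": "203.0.113.1/24", "internal": "192.168.1.99/24"}
    hosts = {"upstream-router": "203.0.113.2", "mail": "192.168.1.10"}
    for pool in (("203.0.113.1", "203.0.113.20"), ("203.0.113.10", "203.0.113.20")):
        found = check_ip_pool(*pool, interfaces, hosts)
        print(pool, "->", found or "no overlap")
```
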