Fortigate – Changing outbound nat IP with IP Pools

Sometimes it is necessary to change IP address used to talk with the internet that the internal client is using. For instance it is always important to make sure your SMTP server is using the same outbound IP used for inbound traffic. I have seen this cause a good many mail servers to be blacklisted by ISPs. In the following entry we will change the IP the client is using for outbound nat.

This technique has many awesome benefits, you can nat into this IP (IP pool) only when going to a certain destination.. etc. For example, if you had to change your source IP when accessing a destination across a VPN tunnel. That example might be very important in a medical field where I have found you almost always have to nat your private traffic to a public address when accessing the VPN hosts.

The internal client address is, external IP is In this example I only want this one internal client to be natted out of

So we have to create a Virtual IP pool . We create the Virtual IP pool by going to Policy and objects – objects – IP Pools

IP pool-create

We then can setup the pool. Notice the options

– Overload allows PAT, so many ip addresses, to one public.
– One-to-One allows one IP to that public IP
– We also have the option to nat into a Public Range of addresses

We also want this device to answer VIA Arp for

Now lets create our IPv4 Policy to allow our private IP address to be allowed to the internet (WAN1) and to be natted VIA this IP pool. I created the address object for my private host already.


So after creating our IPV4 policy, we have one thing left to do – make sure this is one of our first policies hit when tries to access the internet. So lets make sure its at the top of our list, or at least above our default nat rule.


That’s it! if you now go to a site such as or you will see if you are coming from

3 responses to “Fortigate – Changing outbound nat IP with IP Pools

  1. raymondcidad April 12, 2018 at 8:09 pm

    Hey, good post.
    exactly what I need for the PBX,
    now, on what interface you configure that IP? on the same Interface as “secondary IP”?

    • cjcott01 April 13, 2018 at 3:52 am

      Thanks for the comment. You do not set that IP up as a secondary or assign to an interface. You create the IP Pool then use it in an outbound firewall policy. The destination interface (which you would be natting out of) is assigned in the firewall policy.

      • raymondcidad April 13, 2018 at 11:39 am

        um… well, but somehow you need to assign the IP on the WAN to be able to route in and do the virtual IP rules right?
        I mean, to be able to show that different IP, yes, is not needed, but if you then need to route in from that public IP, need to be setup some how… ?

Leave a Reply

%d bloggers like this: