
Administration Guide

Summary

Here’s a summary table of FortiADC’s Layer 4 deployment modes with their features and differences.

Traffic Flow - Incoming
  • DNAT: Client ⟶ FortiADC ⟶ Server
  • FULLNAT: Client ⟶ FortiADC ⟶ Server
  • Direct Routing: Client ⟶ FortiADC ⟶ Server
  • NAT46: IPv4 Client ⟶ FortiADC ⟶ IPv6 Server
  • Tunneling: Client ⟶ FortiADC ⟶ Server

Traffic Flow - Outgoing
  • DNAT: Server ⟶ FortiADC ⟶ Client
  • FULLNAT: Server ⟶ FortiADC ⟶ Client
  • Direct Routing: Server ⟶ Client
  • NAT46: IPv6 Server ⟶ FortiADC ⟶ IPv4 Client
  • Tunneling: Server ⟶ Client

VIP Handling
  • DNAT: VIP configured only on FortiADC
  • FULLNAT: VIP configured only on FortiADC
  • Direct Routing: VIP configured on both FortiADC and real servers (as loopback, no ARP)
  • NAT46: VIP configured only on FortiADC
  • Tunneling: VIP configured on both FortiADC and real servers (as loopback, no ARP)

Client IP Preservation
  • DNAT: Yes
  • FULLNAT: No, but FortiADC supports client IP insertion via TCP Application Profile settings
  • Direct Routing: Yes
  • NAT46: No
  • Tunneling: Yes

Key Requirements

DNAT
  • Server’s default gateway is FortiADC

FULLNAT
  • Configure a source NAT pool on FortiADC
  • Optional: client IP insertion via TCP Application Profile

Direct Routing
  • Servers must support asymmetric routing
  • VIP set as non-ARP loopback on real servers

NAT46
  • NAT46 source pool required

Tunneling
  • Servers must support asymmetric routing
  • Real server (tunnel destination) is usually the public IP of the perimeter device

Use Cases
  • DNAT: Standard data center deployments
  • FULLNAT: Environments needing full control over both directions
  • Direct Routing: Performance-driven environments needing true client IP
  • NAT46: Bridging IPv4 clients to IPv6-only back-ends
  • Tunneling: Multi-site, remote DC, or cloud deployments
