Creating a security policy
To allow Internet users to reach the server, go to Policy & Objects > IPv4 Policy and create a new policy.
Set Incoming Interface to your Internet-facing interface, Outgoing Interface to the interface connected to the server, and Destination Address to the VIP group.
NAT is disabled for this policy so that the server sees the original source addresses of the packets it receives. This is the preferred setting for a number of reasons. For example, the server logs are more meaningful if they record the actual source addresses of your users.
If the FortiGate has Central NAT enabled, the VIP objects won't be available for selection in the policy editing window.