In FortiOS 7.6, when a FortiGate is operating in NAT mode, physical interfaces that participate in traffic forwarding (such as LAN and DMZ) must meet certain fundamental requirements.
Correct statements
D. Both interfaces must have IP addresses assigned.
Correct
In NAT mode, FortiGate operates as a Layer-3 device.
Every interface that forwards traffic must have an IP address.
Without an IP address:
- The interface cannot participate in routing
- Firewall policies cannot be applied correctly
This is a mandatory requirement.
C. Both interfaces must have directly connected routes on the routing table.
Correct
When an IP address is assigned to an interface, FortiGate automatically installs a connected route for that subnet in the routing table.
These connected routes are required so FortiGate:
- Knows how to reach the locally attached networks
- Can forward traffic between LAN and DMZ
While administrators do not manually create these routes, their presence is required for correct operation.
Why the other options are incorrect
A. Both interfaces must have DHCP enabled and roles assigned.
Incorrect
DHCP is optional; interfaces can use static IPs.
Interface roles (LAN, DMZ, WAN) are administrative/GUI aids, not functional requirements.
B. Both interfaces must have the interface role assigned.
Incorrect
Interface roles affect GUI grouping and some default behavior.
They are not required for NAT mode operation or traffic forwarding.
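The two requirements above (an IP address on each forwarding interface and a matching connected route) can be checked offline against saved CLI output. The following is an added example, not part of the original explanation: the port names, addresses and both sample excerpts are constructed, and the parser assumes the usual `show system interface` and `get router info routing-table all` text layout.

```python
import ipaddress
import re
# Constructed samples (assumed names/addresses): interface config and routing table.
SAMPLE_CONFIG = """config system interface
    edit "port2"
        set ip 10.0.1.254 255.255.255.0
    next
    edit "port3"
        set ip 10.0.2.254 255.255.255.0
    next
    edit "port4"
        set role dmz
    next
end
"""
SAMPLE_ROUTES = """C       10.0.1.0/24 is directly connected, port2
C       10.0.2.0/24 is directly connected, port3
"""

def interface_subnets(config):
    """Map interface name -> subnet from 'set ip', or None when no address is set."""
    subnets, name = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["edit"]:
            name = tok[1].strip('"')
            subnets[name] = None
        elif tok[:2] == ["set", "ip"] and name:
            net = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
            subnets[name] = net if net.prefixlen else None  # 0.0.0.0/0 means unset
    return subnets

def connected_routes(table):
    """Set of (subnet, interface) pairs taken from the 'C' lines."""
    pat = re.compile(r"^C\s+(\S+) is directly connected, (\S+)", re.M)
    return {(ipaddress.ip_network(n), i) for n, i in pat.findall(table)}

def audit(config, table, forwarding):
    """Findings for forwarding interfaces lacking an IP or a connected route."""
    subnets, routes = interface_subnets(config), connected_routes(table)
    findings = {}
    for name in forwarding:
        net = subnets.get(name)
        if net is None:
            findings[name] = "no IP address"
        elif (net, name) not in routes:
            findings[name] = f"no connected route for {net}"
    return findings
```

In the sample, port3 passes with no role set, while port4 has a role but no address and is the only interface flagged.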