Central NAT: In this mode, NAT configuration is completely separated from firewall policies. All SNAT (Source NAT) and DNAT (Destination NAT) rules are centrally managed in dedicated NAT rule sets, while firewall policies only handle traffic matching and security inspection, without directly managing address translation. SNAT and DNAT can be configured in the NAT rule page or via CLI using config firewall central-snat-map / config firewall central-dnat-map, and there is no need to configure NAT within the policies themselves. This makes policy configuration cleaner and ensures that changes to policy order do not affect NAT behavior. The advantages of Central NAT include centralized management, clarity, and ease of maintenance, especially suitable for large networks, multi-WAN environments, or scenarios where multiple policies share the same NAT address. Central NAT also supports unified auditing and bulk modifications, facilitating operations and policy optimization, though it may be slightly more complex for small deployments.

Policy-based / Regular NAT: Also known as traditional NAT mode, in this approach NAT is tightly coupled with firewall policies. SNAT is configured directly in the firewall policy to control source address translation for outbound traffic, while DNAT is typically configured via VIP (Virtual IP) objects and referenced in policies to handle destination address translation for inbound traffic. Each policy manages both traffic matching and NAT application, allowing flexible per-policy configuration of source NAT, destination NAT, or bidirectional NAT. This method is straightforward and suitable for small networks or scenarios where NAT rules correspond one-to-one with policies. However, in environments with many policies, complex links, or where centralized NAT management is needed, maintenance can become more challenging. Care must be taken to manage policy order and ensure correct VIP references.