Thursday, August 4, 2011

FortiGate 200B - Central NAT Table causes potential performance issues

I just had the pleasure of dealing with a strange issue on a FortiGate 200B running 4.0 MR3.  The client was reporting slow internet browsing from their hosted offsite Citrix server (which is behind the FortiGate).  They were able to connect to their Citrix server without any problems, run all of their applications at normal speeds, print, etc. just fine, but when you launched Internet Explorer from within the Citrix session, it would give sporadic results.  Most pages were just very slow to come up, others would load only half of the page, and some would just load the title bar.  I checked to make sure that it was not just the Citrix server, but it was also happening from their Small Business Server, their Microsoft SQL Server, and other line-of-business application servers in their environment, although the Citrix server seemed to be the worst.

I went over to SpeedTest.net to run a quick speed check and it failed.  Yes, failed.  I have seen some strange results from that site but I had never seen it actually say fail.  I was able to get it to fail repeatedly from their environment but it worked everywhere else I tested from outside of their environment.

After looking over the rules on the firewall and looking at performance counters, my co-worker wanted me to try and change the outbound NAT policies on the FortiGate from "Use Central NAT Table" to "Use Dynamic IP Pool".  Since then, the problem seems to have gone away and internet browsing speed has returned to normal.  SpeedTest.net also now completes successfully from their environment.
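For reference, here is what the two NAT modes contrasted above look like in the FortiOS CLI. This is an added illustration, not configuration taken from the author's device: the interface, address and pool names are placeholders, 203.0.113.10 is a documentation-range address standing in for the real public IP, and the field names follow the 4.0 MR3 CLI as the editor recalls them, so confirm each one with the unit's own "?" help before applying. Lines beginning with # are annotations, not CLI input.

```text
# Added example: central NAT table vs. per-policy dynamic IP pool (FortiOS 4.0 MR3).
# Placeholder names: "internal", "wan1", "lan-net", "outbound-pool".

# --- Shared: a dynamic IP pool holding the public address to translate to ---
config firewall ippool
    edit "outbound-pool"
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# --- Variant A: "Use Central NAT Table" (what the client had) ---
# The policy only says "consult the central table"; the actual source->pool
# mapping lives in a separate, order-dependent table, so a session can be
# translated by a rule nobody is looking at when they read the policy.
config firewall central-nat
    edit 1
        set orig-addr "lan-net"
        set nat-ippool "outbound-pool"
    next
end
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lan-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set central-nat enable
    next
end

# --- Variant B: "Use Dynamic IP Pool" (the change that restored normal browsing) ---
# The pool is bound directly to the policy, so the translation is explicit
# and can be read back with 'show firewall policy 10'.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lan-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set central-nat disable
        set ippool enable
        set poolname "outbound-pool"
    next
end
```

To confirm which translation a session is actually getting before and after such a change, `diagnose sys session list` prints each session's NAT action and translated address, and `diagnose sniffer packet wan1 'host 203.0.113.10' 4` shows what is really leaving the WAN interface; comparing the two is quicker than inferring the NAT behaviour from browser symptoms.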

I did a quick search on Fortinet's website and on Google and have not found any similar issues being reported.  I am going to have my "FortiExpert" (the co-worker that had me change to IP pools) review this and give me his analysis and submit it as a "FortiGlitch".  Luckily, the client was just trying to use the Central NAT Table as a convenience so they did not have to enter each address that they wanted to translate in the policies.

Maybe this is why the Central NAT Table is disabled by default?  Or maybe it was just a misconfiguration that half-way sort of worked.  Either way, more research is required on this one.
