Easy in hindsight, but may be counter-intuitive for those coming from a Cisco or Palo Alto background such as myself. There are two steps:
- Under Policy & Objects -> Virtual IPs, add a statement for each PAT rule with the “Port Forwarding” switch enabled at the bottom.
- Under Policy & Objects -> IPv4 Policy, add a rule from the public interface to the private interface with destination to be the object(s) created and service set to ALL. NAT switch should remain disabled.