Easy in hindsight, but may be counter-intuitive for those coming from a Cisco or Palo Alto background, such as myself. There are two steps:

  1. Under Policy & Objects -> Virtual IPs, add an entry for each PAT rule with the “Port Forwarding” switch at the bottom enabled. You may optionally combine multiple port rules into groups to simplify the configuration later.
  2. Under Policy & Objects -> IPv4 Policy, add a rule from the public interface to the private interface, with the destination set to the object(s) created in step 1 and the service set to ALL. Note that the NAT switch should remain disabled.

In the example below, the external IP is mapped to internal IP for TCP. I haven’t tried it in cases where the public IP is learned dynamically via DHCP.
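
For reference, the same two steps expressed in the FortiOS CLI. This is an added example, not the original post's configuration: the interface names (`wan1`, `internal`), the object and policy names, the addresses (documentation and private ranges) and the port are all constructed placeholders.

```fortios
# Step 1: Virtual IP with port forwarding enabled (one entry per PAT rule).
# All names, addresses and ports below are constructed placeholders.
config firewall vip
    edit "vip-web-tcp443"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "192.168.1.10"
        set mappedport 443
    next
end

# Step 2: policy from the public to the private interface.
# The destination is the VIP object; NAT stays disabled because the VIP
# already performs the destination translation.
config firewall policy
    edit 0
        set name "inbound-web"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-web-tcp443"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

With the service left at ALL, the VIP definition is the only thing limiting which port is reachable from outside, so review `extport` and `protocol` on each VIP as carefully as you would a policy's service field.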