I have a Windows 10 laptop connecting in via IKEv2. Dial-in connection is working great. However, we discovered it is being NAT'd to the UT NGFW's internal LAN IP.

I can't find any rule that is causing this to happen. Is this normal behavior?

The only NAT configuration at all is when you edit the WAN interface. The box is checked to:
NAT traffic existing this interface (and bridged peers)

I am thinking the IPsec dial-in client is not *exiting* the WAN interface. That's where it originates from. But for these sessions it is exiting the LAN interface.

Can someone confirm whether this is normal behavior, and whether there's any way I can change it?