Installing a FortiGate in NAT/Route mode

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

In this example, you will connect and configure a new FortiGate in NAT/Route mode to securely connect a private network to the Internet.

In NAT/Route mode, a FortiGate is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the FortiGate to hide the IP addresses of the private network using NAT.

NAT/Route mode is the most commonly used operating mode for a FortiGate.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6

 

1. Connecting the network devices and logging in to the FortiGate

Connect the FortiGate’s Internet-facing interface (typically WAN or WAN1, depending on your model) to your ISP-supplied equipment and connect a PC to the FortiGate using an internal port (typically port 1).

Power on the ISP’s equipment, the FortiGate, and the PC on the internal network.

Use the PC to connect to the FortiGate GUI using either FortiExplorer or an Internet browser (for information about connecting to the GUI, see your model’s QuickStart Guide).

Log in using an admin account (the default admin account has the username admin and no password).

2. Configuring the FortiGate interfaces

Go to Network > Interfaces and edit the Internet-facing interface (in the example, wan1).

Set Role to WAN and set the Estimated Bandwidth for the interface based on your Internet connection (make sure to use Kbps, rather than Mbps).

 

If your FortiGate directly connects to your ISP, set Addressing Mode to Manual and set the IP/Netmask to the public IP address provided by your ISP.

If you have ISP equipment between your FortiGate and the Internet (for example, a router), WAN1 will use a private IP address assigned by the ISP equipment. If the ISP equipment uses DHCP, set Addressing Mode to DHCP to allow the equipment to assign an IP address to WAN1.

If the ISP equipment does not use DHCP, your ISP can provide you with the correct private IP address to use for WAN1. Once you have this address, set Addressing Mode to Manual and set the IP/Netmask to your assigned address.

Edit the lan interface (called internal on some FortiGate models).

Set Role to LAN.

Set Addressing Mode to Manual and set the IP/Netmask to the private IP address you wish to use for the FortiGate.

If you need your FortiGate to provide IP addresses to devices that connect to it, enable DHCP Server.

 

3. Adding a default route

Go to Network > Static Routes and create a new default route.

Set Destination to Subnet and leave the destination IP address set to 0.0.0.0/0.0.0.0.

Set Device to the Internet-facing interface, and the Gateway to the gateway (or default route) provided by your ISP or to the next hop router, depending on your network requirements.

 

4. (Optional) Setting the FortiGate DNS servers

The FortiGate DNS settings are set to use FortiGuard DNS servers by default, which is sufficient for most networks. However, they can be changed, if necessary.
To change the DNS servers, go to Network > DNS, select Specify, and add Primary and Secondary servers.

5. Creating a policy to allow traffic from the internal network to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy. Give the policy a Name that indicates that the policy will be for traffic to the Internet (in the example, Internet).

 

Set the Incoming Interface to the lan interface and the Outgoing Interface to the Internet-facing interface. Set Source, Destination Address, Schedule, and Services, as required.

Make sure the Action is set to ACCEPT. Turn on NAT and make sure Use Outgoing Interface Address is selected.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.  

6. Results

Browse the Internet using the PC on the internal network.

You can view information about the traffic being processed by your FortiGate by going to FortiView.

Under Traffic from LAN/DMZ, select Sources. The PC appears on the list of sources.

Right-click on the entry for the PC and select Drill Down to Details to view realtime information about traffic from this computer.

If your FortiGate model has internal storage and disk logging enabled, a drop-down menu in the top corner allows you to view historical logging information (5 minutes, 1 hour, and 24 hours). If you are not sure whether your model supports disk logging, check the FortiGate Feature/Platform Matrix.

For further reading, check out Installing a FortiGate in NAT/Route mode in the FortiOS 5.6 Handbook.

Victoria Martin

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

  • Was this helpful?
  • Yes   No
This destination type allows you to input a numeric IP address or subnet.
A default route always has a destination IP address of 0.0.0.0/0.0.0.0. Normally, you only have one default route. If the static route list already contains a default route, you can edit it, or delete the route and add a new one.
Some FortiGate models include an IPv4 security policy in the default configuration. If you have one of these models, edit it to include the logging options shown below, then proceed to the results section.
  • Thomas Correge

    Hi, I’m a newbie, but I need to see the same in command line…