Installing a FortiGate in NAT/Route mode


In this example, you will learn how to connect and configure a new FortiGate unit in NAT/Route mode to securely connect a private network to the Internet.

In NAT/Route mode, a FortiGate unit is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the FortiGate to hide the IP addresses of the private network using network address translation (NAT).

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6


1. Connecting the network devices and logging onto the FortiGate

Connect the FortiGate’s Internet-facing interface (typically WAN or WAN1, depending on your model) to your ISP-supplied equipment and connect a PC to the FortiGate using an internal port (typically port 1).

Power on the ISP’s equipment, the FortiGate unit, and the PC on the internal network.

Using a PC on the internal network, connect to the FortiGate’s GUI using either FortiExplorer or an Internet browser (for information about connecting to the GUI, see your model’s QuickStart Guide).

Login using an admin account (the default admin account has the username admin and no password).

2. Configuring the FortiGate’s interfaces

Go to Network > Interfaces and edit the Internet-facing interface (in the example, wan1).

Set Role to WAN and set your Estimated Bandwidth (make sure to use Kbps, rather than Mbps).


If your FortiGate is directly connecting to your ISP, set Addressing Mode to Manual and set the IP/Netmask to the public IP address your ISP has provided you with.

If you have ISP equipment between your FortiGate and the Internet (for example, a router), then the wan1 IP will also use a private IP assigned by the ISP equipment. If this equipment uses DHCP, set Addressing Mode to DHCP to get an IP assigned to the interface.

If the ISP equipment does not use DHCP, your ISP can provide you with the correct private IP to use for the interface.

Edit the lan interface (called internal on some FortiGate models).

Set Role to LAN.

Set Addressing Mode to Manual and set the IP/Netmask to the private IP address you wish to use for the FortiGate.

If you need your FortiGate to provide IP addresses to devices that connect to it, enable DHCP Server.


3. Adding a default route

Go to Network > Static Routes and create a new default route.

Set Destination to Subnet, Destination IP/Mask to, the Device to the Internet-facing interface, and the Gateway to the gateway (or default route) provided by your ISP or to the next hop router, depending on your network requirements.


4. (Optional) Setting the FortiGate’s DNS servers

The FortiGate unit’s DNS Settings are set to use FortiGuard DNS servers by default, which is sufficient for most networks. However, they can be changed if necessary.
To change the DNS servers, go to Network > DNS, select Specify, and add Primary and Secondary servers.

5. Creating a policy to allow traffic from the internal network to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy. Give the policy a Name that indicates that the policy will be for traffic to the Internet (in the example, Internet).


Set the Incoming Interface to the lan interface and the Outgoing Interface to the Internet-facing interface. Set Source, Destination Address, Schedule, and Services as required.

Make sure the Action is set to ACCEPT. Turn on NAT and make sure Use Outgoing Interface Address is selected.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.  

5. Results

Browse the Internet using the PC that connects to the FortiGate’s internal interface.

You can view information about the traffic being processed by your FortiGate by going to FortiView. Under Traffic from LAN/DMZ, select Sources. A listing is shown for the computer you are browsing with.

Right-click on the listing for your computer and select Drill Down to Details to view realtime information about traffic from this computer.

If your FortiGate model has a hard drive, a dropdown menu in the top corner will allow you to view historical logging information (5 minutes, 1 hour, and 24 hours).

For further reading, check out Installing a FortiGate in NAT/Route mode in the FortiOS 5.6 Handbook.

Victoria Martin

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

  • Was this helpful?
  • Yes   No
This destination type allows you to input a numeric IP address or subnet.
A default route always has a Destination IP/Mask of Normally, you would have only one default route. If the static route list already contains a default route, you can edit it or delete it and add a new one.
Some FortiGate models include an IPv4 security policy in the default configuration. If you have one of these models, edit it to include the logging options shown below, then proceed to the results section.