Installing a FortiGate in NAT/Route mode


In this example, you will learn how to connect and configure a new FortiGate unit in NAT/Route mode to securely connect a private network to the Internet.

In NAT/Route mode, a FortiGate unit is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the FortiGate to hide the IP addresses of the private network using network address translation (NAT).


1. Connecting the network devices and logging onto the FortiGate

Connect the FortiGate’s Internet-facing interface (typically WAN1) to your ISP-supplied equipment, and connect a PC to the FortiGate using an internal port (typically port 1).

Power on the ISP’s equipment, the FortiGate unit, and the PC on the internal network.

From the PC on the internal network, connect to the FortiGate’s web-based manager using either FortiExplorer or an Internet browser (for information about connecting to the web-based manager, please see your model’s QuickStart Guide).

Log in using an admin account (the default admin account has the username admin and no password).

2. Configuring the FortiGate’s interfaces

Go to System > Network > Interfaces and edit the Internet-facing interface.

If your FortiGate is directly connecting to your ISP, set Addressing Mode to Manual and set the IP/Netmask to the public IP address your ISP has provided you with.

If you have some ISP equipment between your FortiGate and the Internet (for example, a router), then the wan1 IP will also use a private IP assigned by the ISP equipment. If this equipment uses DHCP, set Addressing Mode to DHCP to get an IP assigned to the interface.

If the ISP equipment does not use DHCP, your ISP can provide you with the correct private IP to use for the interface.

Edit the internal interface (called lan on some FortiGate models).

Set Addressing Mode to Manual and set the IP/Netmask to the private IP address you wish to use for the FortiGate.

3. Adding a default route

Go to Router > Static > Static Routes (or System > Network > Routing, depending on your FortiGate model) and create a new route.

Set the Destination IP/Mask to 0.0.0.0/0.0.0.0, the Device to the Internet-facing interface, and the Gateway to the gateway (or default route) provided by your ISP or to the next hop router, depending on your network requirements.

4. (Optional) Setting the FortiGate’s DNS servers

The FortiGate unit’s DNS Settings are set to use FortiGuard DNS servers by default, which is sufficient for most networks. However, if you need to change the DNS servers, go to System > Network > DNS and add Primary and Secondary DNS servers.

5. Creating a policy to allow traffic from the internal network to the Internet

Go to Policy & Objects > Policy > IPv4 and create a new policy (if your network uses IPv6 addresses, go to Policy & Objects > Policy > IPv6).

Set the Incoming Interface to the internal interface and the Outgoing Interface to the Internet-facing interface.

Make sure the Action is set to ACCEPT. Turn on NAT and make sure Use Destination Interface Address is selected (later versions of FortiOS 5.2 call this option Use Outgoing Interface Address).

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.
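The same steps 2 to 5 entered through the FortiOS CLI, as an added example that is not part of the original recipe. It assumes the interfaces are named wan1 and internal, that the ISP assigned 203.0.113.2/24 with gateway 203.0.113.1 (constructed documentation addresses), that the LAN uses 192.168.1.0/24, and that the DNS block is only entered if you are replacing the FortiGuard defaults; lines starting with # are comments for the reader.

```fortios
# Step 2: interface addressing (all addresses are constructed examples)
config system interface
    edit "wan1"
        # if ISP equipment hands out addresses, use "set mode dhcp" and omit "set ip"
        set mode static
        set ip 203.0.113.2 255.255.255.0
        # keep management services (https/ssh) off the Internet-facing interface
        set allowaccess ping
    next
    edit "internal"
        set mode static
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Step 3: a single default route out of wan1 via the ISP gateway
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
    next
end

# Step 4 (optional): replace the FortiGuard DNS servers with your own
config system dns
    set primary 203.0.113.53
    set secondary 203.0.113.54
end

# Step 5: internal -> Internet policy with source NAT and logging of all sessions
config firewall address
    edit "LAN-192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        # the recipe leaves source as "all"; matching only the LAN subnet is tighter
        set srcaddr "LAN-192.168.1.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # nat enable with no IP pool = "Use Destination Interface Address" in the GUI
        set nat enable
        # "Log Allowed Traffic: All Sessions"
        set logtraffic all
        set comments "LAN to Internet"
    next
end

# Verify: the routing table should list S* 0.0.0.0/0 via 203.0.113.1 on wan1
get router info routing-table all
execute ping 8.8.8.8
```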

6. Results

You can now browse the Internet using any computer that connects to the FortiGate’s internal interface.

You can view information about the traffic being processed by your FortiGate by going to System > FortiView > All Sessions and finding traffic that has the internal interface as the Src Interface and the Internet-facing interface as the Dst Interface.

If these two columns are not shown, right-click on the title row, select Src Interface and Dst Interface from the dropdown menu, and then select Apply.

For further reading, check out Installing a FortiGate in NAT/Route Mode in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
If you have not already done so, ensure that your FortiGate is using the correct internal switch mode. For more information, see Extra help: Switch mode vs Interface mode.
A default route always has a Destination IP/Mask of 0.0.0.0/0.0.0.0. Normally, you would have only one default route. If the static route list already contains a default route, you can edit it, or delete it and add a new one.
Some FortiGate models include an IPv4 security policy in the default configuration. If you have one of these models, edit it to include the logging options described in step 5, then proceed to the results section.
  • Victoria Martin

    Hello Almas,

    If the routers are applying NAT to traffic, then you won’t set WAN1 to use the public IP address, since that address is used by the router. Also, you will need to use NAT traversal if you want to set up an IPsec VPN between FortiGates behind NAT devices.

    • Almas Rafaqat

      Dear Victoria Martin,
      Thanks for your reply. Sorry, I did not understand what you said. If I set the public IP on the wan1 interface of the main branch FortiGate, then how will the main branch’s users access the internet?

      • Victoria Martin

        The main branch users will access the Internet through the FortiGate, using a policy similar to the one created in step 5 of this recipe.

  • shan

    I have a FortiGate 90D and am trying to establish PPPoE with the ISP modem, but the connection shows failed. Previously the FW was working fine. Is there any other configuration I should do other than configuring the mode on the wan1 interface to PPPoE and setting the ID and password?

  • lensflair

    We have a FortiGate 60D and I want to troubleshoot whether our FortiGate is causing the intermittent connection of our internet. But I don’t see the System tab in the web-based manager. How can I enable or unhide it? I was not the one who set this up. How can I know the FortiOS version? https://uploads.disquscdn.com/images/0ea0562e639016a33f6fc0d7dafdaa532cbd755a1c3845e8abbf727894265966.png

  • Tarek Chaalan

    thank you Victoria

  • Harry Huynh

    Hi,
    I have 2 FortiGate 70Ds and 2 internet lines (PPPoE). I want to configure HA between the 2 FWs for more security. My solution is: each internet line connects to an L2 switch, then I will full mesh between the 2 switches and 2 FWs, and configure HA A-P mode between the 2 FWs. So will my solution run? Is there any problem? Waiting for your kind help.
    Regards.

  • Sumant Kumar

    Hi Team,

    We have a FortiGate 100D at our office.

    We are 100 people, and I am the only one using the bandwidth.

    Every few minutes the firewall experiences an issue where the web pages no longer load, and everything just drops for about a minute. This started happening as of a week ago without major changes.

    • lensflair

      Hi. I think we have a similar situation. Our internet connection slows down often and displays connection timed out, or website can’t be reached, or website took too long to respond.
      Have you managed to fix your problem? What is your troubleshooting procedure?
      I can’t figure out how to fix this because I only have Security Profiles and User & Device shown in our web-based manager.

    • Maattoos Maattu

      config system interface
          # replace wan1 with the name of your PPPoE WAN interface
          edit wan1
              # clear the PPPoE idle timeout so the link is not dropped when idle
              unset idle-timeout
          next
      end

  • srikanthane

    I have 5 public-facing IP addresses provided by the ISP. We have assigned one of the IPs to our WAN 1 link; please guide me on how to assign the second public-facing IP to another interface on a FortiGate 100D.

  • Rick

    Hi, we have a FortiGate 200D, and I have a pool of public IPs. How can I configure the wan port to use all of these IPs? I need that to use VIPs.
    Thanks

    • Bruce Davis

      If you have a pool of IP addresses assigned to you by your ISP, you can add them to your WAN interface by enabling the Secondary IP address section towards the bottom of the interface configuration window. Once they have been added to your interface you can assign those external IP addresses into the configuration for the VIP.

  • Khan Sufyanee

    hi,
    We have a FortiGate 90D v5.2.1. Help me to configure website filtering through groups, so that some groups of people can have full internet access and some people can have limited internet access. I also want to integrate those groups with the Active Directory domain. Please help me.

  • Jozi

    Hi ,
    I would like to know how I can place a Netgear WRN3500Lv2 as an AP under the FortiGate 60D.
    Do I need to configure something inside the FortiGate, or what do I need to do?
    Please advise me.

    • Victoria Martin

      Hi Jozi,
      The only APs that can be managed by a FortiGate are FortiAPs. However, you can set up your FortiGate to provide Internet access to the Netgear device, the same as if it were any other type of device on your network.

  • Syed Mujahed

    hi
    We are using a FortiGate 100D.

    I want to assign the public IP to wan1 for the Fortinet client, for accessing SSL VPN.

    • Victoria Martin

      Hi Syed,

      If your FortiGate is directly on the Internet, you can go to System > Network > Interfaces and edit wan1 to have your public IP. This IP can then be used when configuring an SSL VPN for FortiClient (there is a recipe about that located at http://cookbook.fortinet.com/ssl-vpn-for-remote-users/)

      If your FortiGate connects to equipment from your ISP, you will need to contact them in order to make sure VPN users can access the FortiGate.

  • Sandhy

    Hi,
    I’m using a FortiGate 60D.
    Could you please help me with the FortiGate configuration? The existing router is running a tunnel VPN IPsec configuration to the headquarters office. Many thanks.

  • Khan Sufyanee

    Hi,
    I’m using a FortiGate 90D. We have two WAN connections and have configured load balancing between the internet links. How can I redirect a specific user’s internet traffic to a specific WAN?

  • Jr81

    Hi,

    I’m about to inherit a couple of sites that have a pair of 1000c firewalls installed. My question is, what is the best path for training on these devices? I would like to know as much as possible about these devices… I do have experience with ASA firewalls but not FortiGate. Thx!

    • Victoria Martin

      Hi Jr81,

      Well, you’ve found one good FortiGate resource here, as the Cookbook can help you if there’s any additional configuration required for the sites. I would also recommend checking out the FortiOS Handbook, which goes into more detail about how a FortiGate works. You can find the Handbook for your version of FortiOS at http://docs.fortinet.com.

      Finally, we do have training available at http://www.fortinet.com/training/

  • Praba

    Hi all,

    I’m using a FortiGate 40c v5.2.3 and I did the same configuration as above, but I can’t connect to the internet. Please help me; what details do you need for further clarification?

    Regards,
    Praba

  • Mervin

    Hi all,

    Can you please help me out? Attached is our current network topology and we are having problems with our FortiGate 200D. In the diagram, all the users already have access to the internet (we have a PUBLIC IP pool) but our main problem is that the Firewall itself cannot connect to the internet. We tried NAT-ing all the interfaces of the firewall and also its management IP but it still won’t connect to the internet. Because of this, Firewall services say “Unreachable”. Anyone have an idea on what we should do? Thanks in advance.

    Regards,
    Mervin

    • Bruce Davis

      Without seeing the actual configuration I couldn’t say where the problem is, but if your users can get to the Internet but the FortiGate cannot, the 2 places that I would look first are the DNS server that the FortiGate is using and the default routes. Because you have 2 Internet connections, even more care has to be taken with the routing.
      If these look like they should be working I would then go into the CLI and use the execute ping command to see just how far I could get before I cannot make a connection. Because you have two potential routes to the Internet you will need to verify what path the traffic is taking.
      Another problem to worry about is whether or not sessions that are initiating on one path to the Internet are getting responses on the other path. This can also cause some issues.
      Finally, just because it’s always good to check your assumptions: verify that the method you are using to verify whether or not you can reach the Internet is a good test. I remember one time that I was getting frustrated because I couldn’t connect to a server from my location. I kept pinging it but got no response. Then I found out someone had turned off its ability to respond to pings as a security measure.

      • Mervin

        Hi Bruce! Thanks for the response.

        The DNS Server that we use on the Fortigate is the default of the unit which is 208.91.112.53 and 208.91.112.52. At the moment, we are on the testing phase so we are just using the 14Mbps connection. Default route is pointed just to that interface. Routing to the inside network is also configured via a redundant port (ports 13 and 14).

        Firewall Configurations:
        Port WAN2: 172.20.31.6/30
        Port 13 and 14: 172.16.10.4/29

        Other firewall configs are posted below as snapshots.

        14Mbps Internet configurations (We do not have access to this; all we know is its interface IP address connected to the firewall and the public IPs that it is accepting):

        Port 1: 172.20.31.5/30
        Public IP: 212.107.104.32/29

        We tried everything using pings on the firewall using source addresses. Every port that has an IP address assigned in the firewall’s interfaces was used as a source IP address, but still the firewall cannot connect to the internet. (We are pinging 8.8.8.8.) We have done NAT-ing on all of the firewall’s interfaces using the Public IP Pool that was given to us. As I have said in my earlier post, all of the hosts under the redundant port have access to the internet with these configurations. For example, one of the core switches’ IP is 172.16.10.2/29, which is a directly connected port to the FortiGate’s redundant port (ports 13 and 14), which has an IP address of 172.16.10.4/29. From this switch I ping 8.8.8.8 using source address 172.16.10.2, and the ping is successful. While on the FortiGate, I use 172.16.10.4 as a source address and ping 8.8.8.8. The FortiGate displays “unreachable”.

        I have a default route on the core/distribution switches pointing to 172.16.10.4/29.

        Below is the snapshots of the Firewall Configurations.

        Regards,
        Mervin

        • Mervin

          By the way, ping results to 172.20.31.5/30 (ISP Router’s interface) using the source addresses below have the following results:

          1. Fortigate WAN2 Interface (172.20.31.6/30) – successful.
          2. Fortigate Redundant Interface (172.16.10.4/29) – unreachable.
          3. Fortigate Management IP – (unreachable).
          4. Core Switch IP (172.16.10.2/29) – successful.
          5. End Host (192.168.10.100/24) – successful.

          • Bruce Davis

            Mervin,

            As this is a documentation website rather than a support one it is not really the venue for a question on such a specific scenario, especially one in such complex environment. Those sort of questions should normally go to the Technical Assistance Center. To find out which number to call for support check out the page http://www.fortinet.com/support/contact_support.html.
            All that being said, I’ll give you my best guess at what is happening based on the information that you’ve provided.
            I think that the ISP router is set up expecting traffic arriving on the 172.20.31.5/30 interface to be from the 212.107.104.33-38 range. Any traffic coming from the network behind the FortiGate is assigned a value from this pool of addresses as it goes through the policy. Traffic coming directly from the FortiGate does not go through a policy, so it is not assigned a source address from the IP pool. I suspect that there is no policy on the router to pass through traffic from the 172.107.104.4/30 subnet range of addresses because there was never any expected need to do so.
            I would recommend talking with whoever set up the ISP router and explaining the situation to them to see if that is where the issue is. If that is the case just ask for an additional policy to allow the required traffic from the FortiGate to go through.

          • Mervin

            Thank you so much for your inputs Bruce.

            Regards,
            Mervin

  • dee

    Hi All,

    Sorry for this silly question 🙂

    How do I get my public IP address? My FortiGate is connected to the internet modem and the modem is connected to the internet through PPPoE. Do I need to enter the public IP as shown in the modem into the wan1 port?

    • Victoria Martin

      Since you have a modem between your FortiGate and the Internet, your wan1 interface will not actually use the public IP, since it is not actually directly on the Internet.

      If you see my reply below to af84, there is more information about what address to use when you have a router between the FortiGate and the Internet. Since we’ve had two comments about it in the past week, the recipe will be revised in the near future to contain more information about this configuration.

      • dee

        Hi,

        Noted and how about if i need to access my fortigate outside from my network. How to configure it.

        • Victoria Martin

          The solution may depend on how the modem is configured. Modems can be setup 2 ways, or at least 2 ways that concern us at the moment.

          The first is in NAT mode, in which the modem’s outside-facing interface will have the public IP address assigned to it. In this mode it will act like a router and there will be a subnet between the modem and your FortiGate; the FortiGate’s wan interface likely gets its IP address from the modem’s DHCP server. If you want to know the IP address that is assigned to it you can log in to the modem or use one of the many IP address identifying websites such as ipchicken.com. (There are others, I just like the name of that one.) If traffic from your network is always initiated from inside your network there are no problems with this mode, but as you may have discovered, incoming traffic is a problem, because while you may be able to reach the modem via its IP address it is tricky to get that traffic to pass through to the FortiGate or the internal network. It can be done by setting up port forwarding on the modem, but most modems have limitations, such as how many ports can be configured; and then you would have to set up a matching port forwarding on the FortiGate. Administrative headache all around.

          The second mode is a bridge mode, in which the modem passes the PPPoE handshake from the ISP to the network device connected to its internal interface and sends any PPPoE connection traffic from the Fortinet right through to the ISP. In this case, the ISP ends up assigning the public IP address to the wan interface on the FortiGate instead of the modem. Once you’ve got that working, everything is unicorns and rainbows. Well, maybe not that good, but it’s definitely easier to work with. You can now connect directly to your FortiGate from the Internet. For all intents and purposes the modem is transparent.

          I am assuming that since you are seeing the public IP address on the modem’s interface instead of the FortiGate, the chances are good that your modem is in NAT mode. Assigning the public IP address on the Internet side of the modem to the FortiGate’s wan interface will not work. The reason involves an explanation of how TCP/IP, routing and subnetting work; there are entire books on the subject if you’re interested.

          One thing I cannot help you with though is the configuration of the modem. Vendors of modems have their own way of configuring these modes and while I’m sure that most current models have this capability I have no way of knowing if yours does. If you received your modem from your ISP, or better yet, rent it from them, ask for their assistance. If you’ve purchased it outright from some other source there should be some kind of documentation that should show you how to reconfigure it.


  • af84

    Hi All,

    Need your expertise on configuring the firewall. I’m a newbie.
    Which IP i need to enter in the wan1 and internal. Meaning is it an ip that i can create myself or tight to the ISP IP.

    Hope can help. TQ

    • Victoria Martin

      Hello,

      For your internal IP, you can use an IP that you create yourself. Typically internal IPs use one of the ranges that are reserved for private networks: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, or 192.168.0.0 – 192.168.255.255.

      For the wan1 IP, if your FortiGate is directly connecting to your ISP, then you’ll need to use the public address that the ISP has provided for you.

      However, if you have some ISP equipment between your FortiGate and the Internet (for example, a router), then the wan1 IP will also use a private IP as assigned by the router. If you have a router, then try setting the Addressing Mode for the wan1 interface to DHCP, as shown in the screenshot below. If your router uses DHCP, it will assign the IP address to your wan1 interface.

      If you have a router that does not use DHCP, I would suggest calling your ISP to find out what IP you should be using.

      Hope that helps.

      • af84

        Hi Vic,

        Thanks. Btw, some said if I’m using the FGT then I can remove the existing Cisco router. So can I directly connect the FGT to the ISP without using the router, or if I need to connect through the router, which mode can I use? Is it NAT/Route or Transparent, and which is better?

        Hope can help

        • Victoria Martin

          You can remove the existing Cisco router. If you do this, you must use NAT/Route mode, so that all outgoing traffic will use the public IP assigned to you by your ISP.

          You can use either mode if the Cisco router remains in place. Keeping the FortiGate in NAT/Route would be easier to set up, so I would recommend using it.

  • Joe

    Under my “System > FortiView > All Sessions” it only shows the IP addresses for the Destination.. your example shows domain names, google.com, blog.fortinet.com, etc.. how do you enable this?

    • Victoria Martin

      Hi Joe,

      If you go to Log & Report > Log Config > Log Settings, you’ll see an option under GUI Preferences to Resolve Hostnames (Using reverse DNS lookup). If you have this selected, you should see the domain names listed in your logs, including the FortiView dashboard.