Installing a FortiGate in NAT/Route mode

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

In this example, you will learn how to connect and configure a new FortiGate unit in NAT/Route mode to securely connect a private network to the Internet.

In NAT/Route mode, a FortiGate unit is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the FortiGate to hide the IP addresses of the private network using network address translation (NAT).

 

1. Connecting the network devices and logging onto the FortiGate

Connect the FortiGate’s Internet-facing interface (typically WAN1) to your ISP-supplied equipment and Connect a PC to the FortiGate using an internal port (typically port 1).

Power on the ISP’s equipment, the FortiGate unit, and the PC on the internal network.

From the PC on the internal network, connect to the FortiGate’s web-based manager using either FortiExplorer or an Internet browser (for information about connecting to the web-based manager, please see your models QuickStart Guide).

Login using an admin account (the default admin account has the username admin and no password).

2. Configuring the FortiGate’s interfaces

Go to System > Network > Interfaces and edit the Internet-facing interface.

If your FortiGate is directly connecting to your ISP, set Addressing Mode to Manual and set the IP/Netmask to the public IP address your ISP has provided you with.

If have some ISP equipment between your FortiGate and the Internet (for example, a router), then the wan1 IP will also use a private IP assigned by the ISP equipment. If this equipment uses DHCP, set Addressing Mode to DHCP to get an IP assigned to the interface. 

If the ISP equipment does not use DHCP, your ISP can provide you with the correct private IP to use for the interface.

Edit the internal interface (called lan on some FortiGate models).

Set Addressing Mode to Manual and set the IP/Netmask to the private IP address you wish to use for the FortiGate.

3. Adding a default route

Go to Router > Static > Static Routes (or System > Network > Routing, depending on your FortiGate model) and create a new route.

Set the Destination IP/Mask to 0.0.0.0/0.0.0.0, the Device to the Internet-facing interface, and the Gateway to the gateway (or default route) provided by your ISP or to the next hop router, depending on your network requirements.

4. (Optional) Setting the FortiGate’s DNS servers

The FortiGate unit’s DNS Settings are set to use FortiGuard DNS servers by default, which is sufficient for
most networks. However, if you need to change the DNS servers, go to System > Network > DNS and add Primary and Secondary DNS servers.

5. Creating a policy to allow traffic from the internal network to the Internet

Go to Policy & Objects > Policy > IPv4 and create a new policy (if your network uses IPv6 addresses, go to Policy & Objects > Policy > IPv6).

Set the Incoming Interface to the internal interface and the Outgoing Interface to the Internet-facing interface.

Make sure the Action is set to ACCEPT. Turn on NAT and make sure Use Destination Interface Address is selected (later versions of FortiOS 5.2 call this option Use Outgoing Interface Address).

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

5. Results

You can now browse the Internet using any computer that connects to the FortiGate’s internal interface.

You can view information about the traffic being processed by your FortiGate by going to System > FortiView > All Sessions and finding traffic that has the internal interface as the Src Interface and the Internet-facing interface as the Dst Interface.

If these two columns are not shown, right-click on the title row, select Src Interface and Dst Interface from the dropdown menu, and then select Apply.

For further reading, check out Installing a FortiGate in NAT/Route Mode in the FortiOS 5.2 Handbook.

Victoria Martin

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

  • Was this helpful?
  • Yes   No
If you have not already done so, ensure that your FortiGate is using the correct internal switch mode. For more information, see Extra help: Switch mode vs Interface mode.
A default route always has a Destination IP/Mask of 0.0.0.0/0.0.0.0. Normally, you would have only one default route. If the static route list already contains a default route, you can
edit it or delete it and add a new one
Some FortiGate models include an IPv4 security policy in the default configuration. If you have one of these models, edit it to include the logging options shown below, then proceed to the results section.