Installing a FortiGate in NAT mode


In this example, you connect and configure a new FortiGate in NAT mode, to securely connect a private network to the Internet.

This recipe is in the Basic FortiGate network collection and the Fortinet Security Fabric collection. You can also use it as a standalone recipe.

In NAT mode, you install a FortiGate as a gateway, or router, between two networks. Typically, you set the FortiGate up between a private network and the Internet, which allows the FortiGate to hide the IP addresses of the private network using NAT.

NAT mode is the most commonly used operating mode for a FortiGate.


1. Connecting the network devices and logging in to the FortiGate

Connect the FortiGate to your ISP-supplied equipment using the Internet-facing interface. This is typically WAN or WAN1, depending on your model.

Connect a PC to the FortiGate, using an internal port (in the example, port 3).


Power on the ISP equipment, the FortiGate, and the PC on the internal network.

Use the PC to connect to the FortiGate GUI using either FortiExplorer or an Internet browser. For more information about connecting to the GUI, see the QuickStart Guide for your FortiGate model.

Log in using an admin account. The default admin account has the username admin and no password.


2. Configuring the FortiGate interfaces

To edit the Internet-facing interface (in the example, wan1), go to Network > Interfaces.

Set the Estimated Bandwidth for the interface based on your Internet connection.

Set Role to WAN.


To determine which Addressing mode to use, check if your ISP provides an IP address for you to use or if the ISP equipment uses DHCP to assign IP addresses.

If your ISP provides an IP address, set Addressing mode to Manual and set the IP/Network Mask to that IP address.

If your ISP equipment uses DHCP, set Addressing mode to DHCP to allow the equipment to assign an IP address to WAN1.

Edit the lan interface, which is called internal on some FortiGate models. 

Set Role to LAN.

Set Addressing mode to Manual and set the IP/Network Mask to the private IP address that you want to use for the FortiGate.

If you need to assign IP addresses to devices on your internal network, enable DHCP Server.


3. Adding a default route

To create a new default route, go to Network > Static Routes. Typically, you have only one default route. If the static route list already contains a default route, you can edit it, or delete the route and add a new one.

Set Destination to Subnet and leave the destination IP address set to

Set Gateway to the IP address provided by your ISP and Interface to the Internet-facing interface.


4. Setting the FortiGate DNS servers (optional)

The FortiGate DNS settings are configured to use FortiGuard DNS servers by default, which is sufficient for most networks.
If you need to change the DNS servers, go to Network > DNS, select Specify, and add Primary and Secondary servers.

5. Creating a policy to allow traffic from the internal network to the Internet

To create a new policy, go to Policy & Objects > IPv4 Policy. Give the policy a Name that indicates that the policy will be for traffic to the Internet (in the example, Internet).

Set the Incoming Interface to lan and the Outgoing Interface to wan1. Set Source, Destination Address, Schedule, and Services, as required.

Ensure the Action is set to ACCEPT.

Turn on NAT and select Use Outgoing Interface Address.

Scroll down to view the Logging Options. To view the results later, enable Log Allowed Traffic and select All Sessions.
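To confirm from a configuration backup that the outbound policy matches the settings in this step, the following added example (not part of the original recipe or Fortinet's tooling) parses the `config firewall policy` section and reports any lan-to-wan1 policy that is not ACCEPT with NAT and All Sessions logging. The sample backup text is constructed, the function names are hypothetical, and the check assumes that a setting missing from the backup is at its default value.

```python
# Constructed excerpt of a FortiOS configuration backup (sample data, not from the page).
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name "Internet"
        set srcintf "lan"
        set dstintf "wan1"
        set action accept
        set logtraffic all
        set nat enable
    next
    edit 2
        set srcintf "lan"
        set dstintf "wan1"
        set action accept
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {setting: value}} from the 'config firewall policy' section."""
    policies, current, in_section = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "config firewall policy":
            in_section = True
        elif in_section and line == "end":
            in_section = False
        elif in_section and line.startswith("edit "):
            current = policies.setdefault(line.split()[1], {})
        elif in_section and current is not None and line.startswith("set "):
            _, key, value = line.split(None, 2)
            current[key] = value.strip('"')
    return policies

def audit_outbound(policies, lan="lan", wan="wan1"):
    """List (policy_id, problem) where a lan -> wan1 policy deviates from step 5."""
    expected = {"action": "accept", "nat": "enable", "logtraffic": "all"}
    findings = []
    for pid, p in policies.items():
        if (p.get("srcintf"), p.get("dstintf")) != (lan, wan):
            continue  # only the internal-to-Internet direction is audited
        for key, want in expected.items():
            if p.get(key) != want:
                findings.append((pid, f"{key} is {p.get(key, 'unset')}, expected {want}"))
    return findings

if __name__ == "__main__":
    print(audit_outbound(parse_policies(SAMPLE_CONFIG)))
```

Policy 2 in the sample is flagged because it allows traffic without NAT and without logging all sessions, so its traffic would not show up in full in the results described in step 6.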

6. Results

Browse the Internet using the PC on the internal network.

If you can’t connect to the Internet, see FortiGate installation troubleshooting.

To view information about FortiGate traffic, go to FortiView > Traffic from LAN/DMZ > Sources. The PC appears on the list of sources.

To view more detailed information about the traffic from the PC, right-click the entry for the PC and select Drill Down to Details.


If your FortiGate model has internal storage and disk logging enabled, a drop-down menu in the top corner allows you to view historical logging information for the previous 5 minutes, 1 hour, and 24 hours.

If you’re not sure whether your model supports disk logging, check the FortiGate Feature/Platform Matrix.

For further reading, check out Installing a FortiGate in NAT mode in the FortiOS 6.0 Online Help.

Victoria Martin


Technical Writer at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

If your FortiGate doesn’t have a default LAN interface, for this step, you can use either an individual interface or create a software switch to combine the separate interfaces into a single virtual interface.
This destination type allows you to input a numeric IP address or subnet.
A default route always has a destination IP address of
Some FortiGate models include an IPv4 security policy in the default configuration. If you have one of these models, edit it to include the logging options shown below, then proceed to the results section.