Fortinet Document Library

Version:

Version:

Version:


Table of Contents

Related Videos

Cookbook - Basic Firewall Policies

  • 61,990 views
  • 4 years ago

Cookbook

Download PDF
Copy Link

Installing a FortiGate in NAT/Route mode

In this example, you will learn how to connect and configure a new FortiGate unit in NAT/Route mode to securely connect a private network to the Internet.

In NAT/Route mode, a FortiGate unit is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the FortiGate to hide the IP addresses of the private network using network address translation (NAT).

1. Connecting the network devices and logging onto the FortiGate

Connect the FortiGate's Internet-facing interface (typically WAN1) to your ISP-supplied equipment and Connect a PC to the FortiGate using an internal port (typically port 1).

Power on the ISP's equipment, the FortiGate unit, and the PC on the internal network.

From the PC on the internal network, connect to the FortiGate's web-based manager using either FortiExplorer or an Internet browser (for information about connecting to the web-based manager, please see your models QuickStart Guide).

Login using an admin account (the default admin account has the username admin and no password).

2. Configuring the FortiGate's interfaces

Go to Network > Interfaces and edit the Internet-facing interface (in the example, wan1).

If your FortiGate is directly connecting to your ISP, set Addressing Mode to Manual and set the IP/Netmaskto the public IP address your ISP has provided you with.

If you have ISP equipment between your FortiGate and the Internet (for example, a router), then the wan1 IP will also use a private IP assigned by the ISP equipment. If this equipment uses DHCP, set Addressing Mode to DHCP to get an IP assigned to the interface.

If the ISP equipment does not use DHCP, your ISP can provide you with the correct private IP to use for the interface.

Edit the laninterface (called internal on some FortiGate models).

Make sure the interface's Role is set to LAN.

Set Addressing Mode to Manual and set the IP/Netmask to the private IP address you wish to use for the FortiGate.

3. Adding a default route

Go to Network> Static Routes and create a new route.

Set Destination to Subnet (this destination type allows you to input a numeric IP address or subnet), Destination IP/Mask to 0.0.0.0/0.0.0.0, the Device to the Internet-facing interface, and the Gatewayto the gateway (or default route) provided by your ISP or to the next hop router, depending on your network requirements. A default route always has a Destination IP/Mask of 0.0.0.0/0.0.0.0. Normally, you would have only one default route. If the static route list already contains a default route, you can edit it or delete it and add a new one.

4. (Optional) Setting the FortiGate's DNS servers

The FortiGate unit's DNS Settings are set to use FortiGuard DNS servers by default, which is sufficient for most networks. However, if you need to change the DNS servers, go to Network > DNS, select Specify, and add Primary and Secondary servers.

5. Creating a policy to allow traffic from the internal network to the Internet

Some FortiGate models include an IPv4 security policy in the default configuration. If you have one of these models, edit it to include the logging options shown below, then proceed to the results section.

Go to Policy & Objects > IPv4 Policy and create a new policy. Give the policy a Name that indicates that the policy will be for traffic to the Internet (in the example, Internet).

Set the Incoming Interface to the lan interface and the Outgoing Interface to the Internet-facing interface. Set Source, Destination Address, Schedule, and Services as required.

Make sure the Action is set to ACCEPT. Turn on NAT and make sure Use Outgoing Interface Address is selected.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

5. Results

You can now browse the Internet using any computer that connects to the FortiGate's internal interface.

You can view information about the traffic being processed by your FortiGate by going to FortiView > All Sessions and selecting the now view.

Select Add Filter and filter for Policy, selecting the name of your new policy. Only traffic flowing through the new policy is displayed.

Related Videos

Cookbook - Basic Firewall Policies

  • 61,990 views
  • 4 years ago

Installing a FortiGate in NAT/Route mode

In this example, you will learn how to connect and configure a new FortiGate unit in NAT/Route mode to securely connect a private network to the Internet.

In NAT/Route mode, a FortiGate unit is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the FortiGate to hide the IP addresses of the private network using network address translation (NAT).

1. Connecting the network devices and logging onto the FortiGate

Connect the FortiGate's Internet-facing interface (typically WAN1) to your ISP-supplied equipment and Connect a PC to the FortiGate using an internal port (typically port 1).

Power on the ISP's equipment, the FortiGate unit, and the PC on the internal network.

From the PC on the internal network, connect to the FortiGate's web-based manager using either FortiExplorer or an Internet browser (for information about connecting to the web-based manager, please see your models QuickStart Guide).

Login using an admin account (the default admin account has the username admin and no password).

2. Configuring the FortiGate's interfaces

Go to Network > Interfaces and edit the Internet-facing interface (in the example, wan1).

If your FortiGate is directly connecting to your ISP, set Addressing Mode to Manual and set the IP/Netmaskto the public IP address your ISP has provided you with.

If you have ISP equipment between your FortiGate and the Internet (for example, a router), then the wan1 IP will also use a private IP assigned by the ISP equipment. If this equipment uses DHCP, set Addressing Mode to DHCP to get an IP assigned to the interface.

If the ISP equipment does not use DHCP, your ISP can provide you with the correct private IP to use for the interface.

Edit the laninterface (called internal on some FortiGate models).

Make sure the interface's Role is set to LAN.

Set Addressing Mode to Manual and set the IP/Netmask to the private IP address you wish to use for the FortiGate.

3. Adding a default route

Go to Network> Static Routes and create a new route.

Set Destination to Subnet (this destination type allows you to input a numeric IP address or subnet), Destination IP/Mask to 0.0.0.0/0.0.0.0, the Device to the Internet-facing interface, and the Gatewayto the gateway (or default route) provided by your ISP or to the next hop router, depending on your network requirements. A default route always has a Destination IP/Mask of 0.0.0.0/0.0.0.0. Normally, you would have only one default route. If the static route list already contains a default route, you can edit it or delete it and add a new one.

4. (Optional) Setting the FortiGate's DNS servers

The FortiGate unit's DNS Settings are set to use FortiGuard DNS servers by default, which is sufficient for most networks. However, if you need to change the DNS servers, go to Network > DNS, select Specify, and add Primary and Secondary servers.

5. Creating a policy to allow traffic from the internal network to the Internet

Some FortiGate models include an IPv4 security policy in the default configuration. If you have one of these models, edit it to include the logging options shown below, then proceed to the results section.

Go to Policy & Objects > IPv4 Policy and create a new policy. Give the policy a Name that indicates that the policy will be for traffic to the Internet (in the example, Internet).

Set the Incoming Interface to the lan interface and the Outgoing Interface to the Internet-facing interface. Set Source, Destination Address, Schedule, and Services as required.

Make sure the Action is set to ACCEPT. Turn on NAT and make sure Use Outgoing Interface Address is selected.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

5. Results

You can now browse the Internet using any computer that connects to the FortiGate's internal interface.

You can view information about the traffic being processed by your FortiGate by going to FortiView > All Sessions and selecting the now view.

Select Add Filter and filter for Policy, selecting the name of your new policy. Only traffic flowing through the new policy is displayed.