Fortinet white logo
Fortinet white logo

Handbook

6.0.0

NAT mode installation

NAT mode installation

There are two main ways to install a FortiGate using network address translation (NAT) mode: Standard installation in NAT mode, where Internet access is provided by a single Internet service provider (ISP), and Redundant Internet installation, where two ISPs are used.

NAT mode vs. transparent mode

A FortiGate can operate in one of two modes: NAT or transparent.

The most common of the two operating modes is NAT mode, where a FortiGate is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the FortiGate to hide the IP addresses of the private network using NAT. NAT mode is also used when two or more ISPs provide the FortiGate with redundant Internet connections.

A FortiGate in transparent mode is installed between the internal network and the router. In this mode, the FortiGate does not make any changes to IP addresses and only applies security scanning to traffic. When a FortiGate is added to a network in transparent mode, no network changes are required, except to provide the FortiGate with a management IP address. Transparent mode is used primarily when there is a need to increase network protection but changing the configuration of the network itself is impractical.

Standard installation in NAT mode

In this configuration, a FortiGate is installed as a gateway or router between a private network and the Internet. By using NAT mode, the FortiGate is able to hide the IP addresses of the private network.

Redundant Internet installation

In this configuration, a WAN link interface is created that provides the FortiGate with redundant Internet connections from two ISPs. The WAN link interface combines these two connections, allowing the FortiGate to treat them as a single interface.

Installing a FortiGate with redundant Internet

note icon

If you have previously configured your FortiGate using the standard installation, you will have to delete all routes and policies referring to an interface that will be used to provide redundant Internet. This includes the default Internet access policy that is included on many FortiGate models.

  1. Connect your ISP devices to your FortiGate’s Internet-facing interfaces (typically WAN1 and WAN2).
  2. Go to Network > Interfaces to create a WAN link interface, which is used to group multiple Internet connections together so that the FortiGate can treat them as a single interface.
  3. Set the interface Status to Enable.
  4. Under SD-WAN Interface Members, click on the plus sign and then on the down arrow to open the dropdown menu. Select WAN1 as the Interface and enter the Gateway IP provided by your primary ISP. Do the same for WAN2, but use the Gateway IP provided by your secondary ISP.
  5. Select an appropriate method for the SD-WAN Usage from the following options, and Apply your changes when finished:

    • Bandwidth - A bandwidth cap is defined for active members of the SD WAN link.

    • Volume - A volume ratio is set for each active member.

    • Sessions - A sessions ratio is set for each active member.

  6. Go to Network > Static Routes and create a new default route. Set Interface to the SD-WAN link.
  7. Go to Policy & Objects > IPv4 Policy and select Create New to add a security policy that allows users on the private network to access the Internet.

NAT mode installation

NAT mode installation

There are two main ways to install a FortiGate using network address translation (NAT) mode: Standard installation in NAT mode, where Internet access is provided by a single Internet service provider (ISP), and Redundant Internet installation, where two ISPs are used.

NAT mode vs. transparent mode

A FortiGate can operate in one of two modes: NAT or transparent.

The most common of the two operating modes is NAT mode, where a FortiGate is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the FortiGate to hide the IP addresses of the private network using NAT. NAT mode is also used when two or more ISPs provide the FortiGate with redundant Internet connections.

A FortiGate in transparent mode is installed between the internal network and the router. In this mode, the FortiGate does not make any changes to IP addresses and only applies security scanning to traffic. When a FortiGate is added to a network in transparent mode, no network changes are required, except to provide the FortiGate with a management IP address. Transparent mode is used primarily when there is a need to increase network protection but changing the configuration of the network itself is impractical.

Standard installation in NAT mode

In this configuration, a FortiGate is installed as a gateway or router between a private network and the Internet. By using NAT mode, the FortiGate is able to hide the IP addresses of the private network.

Redundant Internet installation

In this configuration, a WAN link interface is created that provides the FortiGate with redundant Internet connections from two ISPs. The WAN link interface combines these two connections, allowing the FortiGate to treat them as a single interface.

Installing a FortiGate with redundant Internet

note icon

If you have previously configured your FortiGate using the standard installation, you will have to delete all routes and policies referring to an interface that will be used to provide redundant Internet. This includes the default Internet access policy that is included on many FortiGate models.

  1. Connect your ISP devices to your FortiGate’s Internet-facing interfaces (typically WAN1 and WAN2).
  2. Go to Network > Interfaces to create a WAN link interface, which is used to group multiple Internet connections together so that the FortiGate can treat them as a single interface.
  3. Set the interface Status to Enable.
  4. Under SD-WAN Interface Members, click on the plus sign and then on the down arrow to open the dropdown menu. Select WAN1 as the Interface and enter the Gateway IP provided by your primary ISP. Do the same for WAN2, but use the Gateway IP provided by your secondary ISP.
  5. Select an appropriate method for the SD-WAN Usage from the following options, and Apply your changes when finished:

    • Bandwidth - A bandwidth cap is defined for active members of the SD WAN link.

    • Volume - A volume ratio is set for each active member.

    • Sessions - A sessions ratio is set for each active member.

  6. Go to Network > Static Routes and create a new default route. Set Interface to the SD-WAN link.
  7. Go to Policy & Objects > IPv4 Policy and select Create New to add a security policy that allows users on the private network to access the Internet.