Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 6.4.3 Administration Guide
    6.4.3
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    NAT and transparent mode

    NAT and transparent mode

    In this example, VDOM-A uses NAT mode and VDOM-B uses transparent mode.

    This configuration requires the following steps:

    1. Configure VDOM-A
    2. Configure VDOM-B

    Configure VDOM-A

    VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this VDOM.

    The per-VDOM configuration for VDOM-A includes the following:

    • A firewall address for the internal network
    • A static route to the ISP gateway
    • A security policy allowing the internal network to access the Internet

    All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator account.

    To add the firewall addresses in the GUI:
    1. Go to Policy & Objects > Addresses and create a new address.
    2. Enter the following information:

      Name

      internal-network

      Type

      Subnet

      Subnet / IP Range

      192.168.10.0/24

      Interface

      port1

      Show in Address List

      enabled

    To add the firewall addresses with the CLI:

    config vdom

    edit VDOM-A

    config firewall address

    edit internal-network

    set associated-interface port1

    set subnet 192.168.10.0 255.255.255.0

    next

    end

    next

    end

    To add a default route in the GUI:
    1. Go to Network > Static Routes and create a new route.
    2. Enter the following information:

      Destination

      Subnet

      IP address

      0.0.0.0/0.0.0.0

      Gateway

      172.20.201.7

      Interface

      wan1

      Distance

      10

    To add a default route with the CLI:

    config vdom

    edit VDOM-A

    config router static

    edit 0

    set gateway 172.20.201.7

    set device wan1

    next

    end

    next

    end

    To add the security policy in the GUI:
    1. Connect to VDOM-A.
    2. Go to Policy & Objects > Firewall Policy and create a new policy.
    3. Enter the following information:

      Name

      VDOM-A-Internet

      Incoming Interface

      port1

      Outgoing Interface

      wan1

      Source

      internal-network

      Destination

      all

      Schedule

      always

      Service

      ALL

      Action

      ACCEPT

      NAT

      enabled

    To add the security policy with the CLI:

    config vdom

    edit VDOM-A

    config firewall policy

    edit 0

    set name VDOM-A-Internet

    set srcintf port1

    set dstintf wan1

    set srcaddr internal-network

    set dstaddr all

    set action accept

    set schedule always

    set service ALL

    set nat enable

    next

    end

    next

    end

    Configure VDOM-B

    VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.

    The per-VDOM configuration for VDOM-B includes the following:

    • A firewall address for the FTP server
    • A static route to the ISP gateway
    • A security policy allowing external traffic to reach the FTP server

    All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator account.

    To add the firewall addresses in the GUI:
    1. Go to Policy & Objects > Addresses and create a new address.
    2. Enter the following information:

      Address Name

      FTP-server

      Type

      Subnet

      Subnet / IP Range

      172.25.177.42/32

      Interface

      port2

      Show in Address List

      enabled

    To add the firewall addresses with the CLI:

    config vdom

    edit VDOM-B

    config firewall address

    edit FTP-server

    set associated-interface port2

    set subnet 172.25.177.42 255.255.255.255

    next

    end

    next

    end

    To add a default route in the GUI:
    1. Go to Network > Routing Table and create a new route.
    2. Enter the following information:

      Destination

      Subnet

      IP address

      0.0.0.0/0.0.0.0

      Gateway

      172.20.10.10

    To add a default route with the CLI:

    config vdom

    edit VDOM-B

    config router static

    edit 0

    set gateway 172.20.10.10

    next

    end

    next

    end

    To add the security policy in the GUI:
    1. Connect to VDOM-B.
    2. Go to Policy & Objects > Firewall Policy and create a new policy.
    3. Enter the following information:

      Name

      Access-server

      Incoming Interface

      wan2

      Outgoing Interface

      port2

      Source

      all

      Destination

      FTP-server

      Schedule

      always

      Service

      FTP

      Action

      ACCEPT

    To add the security policy with the CLI:

    config vdom

    edit VDOM-B

    config firewall policy

    edit 0

    set name Access-server

    set srcintf wan2

    set dstintf port2

    set srcaddr all

    set dstaddr FTP-server-VIP

    set action accept

    set schedule always

    set service FTP

    next

    end

    next

    end

    Previous
    Next

    NAT and transparent mode

    NAT and transparent mode

    In this example, VDOM-A uses NAT mode and VDOM-B uses transparent mode.

    This configuration requires the following steps:

    1. Configure VDOM-A
    2. Configure VDOM-B

    Configure VDOM-A

    VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this VDOM.

    The per-VDOM configuration for VDOM-A includes the following:

    • A firewall address for the internal network
    • A static route to the ISP gateway
    • A security policy allowing the internal network to access the Internet

    All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator account.

    To add the firewall addresses in the GUI:
    1. Go to Policy & Objects > Addresses and create a new address.
    2. Enter the following information:

      Name

      internal-network

      Type

      Subnet

      Subnet / IP Range

      192.168.10.0/24

      Interface

      port1

      Show in Address List

      enabled

    To add the firewall addresses with the CLI:

    config vdom

    edit VDOM-A

    config firewall address

    edit internal-network

    set associated-interface port1

    set subnet 192.168.10.0 255.255.255.0

    next

    end

    next

    end

    To add a default route in the GUI:
    1. Go to Network > Static Routes and create a new route.
    2. Enter the following information:

      Destination

      Subnet

      IP address

      0.0.0.0/0.0.0.0

      Gateway

      172.20.201.7

      Interface

      wan1

      Distance

      10

    To add a default route with the CLI:

    config vdom

    edit VDOM-A

    config router static

    edit 0

    set gateway 172.20.201.7

    set device wan1

    next

    end

    next

    end

    To add the security policy in the GUI:
    1. Connect to VDOM-A.
    2. Go to Policy & Objects > Firewall Policy and create a new policy.
    3. Enter the following information:

      Name

      VDOM-A-Internet

      Incoming Interface

      port1

      Outgoing Interface

      wan1

      Source

      internal-network

      Destination

      all

      Schedule

      always

      Service

      ALL

      Action

      ACCEPT

      NAT

      enabled

    To add the security policy with the CLI:

    config vdom

    edit VDOM-A

    config firewall policy

    edit 0

    set name VDOM-A-Internet

    set srcintf port1

    set dstintf wan1

    set srcaddr internal-network

    set dstaddr all

    set action accept

    set schedule always

    set service ALL

    set nat enable

    next

    end

    next

    end

    Configure VDOM-B

    VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.

    The per-VDOM configuration for VDOM-B includes the following:

    • A firewall address for the FTP server
    • A static route to the ISP gateway
    • A security policy allowing external traffic to reach the FTP server

    All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator account.

    To add the firewall addresses in the GUI:
    1. Go to Policy & Objects > Addresses and create a new address.
    2. Enter the following information:

      Address Name

      FTP-server

      Type

      Subnet

      Subnet / IP Range

      172.25.177.42/32

      Interface

      port2

      Show in Address List

      enabled

    To add the firewall addresses with the CLI:

    config vdom

    edit VDOM-B

    config firewall address

    edit FTP-server

    set associated-interface port2

    set subnet 172.25.177.42 255.255.255.255

    next

    end

    next

    end

    To add a default route in the GUI:
    1. Go to Network > Routing Table and create a new route.
    2. Enter the following information:

      Destination

      Subnet

      IP address

      0.0.0.0/0.0.0.0

      Gateway

      172.20.10.10

    To add a default route with the CLI:

    config vdom

    edit VDOM-B

    config router static

    edit 0

    set gateway 172.20.10.10

    next

    end

    next

    end

    To add the security policy in the GUI:
    1. Connect to VDOM-B.
    2. Go to Policy & Objects > Firewall Policy and create a new policy.
    3. Enter the following information:

      Name

      Access-server

      Incoming Interface

      wan2

      Outgoing Interface

      port2

      Source

      all

      Destination

      FTP-server

      Schedule

      always

      Service

      FTP

      Action

      ACCEPT

    To add the security policy with the CLI:

    config vdom

    edit VDOM-B

    config firewall policy

    edit 0

    set name Access-server

    set srcintf wan2

    set dstintf port2

    set srcaddr all

    set dstaddr FTP-server-VIP

    set action accept

    set schedule always

    set service FTP

    next

    end

    next

    end

    Previous
    Next