Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.0.13 Administration Guide
    7.0.13
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    NAT and transparent mode

    NAT and transparent mode

    In this example, VDOM-A uses NAT mode and VDOM-B uses transparent mode.

    This configuration requires the following steps:

    1. Configure VDOM-A
    2. Configure VDOM-B

    Configure VDOM-A

    VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this VDOM.

    The per-VDOM configuration for VDOM-A includes the following:

    • A firewall address for the internal network
    • A static route to the ISP gateway
    • A security policy allowing the internal network to access the Internet

    All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator account.

    To add the firewall addresses in the GUI:
    1. Go to Policy & Objects > Addresses and create a new address.
    2. Enter the following information:

      Name

      internal-network

      Type

      Subnet

      Subnet / IP Range

      192.168.10.0/24

      Interface

      port1

      Show in Address List

      enabled

    3. Click OK.
    To add the firewall addresses with the CLI:
    config vdom
    edit VDOM-A
        config firewall address
            edit internal-network
                set associated-interface port1
                set subnet 192.168.10.0 255.255.255.0
            next
        end
    next
end
    To add a default route in the GUI:
    1. Go to Network > Static Routes and create a new route.
    2. Enter the following information:

      Destination

      Subnet

      IP address

      0.0.0.0/0.0.0.0

      Gateway

      172.20.201.7

      Interface

      wan1

      Distance

      10

    3. Click OK.
    To add a default route with the CLI:
    config vdom
    edit VDOM-A
        config firewall address
            edit 0
                set gateway 172.20.201.7
                set device wan1
            next
        end
    next
end
    To add the security policy in the GUI:
    1. Go to Policy & Objects > Firewall Policy and create a new policy.
    2. Enter the following information:

      Name

      VDOM-A-Internet

      Incoming Interface

      port1

      Outgoing Interface

      wan1

      Source

      internal-network

      Destination

      all

      Schedule

      always

      Service

      ALL

      Action

      ACCEPT

      NAT

      enabled

    3. Click OK.
    To add the security policy with the CLI:
    config vdom
    edit VDOM-A
        config firewall policy
            edit 0
                set name VDOM-A-Internet
                set srcintf port1
                set dstintf wan1
                set srcaddr internal-network
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
end

    Configure VDOM-B

    VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.

    The per-VDOM configuration for VDOM-B includes the following:

    • A firewall address for the FTP server
    • A static route to the ISP gateway
    • A security policy allowing external traffic to reach the FTP server

    All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator account.

    To add the firewall addresses in the GUI:
    1. Go to Policy & Objects > Addresses and create a new address.
    2. Enter the following information:

      Address Name

      FTP-server

      Type

      Subnet

      Subnet / IP Range

      172.25.177.42/32

      Interface

      port2

      Show in Address List

      enabled

    3. Click OK.
    To add the firewall addresses with the CLI:
    config vdom
    edit VDOM-B
        config firewall address
            edit FTP-server
                set associated-interface port2
                set subnet 172.25.177.42 255.255.255.255
            next
        end
    next
end
    To add a default route in the GUI:
    1. Go to Network > Routing Table and create a new route.
    2. Enter the following information:

      Destination

      Subnet

      IP address

      0.0.0.0/0.0.0.0

      Gateway

      172.20.10.10

    3. Click OK.
    To add a default route with the CLI:
    config vdom
    edit VDOM-B
        config router static
            edit 0
                set gateway 172.20.10.10
            next
        end
    next
end
    To add the security policy in the GUI:
    1. Go to Policy & Objects > Firewall Policy and create a new policy.
    2. Enter the following information:

      Name

      Access-server

      Incoming Interface

      wan2

      Outgoing Interface

      port2

      Source

      all

      Destination

      FTP-server

      Schedule

      always

      Service

      FTP

      Action

      ACCEPT

    3. Click OK.
    To add the security policy with the CLI:
    config vdom
    edit VDOM-B
        config firewall policy
            edit 0
                set name Access-server
                set srcintf wan2
                set dstintf port2
                set srcaddr all
                set dstaddr FTP-server-VIP
                set action accept
                set schedule always
                set service FTP
            next
        end
    next
end
    Previous
    Next

    NAT and transparent mode

    NAT and transparent mode

    In this example, VDOM-A uses NAT mode and VDOM-B uses transparent mode.

    This configuration requires the following steps:

    1. Configure VDOM-A
    2. Configure VDOM-B

    Configure VDOM-A

    VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this VDOM.

    The per-VDOM configuration for VDOM-A includes the following:

    • A firewall address for the internal network
    • A static route to the ISP gateway
    • A security policy allowing the internal network to access the Internet

    All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator account.

    To add the firewall addresses in the GUI:
    1. Go to Policy & Objects > Addresses and create a new address.
    2. Enter the following information:

      Name

      internal-network

      Type

      Subnet

      Subnet / IP Range

      192.168.10.0/24

      Interface

      port1

      Show in Address List

      enabled

    3. Click OK.
    To add the firewall addresses with the CLI:
    config vdom
    edit VDOM-A
        config firewall address
            edit internal-network
                set associated-interface port1
                set subnet 192.168.10.0 255.255.255.0
            next
        end
    next
end
    To add a default route in the GUI:
    1. Go to Network > Static Routes and create a new route.
    2. Enter the following information:

      Destination

      Subnet

      IP address

      0.0.0.0/0.0.0.0

      Gateway

      172.20.201.7

      Interface

      wan1

      Distance

      10

    3. Click OK.
    To add a default route with the CLI:
    config vdom
    edit VDOM-A
        config firewall address
            edit 0
                set gateway 172.20.201.7
                set device wan1
            next
        end
    next
end
    To add the security policy in the GUI:
    1. Go to Policy & Objects > Firewall Policy and create a new policy.
    2. Enter the following information:

      Name

      VDOM-A-Internet

      Incoming Interface

      port1

      Outgoing Interface

      wan1

      Source

      internal-network

      Destination

      all

      Schedule

      always

      Service

      ALL

      Action

      ACCEPT

      NAT

      enabled

    3. Click OK.
    To add the security policy with the CLI:
    config vdom
    edit VDOM-A
        config firewall policy
            edit 0
                set name VDOM-A-Internet
                set srcintf port1
                set dstintf wan1
                set srcaddr internal-network
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
end

    Configure VDOM-B

    VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.

    The per-VDOM configuration for VDOM-B includes the following:

    • A firewall address for the FTP server
    • A static route to the ISP gateway
    • A security policy allowing external traffic to reach the FTP server

    All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator account.

    To add the firewall addresses in the GUI:
    1. Go to Policy & Objects > Addresses and create a new address.
    2. Enter the following information:

      Address Name

      FTP-server

      Type

      Subnet

      Subnet / IP Range

      172.25.177.42/32

      Interface

      port2

      Show in Address List

      enabled

    3. Click OK.
    To add the firewall addresses with the CLI:
    config vdom
    edit VDOM-B
        config firewall address
            edit FTP-server
                set associated-interface port2
                set subnet 172.25.177.42 255.255.255.255
            next
        end
    next
end
    To add a default route in the GUI:
    1. Go to Network > Routing Table and create a new route.
    2. Enter the following information:

      Destination

      Subnet

      IP address

      0.0.0.0/0.0.0.0

      Gateway

      172.20.10.10

    3. Click OK.
    To add a default route with the CLI:
    config vdom
    edit VDOM-B
        config router static
            edit 0
                set gateway 172.20.10.10
            next
        end
    next
end
    To add the security policy in the GUI:
    1. Go to Policy & Objects > Firewall Policy and create a new policy.
    2. Enter the following information:

      Name

      Access-server

      Incoming Interface

      wan2

      Outgoing Interface

      port2

      Source

      all

      Destination

      FTP-server

      Schedule

      always

      Service

      FTP

      Action

      ACCEPT

    3. Click OK.
    To add the security policy with the CLI:
    config vdom
    edit VDOM-B
        config firewall policy
            edit 0
                set name Access-server
                set srcintf wan2
                set dstintf port2
                set srcaddr all
                set dstaddr FTP-server-VIP
                set action accept
                set schedule always
                set service FTP
            next
        end
    next
end
    Previous
    Next