
4/16/2017 Installing a FortiGate in NAT/Route mode - Fortinet Cookbook


Installing a FortiGate in NAT/Route mode
Posted on July 15, 2014 by Victoria Martin


In this example, you will learn how to connect and configure a new FortiGate unit in NAT/Route
mode to securely connect a private network to the Internet.

In NAT/Route mode, a FortiGate unit is installed as a gateway or router between two networks. In
most cases, it is used between a private network and the Internet. This allows the FortiGate to hide
the IP addresses of the private network using network address translation (NAT).*


1. Connecting the network devices and logging onto the FortiGate

Connect the FortiGate’s Internet-facing interface (typically WAN1) to your
ISP-supplied equipment and connect a PC to the FortiGate using an
internal port (typically port 1).

Power on the ISP’s equipment, the FortiGate unit, and the PC on the
internal network.

From the PC on the internal network, connect to the FortiGate’s web-based
manager using either FortiExplorer or an Internet browser (for information
about connecting to the web-based manager, please see your model’s
QuickStart Guide).

Log in using an admin account (the default admin account has the username
admin and no password).

2. Configuring the FortiGate’s interfaces

Go to System > Network > Interfaces and edit the Internet-facing interface.

If your FortiGate is directly connecting to your ISP, set Addressing Mode to
Manual and set the IP/Netmask to the public IP address your ISP has
provided you with.

If you have some ISP equipment between your FortiGate and the Internet (for
example, a router), then the wan1 IP will also use a private IP assigned by
the ISP equipment. If this equipment uses DHCP, set Addressing Mode
to DHCP to get an IP assigned to the interface.

If the ISP equipment does not use DHCP, your ISP can provide you with the
correct private IP to use for the interface.


Edit the internal interface (called lan on some FortiGate models).

Set Addressing Mode to Manual and set the IP/Netmask to the private IP
address you wish to use for the FortiGate.

3. Adding a default route

Go to Router > Static > Static Routes (or System > Network > Routing,
depending on your FortiGate model) and create a new route.

Set the Destination IP/Mask to 0.0.0.0/0.0.0.0, the Device to the
Internet-facing interface, and the Gateway to the gateway (or default route)
provided by your ISP or to the next hop router, depending on your network
requirements.*

4. (Optional) Setting the FortiGate’s DNS servers

The FortiGate unit’s DNS Settings are set to use FortiGuard DNS servers by
default, which is sufficient for most networks. However, if you need to
change the DNS servers, go to System > Network > DNS and add Primary and
Secondary DNS servers.

5. Creating a policy to allow traffic from the internal
network to the Internet*

Go to Policy & Objects > Policy > IPv4 and create a new policy (if your
network uses IPv6 addresses, go to Policy & Objects > Policy > IPv6).

Set the Incoming Interface to the internal interface and the Outgoing
Interface to the Internet-facing interface.

Make sure the Action is set to ACCEPT. Turn on NAT and make sure Use
Destination Interface Address is selected (later versions of FortiOS 5.2 call
this option Use Outgoing Interface Address).

Scroll down to view the Logging Options. In order to view the results later,
enable Log Allowed Traffic and select All Sessions.

6. Results

You can now browse the Internet using any computer that connects to the
FortiGate’s internal interface.

You can view information about the traffic being processed by your
FortiGate by going to System > FortiView > All Sessions and finding traffic
that has the internal interface as the Src Interface and the Internet-facing
interface as the Dst Interface.

If these two columns are not shown, right-click on the title row, select Src
Interface and Dst Interface from the dropdown menu, and then select
Apply.
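
The settings from steps 3 and 5 can also be checked in a configuration backup. The following Python script is an added example, not part of the original recipe or Fortinet's own tooling: it parses FortiOS CLI-style configuration text and reports where the default route or the outbound policy differs from the recipe. The interface names wan1 and internal and the addresses in the sample are assumptions, as is the rule that a DHCP or PPPoE uplink learns its gateway from the ISP equipment.

```python
import re

ANY = ["0.0.0.0", "0.0.0.0"]  # destination/mask of a default route
# Constructed sample in FortiOS "show" syntax; names and addresses are assumptions.
SAMPLE = """\
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
"""

def parse(text):
    """Return {table: {entry id: {option: [values]}}} for top-level tables."""
    tables, depth, table, entry = {}, 0, None, None
    for line in text.splitlines():
        # Split into words, keeping quoted values whole; blank lines become [""].
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if tok[0] == "config":
            depth += 1
            if depth == 1:
                table, entry = tables.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]  # nested "config" blocks (depth > 1) are skipped
    return tables

def audit(text, lan="internal", wan="wan1"):
    """Return deviations from the recipe; unset options keep FortiOS defaults."""
    cfg, findings = parse(text), []
    # Assumption: a DHCP/PPPoE uplink learns its gateway; only static needs a route.
    mode = cfg.get("system interface", {}).get(wan, {}).get("mode", ["static"])
    if mode == ["static"] and not any(
            r.get("dst", ANY) == ANY and r.get("device") == [wan] and r.get("gateway")
            for r in cfg.get("router static", {}).values()):
        findings.append(f"no default route with a gateway on {wan}")
    want = ([lan], [wan], ["accept"])
    policies = {i: p for i, p in cfg.get("firewall policy", {}).items()
                if (p.get("srcintf"), p.get("dstintf"), p.get("action")) == want}
    if not policies:
        findings.append(f"no ACCEPT policy from {lan} to {wan}")
    for pid, p in policies.items():
        for opt, value in (("nat", "enable"), ("logtraffic", "all")):
            if p.get(opt) != [value]:
                findings.append(f"policy {pid}: {opt} should be {value}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE), audit(SAMPLE.replace("set nat enable", "set nat disable")))
```

An empty list means the backup matches the recipe; each string names one setting to revisit in the GUI.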


For further reading, check out Installing a FortiGate in NAT/Route Mode in
the FortiOS 5.2 Handbook.


Victoria Martin
Technical Writer & Head Cookbook Chef at Fortinet

Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She
graduated with a Bachelor's degree from Mount Allison University, after which she
attended Humber College's book publishing program, followed by the more practical
technical writing program at Algonquin College. She does need glasses but also likes
wearing them, since glasses make you look smarter.


35 Comments on "Installing a FortiGate in NAT/Route mode"


srikanthane

I have 5 public facing IP addresses provided by the ISP, we have assigned one of the
IP for our WAN 1 link, please guide me on how to assign the second public facing IP
on other interface on a FortiGate D100 router

January 6, 2017 7:24 am

bdickie

There are a number of options depending on your network design. I would
recommend you contact Fortinet support for assistance in setting up the
ideal configuration for your network.
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

January 9, 2017 8:59 am

Rick

Hi, we have FortiGate 200D, I have a pool of public IPs. How can I configure the
wan port to use all of these IPs? I need that to use VIPs.
Thanks

December 2, 2016 5:32 am

Bruce Davis

If you have a pool of IP addresses assigned to you by your ISP, you can add
them to your WAN interface by enabling the Secondary IP address section
towards the bottom of the interface configuration window. Once they have
been added to your interface you can assign those external IP addresses
into the configuration for the VIP.

December 2, 2016 2:40 pm

Khan Sufyanee

Hi,
We have Fortigate 90D V5.2.1. Help me to configure website filtering through
groups, like some group of people can have full internet access and some people
can have limited internet access. I also want to integrate those groups to Active
Directory domain. Please help me.

October 29, 2016 10:55 am

Victoria Martin

Hello Khan,

We have several authentication recipes written for FortiOS 5.4 which can
be found at http://cookbook.fortinet.com/authentication/.

If you do not find the information you need in these recipes, you can also
refer to the FortiOS Handbook about authentication, which you can find at
http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/Intro.htm

I hope that helps!

November 4, 2016 11:01 am

Jozi

Hi,
I would like to know how can I place Netgear WRN3500Lv2 as an AP that under the
Fortigate 60D.
Do I need to configure something inside Fortigate or what I need to do?
Please, advise me.

October 5, 2016 4:52 am

Victoria Martin

Hi Jozi,
The only APs that can be managed by a FortiGate are FortiAPs. However,
you can set up your FortiGate to provide Internet access to the Netgear
device, the same as if it were any other type of device on your network.

October 5, 2016 10:26 am

Syed Mujahed

Hi,
we are using fortigate 100D

I want to assign the public ip to wan1 for fortinet client. for accessing ssl vpn

August 15, 2016 5:50 am

Victoria Martin

Hi Syed,

If your FortiGate is directly on the Internet, you can go to System >
Network > Interfaces and edit wan1 to have your public IP. This IP can then
be used when configuring an SSL VPN for FortiClient (there is a recipe
about that located at http://cookbook.fortinet.com/ssl-vpn-for-remote-users/)

If your FortiGate connects to equipment from your ISP, you will need to
contact them in order to make sure VPN users can access the FortiGate.

August 16, 2016 12:11 pm

Sandhy

Hi,
I’m using fortigate 60D.
Could you please help me on fortigate configuration. On existing router running
tunnel VPN IPSec configuration to headquarter office. Many thanks.

July 13, 2016 3:16 am

bdickie

Hello, you can find all of our FortiGate recipes for various versions of
FortiOS here: http://cookbook.fortinet.com/fortios-versions/.

If you are running FortiOS 4.3 we have the following IPsec VPN recipe:
http://help.fortinet.com//cb/html/index.html#page/FOS_Cookbook/IPSec/cb_ipsecvpn_fgt_basic.html

If you are running FortiOS 5.0 try here:
http://docs.fortinet.com/uploaded/files/1685/using-IPsec-VPN-to-provide-communication-between-offices.pdf

If you are running FortiOS 5.2 try here:
http://cookbook.fortinet.com/site-to-site-ipsec-vpn-two-fortigates/

July 13, 2016 10:49 am

Khan Sufyanee

Hi,
I’m using fortigate 90D. We have two wan conn and configured load balance
between the internet. How can I redirect specific user internet traffic to specific
WAN

April 19, 2016 8:19 am

Victoria Martin

Hello Khan,

Your set-up sounds like the older method of setting up redundant Internet
connections. We don’t have a recipe for 5.2 that shows this method but
there is a 5.0 recipe that hopefully can help you. You can find it at
http://docs.fortinet.com/uploaded/files/1646/using-two-ISPs-for-redundant-Internet-connections.pdf.

I hope that helps!

April 19, 2016 10:24 am

Jr81

Hi,

I’m about to inherit a couple of sites that have a pair of 1000c firewall installed. My
question is what is best path for training on these devices? Would like to know as
much as possible about these devices… I do have experience with ASA firewalls but
not fortigate. Thx!

July 14, 2015 11:46 pm

Victoria Martin

Hi Jr81,

Well, you’ve found one good FortiGate resource here, as the Cookbook can
help you if there’s any additional configuration required for the sites. I
would also recommend checking out the FortiOS Handbook, which goes
into more detail about how a FortiGate works. You can find the Handbook
for your version of FortiOS at http://docs.fortinet.com.

Finally, we do have training available at http://www.fortinet.com/training/

July 15, 2015 9:37 am

Praba

Hi all,

I’m using Fortigate 40c V5.2.3 and I do same configuration as above but I can’t
connect internet. Please help me and what detail do you need for further
clarification?

Regards,
Praba

June 8, 2015 1:02 am

Victoria Martin

Hi Praba,

Have you tried the troubleshooting steps listed at
http://cookbook.fortinet.com/troubleshooting-fortigate-installation/?
They could help determine where the problem is occurring, which would
make it easier to solve.

June 8, 2015 11:12 am

Mervin

Hi all,

Can you please help me out? Attached is our current network topology and we are
having problems with our Fortigate 200D. In the diagram, all the users already have
access to the internet (we have a PUBLIC IP pool) but our main problem is that the
Firewall itself cannot connect to the internet. We tried NAT-ing all the interface of
the firewall and also its management IP but it still won’t connect to the internet.
Because of this, Firewall services says “Unreachable”. Anyone have an idea on what
we should do? Thanks in advance.

Regards,
Mervin

February 22, 2015 11:22 am

Bruce Davis

Without seeing the actual configuration I couldn’t say where the problem is
but if your users can get to the Internet but the FortiGate cannot, the 2
places that I would look first are the DNS server that the FortiGate is using
and the Default routes. Because you have 2 Internet connections even
more care has to be taken with the routing. If these look like they should be
working I would then go into the CLI and use the execute ping command to
see just how far I could get before I cannot make a connection. Because
you have…

February 23, 2015 11:28 am

Mervin

Hi Bruce! Thanks for the response. The DNS Server that we use on
the Fortigate is the default of the unit which is 208.91.112.53 and
208.91.112.52. At the moment, we are on the testing phase so we are
just using the 14Mbps connection. Default route is pointed just to that
interface. Routing to the inside network is also configured via a
redundant port (ports 13 and 14). Firewall Configurations: Port WAN2:
172.20.31.6/30 Port 13 and 14: 172.16.10.4/29 Other firewall configs are
posted below as snapshots. 14Mbps Internet configurations (We do
not have access to this, all we know is it’s…

February 24, 2015 2:38 am

Mervin

By the way, ping results to 172.20.31.5/30 (ISP Router’s
interface) using the source addresses below have the following
results:

1. Fortigate WAN2 Interface (172.20.31.6/30) – successful.
2. Fortigate Redundant Interface (172.16.10.4/29) – unreachable.
3. Fortigate Management IP – (unreachable).
4. Core Switch IP (172.16.10.2/29) – successful.
5. End Host(192.168.10.100/24) – successful.

February 24, 2015 2:48 am

Bruce Davis

Mervin, As this is a documentation website rather than a
support one it is not really the venue for a question on
such a specific scenario, especially one in such a complex
environment. Those sort of questions should normally go
to the Technical Assistance Center. To find out which
number to call for support check out the page
http://www.fortinet.com/support/contact_support.html.
All that being said, I’ll give you my best guess at what is
happening based on the information that you’ve provided.
I think that the ISP router is set up expecting traffic
arriving on the 172.20.31.5/30 interface to be from the
range…

February 24, 2015 12:22 pm

Mervin

Thank you so much for your inputs Bruce.

Regards,
Mervin

February 25, 2015 12:41 am

dee

Hi All,

Sorry for this silly question

How to get my public ip address? My fortigate connected to the internet modem
and the modem connected to the internet thru PPPoE. Do I need to enter the public
ip as shown in the modem into wan1 port?

January 28, 2015 9:28 am

Bruce Davis

Dee, The solution may depend on how the modem is configured. Modems
can be setup 2 ways, or at least 2 ways that concern us at the moment. The
first is in NAT mode in which the modem’s outside facing interface will
have the public IP address assigned to it. In this mode it will act like a
router and there will be a subnet between the modem and your FortiGate;
the FortiGate’s wan interface likely getting its IP address from the
modem’s DHCP server. If you want to know the IP address that is assigned
to it you can…

January 30, 2015 5:31 pm

Victoria Martin

Since you have a modem between your FortiGate and the Internet, your
wan1 interface will not actually use the public IP, since it is not actually
directly on the Internet.

If you see my reply below to af84, there is more information about what
address to use when you have a router between the FortiGate and the
Internet. Since we’ve had two comments about it in the past week, the
recipe will be revised in the near future to contain more information about
this configuration.

January 28, 2015 9:38 am

dee

Hi,

Noted and how about if i need to access my fortigate outside from my
network. How to configure it.

January 28, 2015 10:23 am

Victoria Martin

The solution may depend on how the modem is configured.
Modems can be setup 2 ways, or at least 2 ways that concern us
at the moment. The first is in NAT mode in which the modem’s
outside facing interface will have the public IP address assigned
to it. In this mode it will act like a router and there will be a
subnet between the modem and your FortiGate; the FortiGate’s
wan interface likely getting its IP address from the modem’s
DHCP server. If you want to know the IP address that is
assigned to it you can log…

February 18, 2015 1:31 pm

af84

Hi All,

Need your expertise on configuring the firewall. I’m a newbie.
Which IP I need to enter in the wan1 and internal. Meaning is it an ip that I can
create myself or tied to the ISP IP.

Hope can help. TQ

January 23, 2015 8:31 am

Victoria Martin

Hello, For your internal IP, you can use an IP that you create yourself.
Typically internal IPs use one of the ranges that are reserved for private
networks: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, or
192.168.0.0 – 192.168.255.255. For the wan1 IP, if your FortiGate is directly
connecting to your ISP, then you’ll need to use the public address that the
ISP has provided for you. However, if you have some ISP equipment
between your FortiGate and the Internet (for example, a router), then the
wan1 IP will also use a private IP as assigned by the router. If you…

January 23, 2015 9:57 am

af84

Hi Vic,

Thanks. Btw, some said if I’m using the FGT then I can remove the
existing cisco router. So can I directly connect the FGT to isp
without using the router or if I need to connect thru router which
mode can I use? Is it NAT/Route or Transparent and which is better.

Hope can help

January 23, 2015 8:58 pm

Victoria Martin

You can remove the existing Cisco router. If you do this,
you must use NAT/Route mode, so that all outgoing traffic will
use the public IP assigned to you by your ISP.

You can use either mode if the Cisco router remains in place.
Keeping the FortiGate in NAT/Route would be easier to set up,
so I would recommend using it.

January 26, 2015 10:43 am

Joe

Under my “System > FortiView > All Sessions” it only shows the IP addresses for
the Destination.. your example shows domain names, google.com,
blog.fortinet.com, etc.. how do you enable this?

January 7, 2015 1:11 pm

Victoria Martin

Hi Joe,

If you go to Log & Report > Log Config > Log Settings, you’ll see an option
under GUI Preferences to Resolve Hostnames (Using reverse DNS lookup).
If you have this selected, you should see the domain names listed in your
logs, including the FortiView dashboard.

January 7, 2015 3:44 pm
