Installing a FortiGate in NAT/Route mode
Posted on July 15, 2014 by Victoria Martin
http://cookbook.fortinet.com/installingfortigatenatroutemode/ 1/16
4/16/2017 Installing a FortiGate in NAT/Route mode Fortinet Cookbook
In this example, you will learn how to connect and configure a new FortiGate unit in NAT/Route
mode to securely connect a private network to the Internet.
In NAT/Route mode, a FortiGate unit is installed as a gateway or router between two networks. In
most cases, it is used between a private network and the Internet. This allows the FortiGate to hide
the IP addresses of the private network using network address translation (NAT).*
1. Connecting the network devices and logging onto the
FortiGate
Power on the ISP’s equipment, the FortiGate unit, and the PC on the
internal network.
Log in using an admin account (the default admin account has the username
admin and no password).
2. Configuring the FortiGate’s interfaces
Go to System > Network > Interfaces and edit the Internet-facing interface.
If you have some ISP equipment between your FortiGate and the Internet (for
example, a router), then the wan1 IP will also use a private IP assigned by
the ISP equipment. If this equipment uses DHCP, set Addressing Mode
to DHCP to get an IP assigned to the interface.
If the ISP equipment does not use DHCP, your ISP can provide you with the
correct private IP to use for the interface.
Set Addressing Mode to Manual and set the IP/Netmask to the private IP
address you wish to use for the FortiGate.
3. Adding a default route
Go to Router > Static > Static Routes (or System > Network > Routing,
depending on your FortiGate model) and create a new route.
4. (Optional) Setting the FortiGate’s DNS servers
The FortiGate unit’s DNS Settings are set to use FortiGuard DNS servers by
default, which is sufficient for most networks. However, if you need to change the DNS servers, go to
System > Network > DNS and add Primary and Secondary DNS servers.
5. Creating a policy to allow traffic from the internal
network to the Internet*
Go to Policy & Objects > Policy > IPv4 and create a new policy (if your
network uses IPv6 addresses, go to Policy & Objects > Policy > IPv6).
Set the Incoming Interface to the internal interface and the Outgoing
Interface to the Internet-facing interface.
Make sure the Action is set to ACCEPT. Turn on NAT and make sure Use
Destination Interface Address is selected (later versions of FortiOS 5.2 call
this option Use Outgoing Interface Address).
Scroll down to view the Logging Options. In order to view the results later,
enable Log Allowed Traffic and select All Sessions.
6. Results
You can now browse the Internet using any computer that connects to the
FortiGate’s internal interface.
You can view information about the traffic being processed by your
FortiGate by going to System > FortiView > All Sessions and finding traffic
that has the internal interface as the Src Interface and the Internet-facing
interface as the Dst Interface.
If these two columns are not shown, right-click on the title row, select Src
Interface and Dst Interface from the dropdown menu, and then select
Apply.
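An added example, not part of the original recipe or of Fortinet's tooling: a short Python check that parses a FortiOS CLI configuration excerpt and reports where it departs from steps 3 and 5 (a default route through the Internet-facing interface, and an ACCEPT policy with NAT and All Sessions logging). The sample configuration is constructed; the interface names `internal` and `wan1`, the 203.0.113.1 gateway, and the restriction to single-line `set` values are assumptions.

```python
import re

# Constructed FortiOS-style CLI excerpt for steps 3 and 5, trimmed to the fields checked.
SAMPLE_CONFIG = """config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set logtraffic all
        set nat enable
    next
end
"""
ANY = "0.0.0.0 0.0.0.0"  # destination of a default route

def parse_config(text):
    """Return {section: {entry: {setting: value}}}; nested config blocks are skipped."""
    tables, section, entry, depth = {}, None, None, 0
    for line in text.splitlines():
        words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', line)] or [""]
        depth += (words[0] == "config") - (words[0] == "end")  # track nesting level
        if words[0] == "config" and depth == 1:
            section, entry = tables.setdefault(" ".join(words[1:]), {}), None
        elif depth == 1 and words[0] == "edit":
            entry = section.setdefault(words[1], {})
        elif depth == 1 and words[0] == "set" and entry is not None:
            entry[words[1]] = " ".join(words[2:])
    return tables

def check_recipe(tables, lan="internal", wan="wan1"):
    """List where the config departs from the recipe's default route and policy."""
    routes = tables.get("router static", {}).values()
    allowed = [p for p in tables.get("firewall policy", {}).values()
               if (p.get("srcintf"), p.get("dstintf"), p.get("action")) == (lan, wan, "accept")]
    checks = [
        # A route without "set dst" is treated here as the default 0.0.0.0/0.
        ("no default route via " + wan,
         any(r.get("device") == wan and r.get("dst", ANY) == ANY for r in routes)),
        ("no ACCEPT policy from %s to %s" % (lan, wan), bool(allowed)),
        ("NAT is off on an outbound policy", all(p.get("nat") == "enable" for p in allowed)),
        ("an outbound policy does not log All Sessions",
         all(p.get("logtraffic") == "all" for p in allowed)),
    ]
    return [message for message, ok in checks if not ok]
```

Running `check_recipe(parse_config(...))` on a saved configuration returns an empty list when the route and policy match the recipe, and one message per deviation otherwise.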
Victoria Martin
Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She
graduated with a Bachelor's degree from Mount Allison University, after which she
attended Humber College's book publishing program, followed by the more practical
technical writing program at Algonquin College. She does need glasses but also likes
wearing them, since glasses make you look smarter.
Join the discussion
srikanthane
I have 5 public-facing IP addresses provided by the ISP. We have assigned one of the
IPs to our WAN 1 link; please guide me on how to assign the second public-facing IP
to another interface on a FortiGate D100 router.
bdickie
Rick
Hi, we have a FortiGate 200D, and I have a pool of public IPs. How can I configure the
wan port to use all of these IPs? I need that to use VIPs.
Thanks
Bruce Davis
If you have a pool of IP addresses assigned to you by your ISP, you can add
them to your WAN interface by enabling the Secondary IP address section
towards the bottom of the interface configuration window. Once they have
been added to your interface you can assign those external IP addresses
into the configuration for the VIP.
Khan Sufyanee
hi,
We have a Fortigate 90D V5.2.1. Help me to configure website filtering through
groups, so that some groups of people can have full internet access and some people
can have limited internet access. I also want to integrate those groups with an Active
Directory domain. Please help me.
Victoria Martin
Hello Khan,
We have several authentication recipes written for FortiOS 5.4 which can
be found at http://cookbook.fortinet.com/authentication/.
If you do not find the information you need in these recipes, you can also
refer to the FortiOS Handbook about authentication, which you can find at
http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/Intro.htm
Jozi
Hi ,
I would like to know how I can place a Netgear WRN3500Lv2 as an AP under the
Fortigate 60D.
Do I need to configure something inside the Fortigate, or what do I need to do?
Please advise me.
Victoria Martin
Hi Jozi,
The only APs that can be managed by a FortiGate are FortiAPs. However,
you can set up your FortiGate to provide Internet access to the Netgear
device, the same as if it were any other type of device on your network.
Syed Mujahed
hi
We are using a Fortigate 100D.
I want to assign the public IP to wan1 for the Fortinet client, for accessing SSL VPN.
Victoria Martin
Hi Syed,
If your FortiGate connects to equipment from your ISP, you will need to
contact them in order to make sure VPN users can access the FortiGate.
Sandhy
Hi,
I’m using a Fortigate 60D.
Could you please help me with the Fortigate configuration? The existing router is running a
tunnel VPN IPSec configuration to the headquarters office. Many thanks.
bdickie
Hello, you can find all of our FortiGate recipes for various versions of
FortiOS here: http://cookbook.fortinet.com/fortios-versions/.
If you are running FortiOS 4.3 we have the following IPsec VPN recipe:
http://help.fortinet.com//cb/html/index.html#page/FOS_Cookbook/IPSec/cb_ipsecvpn_fgt_basic.html
Khan Sufyanee
Hi,
I’m using a Fortigate 90D. We have two WAN connections and have configured load balancing
between them for the internet. How can I redirect a specific user’s internet traffic to a specific
WAN?
Victoria Martin
Hello Khan,
Your set-up sounds like the older method of setting up redundant Internet
connections. We don’t have a recipe for 5.2 that shows this method but
there is a 5.0 recipe that hopefully can help you. You can find it at
http://docs.fortinet.com/uploaded/files/1646/using-two-ISPs-for-redundant-Internet-connections.pdf.
Jr81
Hi,
I’m about to inherit a couple of sites that have a pair of 1000c firewalls installed. My
question is: what is the best path for training on these devices? I would like to know as
much as possible about these devices… I do have experience with ASA firewalls but
not Fortigate. Thx!
Victoria Martin
Hi Jr81,
Well, you’ve found one good FortiGate resource here, as the Cookbook can
help you if there’s any additional configuration required for the sites. I
would also recommend checking out the FortiOS Handbook, which goes
into more detail about how a FortiGate works. You can find the Handbook
for your version of FortiOS at http://docs.fortinet.com.
Praba
Hi all,
I’m using a Fortigate 40c V5.2.3 and I do the same configuration as above but I can’t
connect to the internet. Please help me, and what details do you need for further
clarification?
Regards,
Praba
Victoria Martin
Hi Praba,
Mervin
Hi all,
Can you please help me out? Attached is our current network topology and we are
having problems with our Fortigate 200D. In the diagram, all the users already have
access to the internet (we have a PUBLIC IP pool) but our main problem is that the
Firewall itself cannot connect to the internet. We tried NAT-ing all the interface of
the firewall and also its management IP but it still won’t connect to the internet.
Because of this, Firewall services says “Unreachable”. Anyone have an idea on what
we should do? Thanks in advance.
Regards,
Mervin
Bruce Davis
Without seeing the actual configuration I couldn’t say where the problem is,
but if your users can get to the Internet but the FortiGate cannot, the 2
places that I would look first are the DNS server that the FortiGate is using
and the Default routes. Because you have 2 Internet connections even
more care has to be taken with the routing. If these look like they should be
working I would then go into the CLI and use the execute ping command to
see just how far I could get before I cannot make a connection. Because
you have…
Mervin
Hi Bruce! Thanks for the response. The DNS Server that we use on
the Fortigate is the default of the unit which is 208.91.112.53 and
208.91.112.52. At the moment, we are on the testing phase so we are
just using the 14Mbps connection. Default route is pointed just to that
interface. Routing to the inside network is also configured via a
redundant port (ports 13 and 14). Firewall Configurations: Port WAN2:
172.20.31.6/30 Port 13 and 14: 172.16.10.4/29 Other firewall configs are
posted below as snapshots. 14Mbps Internet configurations (We do
not have access to this, all we know is it’s…
Mervin
Bruce Davis
Mervin
Regards,
Mervin
dee
Hi All,
Bruce Davis
Dee, the solution may depend on how the modem is configured. Modems
can be set up 2 ways, or at least 2 ways that concern us at the moment. The
first is in NAT mode, in which the modem’s outside-facing interface will
have the public IP address assigned to it. In this mode it will act like a
router and there will be a subnet between the modem and your FortiGate;
the FortiGate’s wan interface likely getting its IP address from the
modem’s DHCP server. If you want to know the IP address that is assigned
to it you can…
Victoria Martin
Since you have a modem between your FortiGate and the Internet, your
wan1 interface will not actually use the public IP, since it is not actually
directly on the Internet.
If you see my reply below to af84, there is more information about what
address to use when you have a router between the FortiGate and the
Internet. Since we’ve had two comments about it in the past week, the
recipe will be revised in the near future to contain more information about
this configuration.
dee
Hi,
Victoria Martin
af84
Hi All,
Victoria Martin
Hello, For your internal IP, you can use an IP that you create yourself.
Typically internal IPs use one of the ranges that are reserved for private
networks: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, or
192.168.0.0 – 192.168.255.255. For the wan1 IP, if your FortiGate is directly
connecting to your ISP, then you’ll need to use the public address that the
ISP has provided for you. However, if you have some ISP equipment
between your FortiGate and the Internet (for example, a router), then the
wan1 IP will also use a private IP as assigned by the router. If you…
af84
Hi Vic,
Thanks. Btw, some said if I’m using the FGT then I can remove the
existing Cisco router. So can I directly connect the FGT to the ISP
without using the router, or if I need to connect through the router, which
mode can I use? Is it NAT/Route or Transparent, and which is better?
Victoria Martin
You can remove the existing Cisco router. If you do this,
you must use NAT/Route mode, so that all outgoing traffic will
use the public IP assigned to you by your ISP.
You can use either mode if the Cisco router remains in place.
Keeping the FortiGate in NAT/Route would be easier to set up,
so I would recommend using it.
Joe
Under my “System > FortiView > All Sessions” it only shows the IP addresses for
the Destination.. your example shows domain names, google.com,
blog.fortinet.com, etc.. how do you enable this?
Victoria Martin
Hi Joe,
If you go to Log & Report > Log Config > Log Settings, you’ll see an option
under GUI Preferences to Resolve Hostnames (Using reverse DNS lookup).
If you have this selected, you should see the domain names listed in your
logs, including the FortiView dashboard.