Chapter 2 – Getting Started

Installing a FortiGate in NAT/Route mode

There are two main types of FortiGate installations using NAT/Route mode: Standard Installation in NAT/Route Mode, where Internet access is provided by a single ISP, and Redundant Internet Installation, where two ISPs are used.

Standard Installation in NAT/Route Mode

In this configuration, a FortiGate is installed as a gateway or router between a private network and the Internet. By using network address translation (NAT), the FortiGate is able to hide the IP addresses of the private network.

Installing a FortiGate in NAT/Route Mode

1. Connect the FortiGate’s Internet-facing interface (typically WAN1) to your ISP-supplied equipment.

2. Connect a PC to the FortiGate using an internal port (typically port 1).

3. Power on the ISP’s equipment, the FortiGate, and the PC on the internal network.

4. From the PC on the internal network, connect to the FortiGate’s GUI using either FortiExplorer or an Internet browser (for information about connecting to the GUI, please see your model’s QuickStart Guide). Log in using an admin account (the default admin account has the username admin and no password).

5. Go to Network > Interfaces and edit the Internet-facing interface. Set Addressing Mode to Manual and the IP/Netmask to your public IP address. Select OK.

If you have some ISP equipment between your FortiGate and the Internet (for example, a router), then the wan1 IP will also use a private IP assigned by the ISP equipment. If this equipment uses DHCP, set Addressing Mode to DHCP to get an IP assigned to the interface.

If the ISP equipment does not use DHCP, your ISP can provide you with the correct private IP to use for the interface.

6. Edit the lan interface (called internal on some FortiGate models). Make sure the interface’s Role is set to LAN. Set Addressing Mode to Manual and set the IP/Netmask to the private IP address you wish to use for the FortiGate. Select OK.

7. Go to Network > Static Routes and select Create New to add a default route. Set Destination to Subnet (which allows you to input a numeric IP address or subnet), Destination IP/Mask to 0.0.0.0/0.0.0.0, Device to the Internet-facing interface, and Gateway to the gateway (or default route) provided by your ISP or to the next hop router, depending on your network requirements. Select OK.

A default route always has a Destination IP/Mask of 0.0.0.0/0.0.0.0. Normally, you would have only one default route. If the static route list already contains a default route, you can either edit it or delete it and add a new one.

8. (Optional) The FortiGate’s DNS Settings are set to use FortiGuard DNS servers by default, which is sufficient for most networks. However, if you need to change the DNS servers, go to Network > DNS, select Specify, and add Primary and Secondary DNS servers. Select Apply.

Some FortiGate models include an IPv4 security policy allowing access from LAN/Internal to WAN/WAN1 in the default configuration. This policy can be found at Policy & Objects > IPv4 Policy.

If you have one of these models, users are now able to access the Internet.

9. Go to Policy & Objects > IPv4 Policy and select Create New to add a security policy that allows users on the private network to access the Internet.

If your network uses IPv6 addresses, go to Policy & Objects > IPv6 Policy and select Create New to add a security policy that allows users on the private network to access the Internet. If the IPv6 menu option is not available, go to System > Feature Select, turn on IPv6, and select Apply. For more information on IPv6 networks, see the IPv6 Handbook.

10. In the policy, set the Incoming Interface to lan and the Outgoing Interface to the Internet-facing interface.

You will also need to set Source, Destination Address, Schedule, and Service according to your network requirements. You can set these fields to the default all/ANY settings for now but should create the appropriate objects later after the policies have been verified. Make sure the Action is set to ACCEPT. Turn on NAT and make sure Use Outgoing Interface Address is selected. Select OK.

It is recommended to avoid using any security profiles, such as AntiVirus or Web Filter, until after you have successfully installed the FortiGate. After the installation is verified, you can apply any required security profiles.

For more information about using security profiles, see the Security Profiles handbook.
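Once the installation is verified, the all/ANY placeholders from step 10 and the missing security profiles should be revisited. The following is an added example, not part of the original handbook: a Python check that reads the firewall policy section of a FortiOS configuration backup and lists ACCEPT policies still carrying those installation-time defaults. The sample configuration, policy IDs and the staff-subnet address object are constructed for illustration.

```python
import shlex
# Constructed sample: the policy section of a FortiOS configuration backup.
SAMPLE = '''
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set action accept
        set service "ALL"
    next
    edit 2
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "staff-subnet"
        set action accept
        set service "HTTPS" "DNS"
        set utm-status enable
        set av-profile "default"
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {field: [values]}} for 'config firewall policy'."""
    policies, current, inside = {}, None, False
    for tok in map(shlex.split, text.splitlines()):
        if tok[:3] == ["config", "firewall", "policy"]:
            inside = True
        elif inside and tok[:1] == ["end"]:
            inside = False
        elif inside and tok[:1] == ["edit"]:
            current = policies.setdefault(int(tok[1]), {})
        elif inside and tok[:1] == ["set"] and current is not None:
            current[tok[1]] = tok[2:]
    return policies

def audit(policies):
    """Flag ACCEPT policies that still carry installation-time defaults."""
    findings = []
    for pid, p in sorted(policies.items()):
        if p.get("action") != ["accept"]:
            continue
        for field in ("srcaddr", "service"):
            if [v.lower() for v in p.get(field, [])] == ["all"]:
                findings.append((pid, f"{field} is still all/ALL"))
        if p.get("utm-status") != ["enable"]:
            findings.append((pid, "no security profiles enabled"))
    return findings
```

Calling audit(parse_policies(SAMPLE)) reports three findings for policy 1 and none for policy 2. The parser handles flat policy entries only, not nested config blocks inside a policy.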

Results

Users on the internal network are now able to access the Internet. They should also be able to connect to the Internet using any other protocol or connection method that you defined in the security policy.
