
Connecting a private network to the Internet using NAT/Route mode


In this example, you will learn how to connect and configure a new FortiGate unit
to securely connect a private network to the Internet. Typically, a FortiGate unit is
installed as a gateway or router between a private network and the Internet, where
the FortiGate operates in NAT/Route mode in order to hide the addresses of the
private network from prying eyes, while still allowing anyone on the private network
to freely connect to the Internet.

1. Connecting the network
2. Configuring the FortiGate unit's interfaces
3. Creating a policy to enable NAT/Route mode
4. Results

[Figure: Internet, WAN 1, FortiGate in NAT/Route mode, port 1, Internal Network]

Connecting the network
Connect the FortiGate WAN1 interface to your ISP-supplied equipment.
Connect the internal network to the FortiGate internal interface (typically port 1).

Power on the ISP's equipment, the FortiGate unit, and the PCs on the Internal network.

Configuring the FortiGate unit's interfaces
From a PC on the Internal network, connect to the FortiGate web-based manager using either FortiExplorer or an Internet browser.

You can configure the PC to get its IP address using DHCP and then browse to https://192.168.1.99. You could also give the PC a static IP address on the 192.168.1.0/255.255.255.0 subnet.

Log in using admin and no password.

Go to System > Network > Interface and edit the wan1 interface.

Set the Addressing Mode to Manual and the IP/Netmask to your public IP.

Edit the internal interface.

Set the Addressing Mode to Manual and set the IP/Netmask to the private IP of the FortiGate unit.

Go to Router > Static > Static Routes and select Create New to add a default route.

Set the Destination IP/Mask to 0.0.0.0/0.0.0.0, set the Device to wan1, and set the Gateway to the gateway (or default route) provided by your ISP or to the next hop router, depending on your network requirements.

A default route always has a Destination IP/Mask of 0.0.0.0/0.0.0.0. Normally, you would have only one default route. If the static route list already contains a default route, you can edit it or delete it and add a new one.

The FortiGate unit's DNS Settings are set to Use FortiGuard Services by default, which is sufficient for most networks. However, if you require the DNS servers to be changed, go to System > Network > DNS and add Primary and Secondary DNS servers.

Creating a policy to enable NAT/Route mode
Go to Policy > Policy > Policy and select Create New to add a security policy that allows users on the private network to access the Internet.

Select Enable NAT and Use Destination Interface Address and click OK.

Some FortiGate models include this security policy in the default configuration. If you have one of these models, this step has already been done for you and as soon as your FortiGate unit is connected and the computers on your internal network are configured, they should be able to access the Internet.

Results
On the PC that you used to connect to the FortiGate internal interface, open a web browser and browse to any Internet website. You should also be able to connect to the Internet using FTP or any other protocol or connection method.

Go to Policy > Monitor > Policy Monitor to view information about the sessions being processed by the FortiGate unit.
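
An offline check of a saved configuration against the setup described above, as an added example that is not from the original page or from Fortinet. It assumes the configuration has been exported as FortiOS CLI text and that the interfaces are named internal and wan1; the function names parse and audit, the sample text and the gateway address are constructed for illustration.

```python
# Added example: parse() and audit() are hypothetical helpers.
# SAMPLE is a constructed excerpt in FortiOS CLI style; 203.0.113.1 is a placeholder.
SAMPLE = """
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set nat enable
    next
end
"""

def parse(text):
    """Return {section: {entry_id: {key: value}}} for top-level config blocks."""
    out, stack, entry = {}, [], None
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
            out.setdefault(stack[0], {})
        elif tok[0] == "end" and stack:
            stack.pop()
        elif len(stack) == 1 and tok[0] == "edit":
            entry = out[stack[0]].setdefault(tok[1].strip('"'), {})
        elif len(stack) == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = " ".join(tok[2:]).replace('"', "")
        elif len(stack) == 1 and tok[0] == "next":
            entry = None
    return out

def audit(text, lan="internal", wan="wan1"):
    cfg, findings = parse(text), []
    # Assumption: a route with no "set dst" line is the default route (0.0.0.0 0.0.0.0).
    defaults = [r for r in cfg.get("router static", {}).values()
                if r.get("dst", "0.0.0.0 0.0.0.0") == "0.0.0.0 0.0.0.0"]
    if len(defaults) != 1:
        findings.append(f"expected 1 default route, found {len(defaults)}")
    elif defaults[0].get("device") != wan:
        findings.append(f"default route is not on {wan}")
    outbound = [p for p in cfg.get("firewall policy", {}).values()
                if (p.get("srcintf"), p.get("dstintf"), p.get("action")) == (lan, wan, "accept")]
    if not outbound:
        findings.append(f"no accept policy from {lan} to {wan}")
    findings += ["outbound policy has NAT disabled" for p in outbound if p.get("nat") != "enable"]
    return findings
```

An empty list from `audit(SAMPLE)` means the export has exactly one default route on wan1 and a NAT-enabled accept policy from internal to wan1.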
