Getting started Planning your FortiGate configuration
FortiGate-400 Installation and Configuration Guide 39
Planning your FortiGate configurationBefore beginning to configure the FortiGate unit, you need to plan how to integrate the
unit into your network. Among other things, you have to decide whether or not the unit
will be visible to the network, which firewall functions it will provide, and how it will
control the traffic flowing between its interfaces.
Your configuration plan is dependent upon the operating mode that you select. The
FortiGate unit can be configured in either of two modes: NAT/Route mode (the default)
or Transparent mode.
NAT/Route mode
In NAT/Route mode, the unit is visible to the network. Like a router, all of its interfaces
are on different subnets. The following interfaces are available in NAT/Route mode:
• Interfaces 1, 2, 3, and 4/HA can be connected to any networks. By default, the
FortiGate-400 interfaces have the following configuration
• Interface 1 is the default interface to the internal network (usually the Internet).
• Interface 2 is the default interface to the external network.
• Interface 3 can be connected to another network such as a DMZ network.
• Interface 4/HA can be connected to another network. Interface 4/HA can also
be connected to other FortiGate-400s if you are installing an HA cluster.
You can add security policies to control whether communications through the
FortiGate unit operate in NAT mode or in route mode. Security policies control the flow
of traffic based on each packet’s source address, destination address and service. In
NAT mode, the FortiGate performs network address translation before the packet is
sent to the destination network. In route mode, no translation takes place.
By default, the FortiGate unit has a NAT mode security policy that allows users on the
internal network to securely download content from the external network. No other
traffic is possible until you have configured more security policies.
You would typically use NAT/Route mode when the FortiGate unit is used as a
gateway between private and public networks. In this configuration, you would create
NAT mode policies to control traffic flowing between the internal, private network and
the external, public network (usually the Internet).
If you have multiple internal networks, such as a DMZ network in addition to the
internal, private network, you could create route mode policies for traffic flowing
between them.