Fortinet 400 manual Planning your FortiGate configuration, NAT/Route mode

Planning your FortiGate configuration

Before beginning to configure the FortiGate unit, you need to plan how to integrate the unit into your network. Among other things, you have to decide whether or not the unit will be visible to the network, which firewall functions it will provide, and how it will control the traffic flowing between its interfaces.

Your configuration plan is dependent upon the operating mode that you select. The FortiGate unit can be configured in either of two modes: NAT/Route mode (the default) or Transparent mode.

NAT/Route mode

In NAT/Route mode, the unit is visible to the network. Like a router, all of its interfaces are on different subnets. The following interfaces are available in NAT/Route mode:

•Interfaces 1, 2, 3, and 4/HA can be connected to any networks. By default, the FortiGate-400 interfaces have the following configuration

•Interface 1 is the default interface to the internal network (usually the Internet).

•Interface 2 is the default interface to the external network.

•Interface 3 can be connected to another network such as a DMZ network.

•Interface 4/HA can be connected to another network. Interface 4/HA can also be connected to other FortiGate-400s if you are installing an HA cluster.

You can add security policies to control whether communications through the FortiGate unit operate in NAT mode or in route mode. Security policies control the flow of traffic based on each packet’s source address, destination address and service. In NAT mode, the FortiGate performs network address translation before the packet is sent to the destination network. In route mode, no translation takes place.

By default, the FortiGate unit has a NAT mode security policy that allows users on the internal network to securely download content from the external network. No other traffic is possible until you have configured more security policies.

You would typically use NAT/Route mode when the FortiGate unit is used as a gateway between private and public networks. In this configuration, you would create NAT mode policies to control traffic flowing between the internal, private network and the external, public network (usually the Internet).

If you have multiple internal networks, such as a DMZ network in addition to the internal, private network, you could create route mode policies for traffic flowing between them.