Planning the FortiGate configuration

Getting started

 

 

Planning the FortiGate configuration

Before you configure the FortiGate unit, you need to plan how to integrate the unit into the network. Among other things, you must decide whether you want the unit to be visible to the network, which firewall functions you want it to provide, and how you want it to control the traffic flowing between its interfaces.

Your configuration plan depends on the operating mode that you select. The FortiGate unit can be configured in one of two modes: NAT/Route mode (the default) or Transparent mode.

NAT/Route mode

In NAT/Route mode, the unit is visible to the network. Like a router, all its interfaces are on different subnets. The following interfaces are available in NAT/Route mode:

External is the interface to the external network (usually the Internet).

Internal is the interface to the internal network.

DMZ is the interface to the DMZ network.

HA is the interface used to connect to other FortiGate-500s if you are installing an HA cluster

Interfaces 1 to 4 can be connected to other networks.

You can add security policies to control whether communications through the FortiGate unit operate in NAT or Route mode. Security policies control the flow of traffic based on the source address, destination address, and service of each packet. In NAT mode, the FortiGate unit performs network address translation before it sends the packet to the destination network. In Route mode, there is no translation.

By default, the FortiGate unit has a NAT mode security policy that allows users on the internal network to securely download content from the external network. No other traffic is possible until you have configured further security policies.

You typically use NAT/Route mode when the FortiGate unit is operating as a gateway between private and public networks. In this configuration, you would create NAT mode policies to control traffic flowing between the internal, private network and the external, public network (usually the Internet).

If you have multiple internal networks, such as a DMZ network in addition to the internal, private network, you could create route mode policies for traffic flowing between them.

Figure 4: Example NAT/Route mode network configuration

 

 

Internal network

 

 

 

192.168.1.3

 

FortiGate-800 Unit

Internal

 

 

in NAT/Route mode

192.168.1.99

 

 

External

 

 

 

204.23.1.5

 

Route mode policies

Internet

 

controlling traffic between

EscEnter

 

 

8

 

internal networks.

 

 

DMZ

DMZ network

 

 

10.10.10.1

 

NAT mode policies controlling

 

traffic between internal and

external networks.10.10.10.2

36

Fortinet Inc.

Page 36
Image 36
Fortinet FortiGate-800 manual Planning the FortiGate configuration, Example NAT/Route mode network configuration