Planning the FortiGate configuration | Getting started |
|
|
Planning the FortiGate configuration
Before you configure the FortiGate unit, you need to plan how to integrate the unit into the network. Among other things, you must decide whether you want the unit to be visible to the network, which firewall functions you want it to provide, and how you want it to control the traffic flowing between its interfaces.
Your configuration plan depends on the operating mode that you select. The FortiGate unit can be configured in one of two modes: NAT/Route mode (the default) or Transparent mode.
NAT/Route mode
In NAT/Route mode, the unit is visible to the network. Like a router, all its interfaces are on different subnets. The following interfaces are available in NAT/Route mode:
•External is the interface to the external network (usually the Internet).
•Internal is the interface to the internal network.
•DMZ is the interface to the DMZ network.
•HA is the interface used to connect to other
•Interfaces 1 to 4 can be connected to other networks.
You can add security policies to control whether communications through the FortiGate unit operate in NAT or Route mode. Security policies control the flow of traffic based on the source address, destination address, and service of each packet. In NAT mode, the FortiGate unit performs network address translation before it sends the packet to the destination network. In Route mode, there is no translation.
By default, the FortiGate unit has a NAT mode security policy that allows users on the internal network to securely download content from the external network. No other traffic is possible until you have configured further security policies.
You typically use NAT/Route mode when the FortiGate unit is operating as a gateway between private and public networks. In this configuration, you would create NAT mode policies to control traffic flowing between the internal, private network and the external, public network (usually the Internet).
If you have multiple internal networks, such as a DMZ network in addition to the internal, private network, you could create route mode policies for traffic flowing between them.
Figure 4: Example NAT/Route mode network configuration
|
| Internal network | |
|
|
| 192.168.1.3 |
| Internal |
| |
| in NAT/Route mode | 192.168.1.99 |
|
| External |
|
|
| 204.23.1.5 |
| Route mode policies |
Internet |
| controlling traffic between | |
EscEnter |
| ||
| 8 |
| internal networks. |
|
| DMZ | DMZ network |
|
| 10.10.10.1 | |
| NAT mode policies controlling |
| |
traffic between internal and
external networks.
10.10.10.2
36 | Fortinet Inc. |
