54 Fortinet Inc.
Planning the FortiGate configuration Getting started
For each FortiGate-4000 unit, the following interfaces are available for processing
network traffic in NAT/Route mode:
• External: the interface to the external network (usually the Internet).
• Internal: the interface to the internal network.
In addition, the 10/100 out-of-band management interface is available for out-of-band
management. The out-of-band management IP address must not be on the same
subnet as the internal or external interfaces.
You can add security policies to control whether communications through the
FortiGate-4000 unit operate in NAT or Route mode. Security policies control the flow
of traffic based on the source address, destination address, and service of each
packet. In NAT mode, the FortiGate-4000 unit performs network address translation
before it sends the packet to the destination network. In Route mode, there is no
translation.
By default, the FortiGate-4000 unit has a NAT mode security policy that allows users
on the internal network to securely download content from the external network. No
other traffic is possible until you have configured further security policies.
You typically use NAT/Route mode when the FortiGate-4000 unit is operating as a
gateway between private and public networks. In this configuration, you would create
NAT mode policies to control traffic flowing between the internal, private network and
the external, public network (usually the Internet).
Figure 17: Example NAT/Route mode standalone network configuration
Transparent mode standalone configuration
In Transparent mode standalone configuration, each FortiGate-4000 unit in the
FortiGate-4000 chassis operates as a separate Transparent mode FortiGate-4000
antivirus firewall. Each of these FortiGate-4000 units is invisible to the network. Similar
to a network bridge, the FortiGate internal and external interfaces must be on the
same subnet. You only have to configure a management IP address so that you can
make configuration changes. The management IP address is also used for antivirus
and attack definition updates.
In addition, the 10/100 out-of-band management interface is available for out-of-band
management. The out-of-band management IP address must not be on the same
subnet as the management IP address.
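The subnet rules stated for both modes (NAT/Route: the out-of-band management IP must not share a subnet with the internal or external interface; Transparent: internal and external must be on one subnet, and the out-of-band management IP must not share the management IP's subnet) can be checked before a unit is cabled. The following validator is an added example, not Fortinet's code; it assumes each address is written as "ip/prefix" and that the sample out-of-band address 10.10.10.1/24 is a constructed value.

```python
# Added example (not from the Fortinet manual): validate a planned
# FortiGate-4000 address plan against the subnet rules stated in the text.
from ipaddress import IPv4Interface


def same_subnet(a: str, b: str) -> bool:
    """True if two "ip/prefix" strings fall in the same IPv4 network."""
    return IPv4Interface(a).network == IPv4Interface(b).network


def check_nat_route_plan(internal: str, external: str, oob: str) -> list:
    """NAT/Route mode: the out-of-band management IP must not share a
    subnet with either the internal or the external interface."""
    problems = []
    if same_subnet(oob, internal):
        problems.append("out-of-band management IP shares the internal subnet")
    if same_subnet(oob, external):
        problems.append("out-of-band management IP shares the external subnet")
    return problems


def check_transparent_plan(internal: str, external: str, mgmt: str, oob: str) -> list:
    """Transparent mode: internal and external sit on one subnet (bridge), and
    the out-of-band management IP must not share the management IP's subnet."""
    problems = []
    if not same_subnet(internal, external):
        problems.append("internal and external interfaces are on different subnets")
    if same_subnet(oob, mgmt):
        problems.append("out-of-band management IP shares the management subnet")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: addresses from Figure 17 plus a hypothetical
    # out-of-band subnet (10.10.10.0/24) that is not on the page.
    print(check_nat_route_plan("192.168.1.3/24", "204.23.1.5/24", "10.10.10.1/24"))
    # A misplanned out-of-band address on the internal subnet is flagged:
    print(check_nat_route_plan("192.168.1.3/24", "204.23.1.5/24", "192.168.1.9/24"))
```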
(Figure 17 labels: Internal network 192.168.1.3; External 204.23.1.5; NAT mode policies controlling traffic between internal and external networks.)