Transparent mode standalone configuration – Fortinet FortiGate 4000 User Manual

Page 54

Fortinet Inc.

Planning the FortiGate configuration

Getting started

For each FortiGate-4000 unit, the following interfaces are available for processing
network traffic in NAT/Route mode:

• External: the interface to the external network (usually the Internet).
• Internal: the interface to the internal network.

In addition, the 10/100 out of band management interface is available for out of band
management. The out of band management IP address must not be on the same
subnet as the internal or external interfaces.

You can add security policies to control whether communications through the
FortiGate-4000 unit operate in NAT or Route mode. Security policies control the flow
of traffic based on the source address, destination address, and service of each
packet. In NAT mode, the FortiGate-4000 unit performs network address translation
before it sends the packet to the destination network. In Route mode, there is no
translation.

By default, the FortiGate-4000 unit has a NAT mode security policy that allows users
on the internal network to securely download content from the external network. No
other traffic is possible until you have configured further security policies.

You typically use NAT/Route mode when the FortiGate-4000 unit is operating as a
gateway between private and public networks. In this configuration, you would create
NAT mode policies to control traffic flowing between the internal, private network and
the external, public network (usually the Internet).

Figure 17: Example NAT/Route mode standalone network configuration

Transparent mode standalone configuration

In Transparent mode standalone configuration, each FortiGate-4000 unit in the
FortiGate-4000 chassis operates as a separate Transparent mode FortiGate-4000
antivirus firewall. Each of these FortiGate-4000 units is invisible to the network. Similar
to a network bridge, the FortiGate internal and external interfaces must be on the
same subnet. You only have to configure a management IP address so that you can
make configuration changes. The management IP address is also used for antivirus
and attack definition updates.

In addition, the 10/100 out of band management interface is available for out of band
management. The out of band management IP address must not be on the same
subnet as the management IP address.
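The subnet rules stated above (the out of band management IP off the internal and external subnets in NAT/Route mode; bridged interfaces on one subnet and the out of band management IP off the management IP's subnet in Transparent mode) expressed as a planning check. This is an added example, not Fortinet's code; the addresses come from Figure 17 with constructed /24 masks, and the out of band addresses are constructed.

```python
# Added example: validate a planned FortiGate-4000 interface layout against
# the subnet rules given on this page. Not part of the Fortinet manual.
import ipaddress


def same_subnet(a, b):
    """True if two addresses written in CIDR form (host/prefix) share a network."""
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network


def check_nat_route_plan(internal, external, oob_mgmt):
    """NAT/Route mode: the out of band management IP must not be on the same
    subnet as the internal or external interface. Returns a list of problems."""
    problems = []
    for name, addr in (("internal", internal), ("external", external)):
        if same_subnet(oob_mgmt, addr):
            problems.append(f"out of band management IP shares the {name} subnet")
    return problems


def check_transparent_plan(internal_net, external_net, mgmt_ip, oob_mgmt):
    """Transparent mode: internal and external interfaces bridge one subnet,
    and the out of band management IP must not share the management IP's
    subnet. Returns a list of problems."""
    problems = []
    if not same_subnet(internal_net, external_net):
        problems.append("internal and external interfaces are on different subnets")
    if same_subnet(oob_mgmt, mgmt_ip):
        problems.append("out of band management IP shares the management IP subnet")
    return problems


if __name__ == "__main__":
    # Figure 17 addresses with constructed masks; 10.10.10.1 is a constructed
    # out of band address, 192.168.1.200 a constructed bad one.
    print(check_nat_route_plan("192.168.1.99/24", "204.23.1.5/24", "10.10.10.1/24"))
    print(check_nat_route_plan("192.168.1.99/24", "204.23.1.5/24", "192.168.1.200/24"))
    print(check_transparent_plan("192.168.1.0/24", "192.168.1.0/24",
                                 "192.168.1.99/24", "10.10.10.1/24"))
```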

[Figure 17 diagram labels: Internal network 192.168.1.3; Internal interface 192.168.1.99; External interface 204.23.1.5; Internet; NAT mode policies controlling traffic between internal and external networks; FortiGate-4000 unit in NAT/Route mode; front-panel labels POWER ON/OFF, LAN 1, LAN 2, PWR/KVM STATUS, KVM/ACCESS]