Configuring NAT Mode

The initial configuration of the firewall is performed by Selectel engineers:

  • configuring the default static route;
  • configuring aggregated links for two external interfaces connected to different switches for reliability;
  • configuring DHCP mode for the local interface.

Configuring Network Interfaces

Graphical Interface

Go to the Network → Interfaces tab to configure the interfaces. If you need to change DHCP mode to manual, select the lan interface and click Edit.

Set the following parameters:

  • Role: LAN
  • Addressing Mode: Manual
  • IP/Network Mask: specify the local subnet
  • Interface Members: select the required ports

Console Interface

To configure the interface through the CLI, enter the following:

config system interface
edit lan
set mode static
set ip <IP> <MASK>
set role lan
end

Configuring Static Routes

Graphical Interface

Go to the Network → Static Routes tab to add a static route.

Console Interface

To add the static route through the CLI, enter the following:

config router static
edit 1
set gateway <IP>
set distance 1
set device <INTERFACE>
end

Configuring DNS (Optional)

Graphical Interface

By default, FortiGate uses the FortiGuard DNS servers, which is sufficient for most networks. If you need to change the DNS servers, go to the Network → DNS tab, select Specify, and add primary and secondary DNS servers.

Console Interface

To set the DNS servers through the CLI, enter the following:

config system dns
set primary <IP>
set secondary <IP>
end

Configuring Policies

Graphical Interface

To create a new policy or edit an existing one, go to Policy & Objects → Firewall Policy. This example creates a policy for Internet access:

  1. Set a name for the policy.
  2. Select the internal interface as the Incoming Interface and the external interface as the Outgoing Interface.
  3. Specify the Source and Destination IP addresses by clicking + and selecting an existing address or by creating a new address in the pop-up window. To create a new address, click Create or go to Policy & Objects → Addresses → Create New. In this example, the all address is selected.
  4. Select Schedule and Services according to your requirements.
  5. Make sure that the Action is set to ACCEPT.
  6. Enable NAT and select Use Outgoing Interface Address.
  7. In the Logging Options section, enable logging with the Log Allowed Traffic parameter and select the desired type – Security Events or All Sessions.
  8. Make sure the Enable this policy option is active.

Console Interface

To create the policy through the CLI, enter the following:

config firewall policy
    edit 1
        set name "Internet Access"
        set srcintf lan
        set dstintf wan1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set nat enable
    next
end
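
The policy block above can be reviewed offline before it is applied. The following is an added example, not part of the original guide or of FortiOS: a small Python parser for a `config firewall policy` block that flags accept policies using the all address together with service ALL, and policies that do not state a logging level. The `logtraffic` setting (the CLI counterpart of Log Allowed Traffic) does not appear in this guide's CLI example, and policy 2 with its `lan-subnet` address object is a constructed sample.

```python
import shlex

# Constructed sample: policy 1 mirrors this guide's example, policy 2 is a hypothetical narrower rule.
SAMPLE = '''
config firewall policy
    edit 1
        set name "Internet Access"
        set srcintf lan
        set dstintf wan1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set nat enable
    next
    edit 2
        set name "Web Only"
        set srcaddr lan-subnet
        set action accept
        set service DNS HTTP HTTPS
        set logtraffic all
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {setting: [values]}} for a 'config firewall policy' block."""
    policies, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # keeps quoted names such as "Internet Access" whole
        if tokens[:1] == ["edit"] and len(tokens) > 1:
            current = policies.setdefault(tokens[1], {})
        elif tokens[:1] == ["set"] and current is not None and len(tokens) > 2:
            current[tokens[1]] = tokens[2:]
        elif tokens[:1] in (["next"], ["end"]):
            current = None  # a block cut off before next/end is still kept
    return policies

def review(policy):
    """Review points for one accept policy, following the steps in this guide."""
    if policy.get("action") != ["accept"]:
        return []
    findings = []
    if policy.get("srcaddr") == ["all"] and policy.get("service") == ["ALL"]:
        findings.append("any source with all services")
    if policy.get("logtraffic", ["disable"]) == ["disable"]:
        findings.append("logtraffic not set in this block")
    return findings
```

Run `review()` over each entry returned by `parse_policies()`; an empty list means neither point applies to that policy.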