FortiOS 6.0 Online Help Link FortiOS 5.6 Online Help Link FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link

Home > Online Help

Installing a FortiGate in NAT/Route mode

There are two main ways to install a FortiGate using network address translation (NAT)/Route mode: Standard installation in NAT/Route mode, where Internet access is provided by a single Internet service provider (ISP), and Redundant Internet installation, where two ISPs are used.

NAT/Route mode vs. Transparent mode

A FortiGate can operate in one of two modes: NAT/Route or Transparent.

The most common of the two operating modes is NAT/Route mode, where a FortiGate is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the FortiGate to hide the IP addresses of the private network using NAT. NAT/Route mode is also used when two or more ISPs provide the FortiGate with redundant Internet connections.

A FortiGate in Transparent mode is installed between the internal network and the router. In this mode, the FortiGate does not make any changes to IP addresses and only applies security scanning to traffic. When a FortiGate is added to a network in Transparent mode, no network changes are required, except to provide the FortiGate with a management IP address. Transparent mode is used primarily when there is a need to increase network protection but changing the configuration of the network itself is impractical.

For more information about Transparent Mode, see the Transparent Mode handbook.

Standard installation in NAT/Route mode

In this configuration, a FortiGate is installed as a gateway or router between a private network and the Internet. By using NAT, the FortiGate is able to hide the IP addresses of the private network.

Redundant Internet installation

In this configuration, a WAN link interface is created that provides the FortiGate with redundant Internet connections from two ISPs. The WAN link interface combines these two connections, allowing the FortiGate to treat them as a single interface.

Installing a FortiGate with Redundant Internet

note icon If you have previously configured your FortiGate using the standard installation, you will have to delete all routes and policies referring to an interface that will be used to provide redundant Internet. This includes the default Internet access policy that is included on many FortiGate models.


  1. Connect your ISP devices to your FortiGate’s Internet-facing interfaces (typically WAN1 and WAN2).
  2. Go to Network > SD-WAN to create a WAN link interface, which is used to group multiple Internet connections together so that the FortiGate can treat them as a single interface.
  3. Set the interface's Status to Enable.
  4. Under Interface, select Create New. Add WAN1 and enter the Gateway IP provided by your primary ISP. Do the same for WAN2, but use the Gateway IP provided by your secondary ISP.
  1. Select an appropriate method for the SD-WAN Usage from the following options, and Apply your changes when finished:
  • Bandwidth - A bandwidth cap is defined for active members of the SD WAN link.
  • Volume - A volume ratio is set for each active member.
  • Sessions - A sessions ratio is set for each active member.
  1. Go to Network > Static Routes and create a new default route. Set Interface to the SD-WAN link.
  2. Go to Policy & Objects > IPv4 Policy and select Create New to add a security policy that allows users on the private network to access the Internet.