
FortiGate Firewall Internet Connectivity Guide: From Physical Setup to Cloud Management


Connecting a FortiGate firewall to the internet is a fundamental task for network security and functionality. Based on official Fortinet documentation and technical community resources, this process typically involves a combination of physical hardware connection, interface configuration, and policy creation. While basic connectivity can often be established by simply plugging in cables to predefined WAN ports, optimal configuration requires understanding operational modes, routing, and security policies to ensure both internet access and network protection.


Understanding FortiGate Operational Modes

A critical first decision is selecting the correct operating mode for your FortiGate unit. FortiGate firewalls primarily operate in two distinct modes, each serving different network architectures.

In NAT/Route mode, the most common configuration, the FortiGate acts as a network gateway or router positioned between your internal network and the internet. This mode utilizes Network Address Translation (NAT) to hide the private IP addresses of your internal network devices. It is the recommended mode for most deployments where the FortiGate serves as the primary point of internet ingress and egress.

Conversely, Transparent mode places the FortiGate between the internal network and an existing router. Operating like a security bridge, it applies security scanning without altering IP addresses. This mode is particularly useful for adding security layers to an existing network where reconfiguring the entire network's IP scheme is impractical.

Step-by-Step Connection and Configuration

1. Physical Installation & Initial Boot

For many Small and Medium Business (SMB) FortiGate models, the initial physical setup is straightforward. These appliances come with predefined WAN ports (often labeled WAN or WAN1) that are configured by default to obtain an IP address automatically via DHCP from your Internet Service Provider (ISP).

The basic steps are:

  • Have an on-site technician connect an Ethernet cable from your ISP's modem or internet link to the FortiGate's WAN port.
  • Connect the FortiGate's internal (LAN) port to your network switch.
  • Power on the FortiGate unit and wait several moments for it to complete its boot sequence.

2. Configuring Interfaces for Internet Access

After initial boot, you must log into the FortiGate's web-based manager (usually via the default IP on the internal interface) to configure the interfaces. The default username is typically admin, with no password set by default.

  • WAN Interface Configuration: Navigate to System > Network > Interfaces. Edit the internet-facing interface (e.g., wan1). The configuration depends on your ISP's requirements—it may be set to DHCP to obtain an address automatically, or you may need to enter a static IP address, subnet mask, and gateway provided by your ISP.
  • Internal Interface Configuration: Edit your internal interface (e.g., internal or lan). Configure the IP address and subnet (e.g., 192.168.1.1/24) that will serve as the default gateway for your local network. You can also enable a DHCP server here to automatically assign IP addresses to devices on your internal network.

3. Establishing Routing and DNS

For the FortiGate to route traffic to the internet, a default route must be configured.

  • Go to Router > Static > Static Routes and create a new route.
  • Set the Destination IP/Mask to 0.0.0.0/0.0.0.0 (representing all unknown traffic).
  • Set the Device to your internet-facing interface (e.g., wan1).
  • Set the Gateway to the IP address provided by your ISP as the default gateway or to the next-hop router in your network topology.

Next, configure DNS settings under System > Network > DNS to ensure the FortiGate can resolve domain names. You can use your ISP's DNS servers or public DNS servers like those from Google (8.8.8.8) or Cloudflare (1.1.1.1).

4. Creating Security Policies to Permit Traffic

Firewalls operate on a default-deny principle. To allow users to access the internet, you must create security policies that explicitly permit this traffic.

  • Navigate to Policy & Objects > Firewall Policy and create a new policy.
  • Set the Incoming Interface to your internal network interface.
  • Set the Outgoing Interface to your WAN interface.
  • Configure the Source and Destination addresses (you can use "all" initially for testing, but should restrict this later).
  • Under Service, you can select common services like HTTP, HTTPS, and DNS for general web access. A separate, less restrictive policy can be created for administrator PCs.
  • Ensure NAT is enabled on the policy.
  • Give the policy a name and click OK.

5. Connecting via FortiGate Cloud

For cloud-managed deployments, the FortiGate can be configured through FortiGate Cloud. After the physical connection is made:

  • From the FortiGate Cloud portal, navigate to Network Overview and select your FortiGate.
  • In the pop-up menu, click on Management. If this option is not visible, a FortiCloud Service subscription may be required.
  • If prompted, authorize the connection and set an admin password for the FortiGate.
  • Once connected, the FortiGate's status (CPU, memory) will be visible, and you can proceed with remote configuration.

FAQs: FortiGate Internet Connectivity

I've plugged in my FortiGate, but I still can't access the internet. What are the first things to check? 

Follow this basic checklist: 1) Verify the physical cabling is correct (ISP -> WAN1, LAN1 -> internal switch). 2) Confirm the WAN interface has a valid IP address (check under System > Network > Interfaces). 3) Ensure a default route (0.0.0.0/0) exists pointing to the correct gateway on the WAN interface. 4) Verify that a firewall policy exists allowing traffic from the internal network to the WAN. 5) Check that DNS servers are configured correctly.

What's the difference between using my FortiGate in NAT mode versus putting my existing router in front of it?

In a standard NAT/Route mode setup, the FortiGate replaces your existing router as the network's gateway, handling routing, NAT, and security. The alternative, discussed in community forums, involves connecting the FortiGate's WAN port to a LAN port on an existing router. In this scenario, the existing router still performs NAT, placing the FortiGate (and your network) in a double-NAT situation. This is often used for testing or when the FortiGate is being deployed transparently to filter traffic without disrupting the existing network structure.

How do I configure a static IP address from my ISP on the FortiGate? 

Edit your WAN interface (System > Network > Interfaces). Change the addressing mode from "DHCP" to "Static." Enter the IP Address, Netmask, and Default Gateway provided by your ISP. You will also need to manually enter the DNS server addresses in System > Network > DNS.

Can I manage my FortiGate from the internet? 

Yes, but it must be done carefully to avoid security risks. This typically involves creating a specific firewall policy that allows access to the FortiGate's management interfaces (HTTPS, SSH) from a trusted external source IP address only. It is strongly recommended to use IPsec or SSL VPN for secure remote management instead of exposing the management interface directly to the internet.
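
The default-route, NAT policy, and management-exposure points from the checklist and the answer above can be checked offline against a configuration backup. The Python below is an added example, not Fortinet tooling or part of the original guide; the sample configuration is constructed, the interface names wan1 and internal are assumptions, and a statically addressed WAN is assumed (a DHCP WAN normally learns its gateway from the ISP).

```python
import shlex

# Constructed FortiOS-style excerpt (not from a real device); wan1/internal are assumed names.
SAMPLE = '''
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
    next
end
'''

def parse(text):
    """Top-level config/edit/set blocks -> {section: {entry: {key: [values]}}}."""
    cfg, section, entry, depth = {}, None, None, 0
    for tok in map(shlex.split, text.splitlines()):
        # Track nesting so child blocks (e.g. "config ipv6") are skipped.
        depth += (tok[:1] == ["config"]) - (tok[:1] == ["end"])
        if depth == 1 and tok[:1] == ["config"]:
            section, entry = " ".join(tok[1:]), None
        elif depth == 1 and tok[:1] == ["edit"]:
            entry = cfg.setdefault(section, {}).setdefault(tok[1], {})
        elif depth == 1 and tok[:1] == ["set"] and entry is not None:
            entry[tok[1]] = tok[2:]
    return cfg

def audit(text, wan="wan1", lan="internal"):
    cfg, out = parse(text), []
    access = cfg.get("system interface", {}).get(wan, {}).get("allowaccess", [])
    if {"http", "https", "ssh", "telnet"} & set(access):
        out.append(f"{wan}: management access enabled on internet-facing port")
    # A backup omits 'set dst' when it is the default 0.0.0.0 0.0.0.0.
    if not any(r.get("dst", ["0.0.0.0"] * 2) == ["0.0.0.0"] * 2 and r.get("device") == [wan]
               for r in cfg.get("router static", {}).values()):
        out.append(f"no default route via {wan}")
    for pid, p in cfg.get("firewall policy", {}).items():
        if (p.get("srcintf"), p.get("dstintf")) == ([lan], [wan]) and p.get("nat") != ["enable"]:
            out.append(f"policy {pid}: NAT not enabled")
    return out
```

On the constructed sample, audit(SAMPLE) reports the HTTPS/SSH exposure on wan1 and the missing NAT on policy 1; the default route passes because the route entry carries the implicit 0.0.0.0/0 destination.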

Why is my internet access slow through the FortiGate? 

Performance issues can have several causes. First, check the FortiGate's CPU and memory utilization in the dashboard. High usage may indicate insufficient hardware resources for your traffic load. Ensure that security profiles (like IPS, antivirus, or deep inspection) are not overly aggressive for your model. Also, verify that your internet bandwidth does not exceed the rated throughput of your FortiGate model for the enabled security features.