Connect Fortinet Firewall to Internet in NAT/Route mode

To Connect and configure a new FortiGate unit to securely connect a private network to the Internet.The FortiGate unit should also protect the private network from Internet threats but still allow anyone on the private network to freely connect to the Internet.

Steps to Configure

1 Connect the FortiGate wan1 interface to your ISP-supplied equipment.

2 Connect the internal network to the FortiGate internal interface.
3 Power on the ISP's equipment, the FortiGate unit, and the PCs on the Internal network.
4 From a PC on the Internal network, connect to the FortiGate web-based manager.
You can configure the PC to get its IP address using DHCP and then browse to
You could also give the PC a static IP address on the subnet.
5 Login using admin and no password.
6 On the sidebar menu, go to System > Network > Interface and select wan1.
7 Select Edit and change the following settings:

8 Select OK.
9 Select internal, then select Edit.
10 Change the following settings:

11 Select OK.
12 Go to Router > Static > Static Route and select Create New. 
13 Add the following default route:.

14 Select OK.
15 Go to Policy > Policy > Policy and select Create New.
16 Add the following security policy that allows users on the private network to access the Internet.

17 Select Enable NAT and Use Destination Interface Address.
18 Select OK.

To Confirm

Open a web browser and browse to
Go to Policy > Policy > Policy. Right-click on any of the column headings and select Column
Settings and add the Count column. This information shows the packet counts for the security
policy you added to verify that it is processing traffic.

Your FortiGate model may already have the Count feature set by default.

Go to Policy > Monitor > Policy Monitor to view the sessions being processed by the FortiGate unit.

A graph illustrating active sessions for each policy is displayed. Since there is only one policy, the
graph contains only one entry. You can select the bar graph for policy 1 to view the top sessions by
source address, destination address, or destination port.


  1. To trying to remove limited internet access Create a firewall program that permit right to use . Create a new protection policy that incorporate the program. This policy will be self-determining of the existing Internet browsing policy.

  2. kindly share the configuration command in CLI