Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Configuring FG 40F

Hello guys,


I will be detailing the below and I am searching for a full answer (full config) if possible:


I have a FG-40F which will be installed in order to mainly protect the assets.

I have sever A which will be exposed to the internet (accessed from internet via Real IP provided by the ISP - the ISP provided a /29 subnet real IP) [lets say this server will be assigned an IP from subnet to be created - the IP of server A will be]


I have another server B which will be accessed from the internal network and will access the internet by itself [this server will be assigned from to be created - Sever B IP will be]


I have 3 PCs which will be assigned from subnets to be created [,, and]


The WAN physical interface port will be assigned one of the Real IPs X.X.X.2/29 but have no clue where to configure the gateway. I asked the ISP for the their router gateway facing my WAN to route my internal traffic to via static routes in order to reach internet, they said you do not need anything from our side.


On physical interface 1 LAN, the IP of the FG 40F is configured; I need to create as VLAN interface in order to trunk  the vlan to the switch and I need this vlan interface to reach the internet. Under this LAN 1 interface too I need to create the other 3 vlan interfaces for the users and i need them to reach the internet and server B.


On physical interface 2 LAN, i need to create vlan interface of server B which must reach the internet.


On physical interface 3 LAN, I need to create vlan interface for Server A which is accessible from the internet (which must be DMZ). Server A should be totally isolated from the network and only accessible from the internet via couple of ports. So security should be on its top.


If anyone can please help me in configuring this scenario taking into consideration the Natting, policies, static routes if needed, security, etc..


I am sorry for flooding your screens and thanks in advance for the help.






A couple of things to clarify.

1. WAN side, if the ISP says "you don't have to do anything for routing", that generally means you get a different IP likely in a /30 subnet via DHCP or PPPoE on the wan interface. What did you configure and what IP did the 40F get on wan interface?

2. LAN side, you don't have any VLAN capable switch behind the 40F? If you have a switch, you regulary don't have to use individual LAN ports for each network. One connection to the switch is enough and all networks are separated and carried over by VLANs. 




Thank you Toshi,


1- No, we have a Real IP subnet/29; i.e. = IPs: to 182 - Mask: - Gateway: The ISP said "You do not need anything from our side" not "you don't have to do anything for routing" when I asked them about the transit vlan between us and them.
Now I think that i can use one of the Real IPs on the WAN interface, and I config the vlan interfaces via static routes to the gateway of the real IPs (5.177) subnet as a destination. Right?


2- Yes I have, but I want to assign 1 physical interface on the FW to be configured "under it" vlan interfaces for omly DMZ (which is the server accessed by the internet and should not be accessed by anything else other than internet and should be totally isolated from the rest of the network). how to secure it ? natting, policies, security feats. etc..

The other physical interface i will create under it all internal vlan interfaces. how to secure this too?




1. Then you already know the GW to configure for the default route - .5.177. But since one of them needs to be on wan interface (.178?), you can't route the rest toward the other LAN ports. You have to use VIP+SNAT to map one of the /29 IPs, say like .179, to the server's local/real IP

2. If you really want to use those three LAN ports separately you have to break them from "lan" hard-switch, Then all become lan1, lan2, lan3. However, if you configure VLANs on top of each, those three ports are left as untagged interfaces. Be careful if you connect them to the same device like switch. Since FGTs don't participate in STP, it can easily create a L2 loop or at least on the same broadcast domain.
Securing DMZ can be accomplished by policies. Without them, none can reach or even it can't go out to the internet.




Configuring an FG 40F is a multi-step process that can vary depending on your specific network requirements. Here is a general overview of the steps involved in configuring an FG 40F:

Connect the FortiGate 40F to your network: Connect the FortiGate 40F to your network using Ethernet cables. Ensure that the FortiGate 40F is powered on and the system LED is lit.

Set the FortiGate 40F's IP address: By default, the FortiGate 40F is set to DHCP mode. To set a static IP address for the FortiGate 40F, access the web-based manager and navigate to System > Network > Interface.

Create security policies: Security policies are used to control the flow of traffic through the FortiGate 40F. To create security policies, navigate to Policy & Objects > Policy > IPv4.

Configure firewall policies: Firewall policies are used to manage the traffic that is allowed to enter and leave your network. To configure firewall policies, navigate to Firewall > Policies.

Configure VPN settings: VPN settings are used to create secure connections between remote sites or users. To configure VPN settings, navigate to VPN > IPsec.

Set up DHCP server: If you want to set up a DHCP server to automatically assign IP addresses to devices on your network, navigate to System > Network > DHCP Server.

Configure advanced settings: Finally, you may want to configure advanced settings such as antivirus, web filtering, and intrusion prevention. To configure these settings, navigate to Security Profiles.


Rachel Gomez


Thank you Rachel,


I am seeking a deeper config design.




well to make a server or ports accessible from the internet you will have to do vip on the FGT (i.e.snat). You cannot assign a public ip to your server behind the FGT.

IF you want it to be completely open do a vip that forwards port 1-65535 any protocol to your server with one public ip as source and use that as destination in a policy. 

Then if anyone hits that public ip the traffic will hit your server.

If you only want specific ports you will have to do a vip for each (or a range if possible) and use that as destination in a policy.

source in these policies would be ANY or ALL.


Your Gateway has to be either entered as gw of the default route or as gateway of the sd-wan member if you use sdwan. If the WAN Port does PPPoE with DHCP you don't need to set it at all.


And for the vlans: we use one POrt as "Uplink" to the first switch. All vlans are virtual interfaces beyond that port. So that Port would be a "Vlan Trunk". The Switch then divide the vlans to their ports where needed. 

SInce a vlan in FOrtiOS is a (virtual) Interface it will be isolated from everything unless there is policy matching this traffic that is not policy #0 (= implicite deny) :)

Additional Routing would only be required if the FGT doesn't have an interface in the destination subnet.



"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors