
Handbook

VLANs in transparent mode

6.0.0

VLANs in transparent mode

In transparent mode, a FortiGate behaves like a layer-2 bridge but can still apply services such as antivirus scanning, web filtering, spam filtering, and intrusion prevention (IPS) to the traffic it forwards. Transparent mode has some limitations: you can't use SSL VPN, PPTP/L2TP VPN, or the DHCP server, and NAT is difficult to apply to traffic. These same limits apply to IEEE 802.1Q VLAN trunks passing through the device.

VLANs and transparent mode

You can insert a FortiGate operating in transparent mode into the VLAN trunk without making changes to your network. In a typical configuration, the FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal network VLANs. The FortiGate external interface forwards VLAN‑tagged packets through another VLAN trunk to an external VLAN switch or router and on to external networks, such as the Internet. You can configure the unit to apply different policies for traffic on each VLAN in the trunk.

To pass VLAN traffic through the FortiGate, add two VLAN subinterfaces with the same VLAN ID, one to the internal interface and the other to the external interface. You then create a security policy to permit packets to flow from the internal VLAN interface to the external VLAN interface. If required, you create another security policy to permit packets to flow from the external VLAN interface to the internal VLAN interface. Typically in transparent mode, you don't permit packets to move between different VLANs; a policy whose incoming and outgoing subinterfaces carry different VLAN IDs would do exactly that, so only create one deliberately. Network protection features, such as spam filtering, web filtering, and antivirus scanning, are applied through the Security Profiles specified in each security policy, enabling very detailed control over traffic.

When the FortiGate receives a VLAN-tagged packet at a physical interface, it directs the packet to the VLAN subinterface with the matching VLAN ID. The VLAN tag is removed from the packet, and the FortiGate then applies security policies using the same method it uses for non-VLAN packets. If the packet exits the FortiGate through a VLAN subinterface, the VLAN ID for that subinterface is added to the packet and the packet is sent to the corresponding physical interface.

General configuration steps

There are two essential steps to configure a FortiGate to work with VLANs in transparent mode: add VLAN subinterfaces and create security policies.

You can also configure the Security Profiles that manage antivirus scanning, web filtering and spam filtering.

Add VLAN subinterfaces

The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4094: VID 0 marks a priority-tagged frame that carries no VLAN membership, and VID 4095 is reserved by the standard, so neither can be assigned to a subinterface. You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.

For this example, we're creating a VLAN called internal_v225 on the internal interface, with a VLAN ID of 225. Administrative access is enabled for HTTPS and SSH. VDOMs aren't enabled.

To add VLAN subinterfaces in transparent mode - GUI:
  1. Go to Network > Interfaces.
  2. Select Create New and click on Interfaces.
  3. Enter the following information and select OK.

    Interface Name: internal_v225

    Type: VLAN

    Interface: internal

    VLAN ID: 225

    Administrative Access: Enable HTTPS and SSH. Both are encrypted; don't enable HTTP or Telnet, which send administrator credentials in the clear.

    The FortiGate adds the new subinterface to the interface that you selected.

    Repeat steps 2 and 3 to add additional VLANs, changing the VLAN ID and Name, and the Interface where needed. For the transparent-mode pair described above, add the matching subinterface with the same VLAN ID (for example, external_v225 with VLAN ID 225) on the external interface.

To add VLAN subinterfaces in transparent mode - CLI:

config system interface
    edit internal_v225
        set vdom root
        set interface internal
        set vlanid 225
        set allowaccess https ssh
        set description "VLAN 225 on internal interface"
    next
end

Create security policies

In transparent mode, the FortiGate applies the antivirus, antispam, and other Security Profiles selected in the matching policy to each VLAN's packets as they pass through the device. You need security policies to permit packets to pass from the VLAN interface where they enter the device to the VLAN interface where they exit the device. If there are no security policies configured, no packets will be allowed to pass from one interface to another: the implicit deny applies to VLAN subinterfaces exactly as it does to physical interfaces.

To add security policies for VLAN subinterfaces - GUI:
  1. Go to Policy & Objects > Addresses.
  2. Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets.
  3. Go to Policy & Objects > IPv4 Policy or Policy & Objects > IPv6 Policy and select Create New.
  4. From the Incoming Interface list, select the VLAN interface where packets enter the unit.
  5. From the Outgoing Interface list, select the VLAN interface where packets exit the unit.
  6. Select the Source and Destination Address names that you added in step 2.
  7. Select OK.
To add security policies for VLAN subinterfaces - CLI:

config firewall address
    edit incoming_VLAN_address
        set associated-interface <incoming_VLAN_interface>
        set type ipmask
        set subnet <IPv4_address_mask>
    next
    edit outgoing_VLAN_address
        set associated-interface <outgoing_VLAN_interface>
        set type ipmask
        set subnet <IPv4_address_mask>
    next
end

config firewall policy
    edit <unused_policy_number>
        set srcintf <incoming_VLAN_interface>
        set dstintf <outgoing_VLAN_interface>
        set srcaddr incoming_VLAN_address
        set dstaddr outgoing_VLAN_address
        set schedule always
        set service <service_to_allow_on_VLAN>
        set action accept
    next
end

For IPv6 traffic, use config firewall policy6 with the same keywords. Note that the policy keywords are dstintf and dstaddr (not destintf and destaddr); FortiOS rejects the longer spellings.
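The two procedures above only give a template. The following is an added, complete worked example (it is not taken from the Fortinet handbook) that configures the VLAN 225 pair end to end: both subinterfaces, the address objects, one policy per direction, and the Security Profiles that make inspection actually happen. The interface and object names (internal_v225, external_v225, vlan225_inside, vlan225_webserver), the subnet 10.225.0.0/24, the management IP 10.225.0.254, the policy IDs 10 and 11, and the use of the built-in default and certificate-inspection profiles are all assumptions made for illustration; replace them with values from your own network.

```fortios
# Added example configuration, not from the Fortinet handbook.
# Assumed: no VDOMs, and the unit is already in transparent mode with a
# management IP on VLAN 225. Changing opmode clears interface addressing,
# so do this first, from the console, before the unit carries traffic.
config system settings
    set opmode transparent
    set manageip 10.225.0.254/24        # assumed management IP
end

# 1. One subinterface per physical interface, both tagged with VLAN 225.
#    Administrative access is granted only on the inside subinterface and
#    only over encrypted protocols; the outside subinterface gets none.
config system interface
    edit "internal_v225"
        set vdom "root"
        set interface "internal"
        set vlanid 225
        set allowaccess https ssh
        set description "VLAN 225, inside trunk"
    next
    edit "external_v225"
        set vdom "root"
        set interface "external"
        set vlanid 225
        set description "VLAN 225, outside trunk (no admin access)"
    next
end

# 2. Address objects bound to the subinterface they are expected on. In
#    transparent mode both sides of the bridge share one IP subnet; the
#    binding is what stops a spoofed inside address arriving from outside
#    from matching the inside object.
config firewall address
    edit "vlan225_inside"
        set associated-interface "internal_v225"
        set type ipmask
        set subnet 10.225.0.0 255.255.255.0      # assumed inside hosts
    next
    edit "vlan225_webserver"
        set associated-interface "internal_v225"
        set type ipmask
        set subnet 10.225.0.10 255.255.255.255   # assumed published server
    next
end

# 3. One policy per direction, each as narrow as the traffic allows.
#    Everything else, including traffic between internal_v225 and any
#    other VLAN subinterface, hits the implicit deny.
config firewall policy
    edit 10                                      # assumed unused policy ID
        set name "vlan225_outbound"
        set srcintf "internal_v225"
        set dstintf "external_v225"
        set srcaddr "vlan225_inside"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
    edit 11
        set name "vlan225_inbound_web"
        set srcintf "external_v225"
        set dstintf "internal_v225"
        set srcaddr "all"
        set dstaddr "vlan225_webserver"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
    next
end

# 4. Verify: the subinterfaces exist with the right VLAN ID, the policies
#    reference them, and tagged frames are actually seen on the inside
#    subinterface (verbose level 4 prints the interface name per packet).
show system interface internal_v225
show system interface external_v225
show firewall policy 10
show firewall policy 11
diagnose sniffer packet internal_v225 'port 443' 4 10
```

Two points worth checking after applying this: no policy pairs internal_v225 with a subinterface of a different VLAN ID, which is what keeps VLANs separated as the text describes, and no policy uses a NAT option, which transparent mode cannot honour.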
