7.4.0

Transparent mode

Transparent mode is an operation mode where the FortiGate acts like a bridge. It is similar to virtual wire mode except that in transparent mode, all interfaces in the same VDOM are in the same L2 forwarding domain. Therefore, using multiple interfaces in transparent mode needs special attention, as the wrong configuration can easily create a loop.

Transparent mode applies to the operation of the FortiGate as a whole. Where transparent mode is required, using VDOMs is best practice. In transparent mode, all ports belong to the same forwarding domain by default. You can assign ports to different forwarding domains within the same FortiGate/VDOM, or you may use individual VDOMs to separate ports into different forwarding domains. If the connected ports are trunk ports, you should isolate each VLAN interface pair in its own VDOM or forwarding domain. You must configure a policy with an IPS profile for inspection to occur. You can use both source and destination MAC address objects in IPS policies.

Considering virtual wire mode over transparent mode is best practice, since deployment is simpler and virtual wire mode offers the same capabilities as transparent mode with the added benefit of operating in NAT mode.
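The following FortiOS CLI fragment is an added example, not taken from the original page. It shows two trunk ports whose VLAN interface pairs are each placed in their own forwarding domain, with one policy per pair carrying an IPS profile. It assumes a VDOM named "root" that is already in transparent mode, hypothetical trunk ports port1 and port2, VLAN IDs 100 and 200, and the "default" IPS sensor.

```fortios
# Assumed names: port1/port2 are the trunk ports, VLANs 100 and 200 are examples.
# Each VLAN interface pair gets its own forwarding domain so that broadcasts
# for VLAN 100 are never bridged onto VLAN 200 and no L2 loop forms.
config system interface
    edit "port1_v100"
        set vdom "root"
        set interface "port1"
        set vlanid 100
        set forward-domain 100
    next
    edit "port2_v100"
        set vdom "root"
        set interface "port2"
        set vlanid 100
        set forward-domain 100
    next
    edit "port1_v200"
        set vdom "root"
        set interface "port1"
        set vlanid 200
        set forward-domain 200
    next
    edit "port2_v200"
        set vdom "root"
        set interface "port2"
        set vlanid 200
        set forward-domain 200
    next
end

# Inspection only happens where a policy with an IPS profile matches,
# so each pair needs a policy (repeat for the reverse direction and for VLAN 200).
config firewall policy
    edit 1
        set srcintf "port1_v100"
        set dstintf "port2_v100"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ips-sensor "default"
    next
end
```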
