skobayashi_FTNT
Staff
February 28, 2013

Technical Tip: Precaution for configuring transparent mode on Fortinet-VM appliances

Description
This article explains a precaution to take when configuring Fortinet VM appliances in transparent mode (L2-bridge mode) on VMware ESXi.
Scope
  • Fortinet VM Appliances
    • FortiGate-VM.
    • FortiMail-VM.
    • FortiWeb-VM.
  • Transparent-mode enabled.
  • VMware ESXi.
Solution
  1. When deploying an OVF template of a Fortinet VM appliance, the source networks of all interfaces (vNICs) are mapped to a single destination network/PortGroup by default, unless a destination network is mapped manually for each one.

  2. If at least two vNICs are mapped to the same network/PortGroup and the operation mode of the VM guest OS is then switched to transparent mode, an L2 loop occurs between the VM and the vSwitch: the guest bridges the two vNICs, and the vSwitch already connects them through the same PortGroup.

This loop can cause traffic storms, CPU spikes and network problems on the ESXi host, the guest VM and other devices on the network.

 

Before switching the guest OS to transparent mode, take one or both of the following steps:

  • Place every vNIC interface in a different network (PortGroup and/or VLAN).
  • Disconnect every unused vNIC interface from the vSwitch.


If multiple VMs run in transparent mode and share the same mapping to PortGroups, this can also cause an L2 loop: each VM bridges the same pair of PortGroups, so together they form a parallel path between them.

Example:
 

          [VM-1]
  (vNIC-1a)    (vNIC-1b)
     |            |
<PortGroupA>  <PortGroupB>
     |            |
  (vNIC-2a)    (vNIC-2b)
          [VM-2]
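As an added example (not part of the original article, and not Fortinet's or VMware's code), the following Python script checks a VM inventory for both loop conditions described above: a transparent-mode VM with two or more connected vNICs on the same PortGroup, and two transparent-mode VMs that bridge the same pair of PortGroups (the VM-1/VM-2 diagram). The inventory is a constructed snapshot; the VM and vNIC names, the PortGroup names and the `transparent_mode` flag are assumptions, and in a real environment the same data would be exported from vCenter before the operation mode is changed.

```python
"""Pre-flight check for the two L2-loop conditions described in the article.

Added example, not Fortinet's or VMware's code. The inventory below is
constructed; in practice it would be exported from vCenter (assumption).
"""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class VNic:
    name: str
    port_group: str      # destination network / PortGroup on the vSwitch
    connected: bool = True


@dataclass
class VM:
    name: str
    transparent_mode: bool   # assumed flag: guest OS runs in L2-bridge mode
    vnics: list = field(default_factory=list)


def bridged_port_groups(vm):
    """PortGroups the guest bridges in transparent mode (connected vNICs only)."""
    return {nic.port_group for nic in vm.vnics if nic.connected}


def find_loop_risks(vms):
    """Return a list of findings; an empty list means no loop condition was found."""
    findings = []

    # Condition 1 (Solution step 2): one transparent-mode VM with two or more
    # connected vNICs on the same PortGroup -> loop between VM and vSwitch.
    for vm in vms:
        if not vm.transparent_mode:
            continue            # NAT/proxy mode does not bridge its vNICs
        by_pg = {}
        for nic in vm.vnics:
            if nic.connected:   # a disconnected vNIC cannot close the loop
                by_pg.setdefault(nic.port_group, []).append(nic.name)
        for pg, nics in by_pg.items():
            if len(nics) >= 2:
                findings.append(("same-portgroup", vm.name, pg, tuple(nics)))

    # Condition 2 (VM-1/VM-2 example): two transparent-mode VMs that both bridge
    # the same two PortGroups form a parallel path between those PortGroups.
    transparent = [vm for vm in vms if vm.transparent_mode]
    for a, b in combinations(transparent, 2):
        shared = bridged_port_groups(a) & bridged_port_groups(b)
        if len(shared) >= 2:
            findings.append(("parallel-bridge", a.name, b.name, tuple(sorted(shared))))

    return findings


def constructed_inventory():
    """Constructed sample inventory; names and PortGroups are made up."""
    return [
        # Default OVF mapping left in place: both vNICs landed on "VM Network".
        VM("fgt-vm-bad", True, [VNic("port1", "VM Network"), VNic("port2", "VM Network")]),
        # Correct layout: distinct PortGroups, unused vNIC disconnected.
        VM("fgt-vm-ok", True, [VNic("port1", "PG-A"), VNic("port2", "PG-B"),
                               VNic("port3", "VM Network", connected=False)]),
        # Fine on its own, but bridges the same PG-A/PG-B pair as fgt-vm-ok.
        VM("fmail-vm", True, [VNic("port1", "PG-A"), VNic("port2", "PG-B")]),
        # Shares only one PortGroup with the others: no parallel path.
        VM("fgt-vm-2", True, [VNic("port1", "PG-A"), VNic("port2", "PG-C")]),
        # Not in transparent mode, so duplicate PortGroups are not bridged.
        VM("fweb-vm", False, [VNic("port1", "VM Network"), VNic("port2", "VM Network")]),
    ]


if __name__ == "__main__":
    for finding in find_loop_risks(constructed_inventory()):
        print(finding)
```

A "same-portgroup" finding is resolved by either step above (move the vNIC to another PortGroup/VLAN, or disconnect it if unused); a "parallel-bridge" finding means the two VMs must be given distinct PortGroup pairs before both run in transparent mode.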