CourtK
New Member
February 2, 2015
Question

Cannot access FTG in Transparent Mode

Hi,

I have the Fortigate in transparent mode and connected between our ASA and core Layer 3 switch. Traffic is going through the Fortigate. However, I'm not able to access or ping it (10.3.2.10) from my computer (10.1.1.57). I'm able to access and ping the ASA from my computer. My computer is on VLAN 100 and the ASA and Fortigate are on VLAN 200. The Fortigate has a route 0.0.0.0 to the ASA 10.3.2.1. How can I manage the Fortigate from my computer?


Thank you,

Courtney

    4 replies

    emnoc
    New Member
    February 2, 2015

    I don't think that will work. The ASA is on the outside, so you will need a host of firewall policies allowing the traffic through and back in. What happens if you use the L3 switch that's on the inside?


    Another option is to use a dedicated interface and plug that into a management VLAN.

    CourtK
    Author
    New Member
    February 2, 2015

    I should have stated that the layer 3 switch has several layer 2 switches directly connected to it. The layer 3 switch is the gateway for many VLANs. I figured I couldn't put the FortiGate between the layer 3 switch and one of the layer 2 switches and still be able to monitor/throttle the entire network.

    CourtK
    Author
    New Member
    February 6, 2015

    I set up a switch port near my desk with VLAN access ID 200 and attached a laptop to it with the correct IP. This allows me to manage the FortiGate from my desk. This is a temporary setup until we move the FortiGate into NAT mode in a couple of months.

    Jeff_FTNT
    Staff
    February 2, 2015

    You may try setting up the FGT like this:

    # Static route so replies to the 10.1.1.0/23 client network leave via the L3 switch
    config router static
        edit 2
            set dst 10.1.1.0/23
            set gateway 10.3.2.3
        next
    end

    On the VLAN interface connected to "10.3.2.3", enable administrative access:

    config system interface
        edit <vlan-interface-name>
            set allowaccess ping https ssh http snmp telnet
        next
    end

    Hope it works.

    ashukla_FTNT
    Staff
    February 5, 2015

    There is no VLAN interface for management, and the switch will send tagged packets, so the firewall will not reply.

    You can do the following:


    Give the firewall a management IP under config system settings from an unused subnet, say 1.1.1.1/24, and configure an IP in the same subnet on the Layer 3 switch, say 1.1.1.2/24:

    # Transparent-mode management address; the gateway is the L3 switch SVI
    config system settings
        set manageip 1.1.1.1/24
        set gateway 1.1.1.2
    end


    Either connect another cable to the firewall and configure that switch port with the 1.1.1.2 address, or configure the switch so that it sends traffic to 1.1.1.1 untagged over the same interface.


    The most important point is that the management traffic must arrive untagged.


    The firewall management IP can be in any subnet, irrespective of the connected subnet, because management is separate from traffic forwarding.

    ashukla_FTNT
    Staff
    February 6, 2015

    Does it matter what the management port IP is? Does it have to match the subnet (10.3.2.0) of the traffic that it's checking?


    No, it doesn't matter. For forwarding traffic in transparent mode, the firewall looks only at the destination MAC address; it doesn't look at the IP header for forwarding. For security functions like policy checks and UTM it will look at the IP layer and other layers, but packet forwarding happens only by looking at the MAC address.


    So the management IP can be anything, irrespective of the network where the firewall is connected. As long as you can route traffic toward the management IP network and the gateway is set, firewall management will work.

    I believe if you try the way I mentioned earlier, I am pretty sure it should work.