kriu
New Member
October 25, 2024
Solved

FG-60E in transparent mode


Hi. Is it possible to configure the system for FG-60E so that in transparent mode it can download signatures for security services? FG-60E would be between the optical modem (also in transparent mode) and another main firewall (NGFW). In this other NGFW there is the IP address of the WAN gateway to the Internet.
WAN-LAN.png

Best answer by jdelafuente_FTNT

You got it!

Use wan2 with L3 configuration as admin interface, you can connect it into your customer LAN.

 

Best regards

2 replies

jdelafuente_FTNT
Staff & Editor
October 26, 2024

No, you need at least one IP for internet connection for updates.
Maybe if you use 3rd port connected to LAN and receive internet from NGFW.
Also, in your architecture you lost visibility of internal network traffic, you only see traffic from your WAN IP.
Better place for this scenario is between NGFW and LAN.

kriu
Author
New Member
October 26, 2024

I know that the solution you suggested is the most convenient, but my main NGFW already supports LANs, WLAN and 3 access points, all connected to 6 LAN interfaces. Would configuring a second WAN in FG-60E (different IP address) allow the FG-60E to contact license servers? I mean WAN1 in transparent mode with LAN1 and WAN2 external IP to the Internet.

jdelafuente_FTNT
Staff & Editor
October 26, 2024

You got it!

Use wan2 with L3 configuration as admin interface, you can connect it into your customer LAN.

 

Best regards

kriu
Author
New Member
January 21, 2026

Will CLI commands like those listed below be suitable?


1. Transparent mode:

config system settings
set opmode transparent
end

config system interface
edit "mgmt"
set ip 192.168.X.X 255.255.255.0
next
end


====

2. WAN2 for DHCP:

config system interface
edit "wan2"
set mode dhcp
set allowaccess ping https ssh
next
end


====

3. Policy for FortiGate to WAN2:

config firewall policy
edit 1
set name "FGT-to-Internet"
set srcintf "any"
set dstintf "wan2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end


====

4. Test:

execute ping 8.8.8.8
execute ping update.fortiguard.net
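
An offline pre-check for commands like those in the last post, as an added example that is not part of the thread and not Fortinet code: it parses FortiOS-style config/edit/set/next/end text and flags an `edit` with no enclosing `config` block, administrative protocols enabled on a DHCP-addressed interface, and an accept policy that matches any source, destination and service. `SAMPLE` is constructed and modelled on the wan2 and policy steps above, with the policy's `config` header left out to exercise the first check; the function names and the three checks are assumptions of this example, and nested `config` blocks are not handled.

```python
import shlex
MGMT = {"https", "http", "ssh", "telnet"}  # administrative allowaccess values
BROAD = {"srcintf": "any", "srcaddr": "all", "dstaddr": "all", "service": "ALL"}

# Constructed sample (not device output); policy 'config' header left out on purpose.
SAMPLE = """\
config system interface
edit "wan2"
set mode dhcp
set allowaccess ping https ssh
next
end
edit 1
set srcintf "any"
set dstintf "wan2"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
end
"""

def parse(text):
    """Return (entries, errors); each entry is (table, name, {setting: [values]})."""
    entries, errors, table, entry = [], [], None, None
    for n, line in enumerate(text.splitlines(), 1):
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            table = " ".join(tok[1:])
        elif tok[0] == "edit" and len(tok) > 1:
            if table is None:
                errors.append(f"line {n}: 'edit {tok[1]}' outside any 'config' block")
            entry = (table, tok[1], {})
            entries.append(entry)
        elif tok[0] == "set" and entry and len(tok) > 1:
            entry[2][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            table, entry = (None if tok[0] == "end" else table), None
    return entries, errors

def audit(text):
    entries, findings = parse(text)  # structural errors come first in the result
    for _, name, s in entries:
        exposed = sorted(MGMT & set(s.get("allowaccess", [])))
        if exposed and s.get("mode") == ["dhcp"]:
            findings.append(f"{name}: admin access {exposed} on a DHCP-addressed interface")
        if s.get("action") == ["accept"] and all(s.get(k) == [v] for k, v in BROAD.items()):
            findings.append(f"policy {name}: accepts any source, destination and service")
    return findings
```

Calling `audit(SAMPLE)` returns the three findings in order; each one is a prompt to review the setting, not a statement about how the device will behave.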