FortiGate 401F IPS Transparent - UTM inspection on asymmetric traffic on L3
Hi all,
I’m currently working with two FortiGate 401F units that I want to deploy either in a Virtual Wire Pair or in transparent mode to serve as IPS devices. These are placed in a classic 3-tier layer design and should sit transparently between the Core and Distribution layers.
In our current setup we are dealing with asymmetric routing, and the FortiGates are supposed to act as IPS. We have the FGSP cluster configured, and sessions are being synced correctly. However, when following the Fortinet documentation for UTM inspection on asymmetric traffic (https://docs.fortinet.com/document/fortigate/7.4.9/administration-guide/324430/utm-inspection-on-asymmetric-traffic-on-l3), the traffic is not being forwarded back to the session owner. Instead, it still exits out of the transparent interfaces.
So far, even with symmetric session pickup / session routing options tried, the traffic path remains as if the FortiGates are just passing through without proper asymmetric session steering back to the primary unit.
The following configuration has been applied to both FortiGates:
config system standalone-cluster
    set standalone-group-id 1
    set group-member-id 1
    config cluster-peer
        edit 1
            set peerip <peer-ip>
            set syncvd <Transparent VDOM>
        next
    end
end

config firewall policy
    edit 1
        set name "Distribution->Core"
        set srcintf "x5"
        set dstintf "x7"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set auto-asic-offload disable
    next
    edit 2
        set name "Core->Distribution"
        set srcintf "x7"
        set dstintf "x5"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set auto-asic-offload disable
    next
end

config system interface
    edit "x8"
        set vdom "root"
        set ip <Peer-ip/Mask>
        set allowaccess ping https ssh snmp fgfm
        set type physical
        set speed 10000full
    next
end
Has anyone successfully deployed FortiGates as transparent IPS in an environment with asymmetric routing using Virtual Wire Pairs or transparent mode and FGSP?
Specifically…
How did you ensure traffic is always inspected and returned to the session owner?
Are there any configuration caveats in transparent/virtual-wire setups with asymmetric routing?
Any recommendations on settings that are easy to overlook?
Thanks in advance!
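One of the settings that is easy to overlook when the same FGSP block is pasted onto both units is that each member needs its own group-member-id and a cluster-peer entry pointing at the other member's sync interface. The following is an added example, not code from the post or from Fortinet: a small parser for the FortiOS CLI block format shown above plus a cross-check of two members' configs. The unit configs, IPs and the VDOM name "TP" are constructed for illustration.

```python
import shlex

# Constructed minimal FGSP member config modelled on the post (placeholder IPs, VDOM "TP").
UNIT_TEMPLATE = """
config system standalone-cluster
    set standalone-group-id 1
    set group-member-id {member}
    config cluster-peer
        edit 1
            set peerip {peer}
            set syncvd "TP"
        next
    end
end
config system interface
    edit "x8"
        set ip {own} 255.255.255.0
    next
end
"""
UNIT_A = UNIT_TEMPLATE.format(member=1, own="10.0.0.1", peer="10.0.0.2")
UNIT_B_AS_PASTED = UNIT_TEMPLATE.format(member=1, own="10.0.0.2", peer="10.0.0.1")
UNIT_B_FIXED = UNIT_TEMPLATE.format(member=2, own="10.0.0.2", peer="10.0.0.1")

def parse_fortios(text):
    """Parse a FortiOS CLI block (config/edit/set/next/end) into nested dicts."""
    stack = [{}]
    for kw, *args in filter(None, map(shlex.split, text.splitlines())):
        if kw in ("config", "edit"):       # descend into a new table or entry
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif kw in ("next", "end"):        # back up one level
            stack.pop()
    return stack[0]

def check_fgsp_pair(cfg_a, cfg_b):
    """Cross-check two FGSP members; returns a list of findings (empty means consistent)."""
    findings = []
    sc_a, sc_b = cfg_a["system standalone-cluster"], cfg_b["system standalone-cluster"]
    if sc_a.get("standalone-group-id") != sc_b.get("standalone-group-id"):
        findings.append("standalone-group-id differs; members will not form one FGSP group")
    if sc_a.get("group-member-id") == sc_b.get("group-member-id"):
        findings.append("group-member-id is identical on both members; each needs its own")
    for label, me, other in (("A", sc_a, cfg_b), ("B", sc_b, cfg_a)):
        other_ip = other["system interface"]["x8"]["ip"].split()[0]  # sync interface IP of the peer
        if not any(p.get("peerip") == other_ip for p in me.get("cluster-peer", {}).values()):
            findings.append(f"unit {label}: no cluster-peer entry points at {other_ip}")
    return findings
```

Run check_fgsp_pair on the two units' exported blocks before looking at session steering; an identical group-member-id or a peerip that does not match the other unit's sync interface is reported as a finding.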
