Kole
New Member
May 26, 2017
Question

Fortigate transparent mode - TCP packet enters twice

  • May 26, 2017
  • 3 replies
  • 11204 views

Dear,

I want to buy a Fortigate 201E and want to use one VDOM in transparent mode. Scenario:

servers ---(many vlans)---Fortigate--(many vlans)--router (default gateway for all vlans)

When one server opens a TCP connection to another server, the same packet goes through the Fortinet to the router, and again through the Fortinet to the other server.

I found that I can disable anti-replay and that should work: http://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-transparent-52/Replay-Traffic-Scenario/ReplayTrafficScenario.htm

Does anyone use Fortigate in this scenario?

Does it normally work, and can I use hardware acceleration in this case?

Is it possible to disable inspection in the second direction? I don't want to double-inspect packets.

Best Regards


    3 replies

    emnoc
    New Member
    May 26, 2017

    Qs:

    What do you mean, many vlans?

    What method are you using to find the TCP packet twice?

    Do you have a router-on-a-stick deployed?

    Did you run diag debug flow with the correct filters for the traffic between client--->server?

    Did you run diag sniffer packet any "host x.x.x.x and port yyyy " 4 and monitor the interfaces?

    Or better yet, just look at the client SYN.

    Example:

           diag sniffer  packet  any "tcp[13]==2 and port 443 and host 1.2.3.4"

    Replace port and host with your details and then have a client hit the target.

    Keep in mind the following:

    If you have a router on a stick and a single physical link, you will see every packet twice from a logical state (in one vlan and out another for that link).

    If you're running meshed vdoms, you will also see the traffic (once in each vdom).

    Ken
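An added example, not part of the thread or of FortiOS, that automates what Ken suggests: it parses verbosity-4 `diag sniffer packet` output and flags a client SYN (same 4-tuple, same ISN) that entered the FortiGate on more than one interface, which is the "same packet twice" case this thread is about. The sample lines and the interface names (srv_v10, rtr_v10, rtr_v20, srv_v20) are constructed, and the line layout assumed is "timestamp interface in|out src.port -> dst.port: flags seq".

```python
import re
from collections import defaultdict

# Constructed sample of "diag sniffer packet any '...' 4" output (not from the thread).
# Flow A: server on VLAN 10 -> router (leg 1), router -> server on VLAN 20 (leg 2).
# Flow B: crosses the FortiGate only once (destination is outside).
SAMPLE = """\
0.100001 srv_v10 in 10.1.10.5.40100 -> 10.1.20.7.443: syn 1000001
0.100015 rtr_v10 out 10.1.10.5.40100 -> 10.1.20.7.443: syn 1000001
0.100402 rtr_v20 in 10.1.10.5.40100 -> 10.1.20.7.443: syn 1000001
0.100410 srv_v20 out 10.1.10.5.40100 -> 10.1.20.7.443: syn 1000001
0.200001 srv_v10 in 10.1.10.9.50200 -> 203.0.113.4.443: syn 2000002
0.200012 rtr_v10 out 10.1.10.9.50200 -> 203.0.113.4.443: syn 2000002
"""

# Assumed sniffer line shape: "<ts> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags> <seq>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ifname>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>\S+)\s+(?P<seq>\d+)"
)

def parse_sniffer(text):
    """Yield one dict per parsed sniffer line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def ingress_interfaces_per_syn(text):
    """Map each client SYN (src, sport, dst, dport, seq) to the ordered list of
    interfaces on which it ENTERED the box. Same SYN and same ISN arriving on
    more than one interface means the packet crossed the FortiGate twice."""
    seen = defaultdict(list)
    for pkt in parse_sniffer(text):
        if pkt["dir"] != "in" or pkt["flags"] != "syn":
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["seq"])
        if pkt["ifname"] not in seen[key]:
            seen[key].append(pkt["ifname"])
    return dict(seen)

def double_traversals(text):
    """Return only the SYNs that entered on more than one interface."""
    return {k: v for k, v in ingress_interfaces_per_syn(text).items() if len(v) > 1}

if __name__ == "__main__":
    for (src, sport, dst, dport, seq), ifaces in double_traversals(SAMPLE).items():
        print(f"{src}:{sport} -> {dst}:{dport} (ISN {seq}) entered on {ifaces}")
```

Feed it the saved output of the sniffer command above; each flagged SYN names the two ingress interfaces, which tells you which VLAN pair carries the second pass.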

    Kenundrum
    New Member
    May 26, 2017

    Are the servers on different vlans also on different IP subnets? In general, that's not a supported configuration for transparent mode unless you use a different VDOM for each.

    What you should have is a bunch of vlans that have the same IP subnet, so that if you have a computer in vlan 2 that needs to talk to vlan 3, the fortigate rule would look like vlan2->vlan3 and, because they are the same IP range, no gateway would be necessary.

    If you do have multiple vdoms in transparent mode to deal with such a config, each vdom would have independent policies. You'd need one policy out of vdom A and another into vdom B. Just set the content inspection to happen at one of those rules as necessary. I typically scan traffic closest to its destination as long as all the inline devices are controlled by us.

    Kole
    KoleAuthor
    New Member
    May 29, 2017

    Dear,

    I don't use different VDOMs for different VLANs. All vlans are in the same vdom (transparent mode). My idea is just to put the Fortigate between the servers and the router and inspect traffic, but not change anything in the network. I want to use the Fortigate in transparent mode.

    I added L2 and L3 diagrams in my first post. I need normal communication between server 1 and server 2. They are in different subnets and the router is the default gateway for all servers (subinterfaces on the router).

    Can I configure the Fortigate to not block communication between server 1 and server 2? In this scenario every packet from server 1 to server 2 goes through the Fortigate twice. I would like to configure the Fortigate to not inspect every packet twice.

    Thanks

    Kole
    KoleAuthor
    New Member
    May 30, 2017

    Hi,

    I don't have a Fortigate. I want to buy it, but first I have to know whether it works in my scenario. I attached a scenario picture in the first post (the upper diagram is L2 and the lower diagram is L3).

    My problem is: when server 1 pings server 2, the echo request goes from server 1 to the Fortigate on vlan 1. The Fortigate creates a session for that packet and forwards it on vlan 1 to the router. The router returns that packet on vlan 2 to the Fortigate. The Fortigate sees that this is the same packet and that it already has a session for it. It will drop the packet.

    Is there any way to configure the Fortigate to pass that packet? In my scenario I should have normal communication between the servers.

    Thanks

    Kole
    KoleAuthor
    New Member
    May 31, 2017

    Dear,

    I want to use a similar scenario. I will use only one VDOM for all vlans. I have too many vlans (more than 30) and I can't separate the vlans into different VDOMs.

    I'm not sure whether that works. I hope that someone who uses a scenario like mine in production can help me.

    Thanks