paulbhande
New Member
March 30, 2025
Question

Fortigates in line Transparent HA mode

  • March 30, 2025
  • 1 reply
  • 414 views

We are planning to put two FortiGates in line, in HA active-passive and transparent mode, behind existing Cisco firewalls to inspect traffic.

I was wondering if there are features not supported under this configuration?

Can the incoming ports on the FortiGates be directly connected to firewall ports without going to a switch first? The firewalls are in HA as well. If they fail over, how will the FortiGates know to fail over to the other unit?

If we turn on deep inspection, what kind of certificates are required and where should they be installed? Is it internal sub-root CA? For incoming traffic? For Outgoing traffic?

1 reply

AEK
SuperUser
April 1, 2025

The following article lists the features that are not supported in transparent mode:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Features-not-supported-in-Transparent-Mode/ta-p/290844

I personally used transparent mode in production and I confirm it is very helpful when you don't want to change L3 topology.


If I understand your question about connecting the Cisco FW directly to the FGT without a switch, I'd say yes, you can, but in that case, for the failover to operate correctly, you will need to connect each Cisco firewall to both FortiGates, the active and the passive one.


For deep inspection, you have two choices:

Hope it helps.

AEK
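To illustrate the topology AEK describes (each Cisco firewall cabled to both FortiGates, with the FortiGate HA cluster watching those links), here is an added FortiOS CLI sketch; it is not from the original thread or from Fortinet, and the port names, management IP, group name and password are assumed placeholders.

```fortios
# Assumed layout (not from the thread): port1 faces Cisco FW-A,
# port2 faces Cisco FW-B, port9 is a dedicated HA heartbeat link.
# Run the same config on both FortiGates; only "priority" differs.

# 1. Transparent mode: the cluster bridges traffic at L2 and keeps
#    a single management IP instead of per-interface L3 addresses.
config system settings
    set opmode transparent
    set manageip 192.0.2.10/255.255.255.0   # placeholder management IP
end

# 2. Active-passive HA. "monitor" is the part that answers the
#    failover question: if a monitored port loses link (for example
#    because the Cisco unit it is cabled to went down), the cluster
#    fails over to the peer, whose own port1/port2 still see the
#    surviving Cisco firewall.
config system ha
    set group-name "FGT-TP-HA"              # placeholder group name
    set mode a-p
    set password "CHANGE-ME-PLACEHOLDER"    # placeholder, set a real one
    set hbdev "port9" 50
    set monitor "port1" "port2"
    set session-pickup enable               # keep sessions across failover
    set override disable
    set priority 200                        # use a lower value on the peer
end
```

Interface monitoring only detects link loss, so verify the failover path with the actual Cisco HA behaviour (whether the failed unit drops link or keeps it up) before relying on it.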