FortiGate
skobayashi_FTNT
Description
This article explains a precaution when configuring Fortinet VM appliances with a transparent mode (L2-bridge mode) on VMware ESXi.

1. When you deploy an OVF template of a Fortinet VM appliance, the source network of every interface (vNIC) is mapped to a single destination network/PortGroup by default, unless you manually map a destination network for each one:

2. If at least two vNICs are mapped to the same network/PortGroup and you then switch the operation mode of the guest OS to transparent mode, an L2 loop forms between the VM and the vSwitch:

This loop can cause a traffic storm, CPU spikes and network problems on the ESXi host, the guest VM and other devices.

Scope
  • Fortinet VM Appliances
    • FortiGate VM
    • FortiMail VM
    • FortiWeb VM
  • Transparent-mode enabled
  • VMware ESXi

Solution
There are two ways to avoid an L2 loop.

Before switching the guest OS to transparent mode, take one or both of these steps.

1. Put every vNIC interface in a different network (PortGroup and/or VLAN):

2. Disconnect every unused vNIC interface from the vSwitch:

Internal Notes
Also, if multiple VMs are running in transparent mode and they share the same mapping to PortGroups, this too can cause an L2 loop.

Example:
 

          [VM-1]
  (vNIC-1a)    (vNIC-1b)
     |            |
<PortGroupA>  <PortGroupB>
     |            |
  (vNIC-2a)    (vNIC-2b)
          [VM-2]
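As an added pre-flight check (example code, not Fortinet's or VMware's own), the script below models both the Solution steps and the Internal Notes case: PortGroups are graph nodes, each transparent-mode VM bridges the PortGroups of its connected vNICs, and any cycle in that graph (a self-loop from two vNICs on one PortGroup, or two VMs bridging the same PortGroup pair) is an L2 loop. The inventory, VM names, the "VM Network" PortGroup and the transparent flag are constructed assumptions.

```python
from typing import Dict, List, Optional, Tuple

Vnic = Tuple[str, Optional[str]]          # (vNIC name, PortGroup or None if disconnected)
Inventory = Dict[str, Dict[str, object]]  # vm -> {"transparent": bool, "vnics": [Vnic]}

def _root(parent: Dict[str, str], x: str) -> str:
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def find_l2_loops(inventory: Inventory) -> List[str]:
    """Return one finding per loop condition; an empty list means safe to switch."""
    findings: List[str] = []
    parent: Dict[str, str] = {}               # PortGroup -> union-find parent
    for vm, info in inventory.items():
        if not info["transparent"]:
            continue                          # NAT/route-mode VMs do not bridge
        first_on: Dict[str, str] = {}         # PortGroup -> first vNIC seen on it
        for name, pg in info["vnics"]:
            if pg is None:
                continue                      # Solution step 2: a disconnected vNIC is harmless
            if pg in first_on:                # Solution step 1 violated: same PortGroup twice
                findings.append(f"{vm}: {first_on[pg]} and {name} both on {pg} (self-loop)")
            else:
                first_on[pg] = name
        groups = list(first_on)               # distinct PortGroups this VM bridges
        for pg in groups:
            parent.setdefault(pg, pg)
        for pg in groups[1:]:                 # Internal Notes case: cross-VM cycle
            ra, rb = _root(parent, groups[0]), _root(parent, pg)
            if ra == rb:
                findings.append(f"{vm}: {groups[0]} and {pg} already bridged by another VM (loop)")
            else:
                parent[rb] = ra
    return findings

# Constructed inventory: the default OVF mapping (all vNICs on one PortGroup),
# the VM-1/VM-2 diagram above, and a route-mode VM that the check ignores.
INVENTORY: Inventory = {
    "FGT-default-ovf": {"transparent": True, "vnics": [("port1", "VM Network"), ("port2", "VM Network"), ("port3", "VM Network"), ("port4", None)]},
    "VM-1": {"transparent": True, "vnics": [("vNIC-1a", "PortGroupA"), ("vNIC-1b", "PortGroupB")]},
    "VM-2": {"transparent": True, "vnics": [("vNIC-2a", "PortGroupA"), ("vNIC-2b", "PortGroupB")]},
    "VM-3-nat": {"transparent": False, "vnics": [("port1", "PortGroupA"), ("port2", "PortGroupA")]},
}
if __name__ == "__main__":
    for line in find_l2_loops(INVENTORY):
        print(line)
```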