Description

This article describes how to configure FortiGate so that devices can communicate across the FortiGate using the GOOSE protocol.

The IEC 61850 standard (Communication Networks and Systems in Substations) defines the GOOSE protocol (Generic Object Oriented Substation Event) as a publisher/subscriber type of communication.

This protocol is used for information exchange between IEDs (Intelligent Electronic Devices) in a substation over Ethernet.


IEC 61850 also defines a special XML-based language for describing a substation and its elements, called SCL (Substation Configuration Language).


GOOSE is an event-based protocol.

In GOOSE communication, the publisher sends messages periodically and, when an event happens (e.g. Trip, Contactor closed …), it sends a burst of messages with the new data.


Because the protocol is publisher/subscriber-based, there is no confirmation that a sent message was correctly received by the subscriber, so the message burst minimizes the chance of message loss.


GOOSE is also a link-layer (L2) protocol, so it cannot run over a FortiGate configured in NAT mode.

GOOSE traffic can traverse the FortiGate via Virtual Wire Pair.

Make sure to enable the 'Wildcard VLAN' option on the virtual wire pair. The GOOSE protocol can add an 802.1Q tag with a value of 0, and tagged traffic is only allowed over a virtual wire pair when 'Wildcard VLAN' is enabled.
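
To confirm whether the GOOSE publishers on a segment send tagged frames (including the VLAN ID 0 case described above), the Ethernet header of captured frames can be inspected. The following Python parser is an added example, not part of the original article and not Fortinet code; the sample frames are constructed, and the GOOSE EtherType 0x88B8 and the APPID/length/reserved header layout are taken from IEC 61850-8-1, not from this page.

```python
import struct

ETH_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_GOOSE = 0x88B8   # GOOSE EtherType (from IEC 61850-8-1, not from the article)

def parse_goose_header(frame: bytes) -> dict:
    """Parse the L2 header of one Ethernet frame and report VLAN/GOOSE details."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, tagged, vid, pcp = 14, False, None, None
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI = 3-bit priority, 1-bit DEI, 12-bit VLAN ID; real EtherType follows.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        tagged, pcp, vid, offset = True, tci >> 13, tci & 0x0FFF, 18
    info = {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "tagged": tagged, "vlan_id": vid, "priority": pcp,
        # VLAN ID 0 means "priority only", but the frame is still tagged on the wire.
        "priority_tagged": tagged and vid == 0,
        "is_goose": ethertype == ETH_GOOSE, "appid": None,
    }
    if info["is_goose"]:
        if len(frame) < offset + 8:
            raise ValueError("truncated GOOSE header")
        # GOOSE header: APPID, length, reserved1, reserved2 (2 bytes each).
        appid, length, _r1, _r2 = struct.unpack("!HHHH", frame[offset:offset + 8])
        info["appid"], info["length"] = appid, length
    return info

def tagged_goose_present(frames) -> bool:
    """True if any GOOSE frame carries an 802.1Q tag (VLAN ID 0 included)."""
    return any(i["is_goose"] and i["tagged"] for i in map(parse_goose_header, frames))

# Constructed sample frames (not captured traffic); MACs and APPID are made up.
_DST = bytes.fromhex("010ccd010001")   # multicast destination
_SRC = bytes.fromhex("020000000001")   # locally administered source
_HDR = struct.pack("!HHHH", 0x0001, 8, 0, 0)  # APPID 1, length 8, reserved fields 0
UNTAGGED = _DST + _SRC + struct.pack("!H", ETH_GOOSE) + _HDR
PRIO_TAGGED = (_DST + _SRC + struct.pack("!HH", ETH_8021Q, 4 << 13)  # priority 4, VID 0
               + struct.pack("!H", ETH_GOOSE) + _HDR)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("priority-tagged", PRIO_TAGGED)):
        print(name, parse_goose_header(frame))
    print("tagged GOOSE present:", tagged_goose_present([UNTAGGED, PRIO_TAGGED]))
```

If `tagged_goose_present` returns True for frames captured on the substation segment, the publishers are sending tagged GOOSE and the 'Wildcard VLAN' requirement above applies.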