FortiGate
fwilliams
Staff & Editor
Article Id 240805
Description

This article provides technical details about the forwarding domain in FortiGate’s transparent mode and how to implement it.

Scope

FortiGate v6.4, v7.2, v7.4, v7.6.
Solution

Once the FortiGate is configured in transparent mode, it behaves like a layer 2 learning bridge in the sense of IEEE 802.1D (Ethernet MAC bridging: it learns source MAC addresses and forwards frames by destination MAC). It does not participate in spanning tree, so loops through the FortiGate have to be prevented by the surrounding switches.

This means that, by default, all of its ports sit in the same broadcast domain: broadcast, multicast and unknown-unicast frames received on one port are flooded to all other ports except the one they arrived on, while frames whose destination MAC is already in the forwarding database are sent only to the port where that MAC was learned.

 

To narrow this broadcast domain (that is, to split the one large broadcast domain into several smaller ones), configure a 'forwarding domain' on the interfaces.

 

Every interface (physical or VLAN) assigned the same forwarding domain ID belongs to one broadcast domain: learning and flooding are confined to that domain, and frames are never bridged between interfaces with different IDs. Interfaces keep the default ID 0 until another one is assigned, so any interface left at 0 remains in the original, shared broadcast domain.

 

The network diagram below will be used to demonstrate this article.

 

fwilliams_0-1671902028485.png

 

Topology Description:

  • HQ-SW has interface G0/1 in VLAN100, G0/2 in VLAN200, and G0/0 as a trunk to the FortiGate.
  • Branch-SW has interface G0/1 in VLAN300, G0/2 in VLAN400, and G0/0 as a trunk to the FortiGate.
  • FGT-Transparent has port1 as a trunk to HQ-SW and port2 as a trunk to Branch-SW.
  • PC100 is in VLAN100, PC200 in VLAN200, PC300 in VLAN300 and PC400 in VLAN400.

 

With the forwarding domains configured, PC100 can communicate with PC300, because VLAN100 and VLAN300 are in the same forwarding domain (one broadcast domain): a frame entering port1 tagged VLAN100 leaves port2 tagged VLAN300, the tag of the egress VLAN interface.

In the same way, PC200 can communicate with PC400. PC100 and PC200 (or PC300 and PC400) cannot reach each other through the FortiGate, because their VLAN interfaces are in different forwarding domains and nothing is routed in transparent mode.

 

Note:

A firewall policy between the two VLAN interfaces is still required. The forwarding domain only determines which interfaces may be bridged; whether a given IP flow is actually forwarded is decided by the firewall policy, so make sure one is configured.

 

Configuration and verification:

VLAN interfaces for VLAN100, 200, 300 and 400 are created on the FortiGate (VLAN100 and 200 on port1, VLAN300 and 400 on port2).

The VLAN100 and VLAN300 interfaces are then assigned to forwarding domain 100300, so hosts in VLAN100 and VLAN300 that share the same IP subnet can reach each other.

The VLAN200 and VLAN400 interfaces are assigned to forwarding domain 200400.

The screenshots below show the configuration and the verification.

 

  1. Create the VLAN interfaces and assign a forwarding domain (ID 0 - 2147483647) to each of them.

 

fwilliams_1-1671902059343.png

 

  2. Configure the firewall policy.

 

fwilliams_2-1671902080631.png

 

  3. Verify the FDB (forwarding database):

 

diagnose netlink brctl name host <vdom_name>.b (for example root.b for the root VDOM)

 

fwilliams_3-1671902099853.png

 

  4. Sniffer (VLAN100 to VLAN300 ping).

 

fwilliams_4-1671902119745.png

 

  5. Sniffer (VLAN200 to VLAN400 ping).

 

fwilliams_5-1671902142946.png

 

  6. Ping (from 192.168.100.1 -> 192.168.100.3 and from 192.168.200.2 -> 192.168.200.4).

 

fwilliams_6-1671902152349.png
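The CLI equivalent of steps 1 to 6 above, added here as a worked example; it is not taken from the article's screenshots. It assumes the root VDOM is already in transparent mode, follows the topology above (VLAN100 and VLAN200 on port1, VLAN300 and VLAN400 on port2) and the subnets used in the ping test, and the interface and policy names are chosen for this example. Pinning port1 and port2 to their own unused forwarding domains is a hardening step that is not in the article.

```fortios
# Step 1: VLAN interfaces, paired by forwarding domain.
# VLAN100/VLAN300 share domain 100300, VLAN200/VLAN400 share domain 200400.
config system interface
    edit "VLAN100"
        set vdom "root"
        set forward-domain 100300
        set interface "port1"
        set vlanid 100
    next
    edit "VLAN300"
        set vdom "root"
        set forward-domain 100300
        set interface "port2"
        set vlanid 300
    next
    edit "VLAN200"
        set vdom "root"
        set forward-domain 200400
        set interface "port1"
        set vlanid 200
    next
    edit "VLAN400"
        set vdom "root"
        set forward-domain 200400
        set interface "port2"
        set vlanid 400
    next
    # Hardening (not part of the article): the parent ports stay in the default
    # domain 0 and would bridge untagged frames to each other. Giving each its
    # own otherwise unused ID keeps the native-VLAN traffic of the two switches apart.
    edit "port1"
        set forward-domain 1
    next
    edit "port2"
        set forward-domain 2
    next
end

# Step 2: policies. IP traffic is bridged only when a policy accepts it, and a
# policy is accepted only between interfaces of the same forwarding domain
# (VLAN100 -> VLAN200 would be refused). Add the reverse direction as well if
# sessions are also initiated from the port2 side.
config firewall policy
    edit 1
        set name "VLAN100-to-VLAN300"
        set srcintf "VLAN100"
        set dstintf "VLAN300"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "VLAN200-to-VLAN400"
        set srcintf "VLAN200"
        set dstintf "VLAN400"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Step 3: bridge FDB of the root VDOM. Each learned MAC is listed against the
# interface it was learned on; PC100's MAC should show up on VLAN100 only.
diagnose netlink brctl name host root.b

# Steps 4-6: run the pings from PC100 and PC200 and sniff one domain at a time
# (verbosity 4 prints the interface names). The request enters on VLAN100 and
# leaves on VLAN300 carrying the VLAN300 tag; nothing appears on VLAN200/VLAN400.
diagnose sniffer packet any "icmp and host 192.168.100.3" 4
diagnose sniffer packet any "icmp and host 192.168.200.4" 4
```

Keep the forwarding domain IDs unique per pair; reusing an ID that another interface already carries silently merges the two broadcast domains, which the sniffer in steps 4 and 5 would reveal as ICMP appearing on an interface it should never reach.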

 

Notes:

 

  1. If the VLAN interfaces are in different forwarding domains, inter-VLAN traffic is still possible, but the routing is performed by the upstream device (firewall, router or L3 switch). That device needs a policy allowing the inter-VLAN traffic, and the FortiGate in transparent mode needs a policy in each forwarding domain so that the traffic can reach the upstream device and come back. This is the recommended design.

 

Topology:

 

2025-03-19_13_29-001697.jpg

 

VLAN configuration on FortiGate in transparent mode:

 

config system interface
    edit "VLAN10_IN"
        set vdom "root"
        set forward-domain 10
        set device-identification enable
        set role lan
        set snmp-index 8
        set interface "LACP"
        set vlanid 10
    next
    edit "VLAN10_OUT"
        set vdom "root"
        set forward-domain 10
        set device-identification enable
        set role lan
        set snmp-index 9
        set interface "port2"
        set vlanid 10
    next
    edit "VLAN20_IN"
        set vdom "root"
        set forward-domain 20
        set device-identification enable
        set role lan
        set snmp-index 10
        set interface "LACP"
        set vlanid 20
    next
    edit "VLAN20_OUT"
        set vdom "root"
        set forward-domain 20
        set device-identification enable
        set role lan
        set snmp-index 11
        set interface "port2"
        set vlanid 20
    next
end

 

Firewall Policy on the upstream device in NAT mode:

 

Inter-vlan policy.jpg

 

Firewall Policy on the FortiGate device in Transparent mode:

 

Inter-vlan policy_2.jpg

 

  2. When a policy is created with source and destination interfaces that are in different forwarding domains on a FortiGate in transparent mode, the FortiGate rejects it with the error shown below:

     

 

Forward Domain.jpg

 

  3. While a VLAN interface is referenced by a firewall policy, its 'forward-domain' setting cannot be changed. Remove the interface from the referencing policies (or delete them) first, then change the forwarding domain and re-create the policies; otherwise the error below is shown:

 

forward-domain-error.png
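A CLI walk-through of notes 2 and 3, added as an example that is not from the article. It uses the VLAN10_IN and VLAN20_OUT interfaces of the second topology; the policy ID 20 and the policy names are assumed, and VLAN20_OUT is moved into forwarding domain 10 purely to show the procedure (in the real design it belongs in domain 20).

```fortios
# Note 2: a policy whose source and destination sit in different forwarding
# domains (10 and 20) is refused when the entry is committed with "next".
config firewall policy
    edit 0
        set name "VLAN10-to-VLAN20-invalid"
        set srcintf "VLAN10_IN"
        set dstintf "VLAN20_OUT"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Note 3: forward-domain is locked while the interface is referenced.
# List what references VLAN20_OUT, then release it from those policies.
diagnose sys checkused system.interface.name VLAN20_OUT
show firewall policy | grep -f VLAN20_OUT

config firewall policy
    delete 20
end

# With no policy referencing it, the domain change is accepted.
config system interface
    edit "VLAN20_OUT"
        set forward-domain 10
    next
end

# VLAN10_IN and VLAN20_OUT now share domain 10, so the pair that was refused
# above is accepted when the policy is re-created.
config firewall policy
    edit 20
        set name "VLAN10_IN-to-VLAN20_OUT"
        set srcintf "VLAN10_IN"
        set dstintf "VLAN20_OUT"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Deleting and re-creating a policy drops the sessions matched by it and changes its position in the policy table, so on a production unit schedule the change in a maintenance window and check the policy order afterwards.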