spathak
Staff
Article Id 191842

Description

This article describes how to configure a management IP address on a FortiGate operating in transparent mode.

Scope

FortiGate, Transparent Mode.

Solution

A FortiGate in transparent mode can be assigned a single IP address for remote management access, and multiple static routes can be configured. This is the option to use when in-band management is required.


When out-of-band management is desired (dedicated interface for remote management access), it is recommended to use a separate VDOM in NAT mode.


In-band management details and an example:
The management IP address is bound to all ports or VLANs belonging to the same VDOM (the manageip parameter creates a virtual interface '<vdom_name>.b' for this purpose).
Remote access services are subject to the same rules as in NAT mode and have to be enabled or disabled on each port.

Example of a management IP configuration in transparent mode:

 

config system settings

    set manageip 10.1.1.100/255.255.255.0
    set gateway 10.1.1.254

end

 

Note that the gateway setting is optional:

  • If it is NOT set, the firewall sends an ARP query for the IP it wants to reach through all interfaces associated with that VDOM (arp who-has <IP> tell <manageip>). As soon as the FortiGate receives an ARP reply with the MAC address corresponding to that IP, it sends the first IP packet out via the interface on which the reply arrived.
  • With the gateway IP set, the firewall sends all packets via its next-hop device. The same discovery procedure applies to the gateway IP: an ARP query is first broadcast to find which interface the gateway IP is behind, and once its MAC address has been learned, traffic generated by the FortiGate (for that transparent VDOM) is sent via that interface only.

 

Additionally:

  • Within FortiOS, a VLAN is considered a logical interface.
  • If the physical interface is not associated with the transparent VDOM in question, then the physical interface itself would not be used for the ARP query (only ARP packets with an associated VLAN tag would be sent out via such an interface).

Remote access services are enabled per interface with the allowaccess setting, for example:

config system interface

    edit <interface>

        set allowaccess ping ssh https snmp

    next

end

 

It is also possible to add a second IP address for management and additional default routes:

 

config system settings

    set opmode transparent
    set manageip 192.168.182.136/255.255.254.0 10.1.1.1/255.255.255.0

end

 

config router static

    edit 1

        set gateway 192.168.183.254

    next
    edit 2

        set gateway 10.1.1.254

    next

end

 

Note: ping-server (dead gateway detection) is not supported in transparent mode.

Out-of-band management details and example:
When VDOMs are enabled and operating in transparent mode, it is recommended to keep one VDOM (generally the root VDOM) in NAT mode, with one or more VLAN or physical interfaces dedicated to out-of-band management. This avoids L2 loops and allows more routing flexibility.

The management VDOM must have IP connectivity to the Internet so that it can communicate with the FortiGuard Distribution Servers (FDS) and retrieve service information (antivirus, IPS, FortiGuard, FortiCare, etc).
All Syslog and FortiManager communication also goes through the management VDOM.

Note:
The MAC address of the gateway can be validated by running the commands below:

 

FortiGate # show system settings

config system settings

    set opmode transparent
    set manageip 192.168.2.2/255.255.255.0
    set gateway 192.168.2.1

end

 

FortiGate # get system arp
Address Age(min) Hardware Addr Interface
192.168.2.1 0 e0:23:ff:fc:bc:07 root.b

 

FortiGate # diagnose ip arp list
index=23 ifname=root.b 192.168.2.1 e0:23:ff:fc:bc:07 state=00000002 use=307 confirm=307 update=602 ref=14

 

The Layer 2 forwarding table of the bridge (which shows the physical port on which the gateway MAC address was learned) can be viewed by running this command:

 

FortiGate # diagnose netlink brctl name host root.b

2 5 wan1 e0:23:ff:fc:bc:07 0 Hit(0)
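The checks above are done by hand on the CLI. The following Python script is an added example (not part of the Fortinet article or of FortiOS) that automates the two verifications this article describes: that every configured gateway, whether the single gateway under 'config system settings' or the per-entry gateways under 'config router static', falls inside one of the manageip subnets, and that the gateway resolved in 'get system arp' on the <vdom>.b bridge is found on a physical port in the 'diagnose netlink brctl' table. The sample configuration and command output embedded in the script are constructed from the article's examples (the second MAC address and the internal1 port are invented for the test), and the assumption that the bridge table lists the port name immediately before the MAC address is taken from the single sample line shown above.

```python
import ipaddress
import re

# Constructed sample input, modelled on the article's examples (not real device output).
SYSTEM_SETTINGS = """config system settings
    set opmode transparent
    set manageip 192.168.182.136/255.255.254.0 10.1.1.1/255.255.255.0
end
"""

STATIC_ROUTES = """config router static
    edit 1
        set gateway 192.168.183.254
    next
    edit 2
        set gateway 10.1.1.254
    next
end
"""

# 'get system arp' as shown in the article; the second row is constructed.
ARP_TABLE = """Address Age(min) Hardware Addr Interface
192.168.183.254 0 e0:23:ff:fc:bc:07 root.b
10.1.1.254 2 00:11:22:33:44:55 root.b
"""

# 'diagnose netlink brctl name host root.b' lines; the second row is constructed.
BRCTL_TABLE = """2 5 wan1 e0:23:ff:fc:bc:07 0 Hit(0)
3 7 internal1 00:11:22:33:44:55 0 Hit(0)
"""

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.IGNORECASE)


def parse_manageip(settings_text):
    """Return the manageip entries of 'config system settings' as IPv4Interface objects.
    FortiOS writes each entry as <ip>/<netmask>; several entries may follow one keyword."""
    for line in settings_text.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "set" and tokens[1] == "manageip":
            return [ipaddress.ip_interface(t) for t in tokens[2:]]
    return []


def parse_gateways(settings_text, routes_text=""):
    """Collect next hops from 'set gateway' lines: the single gateway under
    'config system settings' and/or one per entry under 'config router static'."""
    gateways = []
    for text in (settings_text, routes_text):
        for line in text.splitlines():
            tokens = line.split()
            if len(tokens) == 3 and tokens[0] == "set" and tokens[1] == "gateway":
                gateways.append(tokens[2])
    return gateways


def parse_arp(arp_text):
    """Parse 'get system arp' output into {ip: (mac, interface)}; the header is skipped
    because it does not contain a MAC address in the third column."""
    table = {}
    for line in arp_text.splitlines():
        tokens = line.split()
        if len(tokens) == 4 and MAC_RE.fullmatch(tokens[2]):
            table[tokens[0]] = (tokens[2].lower(), tokens[3])
    return table


def parse_bridge_fdb(brctl_text):
    """Parse bridge forwarding-table lines into {mac: port}.
    Assumption (from the article's sample line): the port name is the token
    immediately before the MAC address."""
    fdb = {}
    for line in brctl_text.splitlines():
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if i > 0 and MAC_RE.fullmatch(tok):
                fdb[tok.lower()] = tokens[i - 1]
    return fdb


def audit_gateways(settings_text, routes_text, arp_text, brctl_text):
    """For each configured gateway report whether it lies in a manageip subnet, which MAC
    the ARP table resolved it to, the bridge interface, and the physical port that
    learned that MAC. A gateway outside every manageip subnet can never be ARP-resolved."""
    manageips = parse_manageip(settings_text)
    arp = parse_arp(arp_text)
    fdb = parse_bridge_fdb(brctl_text)
    report = {}
    for gw in parse_gateways(settings_text, routes_text):
        gw_addr = ipaddress.ip_address(gw)
        in_subnet = any(gw_addr in m.network for m in manageips)
        mac, bridge = arp.get(gw, (None, None))
        report[gw] = {
            "in_subnet": in_subnet,
            "mac": mac,
            "bridge": bridge,
            "port": fdb.get(mac) if mac else None,
        }
    return report


if __name__ == "__main__":
    for gw, info in audit_gateways(SYSTEM_SETTINGS, STATIC_ROUTES, ARP_TABLE, BRCTL_TABLE).items():
        flag = "OK" if info["in_subnet"] and info["port"] else "CHECK"
        print(f"{flag} gateway={gw} mac={info['mac']} bridge={info['bridge']} port={info['port']}")
```

Paste the real output of 'show system settings', 'show router static', 'get system arp' and 'diagnose netlink brctl name host <vdom>.b' into the four strings to audit a device; a gateway reported with in_subnet False or port None is one the transparent VDOM cannot reach through its management IP.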