rbarnes (Staff)
Article Id 402631
Description

This article describes the configuration needed to forward traffic from a transparent mode VDOM to a routed NAT mode VDOM by using an Inter-VDOM link.

Scope

FortiGate.
Solution

In certain circumstances, there is a need to route traffic from devices in a Transparent mode VDOM to devices in a NAT mode VDOM.

 

Take, for example, the following topology:

 

[Figure: topology5nattotrans.png]

 

Below are the needed settings to route traffic from the Transparent mode VDOM to a NAT mode VDOM.

 

  1. Configure the VDOM link in the 'global' VDOM.
    1. Navigate to Network -> Interfaces -> Select 'create new VDOM link.'
    2. Ensure the 'type' is set to 'ethernet'.
    3. Note: An IP will be required on the 'root' side of the inter-VDOM link; in this example, 'nattotrans0' is the interface on the 'root' side, while 'nattotrans1' is on the transparent VDOM side.
    4. For this example, the 'nattotrans0' interface needs to be on the same subnet as the client device.

[Figure: nattotranskb0cursorrem4.png]

 

  2. In the transparent mode VDOM, configure the firewall policy.
    1. Navigate to Policy & Objects -> Firewall Policy -> Select create new.
    2. Create a firewall policy from 'port6' to 'nattotrans1'.

 

[Figure: rbarnes_0-1756241636640.png]

 

CLI configuration:

 

config firewall policy
    edit 1
        set name "port6totrans"
        set srcintf "port6"
        set dstintf "nattotrans1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

 

  3. Configure the policy in the NAT mode VDOM.
    1. Navigate to Policy & Objects -> Firewall Policy -> Select create new.
    2. Create a firewall policy from 'nattotrans0' to 'port2'.
       Note: Bi-directional policies aren't necessarily needed if traffic is only expected to originate from one direction.

 

[Figure: nattotransfixedpolicy.png]

 

CLI configuration:

 

config firewall policy
    edit 14
        set name "port2transp"
        set srcintf "nattotrans0"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

 

Traffic should now pass from behind the transparent mode VDOM (transpvdom) to the NAT mode VDOM (root).
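Step 1 above is shown only through the GUI. The following is an added example, not part of the original article, giving the equivalent CLI for creating the inter-VDOM link in the global VDOM and assigning its two ends, followed by a debug-flow check to confirm that traffic from the client leaves the transparent VDOM via 'nattotrans1'. The VDOM name 'transpvdom' and interface names come from the article; the address 192.168.1.254/24 for 'nattotrans0' and the client address 192.168.1.10 are constructed placeholders.

```fortios
# Global VDOM: create the inter-VDOM link. FortiOS creates the
# interface pair nattotrans0 / nattotrans1 automatically.
config global
    config system vdom-link
        edit "nattotrans"
            set type ethernet
        next
    end
    # Assign each end of the link to its VDOM. Only the root (NAT mode) side
    # carries an IP; 192.168.1.254/24 is a constructed placeholder on the
    # client's subnet, as required by step 1.4.
    config system interface
        edit "nattotrans0"
            set vdom "root"
            set ip 192.168.1.254 255.255.255.0
            set allowaccess ping
        next
        edit "nattotrans1"
            set vdom "transpvdom"
        next
    end
end

# Verification, run in the transparent VDOM: trace packets from the client
# (constructed address 192.168.1.10) and check that the trace reports
# the flow matching policy 1 and egressing on nattotrans1.
config vdom
    edit transpvdom
        diagnose debug flow filter addr 192.168.1.10
        diagnose debug flow trace start 10
        diagnose debug enable
    next
end
```

Stop the trace with 'diagnose debug disable' and 'diagnose debug flow trace stop' once the flow has been confirmed; if the trace shows the packet dropped before reaching nattotrans1, re-check the policy from 'port6' to 'nattotrans1' in the transparent VDOM.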