Description
This article describes the interface parameter 'vlanforward', which is set per interface:
# config system interface
    edit <interface-name>
        set type physical
        set vlanforward [enable|disable]
    next
end
Solution
'vlanforward' operates at OSI Layer 2, so it is only meaningful when the VDOM runs in Transparent (TP) mode.
In TP mode, the 'vlanforward' parameter controls what happens to an incoming VLAN-tagged packet when no VLAN interface is configured for its tag, such as:
# config system interface
    edit "VLAN_110"
        set vdom "TP"
        set interface "wan1"
        set vlanid 110
    next
end
If 'vlanforward' is enabled, the packet is forwarded out the appropriate egress port without any inspection of the traffic carried inside the VLAN-tagged packet.
If it is disabled, the packet is dropped.
If 'vlanforward' is enabled on the physical interface, the VLANs therefore cross the FortiGate without passing through any firewall policy.
To control VLAN traffic, disable 'vlanforward' and configure a VLAN interface with the specific vlanid, so that the traffic is matched against firewall policies.
'vlanforward' can also be enabled deliberately to pass through VLAN IDs for which no specific VLAN interface is configured.
Consider also the forwarding domain ('forward-domain' under 'config system interface').
By default all interfaces, VLAN interfaces included, belong to forwarding domain 0.
In transparent mode this causes broadcast and unknown-destination packets to be flooded between all interfaces and VLANs of the same VDOM.
If VLAN interfaces are defined, each is placed in its own forwarding domain and firewall policies are created between them, the FortiGate inspects the traffic up to the application layer when a security (protection) profile is attached to the firewall policy.
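The following Python script is an added example, not part of this article and not Fortinet code. It audits a FortiOS configuration dump (the text produced by 'show', whose format is visible in the snippets on this page) for the two transparent-mode pitfalls described above: interfaces in a TP VDOM that still have 'vlanforward enable', and VLAN interfaces in a TP VDOM left in the default forwarding domain 0. The VDOM name 'TP' comes from this article; the interface names and the abbreviated configuration dump are constructed for the example, and it assumes the standard 'config system settings' / 'set opmode transparent' and 'set forward-domain' CLI keywords.

```python
"""Audit a FortiOS configuration dump for the two transparent-mode pitfalls above:
'vlanforward' left enabled on interfaces and VLAN interfaces left in forward-domain 0."""
import shlex

# Constructed abbreviated dump in FortiOS 'show' format (not taken from a real device).
SAMPLE_CONFIG = """\
config vdom
    edit TP
        config system settings
            set opmode transparent
        end
    next
end
config global
    config system interface
        edit "wan1"
            set vdom "root"
            set type physical
            set vlanforward enable
        next
        edit "port1"
            set vdom "TP"
            set type physical
            set vlanforward enable
        next
        edit "VLAN_110"
            set vdom "TP"
            set interface "port1"
            set vlanid 110
        next
        edit "VLAN_120"
            set vdom "TP"
            set interface "port1"
            set vlanid 120
            set forward-domain 120
        next
    end
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI text into {path: {key: [values]}}, where path is a tuple of
    ('config', <table>) / ('edit', <entry>) frames built from config/edit/next/end."""
    objects, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # strips the quotes around names and values
        if not tokens:
            continue
        verb, args = tokens[0], tokens[1:]
        if verb == "config":
            stack.append(("config", " ".join(args)))
            objects.setdefault(tuple(stack), {})
        elif verb == "edit":
            stack.append(("edit", args[0]))
            objects.setdefault(tuple(stack), {})
        elif verb == "set":
            objects[tuple(stack)][args[0]] = args[1:]
        elif verb == "unset":
            objects[tuple(stack)].pop(args[0], None)
        elif verb in ("next", "end"):
            stack.pop()
    return objects

def transparent_vdoms(objects):
    """Names of VDOMs whose 'config system settings' carries 'set opmode transparent'."""
    tp = set()
    for path, settings in objects.items():
        if path[-1] == ("config", "system settings") and settings.get("opmode") == ["transparent"]:
            edits = [name for kind, name in path if kind == "edit"]
            tp.add(edits[-1] if edits else "root")   # single-VDOM dumps have no 'edit' frame
    return tp

def interfaces(objects):
    """Yield (name, settings) for every entry under 'config system interface'."""
    for path, settings in objects.items():
        if len(path) > 1 and path[-2] == ("config", "system interface") and path[-1][0] == "edit":
            yield path[-1][1], settings

def audit_vlanforward(config_text):
    """Return sorted (interface, finding) pairs for interfaces in transparent-mode VDOMs.
    VLANFORWARD_ENABLED: tagged frames with no matching VLAN interface cross the box uninspected.
    DEFAULT_FORWARD_DOMAIN: a VLAN interface left in forward-domain 0 floods with its neighbours.
    A 'show' dump omits settings at their default, so a missing 'vlanforward' is read as
    the 5.0.10+ default of disable."""
    objects = parse_fortios(config_text)
    tp = transparent_vdoms(objects)
    findings = []
    for name, s in interfaces(objects):
        if s.get("vdom", ["root"])[0] not in tp:
            continue                        # Layer 2 only: NAT-mode VDOMs are not affected
        if "vlanid" in s:
            if s.get("forward-domain", ["0"])[0] == "0":
                findings.append((name, "DEFAULT_FORWARD_DOMAIN"))
        elif s.get("vlanforward", ["disable"]) == ["enable"]:
            findings.append((name, "VLANFORWARD_ENABLED"))
    return sorted(findings)

if __name__ == "__main__":
    for iface, finding in audit_vlanforward(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Run against the constructed dump, the script flags 'port1' (vlanforward enabled in the TP VDOM) and 'VLAN_110' (no forward-domain set), while 'wan1' is ignored because its VDOM runs in NAT mode and 'VLAN_120' passes because it has its own forwarding domain. Because the dump format omits default values, a device upgraded from a release whose default was 'enable' shows the setting explicitly, which is exactly what the audit looks for.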
The parameter is defined in the FortiOS CLI Reference, version 5.4.1, as follows:
'vlanforward' = Enable/disable VLAN forwarding.
The default value is disable.
The 'vlanforward' default setting has been modified for security reasons, so a physical interface now shows:
# config system interface
    edit "wan1"
        set vdom "root"
        set allowaccess ping fgfm
        set type physical
        set snmp-index 2
        set vlanforward disable
    next
end
The default setting was previously 'enable'.
With 'vlanforward' enabled on all interfaces of a TP-mode VDOM, VLAN-tagged traffic passes through the FortiGate uninspected even when no firewall policy is configured.
Because this introduced a potential security issue, the default was changed to 'disable' starting with firmware version v5.0.10.
The value of the parameter is not modified by an upgrade: an interface that had 'vlanforward' enabled before the upgrade keeps it enabled and must be changed explicitly.