FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mribbans_FTNT
Description

This article describes an issue that may be encountered when configuring a Virtual Wire Pair on a Fortigate firewall whereby tagged VLAN traffic (dot1Q) is not allowed to pass.

Scope All FortiGates.
Solution

If tagged VLAN traffic is to pass through a virtual wire pair it is necessary to enable an option for this to occur, otherwise this traffic is dropped (and cannot be seen in a sniffer).

 

The required option is as follows:

 

# config system virtual-wire-pair

    edit <name_of_virtual_wire_pair>

      set wildcard-vlan enable

 

This can be further filtered to permit only the VLANs that should pass through the wire pair:

 

E.g. to only permit VLANs 100 & 200:

 

set vlan-filter <100,200>

 

Or, to allow ALL VLANs, set the range to the full permissible range of VLANs (0 to 4094) as follows:

 

set vlan-filter <0-4094>

 

Virtual Wire Pairs:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/768211/virtual-wire-pairs