Created on 05-04-2022 10:17 PM Edited on 02-05-2024 09:07 AM By Stephen_G
Description
This article describes an issue that may be encountered when configuring a Virtual Wire Pair on a FortiGate firewall, whereby 802.1Q-tagged VLAN traffic is not allowed to pass.
Scope
All FortiGates.
Solution
By default, a virtual wire pair only forwards untagged frames. If tagged VLAN traffic is to pass through the pair, an option must be enabled explicitly; otherwise this traffic is silently dropped and does not even appear in a packet sniffer on the FortiGate.
The required option is as follows:
# config system virtual-wire-pair
    edit <name_of_virtual_wire_pair>
        set wildcard-vlan enable
    next
end
This can be further filtered to permit only the VLANs that should pass through the wire pair. For example, to permit only VLANs 100 and 200:
    set vlan-filter <100,200>
Or, to allow ALL VLANs, set the filter to the full permissible range of VLAN IDs (0 to 4094):
    set vlan-filter <0-4094>
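The following is an added example, not code from the article or from Fortinet: a small Python model of the forwarding behaviour described above, useful for checking a vlan-filter value before it is applied (every ID within 0-4094, ranges not reversed) and for reasoning about which frames a given combination of wildcard-vlan and vlan-filter will let through. The filter syntax assumed here (comma-separated IDs and inclusive "a-b" ranges) is taken from the two examples on this page; the rule that an empty filter with wildcard-vlan enabled passes all tagged frames is an assumption about the "further filtered" wording, and the render_cli helper simply prints the CLI block from the article.

```python
from typing import Optional, Set

# Full permissible VLAN ID range stated in the article.
VLAN_MIN, VLAN_MAX = 0, 4094


def parse_vlan_filter(filter_str: str) -> Set[int]:
    """Expand a vlan-filter value such as "100,200" or "0-4094" into a set of VLAN IDs.

    Assumed syntax: comma-separated entries, each a single ID or an inclusive "lo-hi" range.
    Raises ValueError for reversed ranges or IDs outside 0-4094, so a typo is caught
    before the filter reaches the firewall.
    """
    allowed: Set[int] = set()
    for part in filter_str.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(part)
        if lo > hi:
            raise ValueError(f"reversed range: {part}")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN ID outside {VLAN_MIN}-{VLAN_MAX}: {part}")
        allowed.update(range(lo, hi + 1))
    return allowed


def frame_passes(wildcard_vlan: bool, filter_str: str, vlan_tag: Optional[int]) -> bool:
    """Model whether one frame crosses the virtual wire pair.

    vlan_tag is None for an untagged frame, otherwise the 802.1Q VLAN ID.
    - Untagged frames always pass.
    - Tagged frames are dropped unless wildcard-vlan is enabled (the article's issue).
    - With wildcard-vlan enabled, an empty filter passes every VLAN (assumption);
      a non-empty filter acts as an allowlist.
    """
    if vlan_tag is None:
        return True
    if not wildcard_vlan:
        return False
    if not filter_str.strip():
        return True
    return vlan_tag in parse_vlan_filter(filter_str)


def render_cli(pair_name: str, filter_str: str = "") -> str:
    """Render the FortiOS CLI block from the article for the given pair name and filter."""
    lines = [
        "config system virtual-wire-pair",
        f"    edit {pair_name}",
        "        set wildcard-vlan enable",
    ]
    if filter_str.strip():
        # Validate first so a bad filter never makes it into the rendered config.
        parse_vlan_filter(filter_str)
        lines.append(f"        set vlan-filter {filter_str}")
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: allow only VLANs 100 and 200 on a pair called "vwp-dmz".
    print(render_cli("vwp-dmz", "100,200"))
    for tag in (None, 100, 200, 300):
        print(f"tag={tag!s:>4} -> {'pass' if frame_passes(True, '100,200', tag) else 'drop'}")
```

Run it to see the rendered block and a pass/drop decision for an untagged frame and for VLANs 100, 200 and 300; the last one is dropped, which is the allowlist working as intended rather than the symptom the article describes.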
Related document: Virtual Wire Pairs: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/768211/virtual-wire-pairs
Copyright 2024 Fortinet, Inc. All Rights Reserved.