This article describes how to deploy a FortiGate VM HA setup in NAT and in Transparent mode.
The HA FortiGate VM in this article is deployed in Azure, but the steps described apply to any FortiGate VM HA deployment in any cloud or virtual environment.
1) First deploy the FortiGate VM in NAT/routed operation mode as an active-passive HA cluster. Refer to the links below to learn how to do that in cloud infrastructure:
AWS:
AZURE:
GCP:
2) For the VMware ESXi hypervisor, it is necessary to first configure the VMware ESXi server's virtual switches to operate in promiscuous mode to allow traffic that is not addressed to the FortiGate VM to pass through it.
https://docs.fortinet.com/document/fortigate-private-cloud/7.4.0/vmware-esxi-administration-guide/64....
3) Once the HA setup in NAT mode is deployed, run the following configuration in the CLI to convert the FortiGate into Transparent mode:
config system settings
set opmode transparent
Before saving it using 'end', set up a way to access the FortiGates once they are in Transparent mode.
A-> Management IP (Mandatory): configure a Management IP when converting the VMs into Transparent mode:
B-> HA management interface (Optional): it is possible to configure the HA management interface to access the GUI/SSH of each cluster unit individually in Transparent mode:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface/ta-p/1901...
4) Finally, type 'end' in the CLI to convert the FortiGates into Transparent mode. Sometimes the following error will occur:
To resolve this issue, simply delete any aggregate, Hardware/software switch, FortiLink, or other kinds of interface clustering/zones. See this article for more information: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Change-from-NAT-to-transparent-mode-when-F....
Verification:
'get system status' can be used to verify that the FortiGate VM is now in Transparent mode. The steps above only need to be performed on the primary unit, because HA takes care of the configuration sync.
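The CLI sequence for steps 3 and 4 written out in full, as an added example that is not taken from the original article. The interface name port4 and all addresses are constructed placeholders, and the lines starting with '#' are annotations rather than CLI input.

```fortios
# Optional (B): reserve an interface for per-unit management.
# Done first, while the cluster is still in NAT mode.
# "port4" and 10.0.4.1 are placeholders for this example.
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.1
        next
    end
end

# Mandatory (A): change the operation mode and set the management IP
# inside the same block, so the unit stays reachable after 'end'.
# 10.0.1.10 and 10.0.1.1 are placeholders for this example.
config system settings
    set opmode transparent
    set manageip 10.0.1.10/255.255.255.0
    set gateway 10.0.1.1
end

# Verification: check the operation mode reported by the unit,
# then the HA state of the cluster.
get system status
get system ha status
```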