avilt
New Contributor

Access Rules Setup

I have an FG100F firewall and I need to connect 10 systems to the firewall directly without a switch; all systems are in the same subnet. I need to enforce access among these 10 systems. Can it be achieved in transparent mode?

sjoshi
Staff

Dear avilt,

Thank you for posting to the Fortinet Community Forum.

Problem Description:-
You want to connect 10 systems directly to the firewall and need reachability between them.

Do all the systems need to be in the same subnet?

If yes, then you can configure a hardware switch, add all the interfaces to the hardware switch, and configure the same subnet on all 10 systems. This can be achieved in NAT mode.

Else, if they need to be in different subnets, then you can create a policy between the interfaces; this can also be achieved in NAT mode.

Transparent mode
Transparent mode is so named because the device is effectively transparent: it does not appear on the network in the way that other network devices show as nodes in the path of network traffic. Transparent mode is typically used to apply FortiOS features such as Security Profiles on a private network where the FortiGate unit will be behind an existing firewall or router.

These are some of the characteristics of transparent mode:

The FortiGate unit is invisible to the network.
All of its interfaces are on the same subnet and share the same IP address.
The FortiGate unit uses a Management IP address for the purposes of Administration.
Still able to use NAT to a degree, but the configuration is less straightforward.


In transparent mode, you can also perform NAT by creating a security policy or policies that translate the source addresses of packets passing through the FortiGate unit, as well as virtual IP addresses and/or IP pools.

Let us know if this helps.

Thanks

Salon Raj Joshi
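The NAT-mode layout the reply describes, as an added example that is not part of the original post: two hardware switches for two groups of five hosts, each group on its own subnet, with a firewall policy controlling traffic between the groups. The port names, subnets, interface names and the "sw0" physical-switch name are assumptions for an FG-100F and should be checked against the unit.

```text
# Added example, not from the thread. Port names, subnets and the
# "sw0" physical-switch name are assumptions; verify them with
# "get system interface physical" before applying.
config system interface
    edit "lanA"
        set vdom "root"
        set type hard-switch
        set ip 192.168.1.254 255.255.255.0
    next
    edit "lanB"
        set vdom "root"
        set type hard-switch
        set ip 192.168.2.254 255.255.255.0
    next
end
config system virtual-switch
    edit "lanA"
        set physical-switch "sw0"
        config port
            edit "port1"
            next
            # ... add port2 to port5 the same way
        end
    next
    edit "lanB"
        set physical-switch "sw0"
        config port
            edit "port6"
            next
            # ... add port7 to port10 the same way
        end
    next
end
# Hosts inside one group reach each other directly (same subnet, switched).
# Traffic between the two groups is dropped unless a policy permits it:
config firewall policy
    edit 1
        set name "lanA-to-lanB"
        set srcintf "lanA"
        set dstintf "lanB"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Sessions initiated from lanB towards lanA need their own policy; the one above only allows sessions started on the lanA side (replies are matched statefully).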
ataro
New Contributor II

Thank you.

a) How to configure hardware switch? Are you referring to Transparent mode?

b) I do not have NAT requirements. If I want to put 10 systems in two groups (two subnets, 5 systems in each subnet), is it possible to connect all of them to the firewall in transparent mode and define policies?

sjoshi

Hi,

In transparent mode, all of its interfaces are on the same subnet and share the same IP address.

So you need to define the same subnet for all 10 systems.

Since they will be in the same subnet, a policy is not required.

Also, for the hardware switch: it will be available by default on the new FGT.

Thanks

Salon Raj Joshi
ataro
New Contributor II

Please clarify the following statement

Since they will be in the same subnet, a policy is not required.

sjoshi

Hi,

All the systems will be in the same subnet.

Which means

System1:- 192.168.1.1/24

System2:- 192.168.1.2/24

System3:- 192.168.1.3/24

And in transparent mode, the FGT will be working as a layer 2 device, so if you send a ping request from S1 to S2, by default the traffic will be reachable.

Thanks

Salon Raj Joshi
ataro
New Contributor II

But if you define access policies, the traffic can be restricted, right?
