Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Umesh
Contributor

Created on ‎08-02-2022 11:04 PM

Fortigate Transparent mode (Operating in transparent mode)

Hi Everyone,

 

I hope you are doing great,

 

Today I was doing a lab in FortiGate firewall in transparent mode, I have seen while configuring it in transparent mode - 

config system settings
set opmode transparent
set manageip 192.168.2.1 255.255.255.0
set gateway 192.168.2.100

After that, I saw that all the policies has been lost after changing the mode NAT to transparent mode.

however, I have gone through FortiGate docs the definition is the of transparent mode -

In Transparent mode, Fortigate Firewall is installed between the internal network and router. I will make you in the below screenshots, and one more thing In transparent mode even I can't configure the network for multiple interface/ IP addresses,  could you please make me understand why transparent mode deployed an internal network without subnets and why, please find the below snapshots what I have desinged.

transparent1.JPGtransparent2.JPGtransparent3.JPGtransparent4.JPGtransparent5.JPG

 

Even the NAT option is not available here.

 

Waiting for your response. 

 

Thank you.

 

Labels:
21302
0 Kudos
5 REPLIES 5
akristof
Staff
Staff

Created on ‎08-02-2022 11:37 PM

Hi,

Here is the dedicated document on transparent mode:

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/5aa37c8a-1a11-11e9-9685-f8bc12...

Just to summarize it. Transparent mode does not do any changes to packets, like NAT, it is just forwarding them from one interface to other and inspecting traffic. As said, it is usually installed between 2 routers, where you don't want to change routing, you just want to transparently inspect traffic.

Adrian
21293
0 Kudos
kcheng
Staff
Staff

Created on ‎08-03-2022 02:58 AM

Hi @Umesh 

 

As mentioned by Adrian, transparent mode FortiGate behaves differently compared to NAT mode FortiGate. On Transparent mode FortiGate, the only IP address that you can configure would be a management IP. Most L3 features that are available in NAT mode FortiGate would not be available in Transparent mode. You may refer to the following document for feature comparison:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/62428/transparent-mode-features

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
21284
0 Kudos
Umesh
Contributor
In response to kcheng

Created on ‎08-04-2022 12:53 AM

Hi Cheng,

 

In which situation do we deploy FortiGate as a transparent mode? 

I have gone though below defination - 

In transparent mode, the FortiGate is installed between the internal network and the router. In this mode, FortiGate does not make any changes to IP addresses and only applies security scanning to traffic. When a FortiGate is added to a network in transparent mode, no network changes are required, except to provide the FortiGate with a management IP address. transparent mode is used primarily when there is a need to increase network protection but changing the configuration of the network itself is impractical.

 

but couldn't understand clearly could please make me understand in layman's term?

 

Thank you

21273
0 Kudos
kcheng
Staff
Staff
In response to Umesh

Created on ‎08-04-2022 02:25 AM

Hi @Umesh 

 

In layman term, transparent mode FortiGate is like a Layer 2 device. Hence, majority of the layer 3 features would not be available in transparent mode. In L3(NAT) deployment, the outside interface and internal interface IP subnet would need to be assigned with different subnet. However, in transparent mode, the upstream device (ISP Router/Switch and etc) would have the same IP range with the internal hosts. Hence, if you do not want to modify the IP subnet design on the network, that would be when you should use transparent mode FortiGate as it would require you to make no changes on the upstream and downstream devices.

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
21267
Debbie_FTNT
Staff
Staff
In response to kcheng

Created on ‎08-04-2022 09:11 AM

To make it even more layman's terms:

You can think of a transparent FortiGate as a switch with firewall features.

It has a single (management) IP, should not be doing any routing, and is essentially invisible to network devices unless it is blocking something.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
21257
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.