Support Forum
CourtK
New Contributor

Cannot access FTG in Transparent Mode

Hi,

I have the Fortigate in transparent mode and connected between our ASA and core Layer 3 switch. Traffic is going through the Fortigate. However, I'm not able to access or ping it (10.3.2.10) from my computer (10.1.1.57). I'm able to access and ping the ASA from my computer. My computer is on VLAN 100 and the ASA and Fortigate are on VLAN 200. The Fortigate has a route 0.0.0.0 to the ASA 10.3.2.1. How can I manage the Fortigate from my computer?


Thank you,

Courtney


8 REPLIES
emnoc
Esteemed Contributor III

I don't think that will work. The ASA is on the outside, so you will need a host of firewall policies allowing the traffic through and back in. What happens if you use the L3 switch that's on the inside?


Another option is to use a unique interface and plug that into a management vlan.

PCNSE NSE StrongSwan
CourtK
New Contributor

I should have stated that the layer 3 switch has several layer 2 switches directly connected to it. The layer 3 switch is the gateway to many VLANs. I figured I couldn't have the Fortigate between the layer 3 switch and one of the layer 2 switches and be able to monitor/throttle the entire network.

CourtK
New Contributor

I set up a switch port near my desk with VLAN access ID 200 and attached a laptop to it with the correct IP. This allows me to manage the Fortinet from my desk. This is a temporary setup until we move the Fortinet into NAT mode in a couple of months.

CourtK
New Contributor

Does it matter what the management port IP is?  Does it have to match the subnet (10.3.2.0) of the traffic that it's checking?

Jeff_FTNT

Yes, the management IP needs to be in the same subnet as 10.3.2.0/24. Thanks

ckibbe@lafilm.edu wrote:

Does it matter what the management port IP is?  Does it have to match the subnet (10.3.2.0) of the traffic that it's checking?

Jeff_FTNT
Staff

You may try setting up the FGT like this:

config router static
    edit 2
        set dst 10.1.1.0/23
        set gateway 10.3.2.3
    next
end

On the VLAN interface connected to "10.3.2.3":

"set allowaccess ping https ssh http snmp telnet"

Hope it works.

ashukla_FTNT
Staff

There is no VLAN interface for management, and the switch will send tagged packets, so the firewall will not reply.

You can do the following:


Give the firewall a management IP under config system settings from an unused subnet, say 1.1.1.1/24, and configure an IP in the same subnet on the Layer 3 switch, say 1.1.1.2/24:

config system settings
    set manageip 1.1.1.1/24
    set gateway 1.1.1.2
end


Either connect another cable to the firewall and configure the switch port with the 1.1.1.2 address, or configure the switch in such a way that it sends traffic to 1.1.1.1 untagged on the same interface.


The most important point is that the management traffic request should go untagged.


The firewall management IP can be in any subnet, irrespective of the connected subnet, as management is different from traffic forwarding.

ashukla_FTNT
Staff

Does it matter what the management port IP is? Does it have to match the subnet (10.3.2.0) of the traffic that it's checking?


No, it doesn't matter. For forwarding traffic in transparent mode, the firewall looks only at the destination MAC address; it doesn't look at the IP header for forwarding. For security functions like policy checks and UTM, it will look at the IP layer and other layers, but packet forwarding happens only by looking at the MAC address.


So the management IP can be anything, irrespective of the network where the firewall is connected. As long as you can route the traffic toward the management IP network and the gateway is set, firewall management will work.


If you try the way I mentioned earlier, I am pretty sure it should work.
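The approach from ashukla_FTNT's replies, written out as one FortiOS CLI configuration for the thread's topology (added here as an illustration; it is not configuration from the original posts or from Fortinet). It uses the thread's management subnet and gateway, and adds the two hardening steps neither reply covers: trimming the interface's allowaccess list to encrypted services and pinning the admin account to the workstation subnet. The interface name "port1" and the admin account name "admin" are assumptions.

```text
# Management IP on its own subnet, separate from the 10.3.2.0/24 traffic being
# inspected (thread values). 1.1.1.0/24 is publicly routed; an unused RFC 1918
# range is the better choice in practice.
config system settings
    set manageip 1.1.1.1/24
    set gateway 1.1.1.2
end

# "port1" (assumed name) is the port the L3 switch reaches with UNTAGGED frames,
# as ashukla_FTNT stresses. Jeff_FTNT's list also enabled http, snmp and telnet;
# those send credentials or community strings in clear text, so leave them off.
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end

# Only the workstation subnet (VLAN 100, 10.1.1.0/23 from the thread) may reach
# the admin account; management from the ASA side or anywhere else is refused.
config system admin
    edit "admin"
        set trusthost1 10.1.1.0 255.255.254.0
    next
end
```

With the gateway set to the L3 switch at 1.1.1.2, replies to 10.1.1.57 are routed back through the switch, so no per-subnet static route is needed for this layout.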
