Deployment options for FortiGate

I haven't touched a Fortinet firewall yet; most of my experience is with other manufacturers, most recently Palo Alto. One of the things I really like about the Palo Altos is the ability to install it in a transparent layer-2 bridge, v-wire in Palo speak. In this mode it will inspect traffic and enforce firewall policies for the native untagged and also tagged VLANs when configuring aggregate virtual interfaces based on the VLAN tag.

Do the FortiGate firewalls allow for a similar L2 deployment, staying out of the routing game? I'm asking as my current Palo account team at work can only get VM licenses, and I don't want to keep an infrastructure or even a single host up to run a virtual firewall. So I'm interested in switching to Fortinet and learning more about the hardware. With the 90G being introduced earlier today and seeing that it has two SFP+ ports, this could nicely supplant my PA-820.


Hi @taxo00


In Transparent mode, the FortiGate is installed between the internal network and the router. In this mode, the FortiGate does not make any changes to IP addresses and only applies security scanning to traffic. When a FortiGate is added to a network in Transparent mode, no network changes are required, except to provide the FortiGate with a management IP address. Transparent mode is used primarily when there is a need to increase network protection but changing the configuration of the network itself is impractical.

In NAT/Route mode, a FortiGate unit is installed as a gateway or router between two networks. This allows the FortiGate to hide the IP addresses of the private network using network address translation (NAT).

A VLAN configured on a physical port is used to classify a packet in a broadcast domain in ingress and to tag a packet in egress. A VLAN on the FortiGate conforms to the standard 802.1q. 

When the FortiGate unit receives a VLAN-tagged packet at a physical interface, it directs the packet to the VLAN subinterface with the matching VLAN ID. The VLAN tag is removed from the packet, and the FortiGate unit then applies security policies using the same method it uses for non-VLAN packets. If the packet exits the FortiGate unit through a VLAN subinterface, the VLAN ID for that subinterface is added to the packet and the packet is sent to the corresponding physical interface.
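The Transparent mode plus VLAN subinterface setup described above, written out as FortiOS CLI. This is an added illustration, not a config from the original post or from Fortinet; the port names, VLAN ID 100, the management IP and the single "root" VDOM are assumptions for a unit bridging port1 (inside) and port2 (outside), with only the explicitly permitted flows crossing the bridge.

```text
# Assumed: single-VDOM unit, port1 faces the inside switch, port2 faces the router.
# Switch the unit to Transparent mode; the only IP it needs is for management.
config system settings
    set opmode transparent
    set manageip 192.168.10.99/24
end

# One VLAN subinterface per physical port for each tagged VLAN to be bridged.
# Tag 100 is stripped on ingress, policy is applied, and re-added on egress.
config system interface
    edit "port1-v100"
        set vdom "root"
        set interface "port1"
        set vlanid 100
    next
    edit "port2-v100"
        set vdom "root"
        set interface "port2"
        set vlanid 100
    next
end

# Policies are evaluated per subinterface pair; anything not matched is dropped.
# Policy 1 bridges tagged VLAN 100, policy 2 bridges the native untagged traffic.
config firewall policy
    edit 1
        set name "v100-inside-to-outside"
        set srcintf "port1-v100"
        set dstintf "port2-v100"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "native-inside-to-outside"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Return traffic from port2 to port1 needs its own policy in the reverse direction, and security profiles (IPS, AV, web filter) are attached to these policies the same way as in NAT/Route mode.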
