eferreira_FTNT

FOS 5.2 transparent mode module

Hi, This is a recording of the first draft of the transparent mode module for FOS 5.2: https://www.brainshark.com/fortinet/vu?pi=zGJzT1BNYzJRhMz0 You are more than welcome to watch it and share your comments and feedback in the forum. Regards, Edy
1 Solution
ede_pfau
Esteemed Contributor III

Thanks for the preview.

Some things where I got stuck:

You talk about "MAC addresses" often. I wonder why you avoid mentioning the OSI layer model, Layer 2 and 3.

 

pg 4. NAT mode: "FortiGate ports have IP addresses." ... which certainly is not true - they don't need to have addresses. Rather, "Ports need to have unique IP addresses, if any."

pg 5. It really would be enlightening if you could clarify whether a TP-mode FGT is a switch or a hub. All doc examples only show 2 ports active, which doesn't allow this distinction to be made. Later on, on pg. 6, you start talking about it being a bridge, then drop that in favor of "switch". As bridges are nearly extinct today I'd feel more comfortable with "switch".

One property of a switch is that it will forward a packet only to the port which has previously seen the destination's MAC address. If the destination MAC is not yet known a switch has to broadcast an ARP request to all ports. So, eventually, a switch can also connect collision domains.

"Forwarding domain" pg7-9: IMHO forwarding broadcasts from one VLAN to all ports is correct behavior as a VLAN has the explicit advantage NOT to tie VLAN members to one physical segment. I assume that's why this is the default way VLAN broadcasts work in FortiOS. You elaborate that this might have disadvantages in large networks which is a corner case in my opinion - connectivity before efficiency. At least, the student should not get the impression that without defining forwarding domains VLANs are not correctly set up.

diag command: only 16 seconds are not sufficient to explain the data which you can obtain from the output, which is a pity. As we all know, diag commands are essential, and essentially not undocumented.

 


Ede

"Kernel panic: Aiee, killing interrupt handler!"

Mark_Oakton
Contributor

Thanks, it's useful.
Infosec Partners
MatthewSabin

Good overview. Thanks!

 

I would like more detail in how to configure and troubleshoot.
