I'm working with a firewall in transparent mode and I want to use hardware switches to give more flexibility and simplify the config when I need to change the physical port.
Before that we define each VLAN on the input physical port and the output physical port, put the same VLANs in the same forward domain, and make the firewall policies. So if we need to change any physical port, we need to redefine all VLANs on the new port and change all policies.
To replace that I will define 2 hardware switches, one for input and one for output, define the VLANs over each hardware switch and put the same VLANs in the same forward domain.
If I need to change the port, this task will be very easy: only add the new port to the hardware switch and delete the old one; no more changes will be needed.
Does this configuration have any performance limitation or issue? Am I missing something?
Hello @DamianE,
Thank you for reaching out.
As per my understanding, a firewall in transparent mode does not make any changes to packets; it acts like a bridge and just forwards them from one port to another and performs inspection.
You would consider the firewall as another switch from a network perspective, configured in the middle with trunk ports.
Switch > trunk<Firewall>trunk<Switch
If you change a port on the physical switch, you will need only to configure the VLAN on that new port.
You assign the VLANs that you want to communicate to each other to the same forwarding domains (broadcast domain) and they will be able to communicate. As long as the forwarding domain for that VLAN remains the same there is no issue.
Regarding limitations, what would be the expected traffic to pass through the firewall?
Does it exceed the available bandwidth on the ports?
Regards!
Thanks @dbu for your reply, maybe I didn't explain my idea well.
For example, if I have your topology:
Switch > trunk<Firewall>trunk<Switch
On the left side of the firewall I have port 1 and on the right port 2... so if the trunk port carries 20 VLANs, I need to define 20 VLANs on port 1 and 20 on port 2. And then in the policies I need to declare those VLAN interfaces as source or destination interfaces... if I have 50 policies, there are 100 definitions.
OK, if for some reason I need to change port 1 to port 5, I need to redeclare the 20 VLANs over port 5 and then change all the associated policies, so I have to make over 30-40 configuration changes.
Well, if instead of using a physical port I use a hardware switch with one port, the declaration of the VLANs would be done on the hardware switch. So if you had to change port 1 for port 5, you would only have to add port 5 to the hardware switch; you would not have to redeclare the VLANs, and you would not have to modify the policies since the interface names would not change. So it would only be 1 configuration change and not 30-40.
The question is whether the use of hardware switches has any performance difference or limitation compared to using the direct single port... or any special consideration.
I want to simplify the configuration tasks but not at the cost of a performance reduction... that is why I'm consulting.
Regards
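As an added illustration of the approach described in the post above (constructed for this page, not configuration posted by anyone in the thread), the following FortiOS CLI fragment binds the VLAN interfaces to two single-member hardware switches, so a later port swap touches only the switch membership. The switch names (hw-in, hw-out), port numbers, VLAN ID and policy are assumptions; exact CLI syntax differs between FortiOS versions and models (on some versions the matching `type hard-switch` interface entry must be created before the virtual-switch entry), so check it against your unit before applying. The `#` lines are explanatory and are not FortiOS syntax.

```fortios
# Constructed example: FortiGate in transparent mode, VLANs bound to
# hardware switches instead of to physical ports. Names are assumptions.

config system settings
    set opmode transparent
end

# One hardware switch per side, each with a single member port for now.
config system virtual-switch
    edit "hw-in"
        set physical-switch "sw0"
        config port
            edit "port1"
            next
        end
    next
    edit "hw-out"
        set physical-switch "sw0"
        config port
            edit "port2"
            next
        end
    next
end

# VLAN interfaces are children of the hardware switch, not of port1/port2.
# Both sides of VLAN 10 share forward-domain 10 so the firewall bridges
# them; a VLAN left in a different forward domain is not bridged.
config system interface
    edit "vlan10-in"
        set vdom "root"
        set interface "hw-in"
        set vlanid 10
        set forward-domain 10
    next
    edit "vlan10-out"
        set vdom "root"
        set interface "hw-out"
        set vlanid 10
        set forward-domain 10
    next
end

# Policies reference the VLAN interface names, which never mention a port.
# Inspection (here the built-in "default" IPS sensor) is applied per VLAN.
config firewall policy
    edit 1
        set name "vlan10-in-to-out"
        set srcintf "vlan10-in"
        set dstintf "vlan10-out"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ips-sensor "default"
    next
end

# Moving the inside trunk from port1 to port5 later changes only the switch
# membership; vlan10-in, forward-domain 10 and policy 1 stay as they are.
config system virtual-switch
    edit "hw-in"
        config port
            delete "port1"
            edit "port5"
            next
        end
    next
end
```

After the swap, `diagnose netlink brctl name host <bridge>` style checks on the bridge/forward-domain and a quick look at the policy table confirm that only the port membership moved; the VLAN objects and policy references are unchanged, which is the whole point of the layout.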
Thank you for clarifying @DamianE.
Now I think it is clear for me too.
In this case I believe you will only get better from what you had. A hardware switch does not use CPU; traffic is forwarded directly between the ports on the FortiGate. So I believe this will provide better performance and ease of configuration.
Cheers!