Support Forum
Rifqi
New Contributor II

Limitation using Transparent Mode on Fortigate

Hi guys, I'm a new FortiGate user.

I want to know: if we implement FortiGate in transparent mode, what limitations do we get?

Or is there any documentation I can read before I implement FortiGate transparent mode?

 

Appreciate your feedback,

Thank you.

#Fortigate #Transparent Mode

1 Solution
johnsmith3321
New Contributor II

Transparent mode is a valuable feature of FortiGate firewalls that allows them to be easily integrated into existing networks without requiring any changes to the network topology or IP addressing. However, it's important to be aware of the limitations of transparent mode before deploying it in your network.

Limitations of Transparent Mode:

  1. Limited Layer 3 Features: Transparent mode operates at Layer 2 of the OSI model, which means it doesn't have access to Layer 3 information like IP addresses or routing tables. Consequently, features like NAT, VPN, and certain security features like IP reputation filtering may not be available or fully functional in transparent mode.

  2. Limited Visibility and Troubleshooting: Transparent mode can make it challenging to track and troubleshoot network traffic issues. Since the FortiGate doesn't act as a router, it doesn't have the same level of visibility into network traffic as it would in routing mode.

  3. Increased Complexity for Complex Networks: In complex networks with multiple VLANs or routing domains, transparent mode can add complexity to the network management and troubleshooting process.

  4. Potential Performance Impact: Transparent mode may impact network performance, especially in high-traffic environments. The additional processing overhead of inspecting traffic at Layer 2 can introduce latency and reduce overall throughput.

Considerations for Transparent Mode Deployment:

  1. Network Simplicity: Transparent mode is best suited for simple networks with minimal VLANs or routing domains where ease of deployment is a priority and Layer 3 features aren't essential.

  2. Security Requirements: If you require advanced security features like VPN, IPSec, or sophisticated traffic filtering based on IP addresses or protocols, routing mode may be a better option.

  3. Performance Considerations: In high-traffic environments, transparent mode may impact network performance. Evaluate your network's bandwidth and traffic patterns before deploying transparent mode.

  4. Troubleshooting and Visibility: If you need detailed network visibility and troubleshooting capabilities, routing mode may provide a better overview of network traffic and facilitate easier troubleshooting.

  5. Network Management Complexity: For complex networks with multiple VLANs or routing domains, transparent mode may add complexity to the network management process. Consider the impact on network management before deploying transparent mode in such environments.

Recommendations:

  1. Thorough Evaluation: Carefully evaluate your network's requirements and limitations before deciding whether transparent mode is the right choice for your environment.

  2. Performance Testing: If performance is a concern, conduct performance testing to assess the impact of transparent mode on your network's throughput and latency.

  3. Documentation and Training: Ensure proper documentation of the network configuration and provide adequate training to network administrators to effectively manage and troubleshoot networks in transparent mode.

  4. Consider Alternative Deployment Methods: Explore alternative deployment methods like routing mode or a combination of transparent and routing modes to suit specific network segments and requirements.

By carefully considering the limitations and recommendations, you can make an informed decision about whether transparent mode is the most suitable deployment option for your FortiGate firewall and network environment.


Dongkwan
Staff

Hi Rifqi,

 

  • Do not connect two ports to the same VLAN on a switch or to the same hub. Some Layer 2 switches become unstable when they detect the same MAC address originating on more than one switch interface or from more than one VLAN.
  • If you operate multiple VLANs on your FortiGate unit, assign each VLAN id to its own forwarding domain to ensure that the scope of the broadcast does not extend beyond the VLAN it originated in.

 

Please check the useful links below.

https://docs.fortinet.com/document/fortigate/6.4.0/best-practices/626611/transparent-mode

https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/302871/transparent-mode

Kwan
Rifqi
New Contributor II

Hi Kwan,

 

Thanks for the useful links you shared, I'm still reading them.

 

AlexC-FTNT
Staff

Transparent mode checks and forwards the traffic while the unit remains transparent/invisible to the network. This also means it performs no routing (no SDWAN, no VPN, not possible to address it on another IP/interface other than the management IP). UTM profiles can be used, but that is almost all that can be set up.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Rifqi
New Contributor II

Hi Alex,

 

So when we use transparent mode, we cannot set up SD-WAN, an SSL VPN gateway or put IP addresses on interfaces, but we can still set up IPS, web filtering, etc. in policies/rules?

AlexC-FTNT

Yes, correct. FortiGate in transparent mode can't terminate or initiate a connection by itself, except through management interface. It's not a very utilized mode as it is quite restricting on the capabilities of the unit.

 

Here's one more discussion you may want to check:
https://community.fortinet.com/t5/Support-Forum/Fortigate-Transparent-mode-Operating-in-transparent-...


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
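The advice in Dongkwan's and Alex's replies above, as a FortiOS CLI fragment added here for illustration (it is not from the thread or from Fortinet's documentation): one forwarding domain per VLAN id, the management IP as the only addressable IP, and a policy that still applies IPS and web filtering. Interface names, VLAN ids, addresses and profile names are assumed.

```text
# Added example (not from the thread): transparent-mode unit with one
# forwarding domain per VLAN and a UTM-enabled policy. Names, VLAN ids
# and addresses are constructed.
config system settings
    set opmode transparent
    # The management IP is the only address the unit answers on.
    set manageip 192.0.2.10/24
    set gateway 192.0.2.1
end
config system interface
    # port1 and port2 must sit on different switch segments; VLAN 100 is
    # tagged on both, and both subinterfaces share forwarding domain 100,
    # so its broadcasts are bridged only within that domain.
    edit "vlan100_in"
        set vdom "root"
        set interface "port1"
        set vlanid 100
        set forward-domain 100
    next
    edit "vlan100_out"
        set vdom "root"
        set interface "port2"
        set vlanid 100
        set forward-domain 100
    next
    # VLAN 200 gets its own domain, so it is never bridged into VLAN 100
    # (its port2 side, a mirror of vlan100_out, is omitted here).
    edit "vlan200_in"
        set vdom "root"
        set interface "port1"
        set vlanid 200
        set forward-domain 200
    next
end
config firewall policy
    # No NAT or routing here, but IPS and web filtering still apply per policy.
    edit 1
        set srcintf "vlan100_in"
        set dstintf "vlan100_out"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set webfilter-profile "default"
    next
end
```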
abarushka
Staff

Hello,

 

I would recommend checking the transparent mode administration guide by following the link below:

 

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/5aa37c8a-1a11-11e9-9685-f8bc12...

 

It also mentions limitations.

FortiGate
Rifqi
New Contributor II

Hello Abarushka,

Thanks for your recommendation, I will read it too.

Rifqi
New Contributor II

Hi Johnsmith3321,

Thanks for your explanation, very insightful for me.
