Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Kenundrum
Contributor III

Transparent Mode Question

I' m looking to buy a new firewall to segment and inspect some datacenter traffic without disrupting existing networking and routing and so we' re looking at something to run in transparent mode. My current employer has no fortinet equipment but i have a lot of experience with it in the past so we' re doing a vendor selection process between a few manufacturers. I don' t have much experience running with transparent mode and something came up todat during my call with a fortinet rep that didn' t in other calls. i' m hoping to get some quick guidance from the community. We' re looking to set up something similar to the diagram below i quickly mocked up. We want to have protected servers connect directly to a fortigate and then have the fortigate use either a 10G uplink port or aggregate a few 1G ports to attach to our primary switching infrastructure. The engineer on the call expressed concern that he had not seen anything set up that way ever and wanted to double check with others before stating that would work. Apparently he was concerned over the 1-to-1 port mapping that happens in transparent mode and didn' t know if it could do a 1-to-many. None of the other vendors expressed any concern over this. I have a test environment set up with a free linux software firewall installed on an old server and it was able to replicate this topology. 3 interfaces were bridged together with 2 servers plugged in and a third interface going out to a switch. The bridged interface needed an ip address on the same subnet in order to inspect traffic, but otherwise worked. Has anyone set something up like this before? i' m finding it hard to believe that this is not a common deployment scenario.

CISSP, NSE4

 

CISSP, NSE4
4 REPLIES 4
Carl_Wallmark
Valued Contributor

Hi, I dont see any problem running this setup, when the Fortigate is in transparent mode, you could think of it as a L2 switch. However you still need firewall policys, lets say Port1 -> Port2 etc... Or you could create zones like ServerZone and make Port1-Port3 members, or if you if you want to seperate them. The inspection takes place in the firewall policys, and you only give the firewall (or the transparent VDOM) an IP address. So based on your picture and description I can´t find anything wrong.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
Kenundrum
Contributor III

Thank you for that. That is exactly how I envisioned the setup.

CISSP, NSE4

 

CISSP, NSE4
emnoc
Esteemed Contributor III

I' ve never personally seen this setup either. Not saying it' s going to work or cause problems but wanted to point the following; 1: you are going eat up and be limited by the number of ports you can connect to servers 2: might be hard or next to impossible to add a HA peer later on 3: Not typical a transparent-mode setup by any firewall vendor that I' m aware of ( transparent involves 2 ports in a in/out fashion here you have N x ports sharing one single uplink port ) What I would do is place the servers on the l2/l3switch directly in a common server vlan or unique vlan And then move the fortigate directly in the path between the rest-of-network and the switch.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
lightmoon1992
New Contributor

Setup illustrated is doable. no doubt about it as i made it many times in standalone and HA A-A scenario However, i really don' t recommend the direct connectivity thing as the FortiGate wasn' t meant to be used as switch " in fact it can do so" as such setup will introduce a lot of limitations down the road if you will consider HA and link redundancy. what i do recommend is to get use of server farm switch from to trunk all traffic toward the FortiGate and apply whatever security policy needed. also keep in mind that you can also segment the servers zone so you don' t place all of your servers into one broadcast domain. this is highly required for financial institutions and large enterprise deployments (mandatory requirement for PCI-DSS) Mohammad

Mohammad Al-Zard

 

Mohammad Al-Zard
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors