Transparent Mode in Single Interface
Greetings,
I am trying to set up a Fortigate 100E in transparent mode,
and because of the current network condition, it needs to be set up with only one interface, as attached.
Is it possible to do?
Thank you.
Why?
A transparent mode typically has 2 interfaces (in and out). In that diagram you can't control any part of the flow since it does not go through the firewall.
Are you looking at doing IDS and need a one-leg configuration?
Ken Felix
PCNSE
NSE
StrongSwan
Actually I want to set up the new Fortigate without changing the physical layer.
The main goal is the same as transparent mode: to control the data flow between internal and external traffic.
I guess this is not possible to achieve with pure config in Fortigate...
or is there any config I should try?
This has nothing to do with FortiGate config. If you understand networking at layer 2 at all, there is nothing that could convince the traffic to go from that middle device (switch?) to the FortiGate rather than straight to the router it is directly connected to. "Router on a stick" is the only configuration where you can use a single interface to control flows and that means NAT mode, not transparent. If you want to use transparent mode you have to move the link between your switch and router to a second interface on the FortiGate so that the only path for the various VLANs to reach their gateway (northbound traffic to the router) is through the FortiGate.
Yeah, transparent or virtual wire would be ideal. You could deploy that and set a policy to allow all and then trim it down. Layer 2/3 will not need to be modified, but you would need to interrupt the current connection to insert the FGT in the path.
We see a lot of dual firewall setups that way with L3 and an L2-only device, and most of the time they use the FGT in transparent for IDS.
Ken Felix
PCNSE
NSE
StrongSwan
lobstercreed wrote:This has nothing to do with FortiGate config. If you understand networking at layer 2 at all, there is nothing that could convince the traffic to go from that middle device (switch?) to the FortiGate rather than straight to the router it is directly connected to. "Router on a stick" is the only configuration where you can use a single interface to control flows and that means NAT mode, not transparent. If you want to use transparent mode you have to move the link between your switch and router to a second interface on the FortiGate so that the only path for the various VLANs to reach their gateway (northbound traffic to the router) is through the FortiGate.
emnoc wrote:Yeah, transparent or virtual wire would be ideal. You could deploy that and set a policy to allow all and then trim it down. Layer 2/3 will not need to be modified, but you would need to interrupt the current connection to insert the FGT in the path.
We see a lot of dual firewall setups that way with L3 and an L2-only device, and most of the time they use the FGT in transparent for IDS.
Ken Felix
Yes, thanks lobstercreed and emnoc for your input.
It is now clear that transparent mode with only a single interface is not possible.
Transparent mode runs perfectly (I just tested it this way) when the Fortigate is placed between the switch and the router.
Regards, Rant
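A FortiOS CLI sketch of the two-interface transparent-mode placement the thread converges on (switch on one port, router on the other, "allow all then trim it down"), added here as an illustrative example and not taken from any poster or from Fortinet documentation. Port names, the management IP, its gateway and the subnets are assumed values; a single untagged VLAN between switch and router is assumed, and the fragment is a sketch to adapt, not a verified full configuration.

```fortios
# Assumed layout: port1 faces the switch (inside), port2 faces the router (outside).
# Step 1: put the VDOM in transparent mode; the FortiGate bridges port1<->port2
# and only needs a management IP on the existing subnet (assumed values).
config system settings
    set opmode transparent
    set manageip 192.0.2.10/24
    set gateway 192.0.2.1
end

# Step 2 (initial, temporary): allow everything in both directions WITH full logging,
# so the existing flows are not broken on insertion and the logs show what is actually
# traversing the bridge. This is the "allow all" the thread describes; it provides
# visibility only, no enforcement.
config firewall policy
    edit 1
        set name "TEMP-inside-to-router-allow-all"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "TEMP-router-to-inside-allow-all"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Step 3 ("trim it down"): once the logs show the real traffic, replace the
# allow-all rules with explicit ones. Example: inside hosts may reach the router
# for web and DNS only; anything not matched falls to the implicit deny.
config firewall policy
    edit 1
        set name "inside-to-router-web-dns"
        set service "HTTP" "HTTPS" "DNS"
        set logtraffic all
    next
    delete 2
end
```

The two "TEMP" policies exist only to observe traffic safely during cut-over; leaving an allow-all rule in place permanently gives the IDS-style visibility Ken Felix mentions but no enforcement.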
