- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Transparent mode - BPDU
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Transparent mode - BPDU
Hello everyone,
I have a question: in case of active/standby HA cluster of two Fortigates in transparent mode (280D), is there possibility for unit in passive mode to process BPDU packets?
Thank you very much for your help!
Ivan
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The questions would be why would you want that?
Do you have "set stpforward enable" enabled on the interface pairs?
if yes, than you should be okay but you should double check on both units by using "diag netlink brctl" list commands
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you emnoc!
I have topology that looks like this. Two ASAs and two FortiGates, both in active/standby failover. FortiGates must stand between three L2 switches in triangle. The point is, we should cover every possible failure scenario, from links between devices to devices itself. This is Internet segment, and internal traffic is going outside toward SW1. You also have Internet router that is sitting in front of SW1, which is ASA's upstream next hop.
If standby FortiGate is forwarding BPDU packets (when I configure it with 'set stp-forward enable') I guess this would work well. But I don't know about STP behavior when there's more than two STP speaking devices on same LAN segment.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, guess I didn't attach image. And my experienced colleague just explained to me that I could achieve all of this without cross links between FortiGates and switches and without BPDU packet forwarding at all. Fact is that passive unit doesn't process any traffic at all at any given moment. Thanks anyway!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So are you running tagged intefaces on the 3 links between the FGT and what/why the cross the links betweem FGTs and sw2/sw3?
If you could add port#s and the interface for the opmode transparent ( tags and forrwarddomain if applicable ) that might give us a better ideal of the topology from the cisco ASA to sw1. I don't think the cross-links between each FGT to the opposite switches are need from the picture
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, didn't explain well. Link between FortiGates and also link between ASAs are just failover links, not links for regular traffic. Also all switches are just L2 switches. And there's only one VLAN that should be forwarded from ASA to upstream (that is VLAN between ASA and Internet router). I guess by default all interfaces on transparent FortiGate are in same forwarding domain, right?
This is just a plan, and implementation should happen in near future.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi isasic,
We are trying to send untagged (VLAN) packets through a similar setup - transparent, directly connected router on one side, switches on the other. We can ping through our transparent VDOM but web browsing is getting hung-up, and I am unable to find any logs describing why.
Are you having success with your setup?
Thanks, Russ
Related Posts
- Configuring FortiMail to Filter Incoming Emails... 128 Views
- ZTNA - tcp forwarding not working... 390 Views
- Firewall in Transparent Mode - cant... 339 Views
- DOM-A uses NAT mode ( Root... 173 Views
- Transparent Mode with Three WAN Connection 269 Views
Labels
-
FortiGate
6,643 -
FortiClient
1,325 -
5.2
801 -
5.4
639 -
FortiManager
575 -
FortiAnalyzer
419 -
6.0
416 -
5.6
362 -
FortiSwitch
341 -
FortiAP
338 -
FortiClient EMS
270 -
6.2
251 -
FortiMail
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
154 -
6.4
128 -
FortiNAC
109 -
FortiGuard
105 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
76 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
65 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
SD-WAN
29 -
Firewall policy
28 -
FortiConnect
24 -
High Availability
23 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
Logging
12 -
LDAP
11 -
VDOM
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
fortilink
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.