VLANs in transparent mode

In transparent mode, the FortiGate unit behaves like a layer-2 bridge but can still apply services such as antivirus scanning, web filtering, spam filtering and intrusion protection to the traffic it bridges. Transparent mode has some limitations: you cannot use SSL VPN or PPTP/L2TP VPN, you cannot run a DHCP server, and NAT cannot easily be applied to traffic. The same limits apply to IEEE 802.1Q VLAN trunks passing through the unit; VLAN support in transparent mode gives you per-VLAN policy control over the bridged traffic, not additional services.

 

VLANs and transparent mode

You can insert the FortiGate unit operating in transparent mode into the VLAN trunk without making changes to your network. In a typical configuration, the FortiGate unit internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal network VLANs. The FortiGate external interface forwards VLAN-tagged packets through another VLAN trunk to an external VLAN switch or router and on to external networks such as the Internet. You can configure the unit to apply different policies for traffic on each VLAN in the trunk.

To pass VLAN traffic through the FortiGate unit, you add two VLAN subinterfaces with the same VLAN ID, one to the internal interface and the other to the external interface. You then create a security policy to permit packets to flow from the internal VLAN subinterface to the external VLAN subinterface. If sessions must also be initiated from the external side, you create another security policy to permit packets to flow from the external VLAN subinterface to the internal VLAN subinterface (policies are stateful, so reply traffic of an accepted session does not need its own policy). Typically in transparent mode you do not create policies between subinterfaces with different VLAN IDs, so each VLAN stays isolated as it crosses the unit. Network protection features, such as spam filtering, web filtering and antivirus scanning, are applied through the UTM profiles specified in each security policy, enabling very detailed control over traffic.

When the FortiGate unit receives a VLAN-tagged packet at a physical interface, it directs the packet to the VLAN subinterface with the matching VLAN ID. The VLAN tag is removed from the packet, and the FortiGate unit then applies security policies using the same method it uses for non-VLAN packets. If the packet exits the FortiGate unit through a VLAN subinterface, the VLAN ID for that subinterface is added to the packet and the packet is sent to the corresponding physical interface.
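The tag handling and policy lookup described in the paragraph above, as an added example in Python. This is not FortiOS code and is not from the original page; it models a two-port bridge whose subinterfaces, policy table, interface names and frame bytes are all constructed for the example. It also shows the cases the text implies but does not spell out: frames with no tag, priority-tagged frames (VLAN ID 0) and frames for a VLAN ID with no subinterface pair match nothing and are dropped, and a VLAN with a policy in only one direction passes frames in that direction only.

```python
"""Model of 802.1Q handling on a transparent-mode bridge.

Added example, not FortiOS code and not from the original page. It follows
the behaviour described above: a tagged frame arriving on a physical
interface is mapped to the VLAN subinterface with the same VLAN ID, the tag
is stripped, a policy keyed on (ingress subinterface, egress subinterface)
decides the frame's fate, and the egress subinterface re-tags it. The frame
bytes, interface names and policy table are constructed for the example.
"""
import struct

ETHERTYPE_8021Q = 0x8100
VID_PRIORITY_TAGGED = 0     # 802.1p priority only, no VLAN membership
VID_RESERVED = 4095


def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, vid, pcp, ethertype, payload).

    vid and pcp are None when the frame carries no 802.1Q tag.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != ETHERTYPE_8021Q:
        return dst, src, None, None, etype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, tci >> 13, inner, frame[18:]


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Assemble a frame, inserting an 802.1Q tag when vid is given."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


class TransparentBridge:
    """Two-port in-line bridge: frames from 'internal' leave on 'external'
    and vice versa, but only if a VLAN subinterface pair and a policy exist."""

    PEER = {"internal": "external", "external": "internal"}

    def __init__(self):
        self.subifs = {}        # (physical interface, vid) -> subinterface name
        self.policies = []      # ordered (srcintf, dstintf, action) tuples

    def add_vlan_subif(self, name, physical, vid):
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID {vid} outside 1-4094")
        self.subifs[(physical, vid)] = name

    def add_policy(self, srcintf, dstintf, action="accept"):
        self.policies.append((srcintf, dstintf, action))

    def forward(self, ingress_phys, frame):
        """Return the frame to transmit on the peer interface, or None if dropped."""
        dst, src, vid, pcp, etype, payload = parse_frame(frame)
        # Untagged, priority-tagged (VID 0) and VID 4095 frames match no
        # subinterface, so they never reach a policy.
        if vid in (None, VID_PRIORITY_TAGGED, VID_RESERVED):
            return None
        srcintf = self.subifs.get((ingress_phys, vid))
        dstintf = self.subifs.get((self.PEER[ingress_phys], vid))
        if srcintf is None or dstintf is None:
            return None
        # First matching policy wins; no match is an implicit deny.
        for s, d, action in self.policies:
            if s == srcintf and d == dstintf:
                if action != "accept":
                    return None
                # The tag is re-added with the egress subinterface's VLAN ID.
                return build_frame(dst, src, etype, payload, vid=vid, pcp=pcp)
        return None


def demo():
    """Bridge VLAN 225 internal->external only, as in the procedure that follows."""
    br = TransparentBridge()
    br.add_vlan_subif("internal_v225", "internal", 225)
    br.add_vlan_subif("external_v225", "external", 225)
    br.add_policy("internal_v225", "external_v225")
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    payload = b"\x45\x00" + b"\x00" * 18      # constructed stand-in for an IPv4 packet
    tagged = build_frame(dst, src, 0x0800, payload, vid=225, pcp=5)
    return {
        "int_to_ext": br.forward("internal", tagged),
        "ext_to_int": br.forward("external", tagged),    # no reverse policy
        "untagged": br.forward("internal", build_frame(dst, src, 0x0800, payload)),
        "other_vlan": br.forward("internal", build_frame(dst, src, 0x0800, payload, vid=300)),
        "original": tagged,
    }
```

Because the egress subinterface is looked up with the same VLAN ID as the ingress one, the model cannot move a frame between VLANs even if a policy named two subinterfaces of different VLANs; a real unit lets you write such a policy, which is why the text recommends not doing so.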

 

There are two essential steps to configure your FortiGate unit to work with VLANs in transparent mode:

  • Add VLAN subinterfaces
  • Create security policies

You can also configure the protection profiles that manage antivirus scanning, web filtering and spam filtering. For more information on UTM profiles, see the UTM Guide.

 

Add VLAN subinterfaces

The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number from 1 to 4094. VLAN ID 0 is not a usable VLAN: it marks a priority-tagged frame that carries only an 802.1p priority and no VLAN membership. VLAN ID 4095 is reserved by the standard. You add VLAN subinterfaces to the physical interface that receives the VLAN-tagged packets.

For this example, we are creating a VLAN called internal_v225 on the internal interface, with a VLAN ID of 225. Administrative access is enabled for HTTPS and SSH. VDOMs are not enabled.

 

To add VLAN subinterfaces in transparent mode – web-based manager

1. Go to System > Network > Interface.

2. Select Create New.

3. Enter the following information and select OK.

Name                                           internal_v225

Type                                            VLAN

Interface                                     internal

VLAN ID                                      225

Administrative Access             Enable HTTPS and SSH. Both are encrypted management protocols; leave HTTP and Telnet disabled.

Comments                                  VLAN 225 on internal interface

The FortiGate unit adds the new subinterface to the interface that you selected.

Repeat steps 2 and 3 to add additional VLANs. You will need to change the VLAN ID, Name, and possibly Interface when adding additional VLANs.

 

To add VLAN subinterfaces in transparent mode – CLI

config system interface
    edit internal_v225
        set vdom root
        set type vlan
        set interface internal
        set vlanid 225
        set allowaccess https ssh
        set description "VLAN 225 on internal interface"
    next
end

 

Create security policies

In transparent mode, the FortiGate unit performs antivirus and antispam scanning on each VLAN’s packets as they pass through the unit. You need security policies to permit packets to pass from the VLAN interface where they enter the unit to the VLAN interface where they exit the unit. If there are no security policies configured, no packets will be allowed to pass from one interface to another.

 

To add security policies for VLAN subinterfaces – web based manager

1. Go to Policy & Objects > Objects > Addresses.

2. Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets.

3. Go to Policy & Objects > Policy > IPv4 or Policy & Objects > Policy > IPv6 and select Create New.

4. From the Incoming Interface/Zone list, select the VLAN interface where packets enter the unit.

5. From the Outgoing Interface/Zone list, select the VLAN interface where packets exit the unit.

6. Select the Source and Destination Address names that you added in step 2.

7. Select OK.

 

To add security policies for VLAN subinterfaces – CLI

config firewall address
    edit incoming_VLAN_address
        set associated-interface <incoming_VLAN_interface>
        set type ipmask
        set subnet <IPv4_address_mask>
    next
    edit outgoing_VLAN_address
        set associated-interface <outgoing_VLAN_interface>
        set type ipmask
        set subnet <IPv4_address_mask>
    next
end

For IPv6, use config firewall policy6 (with address objects from config firewall address6) in place of config firewall policy below.

config firewall policy
    edit <unused_policy_number>
        set srcintf <incoming_VLAN_interface>
        set dstintf <outgoing_VLAN_interface>
        set srcaddr incoming_VLAN_address
        set dstaddr outgoing_VLAN_address
        set schedule always
        set service <protocol_to_allow_on_VLAN>
        set action accept
    next
end

 

Example of VLANs in transparent mode

In this example, the FortiGate unit is operating in transparent mode and is configured with two VLANs: one with an ID of 100 and the other with ID 200. The internal and external physical interfaces each have two VLAN subinterfaces, one for VLAN_100 and one for VLAN_200.

The IP range for the internal VLAN_100 network is 10.100.0.0/255.255.0.0, and for the internal VLAN_200 network is 10.200.0.0/255.255.0.0. Note that the router configuration later in this example uses a 255.255.255.0 mask on each VLAN gateway; in a real deployment use one consistent mask on the hosts and on the router, otherwise hosts outside the router's /24 cannot reach their gateway.

The internal networks are connected to a Cisco 2950 VLAN switch, which carries traffic from both VLANs over a single 802.1Q trunk into the FortiGate unit internal interface. The VLAN traffic leaves the FortiGate unit on the external interface over a second trunk, goes to the VLAN router, and on to the Internet. When the FortiGate unit receives a tagged packet, it directs it from the incoming VLAN subinterface to the outgoing VLAN subinterface for that VLAN.

This section describes how to configure a FortiGate-800 unit, Cisco switch, and Cisco router in the network topology shown below.

 

VLAN transparent network topology

 

General configuration steps

The following steps summarize the configuration for this example. For best results, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Configure the FortiGate unit which includes

  • Adding VLAN subinterfaces
  • Adding the security policies

2. Configure the Cisco switch and router

 

Configure the FortiGate unit

The FortiGate unit must be configured with the VLAN subinterfaces and the proper security policies to enable traffic to flow through the FortiGate unit.

 

Add VLAN subinterfaces

For each VLAN, you need to create a VLAN subinterface on the internal interface and another one on the external interface, both with the same VLAN ID.

 

To add VLAN subinterfaces – web-based manager

1. Go to System > Network > Interface.

2. Select Create New.

3. Enter the following information and select OK:

Name                                           VLAN_100_int

Interface                                     internal

VLAN ID                                      100

4. Select Create New.

5. Enter the following information and select OK:

Name                                           VLAN_100_ext

Interface                                     external

VLAN ID                                      100

6. Select Create New.

7. Enter the following information and select OK:

Name                                           VLAN_200_int

Interface                                     internal

VLAN ID                                      200

8. Select Create New.

9. Enter the following information and select OK:

Name                                           VLAN_200_ext

Interface                                     external

VLAN ID                                      200

 

To add VLAN subinterfaces – CLI

config system interface
    edit VLAN_100_int
        set vdom root
        set status up
        set type vlan
        set interface internal
        set vlanid 100
    next
    edit VLAN_100_ext
        set vdom root
        set status up
        set type vlan
        set interface external
        set vlanid 100
    next
    edit VLAN_200_int
        set vdom root
        set status up
        set type vlan
        set interface internal
        set vlanid 200
    next
    edit VLAN_200_ext
        set vdom root
        set status up
        set type vlan
        set interface external
        set vlanid 200
    next
end

 

Add the security policies

Security policies allow packets to travel between the VLAN_100_int interface and the VLAN_100_ext interface. Two policies are required; one for each direction of traffic. The same is required between the VLAN_200_int interface and the VLAN_200_ext interface, for a total of four required security policies.

 

To add the security policies – web-based manager

1. Go to Policy & Objects > Policy > IPv4 or Policy & Objects > Policy > IPv6 and select Create New.

2. Enter the following information and select OK:

Incoming Interface                   VLAN_100_int

Source Address                        all

Outgoing Interface                   VLAN_100_ext

Destination Address                 all

Schedule                                    Always

Service                                       ALL

Action                                         ACCEPT

3. Select Create New.

4. Enter the following information and select OK:

Incoming Interface                   VLAN_100_ext

Source Address                        all

Outgoing Interface                   VLAN_100_int

Destination Address                 all

Schedule                                    Always

Service                                       ALL

Action                                         ACCEPT

5. Go to Policy & Objects > Policy > IPv4 or Policy & Objects > Policy > IPv6 and select Create New.

6. Enter the following information and select OK:

Incoming Interface                   VLAN_200_int

Source Address                        all

Outgoing Interface                   VLAN_200_ext

Destination Address                 all

Schedule                                    Always

Service                                       ALL

Action                                         ACCEPT

7. Select Create New.

8. Enter the following information and select OK:

Incoming Interface                   VLAN_200_ext

Source Address                        all

Outgoing Interface                   VLAN_200_int

Destination Address                 all

Schedule                                    Always

Service                                       ALL

Action                                         ACCEPT

 

To add the security policies – CLI

config firewall policy
    edit 1
        set srcintf VLAN_100_int
        set srcaddr all
        set dstintf VLAN_100_ext
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 2
        set srcintf VLAN_100_ext
        set srcaddr all
        set dstintf VLAN_100_int
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 3
        set srcintf VLAN_200_int
        set srcaddr all
        set dstintf VLAN_200_ext
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 4
        set srcintf VLAN_200_ext
        set srcaddr all
        set dstintf VLAN_200_int
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end

For IPv6 policies, use config firewall policy6 with the same interface pairs.
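The general procedure (add VLAN subinterfaces, then add the security policies) and the four-policy example above produce configuration with a fixed shape, so it is worth generating it and checking it mechanically. The following Python is an added example, not FortiOS code and not from the original page: it emits the same CLI as the procedures above for any list of VLAN IDs (keeping the page's VLAN_<id>_int / VLAN_<id>_ext naming; everything else is an assumption), parses the text back, and reports anything that would break the design the text relies on, including a policy that joins two different VLANs, a subinterface left administratively down, cleartext management access, and NAT enabled in transparent mode.

```python
"""Generate and sanity-check a transparent-mode VLAN configuration.

Added example, not FortiOS code and not from the original page. It emits
the same CLI shape as the procedures above for any list of VLAN IDs (the
page's VLAN_<id>_int / VLAN_<id>_ext naming is kept; everything else is an
assumption), then parses the result back and checks the invariants the
text relies on: one subinterface per VLAN on each physical interface with a
matching vlanid, every policy joining the _int and _ext subinterfaces of the
same VLAN, no policy crossing VLANs, no subinterface left administratively
down, no cleartext management access and no NAT in transparent mode.
"""


def vlan_subinterfaces(vlan_ids, physical=("internal", "external")):
    """'config system interface' block for the given VLAN IDs."""
    lines = ["config system interface"]
    for vid in vlan_ids:
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID {vid} outside 1-4094")
        for phys in physical:
            lines += [f"    edit VLAN_{vid}_{phys[:3]}",
                      "        set vdom root",
                      "        set type vlan",
                      f"        set interface {phys}",
                      f"        set vlanid {vid}",
                      "    next"]
    lines.append("end")
    return "\n".join(lines)


def vlan_policies(vlan_ids, service="ALL", first_id=1):
    """One accept policy per direction per VLAN and nothing else, so
    cross-VLAN and unmatched traffic falls to the implicit deny."""
    lines, pid = ["config firewall policy"], first_id
    for vid in vlan_ids:
        a, b = f"VLAN_{vid}_int", f"VLAN_{vid}_ext"
        for src, dst in ((a, b), (b, a)):
            lines += [f"    edit {pid}",
                      f"        set srcintf {src}",
                      f"        set dstintf {dst}",
                      "        set srcaddr all",
                      "        set dstaddr all",
                      "        set action accept",
                      "        set schedule always",
                      f"        set service {service}",
                      "    next"]
            pid += 1
    lines.append("end")
    return "\n".join(lines)


def parse_cli(text):
    """Minimal reader for config/edit/set/next/end: {table: {entry: {key: value}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set":
            entry[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table = None
    return tables


def check_transparent_vlan_config(text, physical=("internal", "external")):
    """Return a list of findings; an empty list means the invariants hold."""
    cfg = parse_cli(text)
    findings, vlan_of, seen = [], {}, {}
    for name, attrs in cfg.get("system interface", {}).items():
        if attrs.get("type") != "vlan":
            continue
        vid = int(attrs.get("vlanid", -1))
        if not 1 <= vid <= 4094:
            findings.append(f"{name}: vlanid {vid} outside 1-4094")
        vlan_of[name] = (attrs.get("interface"), vid)
        seen.setdefault(vid, set()).add(attrs.get("interface"))
        if attrs.get("status") == "down":
            findings.append(f"{name}: administratively down, passes no traffic")
        clear = set(attrs.get("allowaccess", "").split()) & {"http", "telnet"}
        if clear:
            findings.append(f"{name}: cleartext management enabled ({' '.join(sorted(clear))})")
    for vid, phys in sorted(seen.items()):
        if phys != set(physical):
            findings.append(f"VLAN {vid}: subinterface only on {sorted(phys)}")
    for pid, pol in cfg.get("firewall policy", {}).items():
        s, d = pol.get("srcintf"), pol.get("dstintf")
        if s not in vlan_of or d not in vlan_of:
            findings.append(f"policy {pid}: references an interface that is not a VLAN subinterface")
            continue
        if vlan_of[s][1] != vlan_of[d][1]:
            findings.append(f"policy {pid}: joins VLAN {vlan_of[s][1]} and VLAN {vlan_of[d][1]}")
        if vlan_of[s][0] == vlan_of[d][0]:
            findings.append(f"policy {pid}: both interfaces sit on {vlan_of[s][0]}")
        if pol.get("nat") == "enable":
            findings.append(f"policy {pid}: NAT enabled in transparent mode")
    return findings
```

Running check_transparent_vlan_config over vlan_subinterfaces([100, 200]) joined with vlan_policies([100, 200]) yields no findings; feeding it a copy of the configuration with an extra policy from VLAN_100_int to VLAN_200_ext, or with set status down on the subinterfaces, returns one finding per problem. The checker reads the same config/edit/set/next/end layout you get from show or from a backup, so it can be pointed at an exported configuration as well as at generated text.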

 

Configure the Cisco switch and router

This example includes configuration for the Cisco Catalyst 2900 Ethernet switch and for the Cisco Multiservice 2620 Ethernet router. If you have access to a different VLAN-enabled switch or router, you can use it instead; however, its configuration is not included in this document.

 

Configure the Cisco switch

On the VLAN switch, you need to define VLAN_100 and VLAN_200 in the VLAN database and then add a configuration file to define the VLAN subinterfaces and the 802.1Q trunk interface.

Add this configuration to the Cisco switch:

interface FastEthernet0/3
 switchport access vlan 100
!
interface FastEthernet0/9
 switchport access vlan 200
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!

 

The switch has the following configuration:

Port 0/3                                             VLAN ID 100

Port 0/9                                             VLAN ID 200

Port 0/24                                           802.1Q trunk

 

Configure the Cisco router

You need to add a configuration file to the Cisco Multiservice 2620 ethernet router. The file defines the VLAN subinterfaces and the 802.1Q trunk interface on the router. The 802.1Q trunk is the physical interface on the router.

 

The IP address for each VLAN on the router is the gateway for that VLAN. For example, all devices on the internal VLAN_100 network will have 10.100.0.1 as their gateway. Add this file to the Cisco router:

!
interface FastEthernet0/0
!
interface FastEthernet0/0.1
 encapsulation dot1Q 100
 ip address 10.100.0.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 200
 ip address 10.200.0.1 255.255.255.0
!

 

The router has the following configuration:

Port 0/0.1                                         VLAN ID 100

Port 0/0.2                                         VLAN ID 200

Port 0/0                                             802.1Q trunk
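The switch, the FortiGate unit and the router each carry their own copy of the VLAN numbering, and a VLAN that is missing from any one of them silently fails end to end. The following Python is an added example, not part of the original page and not a vendor tool: it parses the switch and router snippets shown above (embedded here as constructed strings), takes the FortiGate VLAN IDs, and reports any VLAN that is not present on all three devices, plus any router gateway whose subnet disagrees with the network the example assigns to that VLAN. The switchport trunk allowed vlan form is an assumption added so that pruned trunks are caught; it does not appear on the page.

```python
"""Cross-check VLAN IDs across the Cisco switch, the FortiGate and the router.

Added example, not part of the original page and not a vendor tool. The
switch and router snippets are the ones shown above, embedded here as
constructed strings; the FortiGate side is represented by its VLAN IDs. Only
'switchport access vlan', 'switchport mode trunk', 'switchport trunk allowed
vlan' (assumed, not on the page) and 'encapsulation dot1Q' are understood.
"""
import ipaddress
import re

SWITCH_CONFIG = """
interface FastEthernet0/3
 switchport access vlan 100
!
interface FastEthernet0/9
 switchport access vlan 200
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

ROUTER_CONFIG = """
interface FastEthernet0/0
!
interface FastEthernet0/0.1
 encapsulation dot1Q 100
 ip address 10.100.0.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 200
 ip address 10.200.0.1 255.255.255.0
!
"""


def expand_vlan_list(spec):
    """'1,100-200,300' -> set of VLAN IDs."""
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def parse_switch(text):
    """Return (access VLAN -> ports, trunk port -> allowed set, or None for all)."""
    access, mode, allowed, port = {}, {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            port = m.group(1)
        elif m := re.match(r"switchport access vlan (\d+)$", line):
            access.setdefault(int(m.group(1)), []).append(port)
        elif m := re.match(r"switchport mode (\S+)$", line):
            mode[port] = m.group(1)
        elif m := re.match(r"switchport trunk allowed vlan (\S+)$", line):
            allowed[port] = expand_vlan_list(m.group(1))
    trunks = {p: allowed.get(p) for p, mo in mode.items() if mo == "trunk"}
    return access, trunks


def parse_router(text):
    """Return {vid: IPv4Interface of the gateway on the matching dot1Q subinterface}."""
    gateways, vid = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if re.match(r"interface (\S+)$", line):
            vid = None
        elif m := re.match(r"encapsulation dot1[Qq] (\d+)", line):
            vid = int(m.group(1))
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and vid is not None:
            gateways[vid] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return gateways


def check_end_to_end(switch_text, router_text, fortigate_vids, vlan_networks):
    """Return findings; empty means every VLAN is consistent across all three devices.

    vlan_networks maps a VLAN ID to the network the hosts on it are configured with.
    """
    access, trunks = parse_switch(switch_text)
    gateways = parse_router(router_text)
    findings = []
    if not trunks:
        findings.append("switch: no trunk port toward the FortiGate")
    for vid in sorted(set(access) | set(gateways) | set(fortigate_vids)):
        if vid not in access:
            findings.append(f"VLAN {vid}: no access port on the switch")
        if not any(al is None or vid in al for al in trunks.values()):
            findings.append(f"VLAN {vid}: not allowed on any trunk")
        if vid not in fortigate_vids:
            findings.append(f"VLAN {vid}: no FortiGate subinterface pair")
        if vid not in gateways:
            findings.append(f"VLAN {vid}: no dot1Q subinterface on the router")
        elif vid in vlan_networks:
            gw, net = gateways[vid], ipaddress.ip_network(vlan_networks[vid])
            if gw.ip not in net:
                findings.append(f"VLAN {vid}: gateway {gw.ip} lies outside {net}")
            elif gw.network != net:
                findings.append(f"VLAN {vid}: router uses {gw.network} but the hosts use {net}")
    return findings
```

With the page's own data (FortiGate VLANs 100 and 200, router gateways with a 255.255.255.0 mask, hosts on 10.100.0.0/16 and 10.200.0.0/16) the only findings are the two mask mismatches; with /24 host networks the check is clean, and removing VLAN 200 from the FortiGate or pruning it from the trunk produces a single finding naming the missing piece.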

 

Test the configuration

Use diagnostic network commands such as traceroute (tracert) and ping to test traffic routed through the network.

 

Testing traffic from VLAN_100 to VLAN_200

In this example, a route is traced from a host on VLAN_100 to a host on VLAN_200 using the Windows tracert command. Because the FortiGate unit bridges each VLAN only to the same VLAN on its other side, the packets leave VLAN_100 through the unit to the router, which routes them into VLAN_200 and sends them back through the unit. The router's VLAN_100 gateway therefore appears as the first hop, and the traffic is subject to both the VLAN_100 and the VLAN_200 security policies. The addresses in the captured output below (10.1.1.1 and 10.1.2.2) do not match the 10.100.0.0 and 10.200.0.0 networks defined earlier in this example; with the router configuration above, the first hop would be 10.100.0.1.

 

From VLAN_100, access a Windows command prompt and enter this command:

C:\>tracert 10.1.2.2

Tracing route to 10.1.2.2 over a maximum of 30 hops:

1 <10 ms <10 ms <10 ms 10.1.1.1

2 <10 ms <10 ms <10 ms 10.1.2.2

Trace complete.

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
