Virtual Domains in Transparent mode

A VDOM in Transparent mode is installed between the internal network and the router. In this mode, the VDOM does not make any changes to IP addresses and only applies security scanning to traffic. When a VDOM is added to a network in Transparent mode, no network changes are required, except to provide the VDOM with a management IP address.

Each VDOM on a FortiGate can be configured for NAT/Route mode or Transparent mode independently; the operation mode of one VDOM does not constrain the mode of any other VDOM on the same unit. For more information about NAT/Route mode, see "Virtual Domains in NAT/Route mode".

This chapter includes the following sections:

  • Transparent Mode Overview
  • Using a VDOM in Transparent mode
  • Virtual Domains in Transparent mode

Transparent Mode Overview

In Transparent mode, a VDOM becomes a layer-2 forwarding bridge. Ethernet frames are forwarded based on their destination MAC address, and no layer-3 routing is performed. Incoming traffic that is accepted by the firewall policies is broadcast out on all of the VDOM's other interfaces.

In Transparent mode the VDOM is a forwarding bridge, not a switch. A switch builds a port table of learned MAC addresses so that it can deliver a frame to the one port where the destination lives instead of sending it to every port. A VDOM in Transparent mode does not follow this switch behaviour; it broadcasts frames out over all interfaces, subject to security policies. In practice this means that the security policies between interface pairs, not MAC learning, are what decide which traffic reaches which attached segment, so policies should be written for exactly the interface pairs over which traffic is meant to flow.

Differences between NAT/Route and Transparent mode

The differences between NAT/Route mode and Transparent mode include:

Differences between NAT/Route and Transparent modes

Feature                                         NAT/Route mode   Transparent mode
Specific management IP address required         No               Yes
Perform Network Address Translation (NAT)       Yes              Yes
Stateful packet inspection                      Yes              Yes
Layer-2 forwarding                              Yes              Yes
Layer-3 routing                                 Yes              No
Unicast routing / policy-based routing          Yes              No
DHCP server                                     Yes              No
IPsec VPN                                       Yes              Yes
PPTP/L2TP VPN                                   Yes              No
SSL VPN                                         Yes              No
Security features                               Yes              Yes
VLAN support                                    Yes              Yes (limited to VLAN trunks)
Ping servers (dead gateway detection)           Yes              No


To provide administrative access to a FortiGate unit or VDOM in Transparent mode, you must define a management IP address and a gateway. This step is not required in NAT/Route mode, where you can access the FortiGate unit through the assigned IP address of any interface on which administrative access is permitted.

If you set the Transparent mode management IP address incorrectly, you will be unable to access the unit through the web-based manager. In this situation you will need to connect to the FortiGate unit with the console cable and correct the settings so that you can access the unit again. Alternatively, if your unit has an LCD panel, you can change the operation mode and interface information through the LCD panel. A practical safeguard is to make the change from a console session and confirm that the new management IP answers before that session is closed.
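The per-VDOM mode switch, the required management IP and gateway, and the interface-pair policy that the bridge forwarding depends on, brought together as an added CLI example written for this page (it is not configuration from the FortiOS Handbook). It assumes a FortiGate with VDOMs already enabled, a VDOM named tp-vdom that already exists with port2 (internal side) and port1 (router side) assigned to it, and the placeholder management subnet 10.10.10.0/24 with gateway 10.10.10.1; the VDOM name, port names and addresses are all assumptions.

```fortios
# Added example for this page, not Handbook text. Assumed names: VDOM tp-vdom,
# interfaces port1 (router side) and port2 (internal side), management address
# 10.10.10.2/24 with gateway 10.10.10.1.

# 1. Put only tp-vdom into Transparent mode. opmode is a per-VDOM setting, so the
#    root VDOM (or any other VDOM) keeps its own mode.
config vdom
    edit tp-vdom
        config system settings
            set opmode transparent
            # Required in Transparent mode: the bridged interfaces carry no IP
            # addresses of their own, so this is the only address the VDOM answers on.
            set manageip 10.10.10.2/24
            set gateway 10.10.10.1
        end
    next
end

# 2. Administrative access is still enabled per interface. Interfaces are global
#    objects, so this is set under config global, not inside the VDOM.
config global
    config system interface
        edit port2
            set allowaccess https ssh ping
        next
    end
end

# 3. Frames are broadcast across the bridge only where a policy accepts them, so
#    the srcintf/dstintf pair defines which segments can talk. Keep the pair as
#    narrow as the traffic flow requires.
config vdom
    edit tp-vdom
        config firewall policy
            edit 1
                set name "internal-to-router"
                set srcintf "port2"
                set dstintf "port1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end

# 4. Verify from the same console session before logging out: the mode and
#    management address as stored, then a live HTTPS or SSH connection to
#    10.10.10.2 from a host on that subnet. If the management address was
#    mistyped, fixing it from this still-open console session avoids the
#    lockout recovery described above.
config vdom
    edit tp-vdom
        show system settings
    next
end
```

The order matters: the management IP and gateway are set before the admin session is closed, and the interface-pair policy is explicit rather than an any-to-any rule, because in Transparent mode the policy is the only thing that limits where broadcast frames end up.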
