Tag Archives: fortigate Using a VDOM in Transparent mode

Using a VDOM in Transparent mode

Using a VDOM in Transparent mode

The essential steps to configure a VDOM in Transparent mode are:

  • Switching to Transparent mode
  • Adding VLAN subinterfaces
  • Creating security policies

You can also configure the security profiles that manage antivirus scanning, web filtering and spam filtering. In Transparent mode, you can access the web-based manager by connecting to an interface configured for administrative access and using HTTPS to access the management IP address. In the following examples, administrative access is enabled by default on the internal interface and the default management IP address is 10.11.0.1.

 

Switching to Transparent mode

A VDOM is in NAT/Route mode by default when it is created. You must switch it to Transparent mode, and add a management IP address so you can access the VDOM from your management computer.

Before applying the change to Transparent mode, ensure the VDOM has admin- istrative access on the selected interface, and that the selected management IP address is reachable on your network.

 

To switch the VDOM to Transparent mode – web-based manager:

1. Go to Global > System > VDOM.

2. Edit the VDOM you wish to use in Transparent mode.

3. Select Operation mode to Transparent.

4. Enter the management IP/Netmask. The IP address must be accessible to the subnet where the management computer is located. For example 10.11.0.99/255.255.255.0 will be able to access the 10.11.0.0 subnet.

5. Select Apply.

When you select Apply, the FortiGate unit will log you out. When you log back in, the VDOM will be in Transparent mode.

 

To switch the VDOM to Transparent mode – CLI:

config vdom edit <name>

config system settings set opmode transparent

set mangeip 10.11.0.99 255.255.255.0 end

end

 

Adding VLAN subinterfaces

There are a few differences when adding VLANs in Transparent mode compared to NAT/Route mode.

In Transparent mode, VLAN traffic is trunked across the VDOM. That means VLAN traffic cannot be routed, changed, or inspected. For this reason when you assign a VLAN to a Transparent mode VDOM, you will see the Addressing Mode section of the interface configuration disappear in from the web-based manager. It is because with no routing, inspection, or any activities able to be performed on VLAN traffic the VDOM simply re- broadcasts the VLAN traffic. This requires no addressing.

Also any routing related features such as dynamic routing or Virtual Router Redundancy Protocol (VRRP) are not available in Transparent mode for any interfaces.

 

Creating security policies

Security policies permit communication between the FortiGate unit’s network interfaces based on source and destination IP addresses. Typically you will also limit communication to desired times and services for additional security.

In Transparent mode, the FortiGate unit performs antivirus and antispam scanning on each packet as it passes through the unit. You need security policies to permit packets to pass from the VLAN interface where they enter the unit to the VLAN interface where they exit the unit. If there are no security policies configured, no packets will be allowed to pass from one interface to another.

For more information, see the Firewall handbook.