gfranceschi (Staff)
Article Id 198171
Description
This article provides information about the parameter "vlanforward".
config system interface
  edit interface-name
   set type physical
   set vlanforward [enable/disable]

Solution
vlanforward operates at OSI Layer 2, so it is only meaningful when the FortiGate (or VDOM) runs in Transparent (TP) mode.

In TP mode, the vlanforward parameter controls what happens to an incoming VLAN-tagged packet whose VLAN ID has no matching VLAN interface configured on the ingress port, such as:
config system interface
    edit "VLAN_110"
        set vdom "TP"
        set interface "wan1"
        set vlanid 110
    next
end

If vlanforward is enabled, the packet is forwarded out the appropriate egress port without any inspection of the traffic carried inside the VLAN-tagged packet.

If vlanforward is disabled, the packet is dropped.

If vlanforward is enabled on a physical interface, VLANs for which no VLAN interface exists cross the FortiGate uninspected.

To control VLAN traffic, disable vlanforward on the physical interface and configure a VLAN interface with the specific vlanid for each VLAN that should be handled.

Conversely, vlanforward can be enabled to pass through VLAN IDs that have no dedicated VLAN interface configured.

Consider also the forwarding-domain parameter. By default all VLAN interfaces belong to forwarding domain 0. In transparent mode this causes the FortiGate to flood packets between all interfaces and VLANs in the same VDOM.

If VLAN interfaces are defined, with matching forwarding domains and firewall policies, the FortiGate inspects the traffic up to the application level when a protection profile is attached to the firewall policy.

See the related article "Technical Note: Configure a FortiGate unit in Transparent mode with trunks (802.1q - VLANs) and forwarding domains" for more information.

The parameter is defined in the FortiOS CLI Reference version 5.4.1 as follows:
vlanforward = Enable/disable VLAN forwarding.
The default value is disable.

config system interface
    edit "wan1"
        set vdom "root"
        set allowaccess ping fgfm
        set type physical
        set snmp-index 2
        set vlanforward disable
    next
end

The vlanforward default setting was changed for security reasons. The default was previously enable. If vlanforward is enabled on all interfaces in TP mode, VLAN-tagged traffic can pass through the FortiGate even without any firewall policy configured. Because this introduced a potential security issue, the default was changed to disable starting with v5.0.10, v5.2.2, and v5.4.0.

The value of the parameter is not modified during an upgrade, so a unit upgraded from an earlier release keeps whatever setting its interfaces already had.
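Because an upgrade preserves the earlier value, auditing a configuration backup is a quick way to find physical interfaces that still forward unknown VLAN tags uninspected. The following is an added example, not code from the article or from Fortinet; it parses the "config system interface" section of a constructed sample backup laid out like the CLI output above and prints remediation commands for review.

```python
import re

# Constructed sample of a FortiOS config backup (not from a real device): wan1 in VDOM "TP" still has vlanforward enable.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "TP"
        set type physical
        set vlanforward enable
    next
    edit "VLAN_110"
        set vdom "TP"
        set interface "wan1"
        set vlanid 110
    next
end
"""

def parse_interfaces(config_text: str) -> dict[str, dict[str, str]]:
    """Return {interface_name: {setting: value}} from the 'config system interface' block."""
    interfaces: dict[str, dict[str, str]] = {}
    current, in_block = None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block:
            m = re.match(r'edit "?([^"]+)"?$', line)
            if m:
                current = m.group(1)
                interfaces[current] = {}
            elif line == "next":
                current = None
            elif current is not None and line.startswith("set "):
                key, _, value = line[4:].partition(" ")
                interfaces[current][key] = value.strip('"')
    return interfaces

def find_vlan_forwarding_ports(config_text: str) -> list[str]:
    """Physical interfaces that pass tagged frames uninspected (vlanforward enable)."""
    return sorted(name for name, s in parse_interfaces(config_text).items()
                  if s.get("type") == "physical" and s.get("vlanforward") == "enable")

def remediation_cli(names: list[str]) -> str:
    """CLI that sets vlanforward disable on each flagged port; review before applying."""
    body = "".join(f'    edit "{n}"\n        set vlanforward disable\n    next\n' for n in names)
    return "config system interface\n" + body + "end\n"
```

Run it against a real backup with `print(remediation_cli(find_vlan_forwarding_ports(open("backup.conf").read())))`; only VLANs that need a dedicated VLAN interface and policy should be re-added afterwards.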

Related Articles

Technical Note: Configure a FortiGate unit in Transparent mode with trunks (802.1q - VLANs) and forw...
