FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
spathak
Staff
Article Id 191842

Description


A FortiGate in transparent mode can be assigned a single IP address for remote management access, and multiple static routes can be configured.
This is the approach to use when in-band management is wanted.

When out-of-band management is desired (a dedicated interface for remote management access), it is recommended to use a separate VDOM in NAT mode.

This article describes how to configure a management IP in transparent mode.

Solution


In-band management details and an example.

The management IP address is bound to all ports or VLANs belonging to the same VDOM (the manageip parameter creates a virtual interface "<vdom_name>.b" for this purpose).
Remote access services are subject to the same rules as in NAT mode and have to be enabled or disabled on each port.

Example of management IP configuration in transparent mode:

# config system settings
    set manageip 10.1.1.100/255.255.255.0
    set gateway 10.1.1.254
end

The gateway setting is optional:

- If it is NOT set, the firewall sends an ARP query for the IP it wants to reach through all interfaces associated with that VDOM (arp who-has <IP> tell <manageip>); as soon as the FortiGate receives an ARP reply with the MAC address corresponding to that IP, it sends the first IP packet out via the interface on which the reply arrived.

- With the gateway IP set, the firewall sends all packets via that next-hop device. The same discovery procedure applies to the gateway IP: an ARP query is first broadcast to find behind which interface the gateway IP is located, and once its MAC is learned, traffic generated by the FortiGate (for that transparent VDOM) is sent via that interface only.

NOTES:
- Within FortiOS, a VLAN is considered an interface.
- If the physical interface is not associated with the transparent VDOM in question, the physical interface itself is not used for the ARP query (only ARP packets carrying the associated VLAN tag are sent out via that interface).

Example of enabling remote access services on an interface (repeat for each port that should accept management traffic):

# config system interface
    edit <interface>
        set allowaccess ping ssh https snmp
    next
end

It is also possible to add a second IP address for management and additional default routes:

# config system settings
    set opmode transparent
    set manageip 192.168.182.136/255.255.254.0 10.1.1.1/255.255.255.0
end

# config router static
    edit 1
        set gateway 192.168.183.254
    next
    edit 2
        set gateway 10.1.1.254
    next
end

ping-server (dead gateway detection) is not supported in transparent mode.
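Because the FortiGate has to ARP for every next hop, each static-route gateway (and the optional system-settings gateway) must sit inside one of the manageip subnets. The Python below is an added consistency check, not part of the article or of FortiOS: it parses a config fragment like the ones above (the sample is constructed from the article's values) and reports any gateway that no management subnet contains.

```python
import ipaddress
import re

# Constructed sample (hypothetical device): the multi-address transparent-mode config above.
SAMPLE_CONFIG = """\
config system settings
    set opmode transparent
    set manageip 192.168.182.136/255.255.254.0 10.1.1.1/255.255.255.0
end
config router static
    edit 1
        set gateway 192.168.183.254
    next
    edit 2
        set gateway 10.1.1.254
    next
end
"""

def _block(config, name):
    """Body of the top-level 'config <name> ... end' block, or '' if absent."""
    m = re.search(rf"^config {re.escape(name)}\s*$\n(.*?)^end\s*$", config, re.S | re.M)
    return m.group(1) if m else ""

def parse_manageips(config):
    """'set manageip A/M [B/M ...]' as ip_interface objects; ipaddress accepts
    the dotted-netmask form FortiOS prints (x.x.x.x/255.255.254.0)."""
    m = re.search(r"^\s*set manageip\s+(.+?)\s*$", _block(config, "system settings"), re.M)
    return [ipaddress.ip_interface(tok) for tok in m.group(1).split()] if m else []

def parse_gateways(config):
    """Every next hop the VDOM must resolve by ARP: the optional 'set gateway'
    under system settings plus each static route's gateway."""
    text = _block(config, "system settings") + _block(config, "router static")
    return [ipaddress.ip_address(g) for g in re.findall(r"^\s*set gateway\s+(\S+)", text, re.M)]

def check_gateways(config):
    """Map each gateway to the manageip subnet containing it, or None. Assumption:
    the FortiGate only learns a next hop it can ARP for on a manageip subnet."""
    nets = [i.network for i in parse_manageips(config)]
    result = {}
    for gw in parse_gateways(config):
        match = next((n for n in nets if gw in n), None)
        result[str(gw)] = str(match) if match else None
    return result

def unreachable_gateways(config):
    """Gateways on none of the management subnets; should be an empty list."""
    return [gw for gw, net in check_gateways(config).items() if net is None]
```

Running check_gateways(SAMPLE_CONFIG) maps 192.168.183.254 to 192.168.182.0/23 and 10.1.1.254 to 10.1.1.0/24; a gateway that maps to None would never be resolved by the VDOM.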

Out-of-band management details and an example.

When VDOMs are enabled and operate in transparent mode, it is recommended to keep one VDOM (generally the root VDOM) in NAT mode, with one or more VLAN or physical interfaces used for out-of-band management; this avoids L2 loops and allows more routing flexibility.

The management VDOM must have IP connectivity to the Internet to communicate with the FDS and retrieve service information (antivirus, IPS, FortiGuard, FortiCare, etc.).
All Syslog and FortiManager communication also goes through the management VDOM.