syao
Staff
Article Id 290861
Description This article describes how to add a VLAN tag to untagged packets using a FortiGate in transparent mode, in a single-VDOM or multi-VDOM environment.
Scope FortiGate v7.X.
Solution

This article assumes the network infrastructure in the following diagram is in place:

diagram-transparent.png

  1. The ISP offers a VoIP solution and requires the IP phones to communicate over VLAN400. However, there is only one physical connection to the FortiGate (port1). The ISP uses two VLANs: VLAN500 for data (not shown in this example) and VLAN400 for voice.
  2. The ISP is not aware that the IP phones are connected to port3 of the FortiGate. These devices cannot send VLAN-tagged frames and rely on DHCP to obtain an IP address.
  3. This setup is typical of small or branch offices where no VLAN-aware switch is available. The FortiGate port3 interface is dedicated solely to the IP phone segment.
  4. This example uses a multi-VDOM (NAT and transparent) approach in which port3 and a VLAN interface are assigned to a dedicated transparent VDOM for voice traffic.


  1. Convert the operation mode of the voice VDOM to transparent mode and set its management IP:

config system settings
    set opmode transparent
    set manageip 192.168.1.10/255.255.255.0
end


  2. Create the VLAN interface on port1 (VLAN ID 400) and assign both interfaces (the VLAN interface and port3) to the voice VDOM. Note: if multi-VDOM is in use, the VLAN interface must be created from the Global context.

config system interface
    edit "port3"
        set vdom "VOICE-VDOM"
        set type physical
        set alias "Connected to IP Phones"
        set snmp-index 3
    next
    edit "VOICE_EXTERNAL"
        set vdom "VOICE-VDOM"
        set alias "Connected To ISP"
        set device-identification enable
        set snmp-index 9
        set interface "port1"
        set vlanid 400
    next
end


  3. Configure firewall policies between the two interfaces, one for each direction:

config firewall policy
    edit 1
        set name "INTERNAL-EXTERNAL-VLAN400"
        set srcintf "port3"
        set dstintf "VOICE_EXTERNAL"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "EXTERNAL-INTERNAL-VLAN400"
        set srcintf "VOICE_EXTERNAL"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end


Verification:

DHCP Discover packet captured on port3 of the FortiGate (untagged, as sent by the IP phone):

Client-DISCOVER.png

DHCP Discover packet captured on port1 of the FortiGate (the same packet, now carrying the VLAN 400 tag toward the ISP):

ISP-Discover.png
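To check the two captures above without a GUI protocol analyzer, the following Python script (an added example, not part of the original article or of any Fortinet tooling) parses a raw Ethernet frame, reports whether it carries an 802.1Q tag and which VLAN ID, and confirms that the payload is a DHCP Discover. It builds its own constructed sample frames, one untagged as the phone sends it on port3 and one tagged with VLAN 400 as it leaves port1, so it runs offline; the MAC address, transaction ID and the function names are assumptions for the example. On the FortiGate itself the frames can be obtained with the built-in sniffer (for example `diagnose sniffer packet port1 'port 67 or port 68' 6`, where verbosity 6 includes the Ethernet header with the VLAN tag) or exported as a pcap and fed to `parse_frame`.

```python
"""Parse an Ethernet frame: report the 802.1Q VLAN tag (if any) and whether the
payload is a DHCP Discover. Sample frames are constructed below; they are not
real captures."""
import struct

ETH_P_8021Q = 0x8100          # TPID that marks an 802.1Q tagged frame
ETH_P_IP = 0x0800
DHCP_OPT_MSG_TYPE = 53
DHCP_DISCOVER = 1
DHCP_MAGIC = b"\x63\x82\x53\x63"


def parse_frame(frame: bytes) -> dict:
    """Return src/dst MAC, VLAN ID (None if untagged), inner EtherType and
    whether the frame carries a DHCP Discover (UDP 68 -> 67, option 53 == 1)."""
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF       # low 12 bits of the TCI are the VLAN ID
        offset = 18
    info = {"src_mac": src.hex(":"), "dst_mac": dst.hex(":"), "vlan": vlan,
            "ethertype": ethertype, "dhcp_discover": False}
    if ethertype != ETH_P_IP:
        return info
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4      # IPv4 header length in bytes
    if ip[9] != 17:               # protocol 17 = UDP
        return info
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[0:6])
    if not (sport == 68 and dport == 67):
        return info
    dhcp = udp[8:ulen]
    # BOOTP fixed header is 236 bytes, then the 4-byte magic cookie, then options
    if len(dhcp) < 240 or dhcp[236:240] != DHCP_MAGIC:
        return info
    info["dhcp_discover"] = dhcp[0] == 1 and _msg_type(dhcp[240:]) == DHCP_DISCOVER
    return info


def _msg_type(options: bytes):
    """Walk the DHCP TLV options and return the value of option 53, or None."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:             # pad
            i += 1
            continue
        if code == 255:           # end of options
            break
        length = options[i + 1]
        if code == DHCP_OPT_MSG_TYPE and length == 1:
            return options[i + 2]
        i += 2 + length
    return None


def build_discover(client_mac: bytes, vlan=None) -> bytes:
    """Construct a minimal DHCP Discover frame (sample data, assumed values).
    With vlan=None the frame is untagged; otherwise an 802.1Q tag is inserted."""
    dhcp = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                       b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    dhcp += client_mac + b"\0" * 10            # chaddr, padded to 16 bytes
    dhcp += b"\0" * 64 + b"\0" * 128           # sname, file
    dhcp += DHCP_MAGIC + bytes([DHCP_OPT_MSG_TYPE, 1, DHCP_DISCOVER, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    eth = b"\xff" * 6 + client_mac
    if vlan is None:
        return eth + struct.pack("!H", ETH_P_IP) + ip
    return eth + struct.pack("!HHH", ETH_P_8021Q, vlan, ETH_P_IP) + ip


if __name__ == "__main__":
    phone_mac = bytes.fromhex("001122334455")   # constructed sample MAC
    for side, frame in (("port3 (phone side)", build_discover(phone_mac)),
                        ("port1 (ISP side)", build_discover(phone_mac, vlan=400))):
        print(side, parse_frame(frame))
```

The port3 frame should parse with `vlan` of None and the port1 frame with `vlan` 400, both with `dhcp_discover` True and the same source MAC; a port1 capture that shows no tag, or a different VLAN ID, points at the VLAN interface or its VDOM assignment rather than at the firewall policies.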