rmetzger (Staff)
Article Id 191915

Description

This article describes the best practices and some troubleshooting tips for a FortiGate in Transparent mode.

Configuration best practices in Transparent mode:

  • Spanning tree BPDUs are not forwarded by default; take care when introducing a FortiGate in the network, as L2 loops might be introduced or STP might break.

    To forward spanning tree BPDUs, in the CLI, use 'set stpforward enable' on all interfaces where forwarding is required.

  • Use forward domains to forward traffic only between specific interfaces or VLANs, and avoid keeping trunks with the default setting (vlan_forward = enabled).
    This creates, for each VLAN, an independent broadcast domain on the FortiGate and confines all broadcast and multicast traffic to the interfaces belonging to the same forward-domain. As a rule, if there are more than 2 interfaces (VLANs or physical) in a VDOM, always configure different forward_domains on the pairs of interfaces unless it is required to bridge traffic across more than 2 interfaces.

    Another alternative is to create one VDOM per pair of interfaces/VLANs.

  • Only Ethernet II frames are forwarded by default. If IPX or any other protocol in the network uses different frame types, these are not forwarded by default. To forward them, the parameter l2forward under the interface configuration has to be enabled.

  • If multicast traffic in the network passes through the FortiGate, multicast policies are required.
    For example, multicast policies need to be set if a FortiGate in transparent mode is inserted between 2 OSPF neighbors on an Ethernet segment. In this case, multicast IPs 224.0.0.5 and 224.0.0.6 should be allowed in both directions. The same applies to RIP v2 (224.0.0.9).

  • If out-of-band management is required, use, if possible, the root VDOM in NAT mode as the management VDOM and create one or more other Transparent mode VDOMs for the user traffic.

  • When using VLAN interfaces in transparent mode, leave the physical interfaces carrying the VLANs in a NAT/Route VDOM and only associate the required VLAN interfaces with the transparent VDOMs.

  • If the FortiGate in transparent mode bridges traffic to a router or host that uses a virtual MAC for one direction and a different physical MAC for the other direction (for instance when VRRP or HSRP is used), it is highly recommended to create a static MAC entry in the FortiGate transparent VDOM for the virtual MAC used.

    This makes sure the virtual MAC address is known in the transparent mode bridge table.
    Note: A static MAC entry can be created for interfaces using forward_domain 0 (the default forward-domain).

    Refer to the following KB article to configure the static MAC entry:

Technical Tip: Transparent mode with VRRP, HSRP or Network Load Balancer


Scope

FortiGate or VDOM in Transparent mode.


Solution

Troubleshooting steps when facing connectivity problems through a FortiGate in Transparent mode.

  1. First check the L2 MAC address table of the FortiGate.

    Note: In transparent mode, to forward L2 traffic, the FortiGate relies on its L2 forwarding database, which can be dumped with the command 'diag netlink brctl name host root.b' (for the root VDOM); the ARP table is only used for the FortiGate's own IP communications.

    The ARP/GARP packets sent by external devices are used to populate the L2 FDB and to update the destination MAC addresses of existing sessions when a MAC changes.

    The following commands dump the L2 forwarding table for each VDOM bridge instance. From there, the MAC addresses of the devices located on each VLAN/VDOM are available.
 
    diag netlink brctl list
    diag netlink brctl name host <VDOM_name>.b

    Example for the root VDOM:

    diag netlink brctl name host root.b

  2. Verify traffic with a sniffer trace:

    Capture a sniffer trace with the following commands. Run this while making a ping from one device to another device on either side of the FortiGate, and while initiating the traffic that exhibits the problem.

    This will tell whether the packets are ingressing and egressing the FortiGate.
    Keep each trace running long enough to get some representative samples.

    1. One global and simultaneous trace:

      diagnose sniffer packet any "" 4 0 l

      To stop the sniffer trace, press CTRL+C.
    2. One trace on each port:

      diagnose sniffer packet portA "" 4 0 l
      diagnose sniffer packet portB "" 4 0 l

      etc...

    3. If applicable, one trace for each VLAN with more verbosity:

      diagnose sniffer packet <each_vlan_interface> "" 6 0 l
 
  3. Debug flow:
    Capture a debug flow trace in each VDOM with the following CLI commands.
    Run this while making a ping from one device to another device on either side of the FortiGate, and while initiating the traffic that exhibits the problem.
    This will show whether the traffic is blocked or forwarded and give information about the matching policy.

    1. diag debug flow filter add <IP_address_of_source_device>
      diag debug flow show console enable
      diagnose debug console timestamp enable
      diag debug flow show function-name enable
      diag debug flow trace start 10000
      diag debug enable

      To stop the debug, type 'diag debug flow trace stop'.

    2. diag debug flow filter add <IP_address_of_destination_device>
      diag debug flow show console enable
      diagnose debug console timestamp enable
      diag debug flow show function-name enable
      diag debug flow trace start 10000
      diag debug enable

      To stop the debug, type 'diag debug flow trace stop'.

      Example of debug flow output when traffic flows:

      id=20085 trace_id=113 msg="vd-tp_mode received a packet(proto=6, 10.160.0.160:4370->10.160.0.152:23) from internal."
      id=20085 trace_id=113 msg="Find an existing session, id-00000a40, original direction"
      id=20085 trace_id=113 msg="enter fast path"
      id=20085 trace_id=113 msg="send out via dev-dmz1, dst-mac-00:01:02:03:04:05"
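To correlate the ingress and egress lines of a debug flow trace, and to spot traces where a packet is received but never sent out, here is an added Python helper (not part of the article or of FortiOS) that parses the output format shown above, grouped by trace_id. The sample input embeds the four lines above plus a constructed trace_id=114 that is received but has no 'send out' line.

```python
import re

# Constructed sample input: the four lines from the article, plus one
# constructed trace (trace_id=114) that is received but never sent out.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=113 msg="vd-tp_mode received a packet(proto=6, 10.160.0.160:4370->10.160.0.152:23) from internal."
id=20085 trace_id=113 msg="Find an existing session, id-00000a40, original direction"
id=20085 trace_id=113 msg="enter fast path"
id=20085 trace_id=113 msg="send out via dev-dmz1, dst-mac-00:01:02:03:04:05"
id=20085 trace_id=114 msg="vd-tp_mode received a packet(proto=1, 10.160.0.160:1->10.160.0.199:8) from internal."
"""

LINE_RE = re.compile(r'trace_id=(\d+)\s+msg="(.*)"$')
RECV_RE = re.compile(r'vd-(\S+) received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
SEND_RE = re.compile(r'send out via dev-(\S+), dst-mac-([0-9a-f:]+)')
SESS_RE = re.compile(r'session, id-([0-9a-f]+)')

def parse_debug_flow(text):
    """Group debug flow lines by trace_id and extract ingress/egress facts."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue  # not a debug flow line (e.g. timestamps or blank lines)
        tid, msg = m.groups()
        t = traces.setdefault(tid, {"vdom": None, "proto": None, "src": None,
                                    "dst": None, "in_intf": None, "out_intf": None,
                                    "dst_mac": None, "session": None})
        r = RECV_RE.search(msg)
        if r:  # ingress line: VDOM, protocol, src/dst and ingress interface
            t["vdom"], t["proto"], t["src"], t["dst"], t["in_intf"] = (
                r.group(1), int(r.group(2)), r.group(3), r.group(4), r.group(5))
        s = SEND_RE.search(msg)
        if s:  # egress line: egress interface and destination MAC used
            t["out_intf"], t["dst_mac"] = s.group(1), s.group(2)
        e = SESS_RE.search(msg)
        if e:
            t["session"] = e.group(1)
    return traces

def traces_without_egress(traces):
    """trace_ids that show a received packet but no 'send out' line."""
    return [tid for tid, t in traces.items() if t["in_intf"] and not t["out_intf"]]

if __name__ == "__main__":
    parsed = parse_debug_flow(SAMPLE_DEBUG_FLOW)
    for tid, t in parsed.items():
        print(tid, t)
    print("traces with no egress:", traces_without_egress(parsed))
```

A trace listed as having no egress is the one to compare against the sniffer output and the policy list: the packet reached the VDOM but was not bridged out.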

       

Related Articles:

Troubleshooting Tip : First steps to troubleshoot connectivity problems to or through a FortiGate wi...

Technical Tip : Troubleshoot and verify if traffic is hitting a Firewall Policy

Troubleshooting Tip: FortiGate session table information

Technical Tip: Configuring a FortiGate in Transparent mode to forward traffic on VLANs and remapping...

Technical Note: FortiGate and Gratuitous ARP (GARP)