Installing a FortiGate in Transparent mode


In this example, you will learn how to connect and configure a new FortiGate unit in Transparent mode to securely connect a private network to the Internet.

Transparent mode is used if you want to apply security scanning to traffic without applying routing or network address translation (NAT), such as when a FortiGate is used as an Internal Segmentation Firewall (ISFW).

Find this recipe for other FortiOS versions: 5.2 | 5.4

1. Changing the FortiGate’s operation mode

From the PC on the internal network, connect to the FortiGate’s web-based manager using either FortiExplorer or an Internet browser (for information about connecting to the web-based manager, please see your model’s QuickStart Guide).

Log in using an admin account (the default admin account has the username admin and no password). Set a password for this account before the unit carries production traffic; in Transparent mode its management IP is reachable from every bridged port, including the Internet-facing one.

 

Go to the Dashboard and enter the following commands into the CLI Console widget, substituting your own IP addresses where necessary. The management IP must be on the subnet of the router that will act as its gateway:

config system settings
  set opmode transparent
  set manageip 192.168.200.111 255.255.255.0
  set gateway 192.168.200.99
end

You can now access the FortiGate using the new Management IP address (in the example, https://192.168.200.111). In Transparent mode this is the unit’s only IP address; the interfaces themselves no longer carry addresses, and the FortiGate bridges traffic between them at layer 2.

Go to the Dashboard. The System Information widget shows the Operation Mode is Transparent.

 

 

2. (Optional) Setting the FortiGate’s DNS servers

The FortiGate unit’s DNS Settings are set to use FortiGuard DNS servers by default, which is sufficient for most networks. However, if you need to change the DNS servers, go to Network > DNS, select Specify, and add Primary and Secondary DNS servers.

 

3. Creating a policy to allow traffic from the internal network to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy. Give the policy a Name that indicates that the policy will be for traffic to the Internet (in the example, Internet).

Set the Incoming Interface to the internal interface (called internal on some FortiGate models) and the Outgoing Interface to the Internet-facing interface (typically wan1). Set Source, Schedule, and Services as required.

Make sure the Action is set to ACCEPT. In Transparent mode the FortiGate still matches every bridged flow against a policy, so traffic with no matching ACCEPT policy is dropped even though no routing or NAT takes place.

 

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

 

4. Connecting the network devices

Go to the Dashboard and locate the System Resources widget. Select Shutdown to power off the FortiGate unit.

Alternatively, you can enter the following command in the CLI Console:

execute shutdown

Wait until all the lights, except for the power light, on your FortiGate have turned off. If your FortiGate has a power button, use it to turn the unit off. Otherwise, unplug the unit.

You can now connect the FortiGate unit between the internal network and the router.

Connect the wan1 interface to the router’s internal interface and connect the internal network to the FortiGate’s internal interface port.

 

Power on the FortiGate unit.
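The steps above, collected into one FortiOS CLI configuration that can be pasted into the CLI Console widget. This is an added example, not the recipe’s own configuration: the IP addresses are the ones used in step 1 and the interface names internal and wan1 follow step 3, while the admin password, the DNS server addresses (FortiGuard’s public resolvers), the allowaccess settings and the optional DHCP policy are additions of this example and should be adapted to your own network.

```fortios
# Step 1: switch to Transparent mode. The management IP is the unit's only
# address; the gateway is the router on the same subnet (recipe values).
config system settings
    set opmode transparent
    set manageip 192.168.200.111 255.255.255.0
    set gateway 192.168.200.99
end

# Added: give the default admin account a password (it ships without one).
config system admin
    edit "admin"
        set password "Replace-With-A-Strong-Passphrase"
    next
end

# Step 2 (optional): resolvers used by the FortiGate itself.
# These are FortiGuard's public resolvers; substitute your own if required.
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end

# Added hardening: in Transparent mode the management IP answers on every
# bridged port, so allow HTTPS/SSH only on the internal interface.
config system interface
    edit "wan1"
        set allowaccess ping
    next
    edit "internal"
        set allowaccess ping https ssh
    next
end

# Step 3: internal -> Internet policy with all sessions logged.
# "edit 0" lets the FortiGate assign the next free policy ID.
config firewall policy
    edit 0
        set name "Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Assumption (not from the recipe): if hosts on the internal side get their
# addresses from a DHCP server beyond wan1, the server's broadcast replies
# start a new wan1 -> internal session and need a policy of their own.
# Verify this against your FortiOS release before relying on it.
config firewall policy
    edit 0
        set name "DHCP-replies"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DHCP"
        set logtraffic all
    next
end

# After power-on and re-cabling, verify from the CLI:
#   get system status                        -> Operation Mode: Transparent
#   diagnose netlink brctl name host root.b  -> MAC table of the root bridge
#   diagnose sys session list                -> live sessions and matched policy ID

# Step 4: shut down cleanly before moving the cables.
execute shutdown
```

The password and allowaccess lines are the security-relevant additions: step 1 leaves the default admin account without a password, and once the unit bridges traffic its management IP is reachable from the wan1 side as well as from the internal side, so administrative services should be restricted to the interface you actually manage it from.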

5. Results

You can now browse the Internet using any computer that connects to the FortiGate’s internal interface.

You can view information about the traffic being processed by your FortiGate by going to FortiView > All Sessions and selecting the now view.

Select Add Filter and filter for Policy, selecting the name of your new policy. Only traffic flowing through the new policy is displayed.

 

 

Note: some FortiGate models include an IPv4 security policy in the default configuration. If you have one of these models, edit it to include the logging options shown in step 3, then proceed to the results section.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
  • Mike Compton

    I am trying to set the FortiGate 61E in transparent mode between a cable modem and a Google Wifi in a mesh configuration. Will this work? I think that I have the configuration right but it doesn’t appear to work as expected. The cable modem is on wan1 and the Google Wifi is on lan1. I have a rule that allows all from lan1 to wan1; however, the Google Wifi never receives an IP from the cable modem via DHCP in this configuration.

    • Ismael Rivera

      I had the same problem connecting a Cisco router to the wan1 interface. DHCP messages don’t seem to be reaching either the router or the PCs. If you were to connect the modem to one of the lan ports it will work, but logging traffic with web filter and application control isn’t functioning for me in this configuration. Strange thing is, I had IP phones able to get DHCP assignments while the router was on wan1.

  • Mansur

    Hi,

    I am using a PPPoE internet connection on a D-Link router, and I have a FortiGate 50E. I need to use the PPPoE connection on the D-Link router, and I need VPN access and other policies enabled on the FortiGate 50E. Is it possible? Do you have a video link?

  • Sinisa Jovanovic

    Can we use public IPs for both the management IP and the internal NIC (different IPs, of course) in transparent mode?

  • Emanuel X

    Hi, can I put a public IP address and a private IP address in the same segment (over the same switch) with this mode? Thanks.

  • Rohit

    Do the HA and UTM features work in transparent mode?

  • Hawaiian Telcom – Managed Serv

    Does the Fortigate do SSL decryption while in transparent mode?

    • Kerrie Newton

      Hello,

      SSL inspection while in transparent mode works in FortiOS 5.4.2 and up.

      Kerrie

  • James

    In this mode, can we still have the FortiGate log everything to our FortiAnalyzer?

    • Kerrie Newton

      Hi James,

      Yes, a FortiGate running in transparent mode can still log to a FortiAnalyzer

      Kerrie

  • Alip

    I tried it on a VM but it doesn’t run very well. It gets stuck when I save the config. Please help. Thank you.

    • Victoria Martin

      Hello Alip,

      If you want to use your FortiGate-VM in transparent mode, your VMware server’s virtual switches must operate in promiscuous mode. Please refer to the VM installation guide, page 19, for more information: http://docs.fortinet.com/uploaded/files/2324/fortigate-vm-install-52.pdf

      If your switches are already in promiscuous mode, then I would suggest you contact Support so they can take a look at your configuration. We have an article about working with Support that you may find useful: http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

      I hope that helps!

      • Ilyas Trance Ambient

        Hello, does a transparent-mode FortiGate-VM work with a VMware vSwitch mapped to PNICs (physical, not virtual, NICs via PCI passthrough)?
        Or are PNICs via PCI passthrough relevant only to NAT mode on a FortiGate-VM?

  • Salman Saleem

    1. Do I try to sign back in to the FortiGate through the “lan” interface, or should I do it on the “mgmt” port and then go on to the “management IP” I specified?
    2. I’m currently doing this on a separate VDOM, so I don’t seem to see the “DNS servers” option in the Network settings. So can I still force SafeSearch on Google and YouTube while having my VDOM work in transparent mode, or are these recursive DNS queries processed only in NAT mode?
    Thanks for the help.

    • Victoria Martin

      Hello Salman,

      1. Once the FortiGate is in Transparent mode, you must use the Management IP to connect to it (or, in the case of a VDOM, you can connect to the root VDOM).

      2. When a VDOM is in transparent mode, there is no DNS server, so unfortunately you will not be able to use the DNS method to force Safe Search. You can however use full SSL inspection, as mentioned in the recipe about blocking adult content: http://cookbook.fortinet.com/blocking-adultmature-content-google-safesearch/

      • Salman Saleem

        Thanks! If there were no VDOM and it was still in transparent mode, would I get the option for the DNS servers?

        • Victoria Martin

          To use a DNS server, you need to be in NAT/Route mode.

          • Roger

            Hi Victoria,

            Considering that my provider will be doing NAT/routing through their managed firewall, I would like to use transparent mode in order to have some visibility and control within my internal LAN. I can see above that some people are having issues connecting a router to the Fortinet, therefore I would like to ask you the following:

            My provider will be delivering a 100 MB fiber connection (main) and another 20 MB ADSL redundancy link. Obviously the Cisco router with the main link will be giving an Ethernet cable for the 100 MB fiber link, and the modem will be giving another one (ADSL redundancy). The configuration above seems simple: pretty much I have to get the DNS from my provider (coming from the Cisco router, fiber link) as well as the router IP, which the Fortinet will be using as a gateway. Is there any way to make sure that the tutorial above is giving the whole info required to make it work? Another question: I am checking a 60E unit, which according to the specs would handle well a network office with 90/100 users; I am referring to performance and no freeze-ups that could slow down the network. I really want to show the customer how good the Fortinet unit is for reporting and control within their network, as I explained to my customer that providers will manage their link to a certain extent, which will not include the internal network. I want to know more details about features like sandbox and reports; could you please get back to me with that?

          • Victoria Martin

            Hi Roger,

            Your scenario sounds like a good match for this recipe. For performance information, you’ll need to refer to datasheets or speak with your salesperson to make sure the 60E is the right fit.