Installing a FortiGate in Transparent mode

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

In this example, you will learn how to connect and configure a new FortiGate unit in Transparent mode to securely connect a private network to the Internet.

Transparent mode is used if you want to apply security scanning to traffic without applying routing or network address translation (NAT), such as when a FortiGate is used as an Internal Segmentation Firewall (ISFW).

Find this recipe for other FortiOS versions
5.2 | 5.4

1. Changing the FortiGate’s operation mode

From the PC on the internal network, connect to the FortiGate’s web-based manager using either FortiExplorer or an Internet browser (for information about connecting to the web-based manager, please see your models QuickStart Guide).

Login using an admin account (the default admin account has the username admin and no password).

 

Go to the Dashboard and enter the following command into the CLI console widget, substituting your own IP addresses where necessary:

config system settings
  set opmode transparent
  set manageip 192.168.200.111 255.255.255.0
  set gateway 192.168.200.99
end

You can now access the FortiGate using the new Management IP address (in the example, https://192.168.200.111).

Go to the Dashboard. The System Information widget shows the Operation Mode is Transparent.

 

 

2. (Optional) Setting the FortiGate’s DNS servers

The FortiGate unit’s DNS Settings are set to use FortiGuard DNS servers by default, which is sufficient for
most networks. However, if you need to change the DNS servers, go to Network > DNS, select Specify, and add Primary and Secondary DNS servers.

 

3. Creating a policy to allow traffic from the internal network to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy. Give the policy a Name that indicates that the policy will be for traffic to the Internet (in the example, Internet).

Set the Incoming Interface to the internal interface (called internal on some FortiGate models) and the Outgoing Interface to the Internet-facing interface (typically wan1). Set Source, Schedule, and Services as required.

Make sure the Action is set to ACCEPT.

 

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

 

4. Connecting the network devices

Go to the Dashboard and locate the System Resources widget. Select Shutdown to power off the FortiGate unit.

Alternatively, you can enter the following command in the CLI Console:

execute shutdown

Wait until all the lights, except for the power light, on your FortiGate have turned off. If your FortiGate has a power button, use it to turn the unit off. Otherwise, unplug the unit.

You can now connect the FortiGate unit between the internal network and the router.

Connect the wan1 interface to the router internal interface and connect the internal network to the FortiGate internal interface port.

 

Power on the FortiGate unit.

5. Results

You can now browse the Internet using any computer that connects to the FortiGate’s internal interface.

You can view information about the traffic being processed by your FortiGate by going to FortiView > All Sessions and selecting the now view.

Select Add Filter and filter for Policy, selecting the name of your new policy. Only traffic flowing through the new policy is displayed.

 

 

Victoria Martin

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

  • Was this helpful?
  • Yes   No
Some FortiGate models include an IPv4 security policy in the default configuration. If you have one of these models, edit it to include the logging options shown below, then proceed to the results section.
  • Sinisa Jovanovic

    Can we use Public IP(s) for both management IP as well as on internal NIC ( different IP’s ofcourse ) in transparent mode?

  • Emanuel X

    Hi

    HI can put Public IP Address and Private IP Address in the same segment(over the same switch) with this mode ?? thanks

  • Rohit

    Does the HA and UTM feature will work in transparent mode????

  • Hawaiian Telcom – Managed Serv

    Does the Fortigate do SSL decryption while in transparent mode?

    • Kerrie Newton

      Hello,

      SSL inspection while in transparent mode works in FortiOS 5.4.2 and up.

      Kerrie

  • James

    In this mode, can we still have the FortiGate log everything to our FortiAnalyzer?

    • Kerrie Newton

      Hi James,

      Yes, a FortiGate running in transparent mode can still log to a FortiAnalyzer

      Kerrie

  • Alip

    I try it to VM but it doesn’t run very well. it stack when I save config. please help. thankyou.

  • Salman Saleem

    1.Do i try to sign back in to the fortigate through the “lan” interface or should i do it on the “mgmt” port and then go on to the “management ip” I specified?
    2.I’m currently doing this on a separate Vdom, so i dont seem to see the “dns servers” option in the Network settings. So can i still force safe search on google and youtube while having my vdom work on Transparent mode, or are these recursive dns queires processed only on NAT mode?
    Thanks for the help..

    • Victoria Martin

      Hello Salman,

      1. Once the FortiGate is in Transparent mode, you must use the Management IP to connect to it (or, in the case of a VDOM, you can connect to the root VDOM).

      2. When a VDOM is in transparent mode, there is no DNS server, so unfortunately you will not be able to use the DNS method to force Safe Search. You can however use full SSL inspection, as mentioned in the recipe about blocking adult content: http://cookbook.fortinet.com/blocking-adultmature-content-google-safesearch/

      • Salman Saleem

        Thanks! If there was no VDOM and still in transparent mode, then will I get the option for the dns servers?

        • Victoria Martin

          To use a DNS server, you need to be in NAT/Route mode.