Transparent Web Filtering Using a Virtual Wire Pair


This cookbook recipe shows how to insert FortiGate transparent web filtering between two network devices.  The FortiGate is configured with a management interface and Virtual Wire (V-Wire) pair connected between a network switch and router.  Once inserted between the network devices, V-Wire policy and web-filtering are configured to allow and inspect traffic. 

In this example, Port 1 is used for management, and Ports 2 and 3 are configured as the virtual wire pair.

1. Configure the management interface

Port 1 is chosen to be the management interface. If the management interface isn’t already configured, it can be configured through the CLI.

Using a console cable, access the Fortinet command line interface, and configure the management port IP address, default gateway, and DNS.

At the CLI prompt, enter:

config system interface
    edit port1
        set ip 172.31.1.254/24
    next
end

config router static
    edit 1
        set gateway 172.31.1.1
        set device port1
    next
end

config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end

Once the management IP address is set, access the FortiGate login screen using the new management IP address.

2. Configure the Virtual Wire Pair

On the FortiGate, go to Network > Interface.

Select Create New > Virtual Wire Pair.

 

In the New Virtual Wire page, assign the interface name, assign the interface members, and select Wild Card VLAN if multiple VLANs are being used on the connection.

 

3. Configure the Virtual Wire Pair Policy & Enable Web Filtering

On the FortiGate, go to Policy & Objects > IPv4 Virtual Wire Pair Policy. 

Create a new policy, assign the policy name, select bidirectional traffic flow (dual arrows) for the wire pair, and assign the Source, Destination, Schedule, Service, and Action as needed. 

Under Security Profiles, enable Web Filter and select the applicable web filter profile.

4.  Results

Once the virtual wire policy is created, traffic should now flow through the virtual wire pair and web filtering should be enabled. 

Traffic can be verified by going to FortiView > All Sessions and reviewing the source and destination ports. Traffic should be visible flowing across ports 2 and 3.
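
FortiView confirms that traffic crosses the wire pair, but not that every policy allowing it is filtered. The following check is an added example, not part of the original recipe or any Fortinet tooling: it scans a configuration backup for accept policies on the wire-pair ports that have no web filter profile. The sample configuration is constructed, and the section and setting names (system virtual-wire-pair, member, srcintf, dstintf, webfilter-profile) are assumed to be the CLI form of the GUI steps above.

```python
import shlex

# Constructed sample of a FortiOS configuration backup (not from the page).
SAMPLE = """
config system virtual-wire-pair
    edit "vwp1"
        set member "port2" "port3"
    next
end
config firewall policy
    edit 1
        set srcintf "port2" "port3"
        set dstintf "port2" "port3"
        set action accept
        set utm-status enable
        set webfilter-profile "default"
    next
    edit 2
        set srcintf "port2"
        set dstintf "port3"
        set action accept
    next
end
"""

def parse_section(config, header):
    """Return {entry: {setting: [values]}} for one flat top-level config block."""
    entries, current, active = {}, None, False
    for line in map(str.strip, config.splitlines()):
        if not active:
            active = line == "config " + header
        elif line == "end":
            break
        elif line.startswith("edit "):
            current = entries.setdefault(shlex.split(line)[1], {})
        elif line.startswith("set ") and current is not None:
            _, key, *values = shlex.split(line)
            current[key] = values
    return entries

def unfiltered_wire_policies(config):
    """IDs of accept policies on wire-pair ports that lack a web filter profile."""
    pairs = parse_section(config, "system virtual-wire-pair").values()
    members = {port for pair in pairs for port in pair.get("member", [])}
    return [pid for pid, pol in parse_section(config, "firewall policy").items()
            if members & set(pol.get("srcintf", []) + pol.get("dstintf", []))
            and pol.get("action") == ["accept"]
            and not pol.get("webfilter-profile")]
```

With the constructed sample, policy 2 is reported because it allows traffic between port2 and port3 without a web filter profile.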

 

 

Tony Russi

Systems Engineer at Fortinet
Tony Russi is a Systems Engineer working for the Enterprise SE team. An Air Force veteran, he has over 25 years of experience in networking and security. Look for more articles coming up!