Port pairing in Transparent mode

When you create a port pair, all traffic accepted by one of the paired interfaces can only exit out the other interface. Restricting traffic in this way simplifies your FortiGate configuration because security policies between these interfaces are pre-configured.

In this example you will create a wan1 to Internal port pair to make it easier to allow access to a web server protected by a FortiGate in Transparent mode. In this unusual configuration, the web server is connected to the FortiGate’s wan1 interface and the FortiGate’s Internal interface is connected to an internal network. Users on the internal network access the web server through the FortiGate.

Traffic between port-paired interfaces does not check the bridge table and MAC addresses are not learned. Instead, traffic received by one interface in a port pair is forwarded out the other (if allowed by a firewall policy). This makes port pairing useful for unusual topologies where MAC addresses do not behave normally. For example, port pairing can be used in a Direct Server Return (DSR) topology, where the response's MAC address pair may not match the request's MAC address pair.


1. Switching the FortiGate unit to transparent mode and adding a static route

Go to System > Dashboard > Status.

In the System Information widget, select Change beside Operation Mode.

Change the Operation Mode to Transparent. Add a Management IP/Netmask. Also add a Default Gateway for your network so that the FortiGate unit can connect to the Internet.


2. Creating an internal and wan1 port pair

Go to System > Network > Interfaces.

Select Create New > Port Pair. Create a port pair that includes the internal and wan1 interfaces.

All traffic accepted by the internal interface can only exit out of the wan1 interface.



3. Creating security policies

Go to Policy & Objects > Policy > IPv4.

Create a security policy that allows internal users to access the protected web server using HTTP and HTTPS.


Create a second security policy that allows connections from the web server to the internal network and to the Internet using any service.
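The same three steps expressed as FortiOS CLI commands, added here as an example that is not part of the original recipe: the management IP, gateway, pair name and policy IDs are constructed placeholders, and the `config system port-pair` syntax is an assumption to check against your version's CLI reference.

```fortios
# Step 1: switch to Transparent mode and set the management IP and default gateway.
# 192.0.2.99/24 and 192.0.2.1 are constructed placeholders; use your own values.
config system settings
    set opmode transparent
    set manageip 192.0.2.99/24
    set gateway 192.0.2.1
end

# Step 2: pair internal and wan1. Traffic accepted on one member can only
# leave through the other; the bridge table is not consulted for this pair.
# (port-pair syntax assumed from the 5.2 CLI; pair name is a placeholder)
config system port-pair
    edit "internal-wan1"
        set member "internal" "wan1"
    next
end

# Step 3: security policies. Policy IDs 1 and 2 are placeholders.
config firewall policy
    # Internal users -> protected web server, HTTP and HTTPS only.
    # Narrow dstaddr to an address object for the server if you have one.
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
    # Web server -> internal network and Internet, any service.
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

`set logtraffic all` on both policies is what makes the sessions appear under Log & Report > Traffic Log > Forward Traffic in the Results step.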


4. Results

Connect to the web server from the internal network and surf the Internet from the server itself.

Go to Log & Report > Traffic Log > Forward Traffic to verify that there is traffic from the internal to wan1 interface.

Select an entry for details.


Go to Policy & Objects > Monitor > Policy Monitor to view the active sessions.  

For further reading, check out Interfaces in the FortiOS 5.2 Handbook.

Bill Dickie

Technical Writer at Fortinet
After completing a science degree at the University of Waterloo, Bill began his professional life teaching college chemistry in Corner Brook, Newfoundland and fell into technical writing after moving to Ottawa in the mid '80s. Tech writing stints at all sorts of companies finally led to joining Fortinet to write the first FortiGate-300 Administration Guide.
If the Management IP is the same as the IP address that you logged into the FortiGate unit with, you will remain logged in after the operation mode has changed. Otherwise, log into the FortiGate unit using the management IP (in the example,