Transparent web filtering using a virtual wire pair

This cookbook recipe shows how to insert FortiGate transparent web filtering between two network devices. The FortiGate is configured with a management interface and a Virtual Wire (V-Wire) pair connected between a network switch and a router. Once the FortiGate is inserted between the network devices, a V-Wire policy and web filtering are configured to allow and inspect traffic.

In this example, Port 1 is used for management, and Ports 2 and 3 are configured as the virtual wire pair.

1. Configure the management interface

Port 1 is chosen to be the management interface. If the management interface isn’t already configured, it can be configured through the CLI.

Using a console cable, access the Fortinet command line interface, and configure the management port IP address, default gateway, and DNS.

At the CLI prompt, enter:

config system interface
    edit port1
        set ip <management_ip> <netmask>
    next
end

config router static
    edit 1
        set gateway <gateway_ip>
        set device port1
    next
end

config system dns
    set primary <primary_dns_ip>
    set secondary <secondary_dns_ip>
end

Once the management IP address is set, access the FortiGate login screen using the new management IP address.

2. Configure the Virtual Wire Pair

On the FortiGate, go to Network > Interface.

Select Create New > Virtual Wire Pair.


In the New Virtual Wire page, assign the interface name, assign the interface members, and select Wild Card VLAN if multiple VLANs are being used on the connection.


3. Configure the Virtual Wire Pair Policy & Enable Web Filtering

On the FortiGate, go to Policy & Objects > IPv4 Virtual Wire Pair Policy. 

Create a new policy, assign the policy name, select bidirectional traffic flow (dual arrows) for the wire pair, and assign the Source, Destination, Schedule, Service, and Action as needed. 

Under Security Profiles, enable Web Filter and select the applicable policy.
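
The CLI equivalent of steps 2 and 3, as an added example that is not part of the original recipe. The pair name "vwp1", the policy name, and the use of the built-in "default" web filter and "certificate-inspection" SSL profiles are assumptions, as is a FortiOS release that keeps virtual wire pair policies under config firewall policy.

```fortios
# Added example: names and profile choices below are assumptions.

# Step 2: bind ports 2 and 3 into a virtual wire pair.
config system virtual-wire-pair
    edit "vwp1"
        set member "port2" "port3"
        # Only needed when multiple VLANs cross the wire.
        set wildcard-vlan enable
    next
end

# Step 3: one bidirectional policy with web filtering attached.
config firewall policy
    # edit 0 takes the next free policy ID.
    edit 0
        set name "vwp-web-filter"
        # Listing both members on each side allows both directions.
        set srcintf "port2" "port3"
        set dstintf "port2" "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Security profiles are ignored unless utm-status is enabled.
        set utm-status enable
        set webfilter-profile "default"
        # Certificate inspection lets the web filter rate HTTPS sites
        # without decrypting the payload.
        set ssl-ssh-profile "certificate-inspection"
        # Log every session so filtered traffic can be reviewed.
        set logtraffic all
    next
end
```

Running show firewall policy afterwards confirms that the web filter profile is attached to the policy covering both wire pair members.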

4. Results

Once the virtual wire policy is created, traffic should now flow through the virtual wire pair and web filtering should be enabled. 

Traffic can be verified by going to FortiView > All Sessions and reviewing the source and destination ports. Traffic should be visible flowing across ports 2 and 3.