FortiGate Version 4.0 Administration Guide, System Network, page 154 (01-400-89802-20090424)
8 Select OK.
The FortiGate unit adds the new VLAN subinterface to the interface that you selected in step .
To add firewall policies for a VLAN subinterface
After you add a VLAN subinterface, you can add firewall policies for connections between VLAN subinterfaces or from a VLAN subinterface to a physical interface.
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets. See “About firewall addresses” on page 345.
3 Go to Firewall > Policy.
4 Configure firewall policies as required.
VLANs in Transparent mode
In Transparent mode, the FortiGate unit can apply firewall policies and services, such as authentication, protection profiles, and other firewall features, to traffic on an IEEE 802.1 VLAN trunk. You can insert the FortiGate unit into the trunk without making changes to the network. In a typical configuration, the FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal VLANs. The FortiGate external interface forwards tagged packets through the trunk to an external VLAN switch or router that can be connected to the Internet. The FortiGate unit can be configured to apply different policies for traffic on each VLAN in the trunk.
For VLAN traffic to be able to pass between the FortiGate internal and external interface, you add a VLAN subinterface to the internal interface and another VLAN subinterface to the external interface. If these VLAN subinterfaces have the same VLAN IDs, the FortiGate unit applies firewall policies to the traffic on this VLAN. If these VLAN subinterfaces have different VLAN IDs, or if you add more than two VLAN subinterfaces, you can also use firewall policies to control connections between VLANs.
If the network uses IEEE 802.1 VLAN tags to segment your network traffic, you can configure a FortiGate unit to provide security for network traffic passing between different VLANs. To support VLAN traffic in Transparent mode, you add virtual domains to the FortiGate unit configuration. A virtual domain consists of two or more VLAN subinterfaces or zones. In a virtual domain, a zone can contain one or more VLAN subinterfaces.
When the FortiGate unit receives a VLAN tagged packet at an interface, the packet is directed to the VLAN subinterface with the matching VLAN ID. The VLAN subinterface removes the VLAN tag and assigns a destination interface to the packet based on its destination MAC address. The firewall policies for the source and destination VLAN subinterface pair are applied to the packet. If the packet is accepted by the firewall, the FortiGate unit forwards the packet to the destination VLAN subinterface. The destination VLAN ID is added to the packet by the FortiGate unit and the packet is sent to the VLAN trunk.
Figure 77 shows a FortiGate unit operating in Transparent mode with 2 virtual domains and configured with three VLAN subinterfaces.
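The packet flow just described (tag matched to a subinterface, tag removed, destination chosen by MAC address, source/destination subinterface policy applied, destination VLAN ID re-added) and the address-then-policy procedure above, modelled as an added Python example. This is not FortiGate code and not from this guide: the subinterface names, MAC addresses, IP addresses and the single accept policy are constructed for the illustration, unknown destination MACs are dropped rather than flooded, and only IPv4 payloads are inspected. Everything not matched by a policy falls through to an implicit deny.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ETHERTYPE_8021Q, ETHERTYPE_IPV4 = 0x8100, 0x0800

@dataclass
class Frame:
    dst_mac: bytes
    src_mac: bytes
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes

def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame; record and strip the 802.1Q tag if present."""
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    vlan_id, offset = None, 14
    if etype == ETHERTYPE_8021Q:
        tci, etype = struct.unpack("!HH", raw[14:18])
        vlan_id, offset = tci & 0x0FFF, 18   # low 12 bits of the TCI are the VLAN ID
    return Frame(dst, src, vlan_id, etype, raw[offset:])

def build_frame(frame: Frame, vlan_id: Optional[int]) -> bytes:
    """Serialise a frame, inserting an 802.1Q tag for vlan_id (untagged if None)."""
    hdr = struct.pack("!6s6s", frame.dst_mac, frame.src_mac)
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", frame.ethertype) + frame.payload

def make_ipv4_frame(dst_mac, src_mac, vlan_id, src_ip, dst_ip) -> bytes:
    # Constructed test input: minimal 20-byte IPv4 header carrying the two addresses.
    ip_hdr = (b"\x45\x00" + struct.pack("!HHHBBH", 20, 0, 0, 64, 6, 0)
              + ip_address(src_ip).packed + ip_address(dst_ip).packed)
    return build_frame(Frame(dst_mac, src_mac, None, ETHERTYPE_IPV4, ip_hdr), vlan_id)

@dataclass
class Policy:
    src_intf: str   # source and destination VLAN subinterfaces
    dst_intf: str
    src_addr: str   # firewall address objects, as CIDR
    dst_addr: str
    action: str     # "accept" or "deny"

@dataclass
class Verdict:
    action: str             # "accept", "deny" (policy) or "drop" (no subinterface / MAC)
    reason: str
    egress: Optional[str]   # physical interface the re-tagged frame leaves on
    frame: Optional[bytes]

class TransparentVlanFirewall:
    """One Transparent-mode VDOM bridging VLAN subinterfaces with policy enforcement."""
    def __init__(self, subifs: dict, policies: list):
        self.subifs = subifs                  # name -> (physical interface, VLAN ID)
        self.by_key = {v: k for k, v in subifs.items()}
        self.policies = policies
        self.mac_table = {}                   # learned MAC -> subinterface name

    def match_policy(self, src, dst, src_ip, dst_ip) -> Optional[Policy]:
        for p in self.policies:               # first match wins, as in the policy table
            if (p.src_intf, p.dst_intf) == (src, dst) and \
                    src_ip in ip_network(p.src_addr) and dst_ip in ip_network(p.dst_addr):
                return p
        return None                           # no match: implicit deny

    def forward(self, ingress: str, raw: bytes) -> Verdict:
        f = parse_frame(raw)
        if f.vlan_id is None:
            return Verdict("drop", "untagged frame: no VLAN subinterface matches", None, None)
        src_subif = self.by_key.get((ingress, f.vlan_id))
        if src_subif is None:
            return Verdict("drop", "no subinterface for VLAN %d on %s" % (f.vlan_id, ingress), None, None)
        self.mac_table[f.src_mac] = src_subif  # bridge learning (unauthenticated, as on any switch)
        dst_subif = self.mac_table.get(f.dst_mac)
        if dst_subif is None or f.ethertype != ETHERTYPE_IPV4:
            return Verdict("drop", "destination MAC not learned or non-IPv4 (not modelled)", None, None)
        src_ip, dst_ip = ip_address(f.payload[12:16]), ip_address(f.payload[16:20])
        pol = self.match_policy(src_subif, dst_subif, src_ip, dst_ip)
        if pol is None or pol.action != "accept":
            return Verdict("deny", "no accept policy for %s -> %s" % (src_subif, dst_subif), None, None)
        egress, egress_vid = self.subifs[dst_subif]   # destination VLAN ID is re-added on egress
        return Verdict("accept", "policy %s -> %s" % (src_subif, dst_subif), egress, build_frame(f, egress_vid))

HOST_MAC, SERVER_MAC, LAB_MAC = (bytes.fromhex("02000000000" + d) for d in "123")

def demo() -> dict:
    """Constructed scenario: VLAN 100 internal -> external is allowed, VLAN 200 is not."""
    fw = TransparentVlanFirewall(
        {"internal_v100": ("internal", 100), "external_v100": ("external", 100),
         "internal_v200": ("internal", 200)},
        [Policy("internal_v100", "external_v100", "10.1.100.0/24", "0.0.0.0/0", "accept")])
    # Two frames whose only purpose is to populate the MAC table.
    fw.forward("external", make_ipv4_frame(HOST_MAC, SERVER_MAC, 100, "203.0.113.10", "10.1.100.5"))
    fw.forward("internal", make_ipv4_frame(SERVER_MAC, LAB_MAC, 200, "10.1.200.7", "203.0.113.10"))
    send = lambda vid, mac, src: fw.forward("internal", make_ipv4_frame(SERVER_MAC, mac, vid, src, "203.0.113.10"))
    return {"v100_to_server": send(100, HOST_MAC, "10.1.100.5"),     # accept, re-tagged VLAN 100
            "v200_to_server": send(200, LAB_MAC, "10.1.200.7"),      # deny: no policy for that pair
            "spoofed_src": send(100, HOST_MAC, "192.168.9.9"),       # deny: source address mismatch
            "untagged": send(None, HOST_MAC, "10.1.100.5")}          # drop: no subinterface match
```

The model keys the MAC table by subinterface rather than by physical port, which is what lets a frame from one VLAN ID be delivered to a subinterface with a different VLAN ID when a policy permits it; with matching IDs on both sides, as in the typical trunk deployment, the egress tag simply equals the ingress tag. The address-object check in match_policy is what step 2 of the procedure provides: a host on the right VLAN but with an address outside the firewall address object is still denied.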
Note: There is a maximum of 255 interfaces total allowed per VDOM in Transparent mode. This includes VLANs. If no other interfaces are configured for a VDOM, you can configure up to 255 VLANs in that VDOM.