
Fortinet FortiGate-800 User Manual

Page 148


Fortinet Inc.

Virtual domains in Transparent mode

Network configuration

To support VLANs in Transparent mode, you add virtual domains to the FortiGate unit.
A virtual domain contains at least two VLAN subinterfaces. For VLAN traffic to pass
between the FortiGate internal and external interfaces, you add a VLAN subinterface
to the internal interface and another VLAN subinterface to the external interface. If
these VLAN subinterfaces have the same VLAN ID, the FortiGate unit applies firewall
policies to the traffic on this VLAN. If these VLAN subinterfaces have different VLAN
IDs, or if you add more than two VLAN subinterfaces to the virtual domain, you can
also use firewall policies to control connections between VLANs.

When the FortiGate unit receives a VLAN-tagged packet at an interface, the packet is
directed to the VLAN subinterface with the matching VLAN ID. The VLAN subinterface
removes the VLAN tag and assigns a destination interface to the packet based on its
destination MAC address. The firewall policies for this source and destination VLAN
subinterface pair are applied to the packet. If the firewall accepts the packet, the
FortiGate unit forwards it to the destination VLAN subinterface. The destination VLAN
ID is added to the packet and it is sent out on the VLAN trunk.

When a packet enters a virtual domain on the FortiGate unit, it is confined to that
virtual domain. In a given domain, you can only create firewall policies for connections
between VLAN subinterfaces or zones in the virtual domain. The packet never
crosses the virtual domain border.

The FortiGate-800 supports 64 virtual domains.
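The packet flow described above, as an added Python model of a Transparent-mode unit (this is illustrative code, not Fortinet's implementation): the subinterface names, MAC addresses, policies and the pre-learned MAC table are constructed sample values, and the second virtual domain bridges VLAN 2 to VLAN 3 to show the different-VLAN-ID case.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType that marks an 802.1Q VLAN tag

@dataclass(frozen=True)
class VlanSubif:
    name: str
    parent: str   # physical interface the subinterface hangs off: "internal" or "external"
    vlan_id: int
    vdom: str     # virtual domain the subinterface belongs to

class TransparentVdomBridge:
    """Constructed model of the forwarding steps in the manual; not Fortinet code."""

    def __init__(self, subifs, policies, mac_table):
        self.subifs = {s.name: s for s in subifs}
        self.policies = policies      # {(src_subif, dst_subif): "accept" | "deny"}
        self.mac_table = mac_table    # dst MAC -> subinterface it was learned on

    def forward(self, ingress, frame):
        """Return ("forward", egress_interface, retagged_frame) or ("drop", reason)."""
        dst_mac, _src_mac, tpid = struct.unpack("!6s6sH", frame[:14])
        if tpid != TPID_8021Q:
            return ("drop", "untagged frame matches no VLAN subinterface")
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        # 1. Direct the packet to the subinterface on this interface with the matching VLAN ID.
        src_if = next((s for s in self.subifs.values()
                       if s.parent == ingress and s.vlan_id == vid), None)
        if src_if is None:
            return ("drop", f"no VLAN subinterface for VID {vid} on {ingress}")
        untagged = frame[:12] + frame[16:]          # 2. strip the 802.1Q tag
        # 3. Choose the destination subinterface from the destination MAC; the packet
        #    stays inside the virtual domain it entered, so a MAC learned in another
        #    virtual domain is unreachable.
        dst_if = self.subifs.get(self.mac_table.get(dst_mac, ""))
        if dst_if is None or dst_if.vdom != src_if.vdom:
            return ("drop", "destination is outside this virtual domain")
        # 4. Apply the policy for the source/destination subinterface pair; default deny.
        if self.policies.get((src_if.name, dst_if.name), "deny") != "accept":
            return ("drop", f"no accept policy for {src_if.name}->{dst_if.name}")
        # 5. Re-tag with the destination subinterface's VLAN ID and send it to that trunk.
        tag = struct.pack("!HH", TPID_8021Q, dst_if.vlan_id)
        return ("forward", dst_if.parent, untagged[:12] + tag + untagged[12:])

def tagged_frame(dst_mac, src_mac, vid, body=b"\x08\x00" + b"\x00" * 46):
    """Build a minimal 802.1Q-tagged Ethernet frame (constructed test input)."""
    return dst_mac + src_mac + struct.pack("!HH", TPID_8021Q, vid) + body

# Constructed sample: vdom1 passes VLAN 1 straight through; vdom2 maps VLAN 2 to VLAN 3.
SUBIFS = [VlanSubif("int_v1", "internal", 1, "vdom1"), VlanSubif("ext_v1", "external", 1, "vdom1"),
          VlanSubif("int_v2", "internal", 2, "vdom2"), VlanSubif("ext_v3", "external", 3, "vdom2")]
HOST_B, HOST_C = bytes.fromhex("0200000000b1"), bytes.fromhex("0200000000c1")
POLICIES = {("int_v1", "ext_v1"): "accept", ("int_v2", "ext_v3"): "accept"}
MAC_TABLE = {HOST_B: "ext_v1", HOST_C: "ext_v3"}  # stand-in for the learned bridge table
BRIDGE = TransparentVdomBridge(SUBIFS, POLICIES, MAC_TABLE)
```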

Virtual domain properties

Configuring a virtual domain

Adding firewall policies for virtual domains

Deleting virtual domains

Figure 31: FortiGate unit with two virtual domains

[Figure: a VLAN switch or router on the Internal side and another on the External side (connected to the Internet) are each joined to the FortiGate unit by a VLAN trunk carrying VLAN1, VLAN2 and VLAN3. Inside the FortiGate unit, Virtual Domain 1 and Virtual Domain 2 each apply content filtering, antivirus and NIDS to the VLAN subinterfaces they contain.]