Network configuration

FortiGate-4000 Installation and Configuration Guide, page 153

Virtual domains in Transparent mode

In Transparent mode, the FortiGate unit can apply firewall policies and services, such
as virus scanning, to traffic on an IEEE 802.1 VLAN trunk. A FortiGate unit operating
in Transparent mode can be inserted into the trunk without making changes to the
network. In a typical configuration, the FortiGate internal interface accepts VLAN
packets on a VLAN trunk from a VLAN switch or router connected to the internal
VLANs. The FortiGate external interface forwards the tagged packets through the
trunk to an external VLAN switch or router, which could in turn be connected to the
Internet. The FortiGate unit can be configured to apply different policies to the traffic
on each VLAN in the trunk.

To support VLANs in Transparent mode, you add virtual domains to the FortiGate unit.
A virtual domain contains at least two VLAN subinterfaces. For VLAN traffic to pass
between the FortiGate internal and external interfaces, you add one VLAN subinterface
to the internal interface and another VLAN subinterface to the external interface. If
these two VLAN subinterfaces have the same VLAN ID, the FortiGate unit applies
firewall policies to the traffic on this VLAN. If they have different VLAN IDs, or if you
add more than two VLAN subinterfaces to the virtual domain, you can also use firewall
policies to control connections between VLANs.

When the FortiGate unit receives a VLAN-tagged packet at an interface, the packet is
directed to the VLAN subinterface with the matching VLAN ID. The VLAN subinterface
removes the VLAN tag and assigns a destination interface to the packet based on its
destination MAC address. The firewall policies for this source and destination VLAN
subinterface pair are applied to the packet. If the firewall accepts the packet, the
FortiGate unit forwards it to the destination VLAN subinterface, where the destination
VLAN ID is added to the packet before it is sent out to the VLAN trunk.

When a packet enters a virtual domain on the FortiGate unit, it is confined to that
virtual domain. Within a given virtual domain, you can only create firewall policies for
connections between the VLAN subinterfaces or zones of that virtual domain. The
packet never crosses the virtual domain border.
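The forwarding sequence described in the last two paragraphs (tag lookup, tag removal, destination interface from MAC address, policy check for the subinterface pair, re-tagging, confinement to one virtual domain) can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not Fortinet code and not a description of FortiOS internals. The topology, MAC addresses, bridge table and policies are constructed for the example; the model assumes an unmatched subinterface pair is denied and that the bridge table is already populated.

```python
"""Toy model of Transparent-mode VLAN forwarding across virtual domains (added example)."""
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag


@dataclass(frozen=True)
class Subif:
    """A VLAN subinterface: physical interface plus VLAN ID, owned by one virtual domain."""
    vdom: str
    phys: str      # "internal" or "external"
    vlan_id: int


@dataclass
class Vdom:
    """A virtual domain: its subinterfaces, per-pair policies and a bridge (MAC) table."""
    name: str
    subifs: tuple
    policies: dict = field(default_factory=dict)   # (src Subif, dst Subif) -> "accept" | "deny"
    mac_table: dict = field(default_factory=dict)  # dst MAC -> Subif (constructed, assumed learned)


def parse_tagged_frame(frame: bytes):
    """Split an 802.1Q frame into (dst_mac, src_mac, vlan_id, rest); None if untagged or truncated."""
    if len(frame) < 18:
        return None
    dst, src, tpid, tci = struct.unpack("!6s6sHH", frame[:16])
    if tpid != TPID_8021Q:
        return None
    return dst, src, tci & 0x0FFF, frame[16:]   # low 12 bits of the TCI carry the VLAN ID


def tag_frame(dst: bytes, src: bytes, vlan_id: int, rest: bytes) -> bytes:
    """Build an 802.1Q frame (rest = inner EtherType + payload); also used to re-tag on egress."""
    return struct.pack("!6s6sHH", dst, src, TPID_8021Q, vlan_id & 0x0FFF) + rest


def find_subif(unit: dict, phys: str, vlan_id: int):
    """Step 1: the subinterface whose physical interface and VLAN ID match the arriving frame."""
    for vdom in unit.values():
        for s in vdom.subifs:
            if s.phys == phys and s.vlan_id == vlan_id:
                return s
    return None


def forward(unit: dict, ingress_phys: str, frame: bytes):
    """Return ("forward", egress_phys, retagged_frame) or ("drop", reason)."""
    parsed = parse_tagged_frame(frame)
    if parsed is None:
        return ("drop", "untagged or malformed frame")
    dst_mac, src_mac, vid, rest = parsed          # tag is stripped here
    src_if = find_subif(unit, ingress_phys, vid)
    if src_if is None:
        return ("drop", f"no subinterface for {ingress_phys} VLAN {vid}")
    vdom = unit[src_if.vdom]
    # Step 2: destination interface from the MAC address; the lookup is scoped to this
    # virtual domain only, so a host known in another virtual domain is unreachable.
    dst_if = vdom.mac_table.get(dst_mac)
    if dst_if is None or dst_if == src_if:
        return ("drop", "destination not reachable inside this virtual domain")
    # Step 3: policy for the (source subinterface, destination subinterface) pair.
    if vdom.policies.get((src_if, dst_if), "deny") != "accept":
        return ("drop", f"no accept policy {src_if.phys}/{src_if.vlan_id} -> {dst_if.phys}/{dst_if.vlan_id}")
    # Step 4: re-tag with the destination subinterface's VLAN ID and send to the trunk.
    return ("forward", dst_if.phys, tag_frame(dst_mac, src_mac, dst_if.vlan_id, rest))


# Constructed topology: vd_a bridges VLAN 100 straight through, vd_b bridges VLAN 200 to 300.
MAC_PC = bytes.fromhex("02000000aa01")
MAC_SRV = bytes.fromhex("02000000bb01")
MAC_B_HOST = bytes.fromhex("02000000cc01")
VD_A_IN, VD_A_OUT = Subif("vd_a", "internal", 100), Subif("vd_a", "external", 100)
VD_B_IN, VD_B_OUT = Subif("vd_b", "internal", 200), Subif("vd_b", "external", 300)
UNIT = {
    "vd_a": Vdom("vd_a", (VD_A_IN, VD_A_OUT), policies={(VD_A_IN, VD_A_OUT): "accept"},
                 mac_table={MAC_SRV: VD_A_OUT, MAC_PC: VD_A_IN}),
    "vd_b": Vdom("vd_b", (VD_B_IN, VD_B_OUT), policies={(VD_B_IN, VD_B_OUT): "accept"},
                 mac_table={MAC_B_HOST: VD_B_OUT}),
}
IPV4 = b"\x08\x00"  # inner EtherType; payload omitted for brevity

if __name__ == "__main__":
    for label, phys, frame in [
        ("same VLAN ID", "internal", tag_frame(MAC_SRV, MAC_PC, 100, IPV4)),
        ("different VLAN IDs", "internal", tag_frame(MAC_B_HOST, MAC_PC, 200, IPV4)),
        ("cross-vdom attempt", "internal", tag_frame(MAC_B_HOST, MAC_PC, 100, IPV4)),
        ("no reverse policy", "external", tag_frame(MAC_PC, MAC_SRV, 100, IPV4)),
    ]:
        print(label, "->", forward(UNIT, phys, frame)[:2])
```

The second case shows the "different VLAN IDs" situation from the text: the frame enters on VLAN 200 and leaves on VLAN 300 because the two subinterfaces in `vd_b` carry different IDs. The third case shows confinement: the destination host is known only in `vd_b`, so a frame that entered `vd_a` is dropped rather than bridged across the domain border.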

The FortiGate-4000 supports 512 virtual domains.

Virtual domain properties

Configuring a virtual domain

Adding firewall policies for virtual domains

Deleting virtual domains