LAB 4 - Transparent Mode
© FORTINET
Lab 4: Transparent Mode
In this lab, you will create a transparent mode VDOM. You will also configure an inter-VDOM link, this time
between a transparent mode VDOM and a NAT mode VDOM.
Objectives
• Configure a transparent mode VDOM.
• Configure an inter-VDOM link.
Time to Complete
Estimated: 20 minutes
Lab Topology
The goal of this lab is to create the topology below. You will use VDOMs to logically split the Local-FortiGate into
two virtual firewalls: the root VDOM and the inspect VDOM. The root VDOM is in NAT mode. The inspect
VDOM is in transparent mode and will inspect the traffic for viruses. So all Internet traffic coming
from Local-Windows must first traverse the root VDOM, and then the inspect VDOM.
Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.
To restore the FortiGate configuration file
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
3. Ensure the Scope is set for Global, then click Local PC, and then click Upload.
4. Click Desktop > Resources > FortiGate-Infrastructure > Layer2 > local-layer-2.conf, and then click
Open.
5. Click OK.
6. Click OK to reboot.
The configuration file for this exercise already has VDOMs enabled. In this exercise, you need to create only a
transparent mode VDOM called inspect and then move the interface to the inspect VDOM.
You will create a new VDOM, and then change its operation mode to transparent.
5. Click OK.
6. Continuing on the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved
session.
7. At the login prompt, enter the user name admin and password password.
8. Enter the following command to change the inspect VDOM operation mode from the default NAT mode to
transparent mode:
config vdom
    edit inspect
        config system settings
            set opmode transparent
            set manageip 10.200.1.200/24
        end
    end
The manageip value is the management IP address for the transparent mode VDOM. Interfaces that belong to a transparent
mode VDOM do not have IP addresses, but the VDOM itself has one. You can use this IP address for
administrative access to the device and this VDOM.
Take the Expert Challenge!
On the Local-FortiGate GUI (10.0.1.254 | admin/password), move the port1 interface to the
inspect VDOM.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
4. Click OK.
In this exercise, you will create an inter-VDOM link. Then, you will create the firewall policies that allow Internet
access across both VDOMs. Finally, you will configure and test antivirus inspection in the inspect VDOM.
Create the inter-VDOM link for routing traffic from the root VDOM to the Internet through the inspect VDOM.
7. Click OK.
The Interfaces page displays with the updated configurations.
8. Review the inter-VDOM link interfaces you just created (expand vlink).
Note that vlink0 and vlink1 are logical interfaces that you can use to route traffic between the root and
inspect VDOMs. An IP address is configurable only on the NAT mode VDOM interface.
You will create firewall policies to allow Internet traffic to pass through both VDOMs. You will also enable antivirus
inspection in the inspect VDOM.
• Create two firewall policies to allow Internet traffic to pass through both VDOMs. One policy will be from
vlink1 to port1 and the other will be from port3 to vlink0.
• In the inspect VDOM, enable the default antivirus inspection profile on the firewall policy.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you complete the challenge, see Route Inter-VDOM traffic on page 69.
Field         Value
Name          Inspected_Internet
Source        all
Destination   all
Schedule      always
Service       ALL
Action        ACCEPT
5. In the Security Profiles section, turn on the AntiVirus switch, and then, in the antivirus profile drop-down menu,
select g-default.
6. Click OK.
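The inspect VDOM settings entered on the CLI earlier and the Inspected_Internet policy just created can be audited from a saved configuration. The following is an added example, not part of the Fortinet lab: it parses a constructed FortiOS CLI fragment (names and addresses taken from this lab) into nested dictionaries and checks the lab requirements against it.

```python
import shlex

# Constructed FortiOS CLI for the lab's inspect VDOM (names from the lab;
# the first block is the page's own CLI, the policy mirrors the GUI steps).
LAB_CONFIG = """\
config vdom
edit inspect
config system settings
set opmode transparent
set manageip 10.200.1.200/24
end
config firewall policy
edit 1
set srcintf "vlink1"
set dstintf "port1"
set av-profile "g-default"
next
end
end
"""
def parse_fortios(text):
    """Nest config/edit scopes into dicts; 'set' stores key -> value."""
    root = cur = {}
    stack = []                             # (keyword, parent scope) frames
    for words in filter(None, map(shlex.split, text.splitlines())):
        kw = words[0]
        if kw in ("config", "edit"):       # open a nested scope
            stack.append((kw, cur))
            cur = cur.setdefault(" ".join(words[1:]), {})
        elif kw == "set":
            cur[words[1]] = " ".join(words[2:])
        elif kw == "next":                 # close the current edit entry
            cur = stack.pop()[1]
        elif kw == "end":                  # close config, plus any open edit
            kind, cur = stack.pop()
            while kind != "config": kind, cur = stack.pop()
    return root

def audit_inspect_vdom(cfg):
    """Return the lab requirements that the inspect VDOM config fails."""
    vd = cfg["vdom"]["inspect"]
    settings = vd.get("system settings", {})
    policies = vd.get("firewall policy", {}).values()
    checks = {
        "opmode is transparent": settings.get("opmode") == "transparent",
        "manageip is set": "manageip" in settings,
        "vlink1 -> port1 policy scans with g-default": any(
            p.get("srcintf") == "vlink1" and p.get("dstintf") == "port1"
            and p.get("av-profile") == "g-default" for p in policies),
    }
    return [name for name, ok in checks.items() if not ok]
```

Running `audit_inspect_vdom(parse_fortios(LAB_CONFIG))` returns an empty list when the VDOM matches the lab; each string it returns names a requirement that is missing.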
Field         Value
Name          Internet
Source        all
Destination   all
Schedule      always
Service       ALL
Action        ACCEPT
6. Click OK.
Route Inter-VDOM traffic
To route traffic from Local-Windows to the inspect VDOM, you must create a default route in the root VDOM.
Field         Value
Destination   Subnet: 0.0.0.0/0.0.0.0
Gateway       10.200.1.254
Interface     vlink0
4. Click OK.
You will use the traceroute command to confirm that Internet traffic is crossing the inter-VDOM link. Then, you
will try to download a virus to confirm that antivirus inspection in the inspect VDOM is working.
tracert -d 10.200.3.1
A transparent VDOM does not route packets the way a NAT VDOM does. Instead, it forwards frames based on the
destination MAC address, like a Layer 2 LAN switch. A traceroute shows the IP addresses of all the routers
along the path to a destination; because the inspect VDOM acts as a Layer 2 switch rather than a router, it does
not appear as a hop in the output.
http://www.eicar.org
4. Click Download ANTI MALWARE TESTFILE, and then click Download.
6. Confirm that the antivirus profile in the inspect VDOM blocks the following action.
Review log files on root VDOM
1. Return to the browser tab where you are logged into the Local-FortiGate GUI and the root VDOM, and click Log
& Report > Forward Traffic.
2. Locate a log entry for the www.eicar.org website.
3. Click on one of the following entries to view more details.
Remember that the root VDOM is the unrestricted Internet side of the inter-VDOM link. In the next steps
you will review the logs for the inspect VDOM.