When you create a port pair, all traffic accepted by one of the paired interfaces can only exit out the other interface. Restricting traffic in this way simplifies your FortiGate configuration because security policies between these interfaces are pre-configured.
In this example you will create a wan1 to Internal port pair to make it easier to allow access to a web server protected by a FortiGate in Transparent mode. In this unusual configuration, the web server is connected to the FortiGate’s wan1 interface and the FortiGate’s Internal interface is connected to an internal network. Users on the internal network access the web server through the FortiGate.
Traffic between port-paired interfaces does not check the bridge table and MAC addresses are not learned. Instead, traffic received by one interface in a port pair is forwarded out the other (if allowed by a firewall policy). This makes port pairing useful for unusual topologies where MAC addresses do not behave normally. For example, port pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the request's MAC address pair.
1. Switching the FortiGate unit to transparent mode and adding a static route
Go to System > Dashboard > Status.
In the System Information widget, select Change beside Operation Mode.
Change the Operation Mode to Transparent. Add a Management IP/Netmask. Also add a Default Gateway for your network so that the FortiGate unit can connect to the Internet.
2. Creating an internal and wan1 port pair
Go to System > Network > Interfaces.
Select Create New > Port Pair. Create a port pair that includes the internal and wan1 interfaces.
All traffic accepted by the internal interface can only exit out of the wan1 interface.
3. Creating security policies
Go to Policy & Objects > Policy > IPv4.
Create a security policy that allows internal users to access the protected web server using HTTP and HTTPS.
Create a second security policy that allows connections from the web server to the internal network and to the Internet using any service.
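The same three steps as a FortiOS CLI script, added here as an example and not part of the original recipe. The management IP 192.168.1.99/24, gateway 192.168.1.2 and web server address 192.168.1.10 are constructed sample values, and the config system port-pair syntax is assumed for the FortiOS release this recipe targets, so check it against your unit's CLI reference.

```fortios
# Step 1: transparent mode with a management IP and a default gateway
# (192.168.1.99/24 and 192.168.1.2 are constructed sample values)
config system settings
    set opmode transparent
    set manageip 192.168.1.99/24
end
config router static
    edit 1
        set gateway 192.168.1.2
    next
end

# Step 2: pair internal and wan1 so traffic in one can only exit the other
# (port-pair CLI syntax assumed; verify on your release)
config system port-pair
    edit "internal-wan1"
        set member internal wan1
    next
end

# Address object for the protected web server (constructed sample value)
config firewall address
    edit "web-server"
        set subnet 192.168.1.10 255.255.255.255
    next
end

# Step 3: only HTTP/HTTPS from the internal network reaches the server,
# while the server may reach the internal network and the Internet.
# Logging all sessions lets the Forward Traffic log confirm the pair is used.
config firewall policy
    edit 1
        set srcintf internal
        set dstintf wan1
        set srcaddr all
        set dstaddr web-server
        set action accept
        set schedule always
        set service HTTP HTTPS
        set logtraffic all
    next
    edit 2
        set srcintf wan1
        set dstintf internal
        set srcaddr web-server
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set logtraffic all
    next
end
```

Because the server-side policy uses srcaddr web-server rather than all, a different host plugged into wan1 gets no implicit path into the internal network.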
4. Results
Connect to the web server from the internal network and surf the Internet from the server itself.
Go to Log & Report > Traffic Log > Forward Traffic to verify that there is traffic from the internal to wan1 interface.
Select an entry for details.
Go to Policy & Objects > Monitor > Policy Monitor to view the active sessions.