Kole
New Contributor

Fortigate transparent mode - TCP packet enters twice

 

Dear,

I want to buy a Fortigate 201E and want to use one VDOM in transparent mode. Scenario:

servers ---(many vlans)---Fortigate--(many vlans)--router(default gateway for all vlans)

When one server opens a TCP connection to another server, the same packet goes through Fortinet to the router, and again through Fortinet to the other server.

I found that I can disable anti-replay and that should work: http://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-transparent-52/Replay-Traffic-Sce...

Does anyone use Fortigate in this scenario?

Does it normally work, and can I use hardware acceleration in this case?

Is it possible to disable inspection in the second direction? I don't want to double inspect packets.

Best Regards

 

6 REPLIES
emnoc
Esteemed Contributor III

Qs:

What do you mean by many vlans?

What method are you using to find the TCP twice?

Do you have a router-on-a-stick deployed?

Did you run diag debug flow with the correct filters for the traffic between client--->server?

Did you run diag sniffer packet any "host x.x.x.x and port yyyy" 4 and monitor the interfaces?

Or better yet, just look at the client SYN.

Example:

    diag sniffer packet any "tcp[13]==2 and port 443 and host 1.2.3.4"

Replace port and host with your details and then have a client hit the target.

Keep in mind the following:

If you have a router on a stick and a single physical link, you will see every packet twice from a logical state (in one vlan and out another for that link).

If you're running meshed vdoms, you will see the traffic also (once in each vdom).

Ken

PCNSE
NSE
StrongSwan
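The sniffer filter emnoc gives uses the same byte-offset syntax as tcpdump: `tcp[13]` is the TCP flags byte, and `==2` keeps only packets with nothing but the SYN bit set, i.e. the client's first packet of each connection. The block below is an added example (not from the thread and not FortiOS code) that renders that filter in Python and runs it over a constructed TLS handshake, so you can see which copies it does and does not match; the addresses 1.2.3.4 and 10.0.0.5, the ports and the packet contents are all constructed assumptions.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample values (no real hosts): the client from emnoc's filter and a server.
CLIENT = "1.2.3.4"
SERVER = "10.0.0.5"

TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
                 0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}


def build_ipv4_tcp(src, dst, sport, dport, flags, ip_options=b""):
    """Build a minimal IPv4+TCP packet (checksums left zero; enough for filter tests).
    ip_options varies the IP header length, which is why the filter says tcp[13]
    rather than a fixed byte offset from the start of the packet."""
    assert len(ip_options) % 4 == 0
    ihl_words = 5 + len(ip_options) // 4
    total_len = ihl_words * 4 + 20
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                         0, 0, 64, 6, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed) + ip_options
    # sport, dport, seq, ack, data offset (5 words), flags byte, window, checksum, urgent ptr
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    """Return the fields the sniffer filter looks at; tcp13 is the TCP flags byte."""
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes
    proto = pkt[9]
    src = str(IPv4Address(pkt[12:16]))
    dst = str(IPv4Address(pkt[16:20]))
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "tcp13": tcp[13]}


def decode_flags(flags_byte):
    """Names of the flag bits set in a TCP flags byte, lowest bit first."""
    return [name for bit, name in sorted(TCP_FLAG_BITS.items()) if flags_byte & bit]


def matches_filter(pkt, host, port):
    """Python rendering of:  tcp[13]==2 and port <port> and host <host>."""
    f = parse_ipv4_tcp(pkt)
    if f["proto"] != 6:                # not TCP
        return False
    return (f["tcp13"] == 2
            and port in (f["sport"], f["dport"])   # "port N" matches either end
            and host in (f["src"], f["dst"]))      # "host X" matches either end


def evaluate_samples(host=CLIENT, port=443):
    """Run the filter over constructed packets from one handshake plus a few decoys."""
    samples = {
        # client -> server, SYN only: the one packet the filter is meant to catch
        "client SYN": build_ipv4_tcp(CLIENT, SERVER, 51000, 443, 0x02),
        # same SYN, but the IP header carries 8 bytes of options
        "client SYN with IP options": build_ipv4_tcp(CLIENT, SERVER, 51000, 443, 0x02, b"\x00" * 8),
        # server -> client, SYN+ACK: SYN bit set, but tcp[13] is 0x12, not 2
        "server SYN-ACK": build_ipv4_tcp(SERVER, CLIENT, 443, 51000, 0x12),
        # client ACK completing the handshake
        "client ACK": build_ipv4_tcp(CLIENT, SERVER, 51000, 443, 0x10),
        # ECN-setup SYN (RFC 3168): SYN+ECE+CWR = 0xC2, so the strict equality misses it
        "client ECN SYN": build_ipv4_tcp(CLIENT, SERVER, 51001, 443, 0xC2),
        # SYN to a different service
        "client SYN port 80": build_ipv4_tcp(CLIENT, SERVER, 51002, 80, 0x02),
    }
    return {name: matches_filter(pkt, host, port) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{str(hit):5}  {name}")
    print("0x12 =", decode_flags(0x12), " 0xC2 =", decode_flags(0xC2))
```

Two things the run makes visible: the server's SYN-ACK is excluded even though its SYN bit is set, which is exactly what you want when counting how often a single client SYN shows up on the box; and an ECN-setup SYN (flags 0xC2) slips past the strict equality, so on hosts that negotiate ECN a mask test such as `tcp[13] & 0x12 == 2` (SYN set, ACK clear) is the safer filter.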
Kenundrum
Contributor III

Are the servers on different vlans also on different IP subnets? In general, that's not a supported configuration for transparent mode unless you use a different VDOM for each.

What you should have is a bunch of vlans that have the same IP subnet, so that if you have a computer in vlan 2 that needs to talk to vlan 3, the fortigate rule would look like vlan2->vlan3 and, because they are the same IP range, no gateway would be necessary.

If you do have multiple vdoms in transparent mode to deal with such a config, each vdom would have independent policies. You'd need one policy out of vdom A and another into vdom B. Just set the content inspection to happen at one of those rules as necessary. I typically scan traffic closest to its destination as long as all the inline devices are controlled by us.

CISSP, NSE4
Kole
New Contributor

Dear,

I don't use a different VDOM for each VLAN. All vlans are in the same vdom (transparent mode). My idea is just to put the Fortigate between the servers and the router and inspect traffic, but not change anything in the network. I want to use the Fortigate in transparent mode.

I added L2 and L3 diagrams to my first post. I need normal communication between server 1 and server 2. They are in different subnets and the router is the default gateway for all servers (subinterfaces on the router).

Can I configure the Fortigate to not block communication between server 1 and server 2? In this scenario every packet from server 1 to server 2 goes through the Fortigate twice. I would like to configure the Fortigate to not inspect every packet twice.

Thanks

Kole
New Contributor

Hi,

I don't have a Fortigate. I want to buy it, but first I have to know whether it works in my scenario. I attached a scenario picture in the first post (the upper diagram is L2 and the lower diagram is L3).

My problem is when server 1 pings server 2: the echo request goes from server 1 to the Fortigate on vlan 1. The Fortigate creates a session for that packet and forwards it on vlan 1 to the router. The router returns that packet on vlan 2 to the Fortigate. The Fortigate sees that this is the same packet and that it already has a session for it. It will drop the packet.

Is there any way to configure the Fortigate to pass that packet? In my scenario I should have normal communication between servers.

Thanks
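As an added illustration (not from the thread, and not FortiOS code), here is a toy model of the two-pass path described above. One session table keyed on the flow recognises the second copy of the same echo request, arriving back on VLAN 2 from the router, as a replay and drops it; switching the anti-replay check off lets it through at the cost of inspecting every packet twice; and Kenundrum's design of one VDOM per side gives each pass its own session table, so nothing looks replayed and content inspection can be enabled in only one of them. The addresses, VLAN numbers and the fields used as the session key are constructed assumptions, and real FortiOS session handling is more involved than this model.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed addresses for the topology in the thread (not a real network):
# server 1 and server 2 sit in different subnets, so the router has to relay.
SERVER1 = "192.0.2.10"
SERVER2 = "198.51.100.20"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    ident: int          # e.g. ICMP echo id/seq: what lets a firewall recognise a copy it already forwarded
    ingress_vlan: int   # VLAN on which this copy reaches the firewall


@dataclass
class Vdom:
    """One inspection domain with its own session table (assumed model, not FortiOS internals)."""
    name: str
    anti_replay: bool = True   # drop a packet already forwarded in this session
    inspect: bool = True       # whether content inspection is enabled in this domain
    sessions: Dict[Tuple[str, str, str], Set[int]] = field(default_factory=dict)
    inspections: int = 0

    def process(self, pkt: Packet) -> Tuple[str, int, str]:
        key = (pkt.src, pkt.dst, pkt.proto)
        seen = self.sessions.setdefault(key, set())
        if self.anti_replay and pkt.ident in seen:
            return (self.name, pkt.ingress_vlan, "drop-replay")
        seen.add(pkt.ident)
        if self.inspect:
            self.inspections += 1
        return (self.name, pkt.ingress_vlan, "forward")


def run(vlan_to_vdom: Dict[int, str], vdoms: Dict[str, Vdom]):
    """One echo request from server 1 to server 2 along the two-pass path:
    server1 -> firewall (vlan 1) -> router -> firewall (vlan 2) -> server2.
    Returns the per-copy verdicts and how many times the packet was inspected."""
    path = [Packet(SERVER1, SERVER2, "icmp", ident=1, ingress_vlan=1),
            Packet(SERVER1, SERVER2, "icmp", ident=1, ingress_vlan=2)]
    verdicts = [vdoms[vlan_to_vdom[p.ingress_vlan]].process(p) for p in path]
    return verdicts, sum(v.inspections for v in vdoms.values())


def single_vdom(anti_replay: bool):
    """Kole's design: every VLAN in one transparent VDOM."""
    root = Vdom("root", anti_replay=anti_replay)
    return run({1: "root", 2: "root"}, {"root": root})


def two_vdoms():
    """Kenundrum's design: server-side VLAN in one VDOM, router-side VLAN in another,
    with content inspection switched on in only one of them."""
    vdoms = {"vdom1": Vdom("vdom1", inspect=False), "vdom2": Vdom("vdom2", inspect=True)}
    return run({1: "vdom1", 2: "vdom2"}, vdoms)


if __name__ == "__main__":
    for label, (verdicts, n) in [("one VDOM, anti-replay on", single_vdom(True)),
                                 ("one VDOM, anti-replay off", single_vdom(False)),
                                 ("two VDOMs", two_vdoms())]:
        print(f"{label}: {[v[2] for v in verdicts]}, inspected {n} time(s)")
```

The model reproduces the three outcomes the thread is weighing: with one VDOM and anti-replay on, the second copy is dropped and server 2 never sees the ping; with anti-replay off, the packet is forwarded twice and inspected twice; with a VDOM per side, each copy is new to the table that sees it and inspection happens once.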

Kenundrum
Contributor III

I believe you would want something similar to the diagram below. It is (in effect) how I have my transparent VDOMs set up. The transparent mode operation lets you have multiple VLANs operate with a single IP subnet for layer 2 separation. It isn't designed to handle more than 1 subnet. Separating the "protected" devices on a different vlan allows you more flexibility with the deployment options and you can use as little as 1 switch to plug everything together. The different vlan interfaces on the fortigate can be trunked on the same physical port as well.

In the below scenario, you would have rules going in/out of VDOM1 and rules in/out of VDOM2, but it avoids the replay packet drops and you can choose where content scanning happens. As long as there are no other routers sitting on the VLANs 101/102, all traffic will be forced to the fortigate interface for routing to the rest of the network.

CISSP, NSE4
Kole
New Contributor

Dear,

I want to use a similar scenario. I will use only one VDOM for all vlans. I have too many vlans (more than 30) and I can't separate the vlans into different VDOMs.

I'm not sure whether that works. I hope that someone who uses a scenario like mine in production can help me.

Thanks
