ss85
New Contributor

Failure to change opmode from NAT mode to Transparent mode

Hi All, 

 

First of all, I'm new to Fortigate. Next is my issue.

I wanted to set my opmode from NAT to transparent. However, I receive a command fail message from the CLI. I have no idea what this message means. Did I miss out any steps before I can change the mode? What are the causes or factors which cause the failure? Need advice from any gurus.

 

Below is my CLI command for your reference. 

 

FIREWALL-1 # config vdom
FIREWALL-1 (vdom) # edit root
current vf=root:0

FIREWALL-1 (root) # config system settings
FIREWALL-1 (settings) #
FIREWALL-1 (settings) #
FIREWALL-1 (settings) # set opmode transparent
FIREWALL-1 (settings) # end
node_check_object fail! for opmode transparent
Attribute 'opmode' value 'transparent' checking fail -651
Command fail. Return code -651

 

By the way, I'm using a Fortinet FG_101E with FortiOS v6.2.3. Hope this helps, and awaiting a prompt reply.

Thank you very much.

Fullmoon
Contributor III

seems you forgot to define the management IP and gateway, as stated in this link.

https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/463938

 

Fortigate Newbie
boneyard
Valued Contributor

you do not already have a full configuration on this device?

ss85
New Contributor

To Fullmoon, I have already created a management ip and gateway using GUI, in VDOM.

To boneyard, sorry but what do you mean by full configuration?

 

Some background info. My network will not be connected to any internet. I have created an IP for management, an IP for the VDOM link and also an IP for the software switch ports, which are connected to other devices, and I am able to ping them. Now what I want to do is use the DMZ port to connect to a router port. However, I am unable to create the IP due to an error stating I'm using the same subnet as my management IP. I tried to create a new DMZ interface, but I'm unable to select any ports/interfaces in the GUI, as they weren't shown in the dropdown box. I was thinking that if the mode is changed from NAT to Transparent, I might be able to create the IP on the default DMZ port.

 

Need advice if possible.

boneyard
Valued Contributor

ah, should have asked why you want to do transparent mode. because transparent mode is when you use the FortiGate as a bump in the wire, on a layer 2 segment. this isn't used often, it has some use cases but regular routed / NAT mode (which doesn't require you to use NAT) is in almost all cases the way to go.

 

see for more transparent mode info: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/463938 / https://kb.fortinet.com/kb/viewAttachment.do?attachID=Fortinet%20Solutions%20for%20Transparent%20Mod...

 

it means you don't use interface IP addresses except for the management, you clearly are in a different situation. so for what you are trying to do you don't need and even can't use transparent mode.

 

what you can use for your case is subnet overlap enable.

 

https://kb.fortinet.com/kb/documentLink.do?externalID=FD30014

 

still there is a reason this is disabled by default. routing issues can occur if you don't take proper care of traffic flows.

you can also manage the FortiGate on the IP address on the LAN side, then you can remove the IP and ignore the management port for now.

 

is this an office setup or just at home btw?

 

why are you setting an IP on the VDOM link, do you use VDOMs?

ss85
New Contributor

Hi boneyard, thank you very much for your prompt reply.

 

ah, should have asked why you want to do transparent mode. because transparent mode is when you use the FortiGate as a bump in the wire, on a layer 2 segment. this isn't used often, it has some use cases but regular routed / NAT mode (which doesn't require you to use NAT) is in almost all cases the way to go.

-Yes, I'm trying to configure a layer 2 network between router and other devices.

 

it means you don't use interface IP addresses except for the management, you clearly are in a different situation. so for what you are trying to do you don't need and even can't use transparent mode.

-I'm not really sure about this 'interface IP', but I do input IP at the "software switch" feature which is connected to other devices as mentioned.

 

you can also manage the FortiGate on the IP address on the LAN side, then you can remove the IP and ignore the management port for now.

-I can't ignore the management port as this port will also connect to other devices in future.

 

is this an office setup or just at home btw?

-Yes, this is an office setup.

 

why are you setting an IP on the VDOM link, do you use VDOMs?

-You mean I don't need to set an IP on the VDOM link? I use VDOMs as we have other Fortigate devices that also use VDOMs and it works. So basically, we are trying to follow the legacy config. We tried to reuse the config for the new device, but it prompted us to input a password, which we had no idea what password to use. By the way, the previous config was done by another colleague of mine, but he has left the company.


boneyard
Valued Contributor

this becomes difficult via a forum, as by now we have to reverse engineer an environment.

 

do you perhaps have a Fortinet partner / distributor that can help?

 

else can you perhaps share a drawing of the setup you want to create?

ss85
New Contributor

Hi boneyard, I have attached a drawing of the setup I want to create. I need to create 2 split-mode VDOMs, 1 for management, another 1 for traffic in transparent mode on the DMZ port and LAN ports. The management VDOM will have the IP of 192.168.x.x/16 while the traffic VDOM will have the IP of 14.0.1.x/24. Hope you or others who happen to bump into my post can help. Thank you very much.


boneyard
Valued Contributor

ok, so what are your actual VDOM names?

 

because in your first post you are trying to change something in the root VDOM. is that the management VDOM?

 

then if you actually want to do transparent mode in the traffic VDOM you should first go to that VDOM.

 

you suggest you have more of these configurations, you can download one from another FortiGate. change the hostname inside the configuration file and probably the management IP and load that.

 

you don't need passwords to save or restore configuration.
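Putting boneyard's two suggestions (transparent mode in the traffic VDOM only, or staying in NAT mode with subnet overlap allowed) into CLI form, as an added example that nobody in the thread posted: the VDOM names are the ones ss85 gave; the IP addresses are constructed placeholders, and the placement of manageip/gateway in the same settings block and the allow-subnet-overlap option are my assumptions about the FortiOS 6.2 CLI, not something the thread confirms.

```text
# Added example, not from the thread. VDOM names as given by ss85;
# IP addresses are constructed placeholders, adjust to the real network.

# --- Option A: transparent mode in the traffic VDOM only ---
# Enter the traffic VDOM first; the failing attempt in the first post
# was made in "root" instead.
config vdom
    edit traffic_vdom
        config system settings
            set opmode transparent
            # Management address and default gateway for the transparent
            # VDOM, set in the same block before "end" (Fullmoon's point).
            set manageip 14.0.1.10/24
            set gateway 14.0.1.1
        end
        # Check the result: opmode should now read "transparent".
        show system settings
    next
end

# --- Option B: stay in NAT/route mode and allow overlapping subnets ---
# Only if an interface really must share a subnet with the management IP
# (KB FD30014). Off by default because it can produce routing problems if
# traffic flows are not planned carefully.
config vdom
    edit traffic_vdom
        config system settings
            set allow-subnet-overlap enable
        end
    next
end
```

Interfaces that still carry IP addresses, DHCP servers or policies in the VDOM are what boneyard's "full configuration" question is about; clear those before attempting Option A.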


ss85
New Contributor

ok, so what are your actual VDOM names?

-1 is mgmt_vdom, another is traffic_vdom

 

because in your first post you are trying to change something in the root VDOM. is that the management VDOM?

-I'm trying to change the opmode from NAT to Transparent mode, not in management VDOM

 

you suggest you have more of these configurations, you can download one from another FortiGate. change the hostname inside the configuration file and probably the management IP and load that.

-Will try this solution.

 

Thanks for the suggestion. :)
