
Understanding deployment topologies

When deploying a FortiGate-based assessment, there are two primary deployment topologies you can use: One-Arm Sniffer and Transparent Mode.

Note

Configuration files generated by the CTAP Cloud portal support both One-Arm Sniffer and Transparent Mode at the same time. The interfaces used by each mode are pre-defined in the configuration file. Smaller models will typically only include a single 1 GE port, but devices with 10 GE capabilities will also be configured with a 10 GE interface. Similarly, transparent mode ports (LAN and WAN destined) are pre-defined and map to their respective 1 GE interfaces (or 10 GE interfaces in higher end models).

One-Arm Sniffer

One-Arm Sniffer mode is the least invasive deployment method that can be used during an assessment and is the most common way to deploy FortiGate-based assessments. This deployment configuration is also sometimes referred to as promiscuous mode or mirrored mode.

FortiGates deployed in sniffer mode are simply analyzing a copy of inbound and outbound network traffic sent from an upstream switch. A copy of the network traffic is sent from a mirrored port on the switch. In other words, the switch facilitates both LAN destined and WAN destined traffic, and a third mirrored port is configured to siphon traffic to the deployed FortiGate for additional inspection.

Advantages

  • Passively scans traffic out-of-band (not inline)

  • Unobtrusive to install; no network downtime required while cabling

  • Does not present a new potential point of failure for the network backbone

Disadvantages

  • Requires a more expensive managed switch with port mirroring capabilities

  • Configuration varies between switch vendors

  • Sniffer traffic is processed by the CPU; be extra aware of bandwidth requirements

Note

The CTAP team recommends using One-Arm Sniffer mode when possible as it is the least intrusive option for running assessments.

Transparent Mode

When deployed in Transparent Mode, the FortiGate sits directly on the network backbone and inspects traffic as it flows through the system (LAN <> WAN). Since it can affect the flow of network traffic, it is less commonly used during assessments. Transparent mode is also sometimes called an inline, virtual wire, or port pair configuration.

Advantages

  • Easy to install by connecting the FortiGate between the core router and the firewall

  • Illustrates the performance capabilities of the FortiGate within the customer's actual network

Disadvantages

  • Undersized systems can result in dropped packets, negatively impacting the network

  • Requires some (minimal) network downtime during installation and cabling

  • Introduces new potential points of failure within the network backbone: the system and the new cable

Note

The CTAP team only recommends using Transparent Mode when the end customer explicitly requests it. It applies primarily in cases where a demonstration of the FortiGate's performance relative to the model used is requested, or where there is no managed switch available.
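The following FortiOS CLI fragment is an added illustration of how the two topologies described above map onto interface configuration. It is not a file generated by the CTAP Cloud portal; the interface names (port3 for the sniffer port, port1/port2 for the LAN/WAN pair), the virtual wire pair name and the use of the built-in "default" profiles are assumptions made for this example. The inline form is shown as a virtual wire pair, which the page lists as one name for Transparent Mode.

```fortios
# Added illustrative example, not a CTAP portal-generated configuration.
# Interface names, pair name and profile names below are assumptions.

# --- One-Arm Sniffer: port3 is cabled to the switch mirror (SPAN) port ---
config system interface
    edit "port3"
        set ips-sniffer-mode enable    # accept mirrored frames only; nothing is forwarded
    next
end

# Sniffer policy: run the inspection profiles over the mirrored copy and log it
config firewall sniffer
    edit 1
        set status enable
        set interface "port3"
        set logtraffic all
        set ips-sensor "default"
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
    next
end

# --- Transparent / virtual wire: port1 (LAN side) and port2 (WAN side) bridged inline ---
config system virtual-wire-pair
    edit "ctap-vwp"
        set member "port1" "port2"
        set wildcard-vlan enable       # carry all VLAN tags through unchanged
    next
end

# One accept policy per direction; without them the pair drops traffic,
# which is the "new point of failure" the topology introduces.
config firewall policy
    edit 1
        set name "vwp-lan-to-wan"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
    next
    edit 2
        set name "vwp-wan-to-lan"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
    next
end
```

Two checks are worth running after cabling. For the sniffer topology, confirm the mirror session on the switch copies both ingress and egress of the uplink port, then verify frames are actually arriving with `diagnose sniffer packet port3 '' 4 10`; an empty capture almost always means the switch-side mirror is wrong, since the FortiGate never transmits on that port. Because sniffer traffic is inspected in software, watch `get system performance status` under representative load before committing to a 10 GE mirror on a smaller model.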
