Handbook

Static routing in transparent mode

6.0.0
Static routing in transparent mode

FortiOS operating modes allow you to change the configuration of a FortiGate, depending on its role in your network. A FortiGate can operate in two different modes: transparent operation mode or NAT operation mode. In transparent mode, a FortiGate acts as a bridge where all physical interfaces act like one interface. A FortiGate broadcasts traffic that arrives through any interface out through all interfaces.

In transparent mode, you install a FortiGate between your internal network and your router. The FortiGate doesn’t make any changes to IP addresses and applies only security scanning to traffic. When you add a FortiGate to a network in transparent mode, you don’t have to make any network changes except configuring the FortiGate with a management IP address. You usually use transparent mode when you want to increase your network protection but it’s impractical to change your network configuration.

When you configure routing in transparent mode on a FortiGate, all interfaces must be connected to the same subnet. This means all traffic comes from and leaves on the same subnet. This is important because it limits the static routing options to only gateways that are attached to this subnet. For example, if you have only one router that connects your network to the Internet, all static routing on the FortiGate uses this gateway. For this reason, static routing on a FortiGate in transparent mode may be a bit different, but it’s not as complex as routing in NAT mode.

To view the routing table in transparent mode, go to Network > Static Routes. When you view entries for static routes in transparent mode, you’ll see the following settings:

Field          Description

Destination    When Subnet is selected, shows the IP address and netmask of the destination of the traffic being routed. 0.0.0.0 is the default route and matches all traffic destinations.

Gateway        Specifies the IP address of the next hop for traffic. This is usually the IP address of a router on the edge of your network.

Priority       The FortiGate uses the priority when more than one route matches. This lets you configure multiple routes while marking some of them as preferred.
               Routes with a larger value have a lower priority. If the preferred route isn't available, another route is used instead. If more than one route matches and the routes have the same priority, the FortiGate uses Equal Cost Multiple Path (ECMP) to share traffic between the routes.
               The possible values are 0 to 4294967295. This setting only applies to static routes. The priority for routes that are dynamically learned from routing protocols is 0.

For more information about configuring a FortiGate in transparent mode, see the FortiOS Transparent Mode Handbook.

Source prefixes for static routes in transparent mode

If a FortiGate has more than one management IP address, each with its own default route, the FortiGate can't tell which default route a packet should use, and packets may reach the wrong management IP address. To avoid this, you can configure a source prefix on each route so that the FortiGate can differentiate between multiple default routes. This is necessary only for static routes in transparent mode.

To configure source prefixes - CLI:

config router static
    edit <sequence-number>
        set gateway <IP-address>
        set src <source-prefix>
    next
    edit <sequence-number>
        set gateway <IP-address>
        set src <source-prefix>
    next
end

This command is only available in transparent mode.
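The following Python model is an added illustration, not code from the Fortinet handbook or from FortiOS. It replays the selection rules this page describes (longest destination prefix, source prefix, priority with larger value = lower priority, ECMP on ties) over a constructed route table whose fields mirror the CLI template above; the addresses are made-up documentation ranges, and treating a route without a src prefix as matching any source is this model's assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    seq: int                 # edit <sequence-number>
    gateway: str             # set gateway <IP-address>
    dst: str = "0.0.0.0/0"   # default route unless a destination is given
    src: Optional[str] = None  # set src <source-prefix> (transparent mode only)
    priority: int = 0        # 0..4294967295, larger value = lower priority


def select_gateways(routes: List[StaticRoute], src_ip: str, dst_ip: str) -> List[str]:
    """Gateway(s) a packet from src_ip to dst_ip takes under this model:
    longest destination prefix wins; a route with a src prefix only matches
    packets sourced inside it (no src prefix = any source, an assumption);
    among what is left the lowest priority value wins and ties form an ECMP set."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [r for r in routes
            if dst in ipaddress.ip_network(r.dst)
            and (r.src is None or src in ipaddress.ip_network(r.src))]
    if not hits:
        return []                      # no usable route for this packet
    longest = max(ipaddress.ip_network(r.dst).prefixlen for r in hits)
    hits = [r for r in hits if ipaddress.ip_network(r.dst).prefixlen == longest]
    best = min(r.priority for r in hits)
    return sorted(r.gateway for r in hits if r.priority == best)


# Constructed sample: two management IPs (192.0.2.10 and .20) whose replies
# must leave via different edge routers on the shared subnet, plus one prefix
# with a preferred pair of gateways (ECMP) and a lower-priority fallback.
ROUTES = [
    StaticRoute(1, "192.0.2.1", src="192.0.2.10/32"),
    StaticRoute(2, "192.0.2.2", src="192.0.2.20/32"),
    StaticRoute(3, "192.0.2.1", dst="198.51.100.0/24", priority=10),
    StaticRoute(4, "192.0.2.2", dst="198.51.100.0/24", priority=10),
    StaticRoute(5, "192.0.2.3", dst="198.51.100.0/24", priority=20),
]

if __name__ == "__main__":
    for s, d in [("192.0.2.10", "203.0.113.9"), ("192.0.2.20", "203.0.113.9"),
                 ("192.0.2.10", "198.51.100.7"), ("192.0.2.99", "203.0.113.9")]:
        print(s, "->", d, "via", select_gateways(ROUTES, s, d))
```

Without the src prefixes, the two default routes tie on priority and the model falls back to ECMP, which is exactly the ambiguity the source prefix removes.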
