Fortinet FortiGate-800 manual 148, FortiGate unit with two virtual domains

To support VLANs in Transparent mode, you add virtual domains to the FortiGate unit. A virtual domain contains at least 2 VLAN subinterfaces. For VLAN traffic to be able to pass between the FortiGate Internal and external interface you would add a VLAN subinterface to the internal interface and another VLAN subinterface to the external interface. If these VLAN subinterfaces have the same VLAN IDs, the FortiGate unit applies firewall policies to the traffic on this VLAN. If these VLAN subinterfaces have different VLAN IDs, or if you add more than two VLAN subinterfaces to the virtual domain, you can also use firewall policies to control connections between VLANs.

When the FortiGate unit receives a VLAN tagged packet at an interface, the packet is directed to the VLAN subinterface with matching VLAN ID. The VLAN subinterface removes the VLAN tag and assigns a destination interface to the packet based on its destination MAC address. The firewall policies for this source and destination VLAN subinterface pair are applied to the packet. If the packet is accepted by the firewall, the FortiGate unit forwards the packet to the destination VLAN subinterface. The destination VLAN ID is added to the packet and it is sent to the VLAN trunk.

When a packet enters a virtual domain on the FortiGate unit, it is confined to that virtual domain. In a given domain, you can only create firewall policies for connections between VLAN subinterfaces or zones in the virtual domain. The packet never crosses the virtual domain border.

The FortiGate-800 supports 64 virtual domains.

•Virtual domain properties

•Configuring a virtual domain

•Adding firewall policies for virtual domains

•Deleting virtual domains

Figure 31: FortiGate unit with two virtual domains

VLAN3