Nat/route mode, Transparent mode, Vlans and virtual domains – Fortinet FortiGate 4000 User Manual

18

Fortinet Inc.

VLANs and virtual domains

Introduction

NAT/Route mode

In NAT/Route mode, you can create NAT mode policies and Route mode policies.

• NAT mode policies use network address translation to hide the addresses in a

more secure network from users in a less secure network.

• Route mode policies accept or deny connections between networks without

performing address translation.

Transparent mode

Transparent mode provides the same basic firewall protection as NAT mode. Packets
that the FortiGate unit receives are forwarded or blocked according to firewall policies.
The FortiGate unit can be inserted in the network at any point without having to make
changes to your network or its components. However, VPN and some advanced
firewall features are available only in NAT/Route mode.

VLANs and virtual domains

Fortigate Antivirus Firewalls support IEEE 802.1Q-compliant virtual LAN (VLAN) tags.
Using VLAN technology, a single FortiGate unit can provide security services to, and
control connections between, multiple security domains according to the VLAN IDs
added to VLAN packets. The FortiGate unit can recognize VLAN IDs and apply
security policies to secure network and IPSec VPN traffic between each security
domain. The FortiGate unit can also apply authentication, content filtering, and
antivirus protection to VLAN-tagged network and VPN traffic.

The FortiGate unit supports VLANs in NAT/Route and Transparent mode. In
NAT/Route mode, you enter VLAN subinterfaces to receive and send VLAN packets.
In Transparent mode, you create virtual domains and then add VLAN subinterfaces to
those virtual domains.

Network intrusion detection

The FortiGate Network Intrusion Detection System (NIDS) is a real-time network
intrusion detection sensor that detects and prevents a variety of suspicious network
activity. NIDS uses attack signatures to identify more than 1000 attacks. You can
enable and disable the attacks that the NIDS detects. You can also write user-defined
detection attack signatures.

NIDS prevention detects and prevents many common denial of service and packet-
based attacks. You can enable and disable prevention attack signatures and
customize attack signature thresholds and other parameters.

To notify system administrators of the attack, the NIDS records the attack and any
suspicious traffic to the attack log, and can be configured to send alert emails.

Fortinet updates NIDS attack definitions periodically. You can download and install
updated attack definitions manually or you can configure the FortiGate unit to
automatically check for and download attack definition updates.