Fortinet FortiGate-200A Operating Instructions

System network 
VLANs in NAT/Route mode
FortiGate-200A Administration Guide
01-28006-0072-20041105
Figure 14: Basic VLAN topology
FortiGate units and VLANs
In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 
routers or firewalls add VLAN tags to packets. Packets passing between devices in 
the same VLAN can be handled by layer-2 switches. Packets passing between 
devices in different VLANs must be handled by a layer-3 device such as a router, 
firewall, or layer-3 switch.
Using VLANs, a single FortiGate unit can provide security services and control 
connections between multiple security domains. Traffic from each security domain is 
given a different VLAN ID. The FortiGate unit can recognize VLAN IDs and apply 
security policies to secure network and IPSec VPN traffic between security domains. 
The FortiGate unit can also apply authentication, protection profiles, and other firewall 
policy features for network and VPN traffic that is allowed to pass between security 
domains.
VLANs in NAT/Route mode
Operating in NAT/Route mode, the FortiGate unit functions as a layer 3 device to 
control the flow of packets between VLANs. The FortiGate unit can also remove VLAN 
tags from incoming VLAN packets and forward untagged packets to other networks, 
such as the Internet.
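What recognizing a VLAN ID and removing the tag means at the frame level, as an added example that is not taken from the Fortinet guide or from FortiGate code. The function names, the VLAN-to-domain mapping, the sample frames and the choice to reject reserved IDs and nested tags are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tag
RESERVED_VIDS = {0, 4095}    # 0 = priority tag only, 4095 = reserved by 802.1Q

# Constructed mapping of VLAN ID to security domain (assumption, not from the guide).
VLAN_DOMAINS = {1: "vlan1-network", 2: "vlan2-network"}


def parse_tag(frame: bytes):
    """Return (vlan_id, priority, inner_ethertype), or None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner


def classify(frame: bytes, domains=VLAN_DOMAINS):
    """Map a tagged frame to its security domain; None means no policy applies (drop)."""
    tag = parse_tag(frame)
    if tag is None or tag[0] in RESERVED_VIDS:
        return None
    return domains.get(tag[0])


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte tag so the frame can be forwarded untagged."""
    tag = parse_tag(frame)
    if tag is None:
        return frame
    if tag[2] == TPID_8021Q:
        raise ValueError("nested 802.1Q tag; refusing to forward as untagged")
    return frame[:12] + frame[16:]


def make_frame(vlan_id=None, priority=0, payload=b"\x45" + b"\x00" * 45):
    """Build a constructed sample frame (made-up MAC addresses, IPv4 EtherType)."""
    macs = bytes.fromhex("020000000002" "020000000001")
    tag = b"" if vlan_id is None else struct.pack("!HH", TPID_8021Q, priority << 13 | vlan_id)
    return macs + tag + struct.pack("!H", 0x0800) + payload
```

The tag sits between the source MAC address and the original EtherType, so stripping it is a 4-byte splice; a frame with an unmapped or reserved VLAN ID is mapped to no domain here.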
[Figure 14 diagram labels: Internet, untagged packets, firewall or router, VLAN trunk, VLAN switch or router, VLAN 1, VLAN 2, VLAN 1 network, VLAN 2 network]