Virtual local area network (VLAN) retagging allows you to selectively screen traffic between VLANs. To do this, you place a security device outside the direct path of incoming and outgoing traffic and configure your Layer 2 switch to redirect to the security device only the traffic from the VLANs you want to screen. Traffic to and from your other VLANs, meanwhile, passes directly through the switch. In this way you can screen only the traffic that is potentially threatening to your network, while avoiding the throughput impact that passing all VLAN traffic through the security device might cause. Retagged traffic must be from VLANs with different IDs: for example, you cannot retag traffic from VLAN 10 to another VLAN that has the same ID.
You configure VLAN retagging on the security device by creating a bi-directional VLAN retagging object and specifying the two VLANs for which you want the object to screen traffic. The security device then stores the retagging pair in a hash table, which it references when it receives traffic from either of those VLANs. After you create a retagging object, you must bind it to a port and create a policy.
In the Name text box, enter a name for the VLAN retagging pair.
In the From VLAN text box, enter a VLAN ID for the source VLAN.
In the To VLAN text box, enter a VLAN ID for the destination VLAN.
Click OK.
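The hash-table lookup described above can be modelled in a few lines. The following is an added example, not the security device's own code: the class and function names are hypothetical, the frames are constructed samples, and the rule that a VLAN belongs to at most one pair is an assumption of this model.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

class RetagTable:
    """Model of a bi-directional VLAN retagging table (hypothetical class)."""

    def __init__(self):
        self._map = {}  # VLAN ID -> peer VLAN ID, one entry per direction

    def add_pair(self, name, from_vlan, to_vlan):
        for vid in (from_vlan, to_vlan):
            if not 1 <= vid <= 4094:  # 0 and 4095 are reserved by 802.1Q
                raise ValueError(f"{name}: VLAN ID {vid} out of range")
        if from_vlan == to_vlan:
            raise ValueError(f"{name}: cannot retag a VLAN to the same ID")
        if from_vlan in self._map or to_vlan in self._map:
            # Assumption of this model: a VLAN belongs to at most one pair
            raise ValueError(f"{name}: VLAN already in a retagging pair")
        self._map[from_vlan] = to_vlan
        self._map[to_vlan] = from_vlan

    def retag(self, frame):
        """Return the frame with its VLAN ID swapped, or None if no pair matches."""
        if len(frame) < 18:
            return None  # too short to hold an 802.1Q tag
        tpid, tci = struct.unpack_from("!HH", frame, 12)
        if tpid != TPID_8021Q:
            return None  # untagged frame
        peer = self._map.get(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        if peer is None:
            return None
        new_tci = (tci & 0xF000) | peer  # keep the priority (PCP) and DEI bits
        return frame[:14] + struct.pack("!H", new_tci) + frame[16:]

def vlan_id(frame):
    """Read the VLAN ID from a tagged frame."""
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF

def make_frame(vid, pcp=0):
    """Build a constructed sample 802.1Q frame (placeholder MACs, IPv4 EtherType)."""
    tci = (pcp << 13) | vid
    return (b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
            + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + b"\x00" * 46)
```

Because each pair is stored under both VLAN IDs, a single lookup handles traffic arriving from either side of the pair.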