System Configuration – Inter-VDOM Routing – FortiOS 6.2

Inter-VDOM routing

In the past, virtual domains (VDOMs) were separate from each other and there was no internal communication. Any communication between VDOMs involved traffic leaving on a physical interface belonging to one VDOM and re-entering the FortiGate unit on another physical interface belonging to another VDOM to be inspected by firewall policies in both directions.

Inter-VDOM routing changes this. With VDOM links, VDOMs can communicate internally without using additional physical interfaces. Traffic that crosses a VDOM link is still matched against the firewall policies of both VDOMs, one at each end of the link, so the isolation between VDOMs is preserved; what you save is the external cabling and the two physical ports.

Inter-VDOM routing is the communication between VDOMs. A VDOM link is a pair of virtual interfaces: each interface is assigned to one of the two VDOMs and forms that VDOM's end of the inter-VDOM connection.

When VDOMs are enabled on your FortiGate unit, configuring inter-VDOM routing and VDOM links is very much like creating a VLAN interface. VDOM links are managed through the GUI or the CLI. In the GUI, VDOM link interfaces appear in the network interface list alongside the physical interfaces.

To configure a VDOM link in the GUI:

  1. Go to Network > Interfaces.
  2. Click Create New > VDOM Link.
  3. Configure the fields including the Name, Virtual Domain, IP information, access levels, and other fields.

To configure a VDOM link in the CLI:

config system vdom-link
    edit "<vdom-link-name>"
    next
end

config system interface
    edit "<vdom-link-name>0"
        set vdom "<VDOM A>"
        set type vdom-link
    next
    edit "<vdom-link-name>1"
        set vdom "<VDOM B>"
        set type vdom-link
    next
end

Creating the link produces the two interfaces <vdom-link-name>0 and <vdom-link-name>1; the two ends must be assigned to different VDOMs.

To delete a VDOM link in the GUI:

  1. Go to Network > Interfaces.
  2. Select a VDOM Link and click Delete.

To delete a VDOM link in the CLI:

config system vdom-link
    delete <vdom-link-name>
end

Sample configuration: Inter-VDOM routing

This example shows how to configure a FortiGate unit to use inter-VDOM routing.

Two departments of a company, Accounting and Sales, are connected to one FortiGate. The company uses a single ISP to connect to the Internet.

This example includes the following general steps. We recommend following the steps in the order below.

Create the VDOMs

To enable VDOMs and create the Sales and Accounting VDOMs:

config system global
    set vdom-mode multi-vdom
end

config system vdom
    edit Accounting
    next
    edit Sales
    next
end

Configure the physical interfaces

Next, configure the physical interfaces. This example uses three interfaces on the FortiGate unit: port2 (internal), port3 (DMZ), and port1 (external). Port2 and port3 each have a department's network connected. Port1 carries all traffic to and from the Internet and uses DHCP to obtain its IP address, which is common with many ISPs. Note that port1 as configured below accepts HTTPS, SSH, and SNMP administrative access on the Internet-facing side; in production, remove the protocols you do not need and restrict the remainder with trusted hosts on the administrator accounts.

config global
    config system interface
        edit port2
            set alias AccountingLocal
            set vdom Accounting
            set mode static
            set ip 172.100.1.1 255.255.0.0
            set allowaccess https ping ssh
            set description "The accounting dept internal interface"
        next
        edit port3
            set alias SalesLocal
            set vdom Sales
            set mode static
            set ip 192.168.1.1 255.255.0.0
            set allowaccess https ping ssh
            set description "The sales dept. internal interface"
        next
        edit port1
            set alias ManagementExternal
            set vdom root
            set mode dhcp
            set distance 5
            set gwdetect enable
            set dns-server-override enable
            set allowaccess https ssh snmp
            set description "The systemwide management interface."
        next
    end
end

Configure the VDOM links

To complete the connection between each VDOM and the management VDOM, add the two VDOM links. One pair is the Accounting – management link and the other is the Sales – management link.

When configuring inter-VDOM links, you do not have to assign IP addresses to the links unless you are using features such as dynamic routing that require them. Not assigning IP addresses results in faster configuration and more available IP addresses on your networks. This example does assign addresses so that each end of the link can be pinged during testing and used as the next hop of a static route.

To configure the Accounting and management VDOM link:

config global
    config system vdom-link
        edit AccountVlnk
        next
    end
    config system interface
        edit AccountVlnk0
            set vdom Accounting
            set ip 11.11.11.2 255.255.255.0
            set allowaccess https ping ssh
            set description "Accounting side of the VDOM link"
        next
        edit AccountVlnk1
            set vdom root
            set ip 11.11.11.1 255.255.255.0
            set allowaccess https ping ssh
            set description "Management side of the VDOM link"
        next
    end
end

To configure the Sales and management VDOM link:

config global
    config system vdom-link
        edit SalesVlnk
        next
    end
    config system interface
        edit SalesVlnk0
            set vdom Sales
            set ip 12.12.12.2 255.255.255.0
            set allowaccess https ping ssh
            set description "Sales side of the VDOM link"
        next
        edit SalesVlnk1
            set vdom root
            set ip 12.12.12.1 255.255.255.0
            set allowaccess https ping ssh
            set description "Management side of the VDOM link"
        next
    end
end

Configure the firewall and Security Profile

With the VDOMs, physical interfaces, and VDOM links configured, the firewall must now be configured to allow the proper traffic. Firewall policies are configured per VDOM, and firewall objects and routes must be created in each VDOM separately: a policy in the Accounting VDOM can only reference interfaces that belong to Accounting (port2 and AccountVlnk0), and a policy in the root VDOM can only reference port1 and the root ends of the links (AccountVlnk1 and SalesVlnk1).

To configure the firewall policies from AccountingLocal to Internet:

config vdom
    edit Accounting
        config firewall policy
            edit 1
                set name "Accounting-Local-to-Management"
                set srcintf port2
                set dstintf AccountVlnk0
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    end

config vdom
    edit root
        config firewall policy
            edit 2
                set name "Accounting-VDOM-to-Internet"
                set srcintf AccountVlnk1
                set dstintf port1
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    end

To configure the firewall policies from SalesLocal to the Internet, mirror the Accounting policies: the first policy lives in the Sales VDOM and sends traffic from port3 into the Sales end of the link, the second lives in the root VDOM and sends traffic from the root end of the link out port1:

config vdom
    edit Sales
        config firewall policy
            edit 6
                set name "Sales-local-to-Management"
                set srcintf port3
                set dstintf SalesVlnk0
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
                set logtraffic enable
            next
        end
    end

config vdom
    edit root
        config firewall policy
            edit 7
                set name "Sales-VDOM-to-Internet"
                set srcintf SalesVlnk1
                set dstintf port1
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
                set logtraffic enable
            next
        end
    end
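The policies above permit traffic between interfaces, but each department VDOM still needs a route that sends Internet-bound traffic to its end of the link; the root VDOM already receives its default route from DHCP on port1. The static routes below are an added example and are not part of the original guide. They reuse the link addresses configured above and assume the standard FortiOS `config router static` syntax:

```text
config vdom
    edit Accounting
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set gateway 11.11.11.1
                set device AccountVlnk0
            next
        end
    end

config vdom
    edit Sales
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set gateway 12.12.12.1
                set device SalesVlnk0
            next
        end
    end
```

Because both link policies source-NAT, traffic arriving in the root VDOM is sourced from 11.11.11.2 or 12.12.12.2, so root needs no return routes to 172.100.0.0/16 or 192.168.0.0/16. There is also no root policy between AccountVlnk1 and SalesVlnk1, so the implicit deny keeps Accounting and Sales from reaching each other through the FortiGate; add such a policy deliberately, with specific addresses and services, if the departments must communicate.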

Test the configuration

When the inter-VDOM routing has been configured, test the configuration to confirm proper operation.

Testing connectivity ensures that physical networking connections, FortiGate unit interface configurations, and firewall policies are properly configured.

The easiest way to test connectivity is to use the ping and traceroute commands to confirm the connectivity of the different routes on the network. In multi-VDOM mode, run them from within the VDOM whose interfaces you are testing.

Test both from AccountingLocal to Internet and from SalesLocal to Internet.
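The following CLI session is an added example of the testing described above, not part of the original guide. It checks the Accounting path first from inside the Accounting VDOM and then watches the same traffic arrive in the root VDOM; repeat it for Sales with 12.12.12.1, 12.12.12.2, and SalesVlnk1. `<internet-host>` is a placeholder for any reachable Internet address, and the lines starting with `#` are annotations, not FortiOS commands:

```text
# From the Accounting VDOM: confirm the default route points at the link,
# then confirm the link itself and the Internet path are reachable.
config vdom
    edit Accounting
        get router info routing-table all
        execute ping 11.11.11.1
        execute traceroute <internet-host>
    end

# From the root VDOM: the Accounting policy source-NATs, so traffic on the
# root end of the link must appear with source 11.11.11.2.
config vdom
    edit root
        diagnose sniffer packet AccountVlnk1 'icmp' 4 10
        # Trace which root policy the packets match (should be policy 2).
        diagnose debug flow filter addr 11.11.11.2
        diagnose debug flow show function-name enable
        diagnose debug flow trace start 10
        diagnose debug enable
        # Generate traffic from a host on AccountingLocal, then stop tracing.
        diagnose debug disable
        diagnose debug flow trace stop
        diagnose debug flow filter clear
    end
```

If the ping to 11.11.11.1 succeeds but the traceroute stops at the link, the problem is in the root VDOM (policy 2, the port1 DHCP default route, or NAT); if the sniffer shows nothing on AccountVlnk1, the problem is in the Accounting VDOM (policy 1 or the Accounting default route).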

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. A major pet peeve of Michael's is the plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
