The complete handbook for FortiOS 5.4

Inter-VDOM configurations

By using fewer physical interfaces to inter-connect VDOMs, inter-VDOM links provide you with more configuration options.

None of these configurations use VLANs to reduce the number of physical interfaces. It is generally assumed that an internal or client network will have its own internal interface and an external interface to connect to its ISP and the Internet.

These inter-VDOM configurations can use any FortiGate model with possible limitations based on the number of physical interfaces. VLANs can be used to work around these limitations.

There are four different types of inter-VDOM configurations:

  • Standalone VDOM
  • Independent VDOMs
  • Management VDOM
  • Meshed VDOM

 

Standalone VDOM

The standalone VDOM configuration uses a single VDOM on your FortiGate unit — the root VDOM that all FortiGate units have by default. This is the VDOM configuration you are likely familiar with. It is the default configuration for FortiGate units before you create additional VDOMs.

The configuration shown above has no VDOM inter-connections and requires no special configurations or settings.

The standalone VDOM configuration can be used for simple network configurations that only have one department or one company administering the connections, firewalls and other VDOM-dependent settings.

However, with this configuration, keeping client networks separate requires many interfaces, considerable firewall design and maintenance, and can quickly become time consuming and complex. Also, configuration errors for one client network can easily affect other client networks, causing unnecessary network downtime.

 

Independent VDOMs

The independent VDOMs configuration uses multiple VDOMs that are completely separate from each other. This is another common VDOM configuration.

This configuration has no communication between VDOMs and, apart from initially setting up each VDOM, it requires no special configurations or settings. Any communication between VDOMs is treated as if it were communication between separate physical devices.

The independent inter-VDOM configuration can be used where more than one department or one company is sharing the FortiGate unit. Each can administer the connections, firewalls and other VDOM-dependent settings for only its own VDOM. To each company or department, it appears as if it has its own FortiGate unit. This configuration reduces the amount of firewall configuration and maintenance required by dividing up the work.

However, this configuration lacks a management VDOM for VDOMs 1, 2, and 3. This is illustrated in Figure 50. This management VDOM would enable an extra level of control for the FortiGate unit administrator, while still allowing each company or department to administer its own VDOM.

 

Management VDOM

In the management VDOM configuration, the root VDOM is the management VDOM. The other VDOMs are connected to the management VDOM with inter-VDOM links. There are no other inter-VDOM connections.

The inter-VDOM links connect the management VDOM to the other VDOMs. This does not require any physical interfaces, and the bandwidth of inter-VDOM links can be faster than physical interfaces, depending on the CPU workload.

Only the management VDOM is connected to the Internet. The other VDOMs are connected to internal networks. All external traffic is routed through the management VDOM using inter-VDOM links and firewall policies between the management VDOM and each VDOM. This ensures the management VDOM has full control over access to the Internet, including what types of traffic are allowed in both directions. There is no communication directly between the non-root VDOMs. Security is greatly increased with only one point of entry and exit. Only the management VDOM needs to be fully managed to ensure network security in this case. Each client network can manage its own configuration without compromising security or bringing down another client network.

The management VDOM configuration is ideally suited for a service provider business. The service provider administers the management VDOM with the other VDOMs as customers. These customers do not require a dedicated IT person to manage their network. The service provider controls the traffic and can prevent the customers from using banned services and prevent Internet connections from initiating those same banned services. One example of a banned service might be Instant Messaging (IM) at a company concerned about intellectual property. Another example could be to limit bandwidth used by file-sharing applications without banning that application completely. Firewall policies control the traffic between the customer VDOM and the management VDOM and can be customized for each customer.

The management VDOM configuration is limited in that the customer VDOMs have no inter-connections. In many situations this limitation is ideal because it maintains proper security. However, some configurations may require customers to communicate with each other, which would be easier if the customer VDOMs were inter-connected.

 

Meshed VDOM

The meshed VDOMs configuration, including partial and full mesh, has VDOMs inter-connected with other VDOMs. There is no special feature to accomplish this—they are just complex VDOM configurations.

Partial mesh means only some VDOMs are inter-connected. In a full mesh configuration, all VDOMs are inter-connected to all other VDOMs. This can be useful when you want to provide full access between VDOMs but handle traffic differently depending on which VDOM it originates from or is going to.

With full access between all VDOMs being possible, it is extra important to ensure proper security. You can achieve this level of security by establishing extensive firewall policies and ensuring secure account access for all administrators and users.

Meshed VDOM configurations can become complex very quickly, with full mesh VDOMs being the most complex. Ensure this is the proper solution for your situation before using this configuration. Generally, these configurations are seen as theoretical and are rarely deployed in the field.

Inter-VDOM routing

Inter-VDOM routing allows VDOMs to communicate internally, without using additional physical interfaces, by using VDOM links. VDOM links are virtual interfaces that connect VDOMs. A VDOM link contains a pair of interfaces, each connected to a VDOM, forming the two ends of the inter-VDOM connection.

 

This chapter contains the following sections:

  • Benefits of inter-VDOM routing
  • Configuring VDOM links
  • Inter-VDOM configurations
  • Dynamic routing over inter-VDOM links
  • HA virtual clusters and VDOM links
  • Example configuration: Inter-VDOM routing

 

Benefits of inter-VDOM routing

Inter-VDOM routing has a number of advantages over independent VDOM routing. These benefits include:

  • Freed-up physical interfaces
  • More speed than physical interfaces
  • Continued support for secure firewall policies
  • Configuration flexibility

 

Freed-up physical interfaces

Tying up physical interfaces on the FortiGate unit presents a problem. With a limited number of interfaces available, configuration options for the old style of communication between VDOMs are very limited. VLANs can be an answer to this, but they have some limitations.

For example, the FortiGate-800 has 8 physical Ethernet ports. If they are assigned 2 per VDOM (one each for external and internal traffic), at most 4 VDOMs can be configured, not the 10 VDOMs the license allows. Adding even one additional interface per VDOM for communication between VDOMs leaves room for only 2 VDOMs in that configuration, since 3 VDOMs would require 9 interfaces. Even using one physical interface for both external traffic and inter-VDOM communication would severely lower the available bandwidth for external traffic on that interface.

With the introduction of inter-VDOM routing, traffic can travel between VDOMs internally, freeing up physical interfaces for external traffic. Using the above example we can use the 4 VDOM configuration and all the interfaces will have their full bandwidth.

 

More speed than physical interfaces

Internal interfaces are faster than physical interfaces. Their speed depends on the FortiGate unit CPU and its load. That means that an inter-VDOM link interface will be faster than an outbound physical interface connected to another inbound physical interface.

Inter-VDOM links are CPU bound, and cannot be part of an accelerated pair of interfaces.

However, while one virtual interface carrying normal traffic would be considerably faster than a physical interface, the more traffic and the more internal interfaces you configure, the slower they become, until they are slower than the physical interfaces. CPU load can also come from other sources such as AV or content scanning. This produces the same effect: internal interfaces such as inter-VDOM links will be slower.

 

Continued support for secure firewall policies

VDOMs help to separate traffic based on your needs. This is an important step in satisfying regulations that require proof of secure data handling. This is especially important to health, law, accounting, and other businesses that handle sensitive data every day.

By keeping things separate, traffic has to leave the FortiGate unit and re-enter to change VDOMs. This forces traffic to go through the firewall when leaving and enter through another firewall, keeping traffic secure.

With inter-VDOM routing, the need for the physical interfaces is greatly reduced. However, firewall policies still need to be in place for traffic to pass through any interface, physical or virtual, and thus provide the same level of security both internally and externally. Configuration of firewall policies is the same for inter-VDOM links as for any other interface, and your data will continue to have the high level of security.

 

Configuration flexibility

A typical VDOM uses at least two interfaces, typically physical interfaces, one for internal and one for external traffic. Depending on the configuration, more interfaces may be required. This means that the maximum number of VDOMs configurable on a FortiGate unit using physical interfaces is the number of interfaces available divided by two. VLANs can increase the number by providing multiple virtual interfaces over a single physical interface, but VLANs have some limitations. Using physical interfaces for inter-VDOM communication therefore limits the number of possible configurations on your FortiGate unit.

To overcome this limitation, inter-VDOM links can be created within the FortiGate unit. Using virtual interfaces, inter-VDOM links free up the physical interfaces for external traffic. Using VDOM links on a FortiGate unit with 8 physical interfaces, you can have 4 VDOMs communicating with each other (meshed configuration) and continue to have 2 physical interfaces each for internal and external connections. This configuration would have required 20 physical interfaces without inter-VDOM routing. With inter-VDOM routing it only requires 8 physical interfaces, with the other 12 interfaces being internal VDOM links.

Inter-VDOM routing allows you to make use of standalone VDOMs, management VDOMs, and meshed VDOMs without being limited by the number of physical interfaces on your FortiGate unit. For more information about these types of VDOMs, see “Inter-VDOM configurations”.

Example configuration: VDOM in Transparent mode

In this example, the FortiGate unit provides network protection to two organizations — Company A and Company B. Each company has different policies for incoming and outgoing traffic, requiring three different security policies and protection profiles.

 

VDOMs are not required for this configuration, but by using VDOMs the profiles and policies can be more easily managed on a per-VDOM basis, either by one central administrator or by separate administrators for each company. Also, future expansion is simply a matter of adding additional VDOMs without disrupting the existing VDOMs.

For this example, firewalls are only included to deal with web traffic. This is to provide an example without making configuration unnecessarily complicated.

This example includes the following sections:

  • Network topology and assumptions
  • General configuration steps
  • Configuring common items
  • Creating virtual domains
  • Configuring the Company_A VDOM
  • Configuring the Company_B VDOM
  • Configuring the VLAN switch and router
  • Testing the configuration

 

Network topology and assumptions

Each organization’s internal network consists of a different range of IP addresses:

  • 10.11.0.0/255.255.0.0 for Company A.
  • 10.12.0.0/255.255.0.0 for Company B.

For the procedures in this section, it is assumed that you have enabled VDOM configuration on your FortiGate unit. For more information, see Virtual Domains Overview.

The VDOM names are similar to the company names for easy recognition. The root VDOM cannot be renamed and is not used in this example.

Interfaces used in this example are port1 and port2. Some FortiGate models may not have interfaces with these names. port1 is an external interface. port2 is an internal interface.

 

General configuration steps

The following steps summarize the configuration for this example. For best results, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Configuring common items

2. Creating virtual domains

3. Configuring the Company_A VDOM

4. Configuring the Company_B VDOM

5. Configuring the VLAN switch and router

6. Testing the configuration

 

Configuring common items

Both VDOMs require you to configure security profiles. These are configured the same way, but need to be configured in both VDOMs.

The relaxed profile allows users to surf websites they are not allowed to visit during normal business hours. Also a quota is in place to restrict users to one hour of access to these websites to ensure employees do not take long and unproductive lunches.

 

To create a strict web filtering profile – web-based manager:

1. Go to the proper VDOM, and select Security Profiles > Web Filter.

2. Select Create New.

3. Enter strict for the Name.

4. Expand FortiGuard Web Filtering, and select block for all Categories except Business Oriented, and Other.

5. Block all Classifications except Cached Content, and Image Search.

6. Ensure FortiGuard Quota for all Categories and Classifications is Disabled.

7. Select OK.

 

To create a strict web filtering profile – CLI:

config vdom
    edit <vdom_name>
        config webfilter profile
            edit strict
                config ftgd-wf
                    set allow g07 g08 g21 g22 c01 c03
                    set deny g01 g02 g03 g04 g05 g06 c02 c04 c05 c06 c07
                end
                set web-ftgd-err-log enable
            next
        end
    next
end

 

To create a relaxed web filtering profile – web-based manager:

1. Go to the proper VDOM, and select Security Profiles > Web Filter.

2. Select Create New.

3. Enter relaxed for the Name.

4. Expand FortiGuard Web Filtering, and select block for Potentially Security Violating Category, and Spam URL Classification.

5. Enable FortiGuard Quotas to allow 1 hour for all allowed Categories and Classifications.

 

Creating virtual domains

The FortiGate unit supports 10 virtual domains. Root is the default VDOM. It cannot be deleted or renamed. The root VDOM is not used in this example. New VDOMs are created for Company A and Company B.

 

To create the virtual domains – web-based manager:

1. With VDOMs enabled, select Global > System > VDOM.

2. Select Create New.

3. Enter Company_A for Name, and select OK.

4. Select Create New.

5. Enter Company_B for Name, and select OK.

 

To create the virtual domains – CLI:

config system vdom
    edit Company_A
    next
    edit Company_B
    next
end

 

Configuring the Company_A VDOM

This section describes how to add VLAN subinterfaces and configure security policies for the Company_A VDOM. This section includes the following topics:

  • Adding VLAN subinterfaces
  • Creating the Lunch schedule
  • Configuring Company_A firewall addresses
  • Creating Company_A security policies

 

Adding VLAN subinterfaces

You need to create a VLAN subinterface on the port2 interface and another one on the port1 interface, both with the same VLAN ID.

 

To add VLAN subinterfaces – web-based manager:

1. Go to Global > Network > Interfaces.

2. Select Create New.

3. Enter the following information and select OK:

Name                                           VLAN_100_int

Interface                                     port2

VLAN ID                                      100

Virtual Domain                          Company_A

4. Select Create New.

5. Enter the following information and select OK:

Name                                           VLAN_100_ext

Interface                                     port1

VLAN ID                                      100

Virtual Domain                          Company_A

 

To add the VLAN subinterfaces – CLI:

config system interface
    edit VLAN_100_int
        set interface port2
        set vlanid 100
        set vdom Company_A
    next
    edit VLAN_100_ext
        set interface port1
        set vlanid 100
        set vdom Company_A
    next
end

 

Creating the Lunch schedule

Both organizations have the same lunch schedule, but only Company A has relaxed its security policy to allow employees more freedom in accessing the Internet during lunch. The lunch schedule is Monday to Friday from 11:45am to 2:00pm (14:00).

 

To create a recurring schedule for lunchtime – web-based manager:

1. In Company_A VDOM, go to Policy & Objects > Schedules.

2. Select Create New.

3. Enter Lunch as the name for the schedule.

4. Select Mon, Tues, Wed, Thu, and Fri.

5. Set the Start time as 11:45 and set the Stop time as 14:00.

6. Select OK.

 

To create a recurring schedule for lunchtime – CLI:

config vdom
    edit Company_A
        config firewall schedule recurring
            edit Lunch
                set day monday tuesday wednesday thursday friday
                set start 11:45
                set end 14:00
            next
        end
    next
end

 

Configuring Company_A firewall addresses

For Company A, its networks are all on the 10.11.0.0 network, so restricting addresses to that domain provides added security.

 

To configure Company_A firewall addresses – web-based manager:

1. In the Company_A VDOM, go to Policy & Objects > Addresses.

2. Select Create New.

3. Enter CompanyA in the Address Name field.

4. Type 10.11.0.0/255.255.0.0 in the Subnet / IP Range field.

5. Select OK.

 

To configure Company_A firewall addresses – CLI:

config vdom
    edit Company_A
        config firewall address
            edit CompanyA
                set type ipmask
                set subnet 10.11.0.0 255.255.0.0
            next
        end
    next
end

 

Creating Company_A security policies

A security policy can include varying levels of security feature protection. This example only deals with web filtering. The following security policies use the custom strict and relaxed web filter profiles configured earlier.

For these security policies, we assume that all protocols will be on their standard ports, such as port 80 for http traffic. If the ports are changed, such as using port 8080 for http traffic, you will have to create custom services for protocols with non-standard ports, and assign them different names.

 

The security policies configured in this section are:

  • internal to external — always, allow all, security features – web filtering: strict
  • internal to external — Lunch, allow all, security features – web filtering: relaxed

Security policies allow packets to travel from the internal VLAN_100 interface to the external interface, subject to the restrictions of the web filter profile. The order of the policies matters: the list is checked from the top down and the first policy that matches is applied, so the more specific CompanyA-lunch policy must sit above the always-on CompanyA-strict policy, or the relaxed profile is never applied. After entering both policies, check their position in the list.

 

To configure Company_A security policies – web-based manager:

1. Go to Policy & Objects > IPv4 Policy.

2. Select Create New.

3. Enter the following information and select OK:

Name                                             CompanyA-lunch

Incoming Interface                         VLAN_100_int

Outgoing Interface                         VLAN_100_ext

Source Address                              CompanyA

Destination Address                      all

Schedule                                          Lunch

Service                                             all

Action                                               ACCEPT

Security Features                            enable

Web Filtering               relaxed

This policy provides relaxed protection during lunch hours — going from strict down to scan for protocol options and web filtering. AntiVirus and Email Filtering remain at strict for security — relaxing them would not provide employees additional access to the Internet and it would make the company vulnerable.

4. Select Create New.

5. Enter the following information and select OK:

Name                                         CompanyA-strict

Incoming Interface                     VLAN_100_int

Outgoing Interface                     VLAN_100_ext

Source Address                          CompanyA

Destination Address                  all

Schedule                                     always

Service                                         all

Action                                          ACCEPT

Security Features                       enable

Web Filtering          strict

This policy enforces strict scanning at all times, while allowing all traffic. It ensures company policies are met for network security.

6. Verify that the policy list is arranged By Sequence and that the CompanyA-lunch policy is located above the CompanyA-strict policy. If necessary, rearrange the policies so that the appropriate policy is applied to outgoing traffic.
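The ordering requirement in step 6 is easy to see in a small model. The following Python is an added example, not code from the handbook or from Fortinet: it assumes a simplified first-match evaluation (top down, the first matching policy wins, implicit deny at the end of the list) and models only the fields the two Company_A policies use. The names Schedule, Policy, evaluate and the sample client addresses are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Optional, Tuple

# Simplified model (an assumption of this example) of how a FortiGate walks a
# policy list: top down, first match wins, implicit deny at the bottom.


@dataclass(frozen=True)
class Schedule:
    name: str
    days: FrozenSet[int] = frozenset()   # weekday numbers, Monday = 0
    start: str = "00:00"                 # HH:MM, zero-padded so string order is time order
    end: str = "23:59"
    always: bool = False

    def active(self, when: datetime) -> bool:
        if self.always:
            return True
        return when.weekday() in self.days and self.start <= when.strftime("%H:%M") <= self.end


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str                  # firewall address object name
    schedule: Schedule
    service: FrozenSet[str]       # service names; "ALL" matches every service
    action: str
    webfilter_profile: Optional[str] = None


# Address objects from the Company_A example; "all" is the built-in 0.0.0.0/0 object.
ADDRESSES = {
    "CompanyA": ipaddress.ip_network("10.11.0.0/16"),
    "all": ipaddress.ip_network("0.0.0.0/0"),
}

LUNCH = Schedule("Lunch", days=frozenset(range(5)), start="11:45", end="14:00")
ALWAYS = Schedule("always", always=True)


def company_a_policies() -> List[Policy]:
    """The Company_A list in the order the example requires: Lunch above strict."""
    return [
        Policy("CompanyA-lunch", "VLAN_100_int", "VLAN_100_ext", "CompanyA",
               LUNCH, frozenset({"ALL"}), "accept", "relaxed"),
        Policy("CompanyA-strict", "VLAN_100_int", "VLAN_100_ext", "CompanyA",
               ALWAYS, frozenset({"ALL"}), "accept", "strict"),
    ]


def matches(p: Policy, srcintf: str, dstintf: str, src_ip: str,
            service: str, when: datetime) -> bool:
    return (p.srcintf == srcintf and p.dstintf == dstintf
            and ipaddress.ip_address(src_ip) in ADDRESSES[p.srcaddr]
            and ("ALL" in p.service or service in p.service)
            and p.schedule.active(when))


def evaluate(policies: List[Policy], srcintf: str, dstintf: str, src_ip: str,
             service: str, when: datetime) -> Tuple[str, str, Optional[str]]:
    """Return (policy name, action, web filter profile) of the first matching policy.
    Traffic that matches nothing hits the implicit deny at the end of the list."""
    for p in policies:
        if matches(p, srcintf, dstintf, src_ip, service, when):
            return (p.name, p.action, p.webfilter_profile)
    return ("implicit-deny", "deny", None)


if __name__ == "__main__":
    at_lunch = datetime(2016, 3, 15, 12, 30)   # a Tuesday, inside the Lunch window
    ordered = company_a_policies()
    for label, pols in (("Lunch above strict", ordered),
                        ("strict above Lunch", list(reversed(ordered)))):
        print(label, "->", evaluate(pols, "VLAN_100_int", "VLAN_100_ext",
                                    "10.11.4.20", "HTTP", at_lunch))
```

Running the block shows the two outcomes side by side: with the Lunch policy on top, a 10.11.x.x client at 12:30 on a weekday gets the relaxed profile; with the list reversed, the always-on strict policy consumes the same traffic and the Lunch policy is never reached. A client outside the CompanyA address object matches neither policy and falls to the implicit deny.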

 

To configure Company_A security policies – CLI:

config vdom
    edit Company_A
        config firewall policy
            edit 1
                set name "CompanyA-lunch"
                set srcintf VLAN_100_int
                set dstintf VLAN_100_ext
                set srcaddr CompanyA
                set dstaddr all
                set action accept
                set schedule Lunch
                set service ALL
                set utm-status enable
                set webfilter-profile relaxed
            next
            edit 2
                set name "CompanyA-strict"
                set srcintf VLAN_100_int
                set dstintf VLAN_100_ext
                set srcaddr CompanyA
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set utm-status enable
                set webfilter-profile strict
            next
        end
    next
end

 

Configuring the Company_B VDOM

This section describes how to add VLAN subinterfaces and configure security policies for the Company B VDOM. This section includes the following topics:

  • Adding VLAN subinterfaces
  • Creating Company_B service groups
  • Configuring Company_B firewall addresses
  • Configuring Company_B security policies

 

Adding VLAN subinterfaces

You need to create a VLAN subinterface on the internal interface and another one on the external interface, both with the same VLAN ID.

 

To add VLAN subinterfaces – web-based manager:

1. Go to Network > Interfaces.

2. Select Create New.

3. Enter the following information and select OK:

Name                                           VLAN_200_int

Interface                                     port2

VLAN ID                                      200

Virtual Domain                          Company_B

4. Select Create New.

5. Enter the following information and select OK:

Name                                           VLAN_200_ext

Interface                                     port1

VLAN ID                                      200

Virtual Domain                          Company_B

 

To add the VLAN subinterfaces – CLI:

config system interface
    edit VLAN_200_int
        set interface port2
        set vlanid 200
        set vdom Company_B
    next
    edit VLAN_200_ext
        set interface port1
        set vlanid 200
        set vdom Company_B
    next
end

 

Creating Company_B service groups

Company_B does not want its employees to use any online chat software except NetMeeting, which the company uses for net conferencing. To simplify the creation of a security policy for this purpose, you create a service group that contains all of the services you want to restrict. A security policy can manage only one service or one group.

 

To create a chat service group – web-based manager:

1. Go to Policy & Objects > Services and select Create New > Service Group.

2. Enter Chat in the Group Name field.

3. For each of IRC, AOL, SIP-MSNmessenger and TALK, select the service in the Available Services list and select the right arrow to add it to the Members list.

If a particular service does not appear in the Available Services list, see the list in Policy & Objects > Services. Some services do not appear by default unless edited.

4. Select OK.

 

To create the chat service group – CLI:

config firewall service group
    edit Chat
        set member IRC SIP-MSNmessenger AOL TALK
    next
end

 

Configuring Company_B firewall addresses

Company B’s network is all in the 10.12.0.0 network. Security can be improved by only allowing traffic from IP addresses on that network.

To configure Company_B firewall address – web-based manager:

1. In the Company_B VDOM, go to Policy & Objects > Addresses.

2. Select Create New.

3. Enter CompanyB in the Address Name field.

4. Type 10.12.0.0/255.255.0.0 in the Subnet / IP Range field.

5. Select OK.

 

To configure Company_B firewall addresses – CLI:

config vdom
    edit Company_B
        config firewall address
            edit CompanyB
                set type ipmask
                set subnet 10.12.0.0 255.255.0.0
            next
        end
    next
end

 

Configuring Company_B security policies

Security policies allow packets to travel between the internal and external VLAN_200 interfaces, subject to the restrictions of the web filter profile. The Lunch and BusinessDay schedules referenced by these policies are per-VDOM objects, so they must exist in the Company_B VDOM before the policies are created.

 

To configure Company_B security policies – web-based manager:

1. Go to Policy & Objects > IPv4 Policy.

2. Select Create New.

3. Enter the following information and select OK:

Name                                        CompanyB-deny-games-chat

Incoming Interface                   VLAN_200_int

Outgoing Interface                   VLAN_200_ext

Source Address                        all

Destination Address                 all

Schedule                                    BusinessDay

Service                                       Chat

Action                                         DENY

 

This policy prevents the use of network games or chat programs (except NetMeeting) during business hours.

4. Enter the following information and select OK:

Name                                       CompanyB-lunch

Incoming Interface                   VLAN_200_int

Outgoing Interface                   VLAN_200_ext

Source Address                        all

Destination Address                all

Schedule                                    Lunch

Service                                       HTTP, DNS

Action                                        ACCEPT

Security Features                     enable

Web Filter              relaxed

This policy relaxes the web category filtering during lunch hour.

5. Select Create New.

6. Enter the following information and select OK:

Name                                       CompanyB-strict

Incoming Interface                VLAN_200_int

Outgoing Interface                VLAN_200_ext

Source Address                     all

Destination Address             all

Schedule                                 BusinessDay

Service                                    HTTP, DNS

Action                                     ACCEPT

Security Profiles                      enabled

Web Filter          strict

 

This policy provides rather strict web category filtering during business hours.

7. Select Create New.

8. Enter the following information and select OK:

Name                                      CompanyB-after-hours

Incoming Interface                  VLAN_200_int

Outgoing Interface                  VLAN_200_ext

Source Address                       all

Destination Address               all

Schedule                                   always

Service                                      ALL

Action                                       ACCEPT

Security Profiles                      enabled

Web Filter          relaxed

 

Because it is last in the list, this policy applies to the times and services not covered in preceding policies. This means that outside of regular business hours, the Relaxed protection profile applies to email and web browsing, and online chat and games are permitted. Company B needs this policy because its employees sometimes work overtime. The other companies in this example maintain fixed hours and do not want any after-hours Internet access.

 

To configure Company_B security policies – CLI:

config vdom
    edit Company_B
        config firewall policy
            edit 1
                set name "CompanyB-deny-games-chat"
                set srcintf VLAN_200_int
                set dstintf VLAN_200_ext
                set srcaddr all
                set dstaddr all
                set schedule BusinessDay
                set service Chat
                set action deny
            next
            edit 2
                set name "CompanyB-lunch"
                set srcintf VLAN_200_int
                set dstintf VLAN_200_ext
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule Lunch
                set service HTTP DNS
                set utm-status enable
                set webfilter-profile relaxed
            next
            edit 3
                set name "CompanyB-strict"
                set srcintf VLAN_200_int
                set dstintf VLAN_200_ext
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule BusinessDay
                set service HTTP DNS
                set utm-status enable
                set webfilter-profile strict
            next
            edit 4
                set name "CompanyB-after-hours"
                set srcintf VLAN_200_int
                set dstintf VLAN_200_ext
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set utm-status enable
                set webfilter-profile relaxed
            next
        end
    next
end

 

Configuring the VLAN switch and router

The Cisco switch is the first VLAN device that internal traffic passes through, and the Cisco router is the last device before the Internet or ISP.

This section includes the following topics:

  • Configuring the Cisco switch
  • Configuring the Cisco router

 

Configuring the Cisco switch

On the Cisco Catalyst 2900 Ethernet switch, you need to define the VLANs 100, 200 and 300 in the VLAN database, and then add configuration files to define the VLAN subinterfaces and the 802.1Q trunk interface. Add this file to the Cisco VLAN switch:

!
interface FastEthernet0/1
 switchport access vlan 100
!
interface FastEthernet0/5
 switchport access vlan 300
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
!

Switch 1 has the following configuration:

Port 0/1                                       VLAN ID 100

Port 0/3                                       VLAN ID 200

Port 0/6                                       802.1Q trunk

 

Configuring the Cisco router

The configuration for the Cisco router in this example is the same as in the basic example, except we add VLAN_300. Each of the three companies has its own subnet assigned to it.

The IP addresses assigned to each VLAN on the router are the gateway addresses for the VLANs. For example, devices on VLAN_100 would have their gateway set to 10.11.0.1/255.255.0.0.

 

!
interface FastEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/0.1
 encapsulation dot1Q 100
 ip address 10.11.0.1 255.255.0.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 200
 ip address 10.12.0.1 255.255.0.0
!

The router has the following configuration:

Port 0/0.1                                    VLAN ID 100

Port 0/0.3                                    VLAN ID 200

Port 0/0                                       802.1Q trunk

 

Testing the configuration

Use diagnostic commands, such as tracert, to test traffic routed through the network.

You should test traffic between the internal VLANs as well as from the internal VLANs to the Internet to ensure connectivity.

For additional troubleshooting, see Troubleshooting Virtual Domains. This section includes the following topics:

  • Testing traffic from VLAN_100 to the Internet
  • Testing traffic from VLAN_100 to VLAN_200

 

Testing traffic from VLAN_100 to the Internet

In this example, a route is traced from VLANs to a host on the Internet. The route target is www.example.com. From a host on VLAN_100, access a command prompt and enter this command:

C:\>tracert www.example.com

Tracing route to www.example.com [208.77.188.166]

over a maximum of 30 hops:

1 <10 ms <10 ms <10 ms 10.100.0.1

14 172 ms 141 ms 140 ms 208.77.188.166

Trace complete.

The number of steps between the first and the last hop, as well as their IP addresses, will vary depending on your location and ISP. However, all successful tracerts to www.example.com will start and end with these lines.

Repeat the tracert for VLAN_200.

The tracert for each VLAN will include the gateway for that VLAN as the first step. Otherwise, the tracert should be the same for each VLAN.

 

Testing traffic from VLAN_100 to VLAN_200

In this example, a route is traced between two internal networks. The route target is a host on VLAN_200. The Windows traceroute command tracert is used.

From VLAN_100, access a Windows command prompt and enter this command:

C:\>tracert 10.12.0.2

Tracing route to 10.12.0.2 over a maximum of 30 hops:

1 <10 ms <10 ms <10 ms 10.100.0.1

2 <10 ms <10 ms <10 ms 10.12.0.2

Trace complete.

You can repeat this for different routes in the topology. In each case the IP addresses will be the gateway for the starting VLAN, and the end point at the ending VLAN.

Using a VDOM in Transparent mode

The essential steps to configure a VDOM in Transparent mode are:

  • Switching to Transparent mode
  • Adding VLAN subinterfaces
  • Creating security policies

You can also configure the security profiles that manage antivirus scanning, web filtering and spam filtering. In Transparent mode, you can access the web-based manager by connecting to an interface configured for administrative access and using HTTPS to access the management IP address. In the following examples, administrative access is enabled by default on the internal interface and the default management IP address is 10.11.0.1.

 

Switching to Transparent mode

A VDOM is in NAT/Route mode by default when it is created. You must switch it to Transparent mode, and add a management IP address so you can access the VDOM from your management computer.

Before applying the change to Transparent mode, ensure the VDOM has administrative access on the selected interface, and that the selected management IP address is reachable on your network.

 

To switch the VDOM to Transparent mode – web-based manager:

1. Go to Global > System > VDOM.

2. Edit the VDOM you wish to use in Transparent mode.

3. Set Operation mode to Transparent.

4. Enter the management IP/Netmask. The IP address must be reachable from the subnet where the management computer is located. For example, 10.11.0.99/255.255.255.0 will be accessible from the 10.11.0.0 subnet.

5. Select Apply.

When you select Apply, the FortiGate unit will log you out. When you log back in, the VDOM will be in Transparent mode.

 

To switch the VDOM to Transparent mode – CLI:

config vdom
    edit <name>
        config system settings
            set opmode transparent
            set manageip 10.11.0.99 255.255.255.0
        end
    end

 

Adding VLAN subinterfaces

There are a few differences when adding VLANs in Transparent mode compared to NAT/Route mode.

In Transparent mode, VLAN traffic is trunked across the VDOM. That means VLAN traffic cannot be routed, changed, or inspected. For this reason, when you assign a VLAN to a Transparent mode VDOM, the Addressing Mode section of the interface configuration disappears from the web-based manager. This is because, with no routing, inspection, or other activities able to be performed on VLAN traffic, the VDOM simply re-broadcasts the VLAN traffic, which requires no addressing.

Also, any routing-related features, such as dynamic routing or Virtual Router Redundancy Protocol (VRRP), are not available in Transparent mode for any interfaces.

 

Creating security policies

Security policies permit communication between the FortiGate unit’s network interfaces based on source and destination IP addresses. Typically you will also limit communication to desired times and services for additional security.

In Transparent mode, the FortiGate unit performs antivirus and antispam scanning on each packet as it passes through the unit. You need security policies to permit packets to pass from the VLAN interface where they enter the unit to the VLAN interface where they exit the unit. If there are no security policies configured, no packets will be allowed to pass from one interface to another.

For more information, see the Firewall handbook.

Operation mode differences in VDOMs

A VDOM, such as root, can have a maximum of 255 interfaces in Network Address Translation (NAT) mode or Transparent mode. This includes VLANs, other virtual interfaces, and physical interfaces. To have more than a total of 255 interfaces configured, you need multiple VDOMs with multiple interfaces on each.

In Transparent mode without VDOMs enabled, all interfaces on the FortiGate unit act as a bridge — all traffic coming in on one interface is sent back out on all the other interfaces. This effectively turns the FortiGate unit into a two-interface unit no matter how many physical interfaces it has. When VDOMs are enabled, you can decide how many interfaces to assign to a VDOM running in Transparent mode. If your network topology gives you reasons to assign more than two interfaces, you can do so. The benefit of VDOMs in this case is that you keep the functionality of Transparent mode while still being able to use other interfaces for NAT/Route traffic.

You can add more VDOMs to separate groups of VLAN subinterfaces. When using a FortiGate unit to serve multiple organizations, this configuration simplifies administration because you see only the security policies and settings for the VDOM you are configuring.

One essential application of VDOMs is to prevent problems caused when a FortiGate unit is connected to a layer-2 switch that has a global MAC table. FortiGate units normally forward ARP requests to all interfaces, including VLAN subinterfaces. It is then possible for the switch to receive duplicate ARP packets on different VLANs. Some layer-2 switches reset when this happens. As ARP requests are only forwarded to interfaces in the same VDOM, you can solve this problem by creating a VDOM for each VLAN.

For more information about Transparent mode, see the Transparent Mode & Internal Segmentation Firewall (ISFW) handbook.

Virtual Domains in Transparent mode

A VDOM in Transparent mode is installed between the internal network and the router. In this mode, the VDOM does not make any changes to IP addresses and only applies security scanning to traffic. When a VDOM is added to a network in Transparent mode, no network changes are required, except to provide the VDOM with a management IP address.

Each VDOM on a FortiGate can be configured for NAT/Route mode or Transparent mode, regardless of the operation mode of other VDOMs on the FortiGate. For more information about NAT/Route mode, see “Virtual Domains in NAT/Route mode” on page 2602.

 

This chapter includes the following sections:

  • Transparent Mode Overview
  • Using a VDOM in Transparent mode
  • Virtual Domains in Transparent mode

 

Transparent Mode Overview

In transparent mode, a VDOM becomes a layer-2 IP forwarding bridge. This means that Ethernet frames are forwarded based on destination MAC address, and no other routing is performed. All incoming traffic that is accepted by the firewall is broadcast out on all interfaces.

In transparent mode the VDOM is a forwarding bridge, not a switch. A switch can build a port table of associated MAC addresses, so that it can bridge two ports to deliver the traffic instead of broadcasting to all ports. In transparent mode, the VDOM does not follow this switch behavior; instead it is a forwarding bridge that broadcasts all packets out over all interfaces, subject to security policies.
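Three statements in this chapter fit together: a Transparent mode VDOM floods accepted frames to all of its interfaces (above), nothing is forwarded without a security policy (Creating security policies), and ARP requests are only forwarded to interfaces in the same VDOM, so one VDOM per VLAN stops duplicate ARPs reaching a switch with a global MAC table (Operation mode differences in VDOMs). The following added example, which is not from the handbook, models all three alongside a learning switch for contrast; the interface names, MAC addresses and policy pairs are constructed for the example, and the policy model is reduced to permitted (srcintf, dstintf) pairs.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class TransparentVdom:
    """A Transparent mode VDOM modelled as a forwarding bridge.

    A frame accepted on one member interface is re-broadcast out every other member
    interface for which a security policy (srcintf, dstintf) exists. With no policies
    nothing is forwarded (implicit deny). No MAC table is kept, so unicast frames are
    flooded exactly like broadcasts.
    """

    def __init__(self, name, interfaces, policies=()):
        self.name = name
        self.interfaces = list(interfaces)
        self.policies = set(policies)  # permitted (srcintf, dstintf) pairs

    def forward(self, ingress, frame):
        if ingress not in self.interfaces:
            raise ValueError(f"{ingress} is not a member of VDOM {self.name}")
        return sorted(i for i in self.interfaces
                      if i != ingress and (ingress, i) in self.policies)


class LearningSwitch:
    """Contrast case: a layer-2 switch with a per-port MAC table.

    Unknown and broadcast destinations are flooded; once a destination MAC has been
    learned, the frame is delivered to that single port only.
    """

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # source MAC -> port it was learned on

    def forward(self, ingress, frame):
        self.mac_table[frame["src"]] = ingress
        dst = frame["dst"]
        if dst != BROADCAST and dst in self.mac_table:
            out = self.mac_table[dst]
            return [] if out == ingress else [out]
        return sorted(p for p in self.ports if p != ingress)


def arp_receivers(vdoms, ingress, frame):
    """Interfaces that receive an ARP request entering `ingress`.

    ARP is only forwarded to interfaces in the same VDOM, so only the VDOM that owns
    `ingress` floods it; every VLAN subinterface in the result gets its own copy.
    """
    for vdom in vdoms:
        if ingress in vdom.interfaces:
            return set(vdom.forward(ingress, frame))
    return set()


def scenarios():
    """Run the situations described in the handbook and return the results."""
    host_a, host_b = "00:aa:00:00:00:01", "00:aa:00:00:00:02"  # constructed MACs
    arp = {"src": host_a, "dst": BROADCAST}
    unicast_to_a = {"src": host_b, "dst": host_a}

    # 1. No security policies at all: nothing passes between interfaces.
    no_policy = TransparentVdom("t1", ["internal", "external"])

    # 2. One VDOM holding two VLAN subinterfaces (v100, v200, assumed to share a trunk
    #    towards a switch) plus an internal interface: an ARP request from internal is
    #    re-broadcast on BOTH VLANs, so the switch sees the same ARP on two VLANs.
    root = TransparentVdom("root", ["internal", "v100", "v200"],
                           policies=[("internal", "v100"), ("internal", "v200")])

    # 3. One VDOM per VLAN: the ARP request leaves only on that VDOM's own VLAN.
    vdom_a = TransparentVdom("vdomA", ["internal_A", "v100"], policies=[("internal_A", "v100")])
    vdom_b = TransparentVdom("vdomB", ["internal_B", "v200"], policies=[("internal_B", "v200")])

    # 4. Bridge versus switch for a unicast frame to an already-seen host.
    ports = ("p1", "p2", "p3")
    bridge = TransparentVdom("t2", ports, policies=[(a, b) for a in ports for b in ports if a != b])
    switch = LearningSwitch(ports)
    bridge.forward("p1", arp)  # the bridge learns nothing from this
    switch.forward("p1", arp)  # the switch now knows host_a lives on p1

    return {
        "implicit_deny": no_policy.forward("internal", arp),
        "single_vdom_arp": arp_receivers([root], "internal", arp),
        "per_vlan_vdom_arp": arp_receivers([vdom_a, vdom_b], "internal_A", arp),
        "bridge_unicast": bridge.forward("p2", unicast_to_a),
        "switch_unicast": switch.forward("p2", unicast_to_a),
    }
```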

 

Differences between NAT/Route and Transparent mode

The differences between NAT/Route mode and Transparent mode include:

 

Differences between NAT/Route and Transparent modes

Feature                                     NAT/Route mode   Transparent mode
Specific management IP address required     No               Yes
Perform Network Address Translation (NAT)   Yes              Yes
Stateful packet inspection                  Yes              Yes
Layer-2 forwarding                          Yes              Yes
Layer-3 routing                             Yes              No
Unicast routing / policy-based routing      Yes              No
DHCP server                                 Yes              No
IPsec VPN                                   Yes              Yes
PPTP/L2TP VPN                               Yes              No
SSL VPN                                     Yes              No
Security features                           Yes              Yes
VLAN support                                Yes              Yes (limited to VLAN trunks)
Ping servers (dead gateway detection)       Yes              No

To provide administrative access to a FortiGate unit or VDOM in Transparent mode, you must define a management IP address and a gateway. This step is not required in NAT/Route mode where you can access the FortiGate unit through the assigned IP address of any interface where administrative access is permitted.

If you incorrectly set the Transparent mode management IP address for your FortiGate unit, you will be unable to access your unit through the web-based manager. In this situation, you will need to connect to the FortiGate unit using the console cable and change the settings so you can access the unit. Alternately, if your unit has an LCD panel, you can change the operation mode and interface information through the LCD panel.

Virtual Domains in NAT/Route mode

By default, a Virtual Domain (VDOM) uses NAT/Route mode. In this mode, the VDOM is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the VDOM to hide the IP addresses of the private network using network address translation (NAT).

Each VDOM on a FortiGate can be configured for NAT/Route mode or Transparent mode, regardless of the operation mode of other VDOMs on the FortiGate. For more information about Transparent mode, see “Virtual Domains in Transparent mode” on page 2621.

 

This chapter contains the following sections:

  • Using a VDOM in NAT/Route mode
  • Example configuration: VDOM in NAT/Route mode

 

Using a VDOM in NAT/Route mode

Once you have enabled virtual domains and created one or more VDOMs, you need to configure them. Configuring VDOMs on your FortiGate unit includes tasks such as the ones listed here; while you may not require all for your network topology, it is recommended that you perform them in the order given:

  • Changing the management virtual domain
  • Configuring interfaces in a NAT/Route VDOM
  • Configuring VDOM routing
  • Configuring security policies for NAT/Route VDOMs
  • Configuring security profiles for NAT/Route VDOMs

 

Changing the management virtual domain

The management virtual domain is the virtual domain where all the management traffic for the FortiGate unit originates. This management traffic needs access to remote servers, such as FortiGuard services and NTP, to perform its duties. It needs access to the Internet to send and receive this traffic.

 

Management traffic includes, but is not limited to:

  • DNS lookups
  • Logging to FortiAnalyzer or syslog
  • FortiGuard services
  • Sending alert emails
  • Network Time Protocol (NTP) traffic
  • Sending SNMP traps
  • Quarantining suspicious files and email

By default the management VDOM is the root domain. When other VDOMs are configured on your FortiGate unit, management traffic can be moved to one of these other VDOMs.

Reasons to move the management VDOM include selecting a non-root VDOM to be your administration VDOM, or the root VDOM not having an interface with a connection to the Internet.

You cannot change the management VDOM if any administrators are using RADIUS authentication.

The following procedure will change the management VDOM from the default root to a VDOM named mgmt_vdom. It is assumed that mgmt_vdom has already been created and has an interface that can access the Internet.

 

To change the management VDOM – web-based manager:

1. Select Global > System > VDOM.

2. Select the checkbox next to the required VDOM.

3. Select Switch Management.

The current management VDOM is shown in square brackets, “[root]” for example.

 

To change the management VDOM – CLI:

config global
    config system global
        set management-vdom mgmt_vdom
    end
end

Management traffic will now originate from mgmt_vdom.

 

Configuring interfaces in a NAT/Route VDOM

A VDOM must contain at least two interfaces to be useful. These can be physical interfaces or VLAN interfaces. By default, all physical interfaces are in the root VDOM. When you create a new VLAN, it is in the root VDOM by default.

When there are VDOMs on the FortiGate unit in both NAT and Transparent operation modes, some interface fields will be displayed as “-” on Network > Interfaces. Only someone with a super_admin account can view all the VDOMs.

When moving an interface to a different VDOM, firewall IP pools and virtual IPs for this interface are deleted. You should manually delete any routes that refer to this interface. Once the interface has been moved to the new VDOM, you can add these services to the interface again.

When configuring VDOMs on FortiGate units with accelerated interfaces you must assign both interfaces in the pair to the same VDOM for those interfaces to retain their acceleration. Otherwise they will become normal interfaces.

 

This section includes the following topics:

  • Adding a VLAN to a NAT/Route VDOM
  • Moving an interface to a VDOM
  • Deleting an interface
  • Adding a zone to a VDOM

 

Adding a VLAN to a NAT/Route VDOM

The following example shows one way that multiple companies can maintain their security when they are using one FortiGate unit with VLANs that share interfaces on the unit.

This procedure will add a VLAN interface called client1-v100 with a VLAN ID of 100 to an existing VDOM called client1 using the physical interface called port2.

The physical interface does not need to belong to the VDOM that the VLAN belongs to.

 

To add a VLAN subinterface to a VDOM – web-based manager:

1. Go to Global > Network > Interfaces.

2. Select Create New.

3. Enter the following information and select OK:

Name                                           client1-v100

Interface                                     port2

VLAN ID                                      100

Virtual Domain                          Client1

Addressing mode                     Manual

IP/Netmask                                 172.20.120.110/255.255.255.0

Administrative Access             HTTPS, SSH

You will see an expand arrow added to the port2 interface. When the arrow is expanded, the interface shows the client1-v100 VLAN subinterface.

 

To add a VLAN subinterface to a VDOM – CLI:

config global
    config system interface
        edit client1-v100
            set type vlan
            set vlanid 100
            set vdom Client1
            set interface port2
            set ip 172.20.120.110 255.255.255.0
            set allowaccess https ssh
        end
    end

 

Moving an interface to a VDOM

Interfaces belong to the root VDOM by default. Moving an interface is the same procedure whether it is moving from the root VDOM or from any other VDOM.

If you have an accelerated pair of physical interfaces, both interfaces must be in the same VDOM or you will lose their acceleration.

The following procedure will move the port3 interface to the Client2 VDOM. This is a common action when configuring a VDOM. It is assumed that the Client2 VDOM has already been created. It is also assumed that your FortiGate unit has a port3 interface. If you are using a different model, your physical interfaces may not be named port2, external or port3.

 

To move an existing interface to a different VDOM – web-based manager:

1. Go to Global > Network > Interfaces.

2. Select Edit for the port3 interface.

3. Select Client2 as the new Virtual Domain.

4. Select OK.

 

To move an existing interface to a different VDOM – CLI:

config global
    config system interface
        edit port3
            set vdom Client2
        end
    end

 

Deleting an interface

Before you can delete a virtual interface, or move an interface from one VDOM to another, all references to that interface must be removed. For a list of objects that can refer to an interface see Virtual Domains Overview.

The easiest way to be sure an interface can be deleted is when the Delete icon is no longer greyed out. If it remains greyed out when an interface is selected, that interface still has objects referring to it, or it is a physical interface that cannot be deleted.

 

To delete a virtual interface – web-based manager:

1. Ensure all objects referring to this interface have been removed.

2. Select Global > Network > Interfaces.

3. Select the interface to delete.

4. Select the delete icon.

 

Adding a zone to a VDOM

Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. You can configure policies for connections to and from a zone, but not between interfaces in a zone.

Zones are VDOM-specific. A zone cannot be moved to a different VDOM. Any interfaces in a zone cannot be used in another zone. To move a zone to a new VDOM requires deleting the current zone and re-creating a zone in the new VDOM.

The following procedure will create a zone called accounting in the client2 VDOM. It will not allow intra-zone traffic, and both port3 and port2 interfaces belong to this zone. This is a method of grouping and isolating traffic over particular interfaces—it is useful for added security and control within a larger network.

 

To add a zone to a VDOM – web-based manager:

1. In Virtual Domains, select the client2 VDOM.

2. Go to Network > Interfaces.

3. Select Create New > Zone.

4. Enter the following information and select OK:

Zone Name                                 accounting

Block intra-zone traffic             Select

Interface Members                    port3, port2

To add a zone to a VDOM – CLI:

config vdom
    edit client2
        config system zone
            edit accounting
                set interface port3 port2
                set intrazone deny
            end
        end

 

Configuring VDOM routing

Routing is VDOM-specific. Each VDOM should have a default static route configured as a minimum. Within a VDOM, routing is the same as routing on your FortiGate unit without VDOMs enabled.

When configuring dynamic routing on a VDOM, other VDOMs on the FortiGate unit can be neighbors. The following topics give a brief introduction to the routing protocols, and show specific examples of how to configure dynamic routing for VDOMs. Figures are included to show the FortiGate unit configuration after the successful completion of the routing example.

 

Default static route for a VDOM

The routing you define applies only to network traffic entering non-ssl interfaces belonging to this VDOM. Set the administrative distance high enough, typically 20, so that automatically configured routes will be preferred to the default.

In the following procedure, it is assumed that a VDOM called “Client2” exists. The procedure will create a default static route for this VDOM. The route has a destination IP of 0.0.0.0, on the port3 interface. It has a gateway of 10.10.10.1, and an administrative distance of 20.

The values used in this procedure are very standard, and this procedure should be part of configuring all VDOMs.

 

To add a default static route for a VDOM – web-based manager:

1. In Virtual Domains, select the client2 VDOM.

2. Go to Network > Static Routes.

3. Select Create New.

4. Enter the following information and select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         port2

Gateway                                     10.10.10.1

Distance                                     20

 

To add a default static route for a VDOM – CLI:

config vdom
    edit client2
        config router static
            edit 4
                set device port2
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.10.10.1
                set distance 20
            end
        end

 

Dynamic Routing in VDOMs

Dynamic routing is VDOM-specific, like all other routing. Dynamic routing configuration is the same with VDOMs as with your FortiGate unit without VDOMs enabled, once you are at the routing menu. If you have multiple VDOMs configured, the dynamic routing configuration between them can become quite complex.

VDOMs provide some interesting changes to dynamic routing. Each VDOM can be a neighbor to the other VDOMs. This is useful in simulating a dynamic routing area or AS or network using only your FortiGate unit.

You can separate different types of routing to different VDOMs if required. This allows for easier troubleshooting. This is very useful if your FortiGate unit is on the border of a number of different routing domains.

For more information on dynamic routing in FortiOS, see the Advanced Routing handbook.

Inter-VDOM links may or may not have IP addresses assigned to them, but if they are part of a dynamic routing configuration they must have IP addresses. Without IP addresses, you need to be careful how you configure routing: while the default static route can be assigned an address of 0.0.0.0 and rely on the interface instead, dynamic routing almost always requires an IP address.

 

RIP

The RIP dynamic routing protocol uses hop count to determine the best route, with a hop count of 1 being directly attached to the interface and a hop count of 16 being unreachable. For example if two VDOMs on the same FortiGate unit are RIP neighbors, they have a hop count of 1.

 

OSPF

OSPF communicates the status of its network links to adjacent neighbor routers instead of the complete routing table. Compared to RIP, OSPF is more suitable for large networks and is not limited by hop count, but it is more complex to configure. For smaller OSPF configurations it is easiest to just use the backbone area, instead of multiple areas.

 

BGP

BGP is an Internet gateway protocol (IGP) used to connect autonomous systems (ASes) and is used by Internet service providers (ISPs). BGP stores the full path, or path vector, to a destination and its attributes which aid in proper routing.

 

Configuring security policies for NAT/Route VDOMs

Security policies are VDOM-specific. This means that all firewall settings for a VDOM, such as firewall addresses and security policies, are configured within the VDOM.

In VDOMs, all firewall related objects are configured per-VDOM including addresses, service groups, security profiles, schedules, traffic shaping, and so on. If you want firewall addresses, you will have to create them on each VDOM separately. If you have many addresses, and VDOMs this can be tedious and time consuming. Consider using a FortiManager unit to manage your VDOM configuration — it can get firewall objects from a configured VDOM or FortiGate unit, and push those objects to many other VDOMs or FortiGate units. See the FortiManager Administration Guide.

You can customize the Policy display by including some or all columns, and customize the column order onscreen. Due to this feature, security policy screenshots may not appear the same as on your screen.

 

Configuring a security policy for a VDOM

Your security policies can involve only the interfaces, zones, and firewall addresses that are part of the current VDOM, and they are only visible when you are viewing the current VDOM. The security policies of this VDOM filter the network traffic on the interfaces and VLAN subinterfaces in this VDOM.

A firewall service group can be configured to group multiple services into one service group. When a descriptive name is used, service groups make it easier for an administrator to quickly determine what services are allowed by a security policy.

In the following procedure, it is assumed that a VDOM called Client2 exists. The procedure will configure an outgoing security policy. The security policy will allow all HTTPS, SSH, and DNS traffic for the SalesLocal address group on VLAN_200 going to all addresses on port3. This traffic will be scanned and logged.

 

To configure a security policy for a VDOM – web-based manager:

1. In Virtual Domains, select the client2 VDOM.

2. Go to Policy & Objects > IPv4 Policy.

3. Select Create New.

4. Enter the following information and select OK:

Name                                        Client2-outgoing

Incoming Interface                   VLAN_200

Outgoing Interface                   port3

Source Address                        SalesLocal

Destination Address                 any

Schedule                                    always

Service                                       HTTPS, SSH, DNS

Action                                         ACCEPT

Log Allowed Traffic                  enable

 

To configure a security policy for a VDOM – CLI:

config vdom
    edit Client2
        config firewall policy
            edit 12
                set srcintf VLAN_200
                set srcaddr SalesLocal
                set dstintf port3
                set dstaddr any
                set schedule always
                set service HTTPS SSH DNS
                set action accept
                set status enable
                set logtraffic enable
            end
        end
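Security policies are evaluated per VDOM, top down, with an implicit deny when nothing matches. The following added example (not from the handbook) models that lookup for the Client2-outgoing policy configured above and evaluates constructed flows against it and against a second VDOM that has no policies; the SalesLocal subnet, the service port numbers and the flow addresses are assumptions made for the example.

```python
import ipaddress

# Address objects, scoped per VDOM. SalesLocal's member subnet is an assumption for
# the example; the handbook names the group but not its contents.
ADDRESSES = {
    "Client2": {
        "SalesLocal": [ipaddress.ip_network("10.12.0.0/16")],
        "any": [ipaddress.ip_network("0.0.0.0/0")],
    },
}

# Service objects as sets of (protocol, port); standard port numbers assumed.
SERVICES = {
    "HTTPS": {("tcp", 443)},
    "SSH": {("tcp", 22)},
    "DNS": {("udp", 53), ("tcp", 53)},
}

# Per-VDOM policy tables. Policy 12 is the one configured in the procedure above;
# Client1 exists but has no policies yet.
POLICIES = {
    "Client2": [
        {"id": 12, "srcintf": "VLAN_200", "srcaddr": "SalesLocal", "dstintf": "port3",
         "dstaddr": "any", "service": ["HTTPS", "SSH", "DNS"], "action": "accept",
         "logtraffic": True},
    ],
    "Client1": [],
}


def _addr_match(vdom, name, ip):
    """True if `ip` falls inside the named address object of this VDOM."""
    return any(ip in net for net in ADDRESSES.get(vdom, {}).get(name, []))


def _service_match(names, proto, port):
    return any((proto, port) in SERVICES[n] for n in names)


def evaluate(vdom, flow):
    """First-match evaluation of the VDOM's policy table.

    flow: dict with srcintf, dstintf, src, dst, proto, dport.
    Returns (policy_id or None, action, logged). With no match the implicit deny
    applies; objects of another VDOM can never match because the lookup is scoped
    to `vdom`.
    """
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    for pol in POLICIES.get(vdom, []):
        if (pol["srcintf"] == flow["srcintf"] and pol["dstintf"] == flow["dstintf"]
                and _addr_match(vdom, pol["srcaddr"], src)
                and _addr_match(vdom, pol["dstaddr"], dst)
                and _service_match(pol["service"], flow["proto"], flow["dport"])):
            return pol["id"], pol["action"], pol["logtraffic"]
    return None, "deny", False


def sample_results():
    """Evaluate constructed flows (10.12.0.2 inside SalesLocal, 203.0.113.10 from TEST-NET-3)."""
    base = {"srcintf": "VLAN_200", "dstintf": "port3", "src": "10.12.0.2", "dst": "203.0.113.10"}
    return {
        "https_out": evaluate("Client2", {**base, "proto": "tcp", "dport": 443}),
        "dns_udp": evaluate("Client2", {**base, "proto": "udp", "dport": 53}),
        "http_out": evaluate("Client2", {**base, "proto": "tcp", "dport": 80}),
        "wrong_intf": evaluate("Client2", {**base, "srcintf": "VLAN_100", "proto": "tcp", "dport": 443}),
        "non_sales_src": evaluate("Client2", {**base, "src": "10.11.0.5", "proto": "tcp", "dport": 443}),
        "other_vdom": evaluate("Client1", {**base, "proto": "tcp", "dport": 443}),
    }
```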

 

Configuring security profiles for NAT/Route VDOMs

In NAT/Route VDOMs, security profiles are exactly like regular FortiGate unit operation with one exception. In VDOMs, there are no default security profiles.

If you want security profiles in VDOMs, you must create them yourself. If you have many security profiles to create in each VDOM, you should consider using a FortiManager unit. It can get existing profiles from a VDOM or FortiGate unit, and push those profiles down to multiple other VDOMs or FortiGate units. See the FortiManager Administration Guide.

When VDOMs are enabled, you only need one FortiGuard license for the physical unit, and download FortiGuard updates once for the physical unit. This can result in a large time and money savings over multiple physical units if you have many VDOMs.

 

Configuring VPNs for a VDOM

Virtual Private Networking (VPN) settings are VDOM-specific, and must be configured within each VDOM. Configurations for IPsec Tunnel, IPsec Interface, PPTP and SSL are VDOM-specific. However, certificates are shared by all VDOMs and are added and configured globally to the FortiGate unit.

 

Example configuration: VDOM in NAT/Route mode

Company A and Company B each have their own internal networks and their own ISPs. They share a FortiGate unit that is configured with two separate VDOMs, with each VDOM running in NAT/Route mode enabling separate configuration of network protection profiles. Each ISP is connected to a different interface on the FortiGate unit.

 

This network example was chosen to illustrate one of the most typical VDOM configurations. This example has the following sections:

  • Network topology and assumptions
  • General configuration steps
  • Creating the VDOMs
  • Configuring the FortiGate interfaces
  • Configuring the vdomA VDOM
  • Configuring the vdomB VDOM
  • Testing the configuration

Network topology and assumptions

Both companies have their own ISPs and their own internal interface, external interface, and VDOM on the FortiGate unit.

For easier configuration, the following IP addressing is used:

  • all IP addresses on the FortiGate unit end in “.2” such as 10.11.101.2.
  • all IP addresses for ISPs end in “.7”, such as 172.20.201.7.
  • all internal networks are 10.*.*.* networks, and sample internal addresses end in “.55”.

The IP address matrix for this example is as follows.

Address              Company A                 Company B
ISP                  172.20.201.7              192.168.201.7
Internal network     10.11.101.0               10.12.101.0
FortiGate / VDOM     172.20.201.2 (port1)      192.168.201.2 (port3)
                     10.11.101.2 (port4)       10.12.101.2 (port2)

The Company A internal network is on the 10.11.101.0/255.255.255.0 subnet. The Company B internal network is on the 10.12.101.0/255.255.255.0 subnet.

There are no switches or routers required for this configuration. There are no VLANs in this network topology.

The interfaces used in this example are port1 through port4. Different FortiGate models may have different interface labels. port1 and port3 are used as external interfaces. port2 and port4 are internal interfaces.

The administrator is a super_admin account. If you are using a non-super_admin account, refer to “Global and per-VDOM settings” to see which parts a non-super_admin account can also configure.

When configuring security policies in the CLI always choose a policy number that is higher than any existing policy numbers, select services before profile-status, and profile-status before profile. If these commands are not entered in that order, they may not be available to enter.

 

General configuration steps

For best results in this configuration, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Creating the VDOMs

2. Configuring the FortiGate interfaces

3. Configuring the vdomA VDOM, and Configuring the vdomB VDOM

4. Testing the configuration

 

Creating the VDOMs

In this example, two new VDOMs are created — vdomA for Company A and vdomB for Company B. These VDOMs will keep the traffic for these two companies separate while enabling each company to access its own ISP.

 

To create two VDOMs – web-based manager:

1. Log in with a super_admin account.

2. Go to Global > System > VDOM, and select Create New.

3. Enter vdomA and select OK.

4. Select OK again to return to the VDOM list.

5. Select Create New.

6. Enter vdomB and select OK.

 

To create two VDOMs – CLI:

config vdom
    edit vdomA
    next
    edit vdomB
    end

 

Configuring the FortiGate interfaces

This section configures the interfaces that connect to the companies’ internal networks, and to the companies’ ISPs.

All interfaces on the FortiGate unit will be configured with an IP address ending in “.2” such as 10.11.101.2. This will simplify network administration both for the companies, and for the FortiGate unit global administrator. Also the internal addresses for each company differ in the second octet of their IP address – Company A is 10.11.*, and Company B is 10.12.*.

This section includes the following topics:

  • Configuring the vdomA interfaces
  • Configuring the vdomB interfaces

If you cannot change the VDOM of a network interface, it is because something that refers to that interface still needs to be deleted. Once all the references are deleted, the interface will be available to switch to a different VDOM. For example, a common reference to the external interface is the default static route entry. See Example configuration: VDOM in NAT/Route mode.

 

Configuring the vdomA interfaces

The vdomA VDOM includes two FortiGate unit interfaces: port1 and external.

The port4 interface connects the Company A internal network to the FortiGate unit, and shares the internal network subnet of 10.11.101.0/255.255.255.0.

The external interface connects the FortiGate unit to ISP A and the Internet. It shares the ISP A subnet of 172.20.201.0/255.255.255.0.

 

 

To configure the vdomA interfaces – web-based manager:

1. Go to Global > Network > Interfaces.

2. Select Edit on the port1 interface.

3. Enter the following information and select OK:

Virtual Domain                          vdomA

Addressing mode                     Manual

IP/Netmask                                 172.20.201.2/255.255.255.0

4. Select Edit on the port4 interface.

5. Enter the following information and select OK:

Virtual Domain                          vdomA

Addressing mode                     Manual

IP/Netmask                                 10.11.101.2/255.255.255.0

 

To configure the vdomA interfaces – CLI:

config global
    config system interface
        edit port1
            set vdom vdomA
            set mode static
            set ip 172.20.201.2 255.255.255.0
        next
        edit port4
            set vdom vdomA
            set mode static
            set ip 10.11.101.2 255.255.255.0
        next
    end
end

 

Configuring the vdomB interfaces

The vdomB VDOM uses two FortiGate unit interfaces: port2 and port3.

The port2 interface connects the Company B internal network to the FortiGate unit, and shares the internal network subnet of 10.12.101.0/255.255.255.0.

The port3 interface connects the FortiGate unit to ISP B and the Internet. It shares the ISP B subnet of 192.168.201.0/255.255.255.0.

 

To configure the vdomB interfaces – web-based manager:

1. Go to Global > Network > Interfaces.

2. Select Edit on the port3 interface.

3. Enter the following information and select OK:

Virtual domain                           vdomB

Addressing mode                     Manual

IP/Netmask                                 192.168.201.2/255.255.255.0

4. Select Edit on the port2 interface.

5. Enter the following information and select OK:

Virtual domain                           vdomB

Addressing mode                     Manual

IP/Netmask                                 10.12.101.2/255.255.255.0

 

To configure the vdomB interfaces – CLI:

config global
    config system interface
        edit port3
            set vdom vdomB
            set mode static
            set ip 192.168.201.2 255.255.255.0
        next
        edit port2
            set vdom vdomB
            set mode static
            set ip 10.12.101.2 255.255.255.0
        next
    end
end

 

Configuring the vdomA VDOM

With the VDOMs created and the ISPs connected, the next step is to configure the vdomA VDOM. Configuring vdomA includes the following:

  • Adding vdomA firewall addresses
  • Adding the vdomA security policy
  • Adding the vdomA default route

 

Adding vdomA firewall addresses

You need to define the addresses used by Company A’s internal network for use in security policies. This internal network is the 10.11.101.0/255.255.255.0 subnet.

The FortiGate unit provides one default address, “all”, that you can use when a security policy applies to all addresses as the source or destination of a packet.

 

To add the vdomA firewall addresses – web-based manager:

1. In Virtual Domains, select vdomA.

2. Go to Policy & Objects > Addresses.

3. Select Create New.

4. Enter the following information and select OK:

Address Name                           Ainternal

Type                                            Subnet / IP Range

Subnet / IP Range                     10.11.101.0/255.255.255.0

Interface                                     port4

 

To add the vdomA firewall addresses – CLI:

config vdom
    edit vdomA
        config firewall address
            edit Ainternal
                set type ipmask
                set subnet 10.11.101.0 255.255.255.0
                set associated-interface port4
            next
        end
    next
end

 

Adding the vdomA security policy

You need to add security policies to vdomA to allow traffic from the internal network to reach the external network, and from the external network to reach the internal network. You need two policies for this domain. Note that the external-to-internal policy below accepts any service from any Internet source to the whole internal subnet; it keeps the example simple, but in a real deployment it should be limited to the hosts and services that are actually published.

 

To add the vdomA security policy – web-based manager:

1. In Virtual Domains, select vdomA.

2. Go to Policy & Objects > IPv4 Policy.

3. Select Create New.

4. Enter the following information and select OK:

Name                                           VDOMA-internal-to-external

Incoming Interface                   port4

Outgoing Interface                   port1

Source Address                        Ainternal

Destination Address                 all

Schedule                                    Always

Service                                       ANY

Action                                         ACCEPT

5. Select Create New.

6. Enter the following information and select OK:

Name                                        VDOMA-external-to-internal

Incoming Interface                   port1

Outgoing Interface                   port4

Source Address                        all

Destination Address                 Ainternal

Schedule                                    Always

Service                                       ANY

Action                                         ACCEPT

 

To add the vdomA security policy – CLI:

config vdom
    edit vdomA
        config firewall policy
            edit 1
                set srcintf port4
                set dstintf port1
                set srcaddr Ainternal
                set dstaddr all
                set schedule always
                set service ANY
                set action accept
                set status enable
            next
            edit 2
                set srcintf port1
                set dstintf port4
                set srcaddr all
                set dstaddr Ainternal
                set schedule always
                set service ANY
                set action accept
                set status enable
            next
        end
    next
end

 

Adding the vdomA default route

You also need to define a default route to direct packets from the Company A internal network to ISP A. Every VDOM needs at least a default static route to handle traffic addressed to external networks such as the Internet.

The administrative distance is set slightly higher than that of other routes. Routes with a lower administrative distance are preferred, so this default route is used only as a last resort.

 

To add a default route to the vdomA – web-based manager:

1. In Virtual Domains, select vdomA.

2. Go to Network > Static Routes.

3. Select Create New.

4. Enter the following information and select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         port1

Gateway                                     172.20.201.7

Distance                                     20

 

To add a default route to the vdomA – CLI:

config vdom
    edit vdomA
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set device port1
                set gateway 172.20.201.7
                set distance 20
            next
        end
    next
end

 

Configuring the vdomB VDOM

In this example, the vdomB VDOM is used for Company B. Firewall and routing settings are specific to a single VDOM.

vdomB includes the FortiGate port2 interface to connect to the Company B internal network, and the FortiGate port3 interface to connect to ISP B. Security policies are needed to allow traffic from port2 to port3 and from port3 to port2.

This section includes the following topics:

  • Adding the vdomB firewall address
  • Adding the vdomB security policy
  • Adding a default route to the vdomB VDOM

 

Adding the vdomB firewall address

You need to define addresses for use in security policies. In this example, the vdomB VDOM needs an address object for the Company B internal network behind port2; the default “all” address already exists.

 

To add the vdomB firewall address – web-based manager:

1. In Virtual Domains, select vdomB.

2. Go to Policy & Objects > Addresses.

3. Select Create New.

4. Enter the following information and select OK:

Address Name                           Binternal

Type                                            Subnet / IP Range

Subnet / IP Range                     10.12.101.0/255.255.255.0

Interface                                     port2

 

To add the vdomB firewall address – CLI:

config vdom
    edit vdomB
        config firewall address
            edit Binternal
                set type ipmask
                set subnet 10.12.101.0 255.255.255.0
                set associated-interface port2
            next
        end
    next
end

 

Adding the vdomB security policy

You also need a security policy for the Company B domain. In this example, the security policy allows all traffic.

 

To add the vdomB security policy – web-based manager:

1. Log in with a super_admin account.

2. In Virtual Domains, select vdomB.

3. Go to Policy & Objects > IPv4 Policy

4. Select Create New.

5. Enter the following information and select OK:

 

Name                                           VDOMB-internal-to-external

Incoming Interface                   port2

Outgoing Interface                   port3

Source Address                        Binternal

Destination Address                 all

Schedule                                    Always

Service                                       ANY

Action                                         ACCEPT

6. Select Create New.

7. Enter the following information and select OK:

Name                                           VDOMB-external-to-internal

Incoming Interface                   port3

Outgoing Interface                   port2

Source Address                        all

Destination Address                 Binternal

Schedule                                    Always

Service                                       ANY

Action                                         ACCEPT

 

To add the vdomB security policy – CLI:

config vdom
    edit vdomB
        config firewall policy
            edit 1
                set srcintf port2
                set dstintf port3
                set srcaddr Binternal
                set dstaddr all
                set schedule always
                set service ANY
                set action accept
                set status enable
            next
            edit 2
                set srcintf port3
                set dstintf port2
                set srcaddr all
                set dstaddr Binternal
                set schedule always
                set service ANY
                set action accept
                set status enable
            next
        end
    next
end

 

Adding a default route to the vdomB VDOM

You need to define a default route to direct packets to ISP B.

 

To add a default route to the vdomB VDOM – web-based manager:

1. Log in as the super_admin administrator.

2. In Virtual Domains, select vdomB.

3. Go to Network > Static Routes.

4. Select Create New.

5. Enter the following information and select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         port3

Gateway                                     192.168.201.7

Distance                                     20

 

To add a default route to the vdomB VDOM – CLI:

config vdom
    edit vdomB
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set device port3
                set gateway 192.168.201.7
                set distance 20
            next
        end
    next
end

 

Testing the configuration

Once you have completed the configuration for both company VDOMs, you can use diagnostic commands, such as tracert in Windows, to test traffic routed through the FortiGate unit. Alternatively, you can use the traceroute command on a Linux system, which produces similar output.

 

Possible errors during the traceroute test are:

  • “* * * Request timed out” – no reply to the probes for that hop arrived within the timeout; the hop may be down, dropping ICMP, or unreachable
  • “Destination host unreachable” – a router (or the local host) reported that it has no route to the destination, so the trace cannot proceed

Possible reasons for these errors are bad connections or configuration errors. For additional troubleshooting, see Troubleshooting Virtual Domains.

Testing traffic from the internal network to the ISP

In this example, a route is traced from the Company A internal network to ISP A. The test was run on a Windows PC with an IP address of 10.11.101.55.

The output here indicates three hops between the source and destination, the IP address of each hop, and that the trace was successful.

From the Company A internal network, access a command prompt and enter this command:

C:\>tracert 172.20.201.7

Tracing route to 172.20.201.7 over a maximum of 30 hops:

1  <10 ms  <10 ms  <10 ms 10.11.101.2

2  <10 ms  <10 ms  <10 ms 172.20.201.2

3  <10 ms  <10 ms  <10 ms 172.20.201.7

Trace complete.
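To make this check repeatable, the following Python is an added example (not part of the handbook or any Fortinet tool) that parses tracert output and verifies that every hop lies inside the networks Company A's VDOM is allowed to reach, so a hop answering from Company B's subnets, which would mean traffic is crossing between the VDOMs, is flagged along with timeouts. The two transcripts are constructed (the first reproduces the trace above, the second is a made-up failure), and the allowed-network list, regexes and function names are my own assumptions.

```python
"""Added example, not from the FortiOS handbook: parse Windows tracert output
and check that every hop stays inside the networks a VDOM may reach. Names,
network lists and transcripts here are my own."""
import ipaddress
import re

# Constructed transcript reproducing the successful Company A trace above.
TRACE_OK = """\
Tracing route to 172.20.201.7 over a maximum of 30 hops:

  1    <10 ms    <10 ms    <10 ms  10.11.101.2
  2    <10 ms    <10 ms    <10 ms  172.20.201.2
  3    <10 ms    <10 ms    <10 ms  172.20.201.7

Trace complete.
"""

# Constructed failure: hop 2 answers from ISP B's subnet, then probes time out.
TRACE_LEAK = """\
Tracing route to 172.20.201.7 over a maximum of 30 hops:

  1    <10 ms    <10 ms    <10 ms  10.11.101.2
  2    <10 ms    <10 ms    <10 ms  192.168.201.2
  3     *        *        *     Request timed out.
"""

# Assumed: the only networks a Company A host should see on the way to ISP A.
VDOM_A_NETS = [ipaddress.ip_network(n) for n in ("10.11.101.0/24", "172.20.201.0/24")]

HOP_LINE = re.compile(r"^\s*\d+\s")                       # "  1    <10 ms ..."
HOP_ADDR = re.compile(r"(\d+\.\d+\.\d+\.\d+)\]?\s*$")     # bare IP or "host [IP]"
TARGET = re.compile(r"Tracing route to .*?(\d+\.\d+\.\d+\.\d+)")


def parse_hops(text):
    """Return one entry per hop line: the responding address, or None when
    tracert printed '*' / 'Request timed out' instead of an address."""
    hops = []
    for line in text.splitlines():
        if HOP_LINE.match(line):
            m = HOP_ADDR.search(line)
            hops.append(ipaddress.ip_address(m.group(1)) if m else None)
    return hops


def check_trace(text, allowed_nets):
    """Label each hop 'ok' (inside an allowed network), 'timeout', or
    'foreign:<ip>' for a router this VDOM's traffic should never reach."""
    labels = []
    for hop in parse_hops(text):
        if hop is None:
            labels.append("timeout")
        elif any(hop in net for net in allowed_nets):
            labels.append("ok")
        else:
            labels.append(f"foreign:{hop}")
    return labels


def trace_passed(text, allowed_nets):
    """True only if every hop is allowed and the final hop is the traced target."""
    target = TARGET.search(text)
    hops = parse_hops(text)
    return bool(target and hops
                and hops[-1] == ipaddress.ip_address(target.group(1))
                and all(label == "ok" for label in check_trace(text, allowed_nets)))


if __name__ == "__main__":
    for name, transcript in (("ok", TRACE_OK), ("leak", TRACE_LEAK)):
        print(name, check_trace(transcript, VDOM_A_NETS), trace_passed(transcript, VDOM_A_NETS))
```

Paste a real tracert transcript in place of the constructed ones and adjust the allowed networks per VDOM; a "foreign" hop is worth investigating before declaring the VDOMs separated, even when the trace completes.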

Configuring Virtual Domains

Only a super_admin administrator account such as the default “admin” account can create, disable, or delete VDOMs. That account can create additional administrators for each VDOM. This section includes:

  • Creating a Virtual Domain
  • Disabling a Virtual Domain
  • Deleting a VDOM
  • Administrators in Virtual Domains

Creating a Virtual Domain

Once you have enabled Virtual Domains on your FortiGate unit, you can create additional Virtual Domains beyond the default root Virtual Domain.

By default new Virtual Domains are set to NAT/Route operation mode. If you want a Virtual Domain to be in Transparent operation mode, you must manually change it.

You can name new Virtual Domains as you like with the following restrictions:

  • only letters, numbers, “-”, and “_” are allowed
  • no more than 11 characters are allowed
  • no spaces are allowed
  • VDOMs cannot have the same names as interfaces, zones, switch interfaces, or other VDOMs.

When creating large numbers of VDOMs, you should not enable resource-intensive features such as proxies, web filtering, and antivirus in every VDOM, because FortiGate unit resources are limited. For the same reason, large numbers of VDOMs can reduce performance.

 

To create a VDOM – web-based manager:

1. Log in with a super_admin account.

2. Select Global > System > VDOM.

3. Select Create New.

4. Enter a unique name for your new VDOM.

5. Enter a short and descriptive comment to identify this VDOM.

6. Select OK.

Repeat Steps 3 through 6 to add additional VDOMs.

 

To create a VDOM – CLI:

config vdom

edit <new_vdom_name>

end

 

If you want to edit an existing Virtual Domain in the CLI and mistype its name, a new Virtual Domain with the misspelled name is created instead. If expected configuration changes are not visible, this may be the reason. Periodically check your VDOM list to ensure there are no misspelled VDOMs present.

 

Disabling a Virtual Domain

The status of a VDOM can be Enabled or Disabled.

Enabled VDOMs can be configured. Enabled is the default status when a VDOM is created. The management VDOM must be an enabled VDOM.

Disabled VDOMs are considered “offline”. The configuration remains, but you cannot use the VDOM, and only the super_admin administrator can view it. You cannot delete a disabled VDOM without first enabling it and removing references to it as usual; there is no Delete icon for disabled VDOMs. You can still assign interfaces to a disabled VDOM.

The following procedures show how to disable a VDOM called “test-vdom”.

 

To disable a VDOM – web-based manager:

1. Go to Global > System > VDOM.

2. Open the VDOM for editing.

3. Ensure Enable is not selected and then select OK.

The VDOM’s Enable icon in the VDOM list is a grey X.

 

To disable a VDOM – CLI:

config vdom
    edit test-vdom
        config system settings
            set status disable
        end
    next
end

 

To enable a VDOM – web-based manager:

1. Go to Global > System > VDOM.

2. Open the VDOM for editing.

3. Ensure Enable is selected and then select OK.

The VDOM’s Enable icon in the VDOM list is a green checkmark.

 

To enable a VDOM – CLI:

config vdom
    edit test-vdom
        config system settings
            set status enable
        end
    next
end

 

Deleting a VDOM

Deleting a VDOM removes it from the FortiGate unit configuration.

Before you can delete a VDOM, all references to it must be removed, including any per-VDOM objects. If there are any references to the VDOM remaining, you will see an error message and not be able to delete the VDOM.

A disabled VDOM cannot be deleted. Neither the root VDOM nor the management VDOM can be deleted.

Before deleting a VDOM, a good practice is to reset any interface referencing that VDOM to its default configuration, with “root” selected as the Virtual Domain.

The following procedures show how to delete the test-vdom VDOM.

 

To delete a VDOM – web-based manager:

1. Go to Global > System > VDOM.

2. Select the check box for the VDOM and then select the Delete icon.

If the Delete icon is not active, there are still references to the VDOM that must first be removed. The Delete icon is available when all the references to this VDOM are removed.

3. Confirm the deletion.

 

To delete a VDOM – CLI:

config vdom
    delete test-vdom
end

 

Removing references to a VDOM

When you are going to delete a VDOM, all references to it must first be removed, and it can be difficult to find them all. This section lists the common objects that must be removed before a VDOM can be deleted.

Interfaces are an important part of VDOMs. If you can move all the interfaces out of a VDOM, generally you will be able to delete that VDOM.

 

Common objects that refer to VDOMs

When you are getting ready to delete a VDOM check for, and remove the following objects that refer to that VDOM or its components:

  • Routing – both static and dynamic routes
  • Firewall addresses, policies, groups, or other settings
  • Security Features/Profiles
  • VPN configuration
  • Users or user groups
  • Logging
  • DHCP servers
  • Network interfaces, zones, custom DNS servers
  • VDOM Administrators
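Several of the rules in this chapter can be checked offline against a configuration dump before it is pushed to the unit: from the two-VDOM example, that policies and static routes name only interfaces assigned to their own VDOM and that every VDOM has a default route; from the note on moving interfaces and from this section, which per-VDOM objects still reference an interface or VDOM and so block moving or deleting it; and from Creating a Virtual Domain, the VDOM naming rules. The following Python is an added example, not handbook or Fortinet code: the parser, function names and the sample configuration (built from this chapter's two-VDOM example, with two deliberate slips) are my own, and the parser handles only the config/edit/set/next/end grammar shown in this chapter.

```python
"""Added example, not from the FortiOS handbook: a minimal parser for FortiOS
CLI text and checks for rules this chapter states. Names and sample are my own."""
import re

# Constructed sample built from the two-VDOM example. Two slips are left in on
# purpose: vdomA has no default route, and vdomB's default route names
# "external", an interface never assigned to vdomB (the handbook CLI has that typo).
SAMPLE_CONFIG = """
config global
    config system interface
        edit port1
            set vdom vdomA
        next
        edit port4
            set vdom vdomA
        next
        edit port2
            set vdom vdomB
        next
        edit port3
            set vdom vdomB
        next
    end
end
config vdom
    edit vdomA
        config firewall policy
            edit 1
                set srcintf port4
                set dstintf port1
            next
        end
    next
    edit vdomB
        config router static
            edit 1
                set device external
                set gateway 192.168.201.7
            next
        end
    next
end
"""

def parse(text):
    """Return {path: {key: value}}; path is the nesting of config/edit names,
    e.g. ('vdom', 'vdomA', 'firewall policy', '1')."""
    entries, stack = {}, []
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word in ("config", "edit"):
            stack.append(rest)
            entries.setdefault(tuple(stack), {})
        elif word == "set":
            key, _, value = rest.partition(" ")
            entries[tuple(stack)][key] = value
        elif word in ("next", "end"):
            stack.pop()
    return entries

def interface_owner(entries):
    """Interface name -> VDOM it is assigned to ('root' when 'set vdom' is absent)."""
    return {p[2]: s.get("vdom", "root") for p, s in entries.items()
            if len(p) == 3 and p[:2] == ("global", "system interface")}

def valid_vdom_name(name, interfaces=()):
    """At most 11 letters, digits, '-' or '_', and not an existing interface name."""
    return bool(re.fullmatch(r"[A-Za-z0-9_-]{1,11}", name)) and name not in interfaces

def foreign_interface_refs(entries):
    """Policies and static routes naming an interface not assigned to their VDOM."""
    owner, found = interface_owner(entries), []
    for p, s in entries.items():
        if len(p) != 4 or p[0] != "vdom":
            continue
        for key in ("srcintf", "dstintf", "device"):
            if key in s and owner.get(s[key]) != p[1]:
                found.append(f"{p[1]} {p[2]} {p[3]}: {key} {s[key]} is in "
                             f"{owner.get(s[key], 'no VDOM')}")
    return found

def vdoms_without_default_route(entries):
    """Every VDOM needs a default route; a static route with no 'dst' is 0.0.0.0/0."""
    routed = {p[1] for p, s in entries.items()
              if len(p) == 4 and p[0] == "vdom" and p[2] == "router static"
              and s.get("dst", "0.0.0.0/0") in ("0.0.0.0/0", "0.0.0.0 0.0.0.0")}
    return [p[1] for p in entries if len(p) == 2 and p[0] == "vdom" and p[1] not in routed]

def references_to(entries, interface):
    """Per-VDOM objects naming the interface; these block moving it to another
    VDOM and, until removed, deleting the VDOM that owns them."""
    return [" / ".join(p) for p, s in entries.items()
            if p[0] != "global" and interface in s.values()]

if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    print(*foreign_interface_refs(cfg), *vdoms_without_default_route(cfg), sep="\n")
    print("port1 is referenced by:", references_to(cfg, "port1"))
```

Run against a saved configuration, the same functions report which objects still reference an interface you want to move and which VDOM a stray interface name actually belongs to, which is the information the Delete icon and the "cannot change VDOM" error withhold.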

 

Administrators in Virtual Domains

When Virtual Domains are enabled, permissions change for administrators. Administrators are now divided into per-VDOM administrators, and super_admin administrators. Only super_admin administrator accounts can create other administrator accounts and assign them to a VDOM.

 

Administrator VDOM permissions

Different types of administrator accounts have different permissions within VDOMs. For example, if you are using a super_admin profile account, you can perform all tasks. However, if you are using a regular admin account, the tasks available to you depend on whether you have read only or read/write permissions. The following table shows what tasks can be performed by which administrators.

 

Administrator VDOM permissions

Task                                   Regular admin (read only)   Regular admin (read/write)   super_admin profile admin
View global settings                   yes                         yes                          yes
Configure global settings              no                          no                           yes
Create or delete VDOMs                 no                          no                           yes
Configure multiple VDOMs               no                          no                           yes
Assign interfaces to a VDOM            no                          no                           yes
Revision Control Backup and Restore    no                          no                           yes
Create VLANs                           no                          yes – for 1 VDOM             yes – for all VDOMs
Assign an administrator to a VDOM      no                          no                           yes
Create additional admin accounts       no                          yes – for 1 VDOM             yes – for all VDOMs
Create and edit protection profiles    no                          yes – for 1 VDOM             yes – for all VDOMs

The only difference in admin accounts when VDOMs are enabled is selecting which VDOM the admin account belongs to. Otherwise, by default the administration accounts are the same as when VDOMs are disabled and closely resemble the super_admin account in their privileges.

 

Creating administrators for Virtual Domains

Using the admin administrator account, you can create additional administrator accounts and assign them to VDOMs.

The newly-created administrator can access the FortiGate unit only through network interfaces that belong to their assigned VDOM or through the console interface. The network interface must be configured to allow management access, such as HTTPS and SSH. Without these in place, the new administrator will not be able to access the FortiGate unit and will have to contact the super_admin administrator for access.

The following procedure creates a new Local administrator account called admin_sales with a password of fortinet in the sales VDOM using the default prof_admin profile.

 

To create an administrator for a VDOM – web-based manager:

1. Log in with a super_admin account.

2. Go to System > Administrators.

3. Select Create New.

4. Select Regular for Type, as you are creating a Local administrator account.

5. Enter the necessary information about the administrator: email, password, etc.

6. If this admin will be accessing the VDOM only from a particular IP address or subnet, enable Restrict this Admin Login from Trusted Hosts Only and enter the address in Trusted Host #1. Restricting management logins to known hosts limits where a stolen administrator password can be used from.

7. Select prof_admin for the Admin Profile.

8. Select sales from the list of Virtual Domains.

9. Select OK.

 

To create administrators for VDOMs – CLI:

config global

config system admin

edit <new_admin_name>

set vdom <vdom_for_this_account>

set password <pwd>

set accprofile <an_admin_profile>

…

end

 

Virtual Domain administrator dashboard display

When an administrator logs into their virtual domain, they see a different dashboard than the global administrator sees. The VDOM dashboard displays information relevant only to that VDOM; no global or other-VDOM information is displayed.

 

VDOM dashboard information

Information               Per-VDOM                      Global
System Information        read-only                     yes
License Information       no                            yes
CLI console               yes                           yes
Unit Operation            read-only                     yes
Alert Message Console     no                            yes
Top Sessions              limited to VDOM sessions      yes
Traffic                   limited to VDOM interfaces    yes
Statistics                yes                           yes