DarwinPH
New Member
February 16, 2016
Solved

Accessing Resources on a different VDOM

  • February 16, 2016
  • 2 replies
  • 5762 views

Greetings!

Good day to everyone! Our school is currently setting up a topology similar to Ken Felix's article at this link: http://socpuppet.blogspot...arent-using-inter.html (awesome article, by the way :))

We were able to make the topology from the article work, but we need to modify it for the setup that we want.

Our servers are connected to the Root VDOM through an independent interface. We have another VDOM in transparent mode connected to the Root VDOM through a virtual link. DHCP service is provided through the virtual link. Internet connection is provided by a separate firewall connected to the transparent VDOM.

With the current setup, we didn't have any problems in terms of connecting to the internet. But the challenge now is accessing the servers. We can't seem to connect to them. Running a traceroute from the LAN shows that the traffic goes out to the internet through the gateway 10.199.199.254.

We are still getting accustomed to configuring the FortiGate 300C that we have, as well as the concepts behind it. So any feedback and opinions from the community are highly appreciated.

Thank you everyone!

Blessings!

 

Best answer by emnoc

In your setup, you need to run diag debug flow on the expected traffic. Keep in mind that you will have 2 fwpolicy (1 per VDOM).

Start with a simple diag debug flow and go from that output, e.g.:

diag debug dis
diag debug reset
diag debug flow filter addr 10.199.199.11
diag debug flow show console enable
diag debug en
diag debug flow trace start 40

Then kick off some traffic and monitor the session status and attached policies in the output. And thanks for finding my blog; keep in mind stacked VDOMs are multiple unique firewalls and can make life more complex.

Ken
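As an added illustration of reading that debug-flow output across the two VDOMs (example code written for this page, not from emnoc's blog, Fortinet, or the poster): the sample lines below are constructed, the transparent VDOM name tp, the interface names port3, vlink1 and port2 and the policy IDs are assumptions, and the parser groups the lines by trace_id so you can see in which VDOM the flow was allowed and where it was dropped.

```python
import re

# Constructed sample of "diag debug flow" output (not captured from the poster's
# FortiGate; VDOM "tp", interfaces port3/vlink1/port2 and policy IDs are assumed).
# One TCP SYN from a LAN host to a server: allowed in the transparent VDOM,
# then dropped in vdom-root because no policy matches it there.
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=4471 msg="vd-tp received a packet(proto=6, 10.199.199.11:51234->10.10.10.5:443) from port3. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=4620 msg="allocate a new session-000a1b2c"
id=20085 trace_id=1 func=fw_forward_handler line=650 msg="Allowed by Policy-2:"
id=20085 trace_id=2 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=6, 10.199.199.11:51234->10.10.10.5:443) from vlink1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=4620 msg="allocate a new session-000a1b2d"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2575 msg="find a route: flag=00000000 gw-10.10.10.5 via port2"
id=20085 trace_id=2 func=fw_forward_handler line=650 msg="Denied by forward policy check (policy 0)"
"""

_PKT = re.compile(r'msg="vd-(?P<vdom>\S+) received a packet\(proto=(?P<proto>\d+), '
                  r'(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)\) from (?P<iface>[^. ]+)')
_ROUTE = re.compile(r'msg="find a route: \S+ gw-(?P<gw>[\d.]+) via (?P<iface>\S+)"')
_ALLOW = re.compile(r'msg="Allowed by Policy-(?P<policy>\d+)')
_DENY = re.compile(r'msg="Denied by forward policy check \(policy (?P<policy>\d+)\)')
_TRACE = re.compile(r'\btrace_id=(?P<tid>\d+)\b')

def parse_flow_trace(text):
    """Group debug-flow lines by trace_id (one trace per VDOM the packet crosses)
    and record ingress interface, chosen route and the policy verdict per hop."""
    hops = {}
    for line in text.splitlines():
        m = _TRACE.search(line)
        if not m:
            continue
        hop = hops.setdefault(m['tid'], {'trace_id': m['tid'], 'verdict': None,
                                         'policy': None, 'route': None})
        if (p := _PKT.search(line)):
            hop.update(vdom=p['vdom'], src=p['src'], dst=p['dst'], in_iface=p['iface'])
        elif (r := _ROUTE.search(line)):
            hop['route'] = (r['gw'], r['iface'])          # (gateway, egress interface)
        elif (a := _ALLOW.search(line)):
            hop.update(verdict='allowed', policy=int(a['policy']))
        elif (d := _DENY.search(line)):
            hop.update(verdict='denied', policy=int(d['policy']))  # policy 0 = no match
    return list(hops.values())                             # in first-seen order

def first_drop(hops):
    """Return the first hop (VDOM) whose policy check denied the packet, or None."""
    return next((h for h in hops if h['verdict'] == 'denied'), None)

if __name__ == "__main__":
    for hop in parse_flow_trace(SAMPLE):
        print(hop)
```

In the constructed sample the root VDOM already has a route to the server, so the drop is the missing root-VDOM policy rather than routing, which is exactly the distinction the two-VDOM trace lets you make.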

2 replies

neonbit
New Member
February 16, 2016

There are a few places where there can be an issue. Just having a quick look, I'm assuming that the users on internal have their default gateway set to 10.199.199.254. If this is the case, you could look at the routing on the firewall. It needs to have a route pointing to the servers via the FortiGate. Something like this:

Route: 10.10.10.0/24
Interface: Firewall internal interface (the one that's configured with 10.199.199.254)
Gateway: 10.199.199.1

vdom-root also needs to have a policy from internal interface > server interface.

There may be another problem if your packets are entering the transparent VDOM twice (hard to tell from the diagram), but for now I would recommend having a look at the routing first.

p.s.: Mr Felix frequents this forum, keep an eye out and you may catch a sight of him! :)


DarwinPH
New Member
February 18, 2016

Thank you guys for the feedback. Will surely try out your suggestions.

Blessings!
