Jones6565
New Member
June 19, 2019
Question

Creating Multiple VDOMS to match security zones


Hi Guys,

Today I have a topology with a Nexus 7K, where there are multiple VRFs that terminate on 500-Es in active/standby.

One or more VRFs are part of a zone on the FortiGate. The FortiGate doesn't have any VRFs. Policies are used to control access to the different zones.

I have zones like this, to name a few:

  • Engineering
  • Corporate
  • Dev

The security consultants' requirements want us to have multiple VDOMs for each of these zones. The VRFs will still terminate on those different VDOMs.

I am a bit confused on how to go about creating those VDOMs. Today I have, for example, port 1 in zone Engineering, port 2 for Dev, port 3 for Corporate, etc., and I have port 5 for external traffic that talks to an external firewall.

How would I go about creating those VDOMs to match what I have currently?

Any help would for sure be highly appreciated.

Thanks

Jones


    1 reply

    hubertzw
    New Member
    June 19, 2019

    1) create VDOMs

    2) create VLANs

    3) allocate VLANs to particular VDOMs

    4) create policies, routing, etc.

    Jones6565 (Author)
    New Member
    June 19, 2019

    That was not my question. I know how to create VDOMs.

    My question was: I have different zones on the FortiGate that talk to each other.

    Now I will create VDOMs, and each zone will be under one VDOM.

    I will have one interface connected to the core switch, where a VRF will drop into one VDOM.

    What other interface should I have on this VDOM, since I will have another VDOM hosting another zone?

    The question is more about design here, not how to create VDOMs.

    Thanks

    Jones


    hubertzw
    New Member
    June 20, 2019

    If you need to send traffic between VDOMs/VRFs, you should use an inter-VDOM link:


    Engineering VRF -> VDOM Engineering ->inter-vdom link->VDOM Corporate -> Corporate VRF


    You treat the inter-VDOM link as a normal interface, with routing, firewall policies, security profiles, etc. in place.


    https://cookbook.fortinet.com/inter-vdom-communication-with-static-routing-56/


    Usually you don't need SNAT in policies between VDOMs; it simplifies routing. A packet from the Engineering VRF will appear with its real source IP, not the IP of the link between VDOMs. Hosts in all VRFs don't need to know the IP between VDOMs.