garylor
New Member
January 25, 2017
Question

Fortigate 200D Vdom setting problem


Hello,

I have purchased a pair of 200Ds recently but encountered some problems setting up VDOMs. After reading the cookbook and some tutorial videos, I tried to set up the FortiGate with 3 VDOMs sharing two WAN links (as shown in the attached jpg). However, after setting up the VDOMs, none of them are able to reach the internet or ping the firewall gateway (x.250). I think I may be missing some setting, so I have screen-captured the global interface page and hope you guys can help me out, thanks!

Regards,

Gary



    Fullmoon
    New Member
    January 25, 2017

    Please take a look, it might give you some insights regarding vdoms. Thanks.

    emnoc
    New Member
    January 25, 2017

    1st off your diag is beautiful.

    2nd have you validated routing in all 4 vdoms?

    e.g.

    config vdom
        edit vdom-1
            get router info routing all
        end
        edit vdom-2
            get router info routing all
        end
        edit vdom-3
            get router info routing all
        end
        edit vdom-root
            get router info routing all
        end

    The 3 sub-tiered vdoms need a default route over the inter-vdom-link.

    Check out a typical meshed routed vdom post in my blog.

    http://socpuppet.blogspot.com/2014/09/a-stacked-vdom-concept-with-fortigate.html

    If routing is good, then it's fwpolicy validation and diag debug flow if you're still having issues. I would allowaccess ping over the inter-vdom links and ping the vdom-root from the sub-tier and work my way upwards.

    ken


    garylor (Author)
    New Member
    January 26, 2017

    Hi Emnoc,

    Thanks for the reply. I have tried to follow your blog and set up custA and custB, but unfortunately it is still not working (neither ping nor traceroute to 8.8.8.8). Following are the routes & firewall policies of the vdoms:


    LKTFW1-FG200DXXXXXXXXX (root) # get router info routing all
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default

    S*      0.0.0.0/0 [10/0] via 125.215.173.62, wan2
                      [10/0] via 210.176.62.62, wan1
    S       10.100.10.0/24 [10/0] via 192.168.10.2, root2custA0
    S       10.200.10.0/24 [10/0] via 192.168.10.6, root2custB0
    C       x.x.x.x/26 is directly connected, wan2
    C       192.168.10.0/30 is directly connected, root2custA0
    C       192.168.10.1/32 is directly connected, root2custA0
    C       192.168.10.4/30 is directly connected, root2custB0
    C       192.168.10.5/32 is directly connected, root2custB0
    C       192.168.100.0/24 is directly connected, lan
    C       x.x.x.x/26 is directly connected, wan1

    LKTFW1-FG200DXXXXXXXXX (custB) # get router info routing all
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default

    S*      0.0.0.0/0 [10/0] is directly connected, root2custB1
    C       192.168.10.4/30 is directly connected, root2custB1
    C       192.168.10.6/32 is directly connected, root2custB1

    LKTFW1-FG200DXXXXXXXXXXX (custA) # get router info routing all
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default

    S*      0.0.0.0/0 [10/0] is directly connected, root2custA1
    C       192.168.10.0/30 is directly connected, root2custA1
    C       192.168.10.2/32 is directly connected, root2custA1

    LKTFW1-FG200DXXXXXXXX (root) # show firewall policy
    config firewall policy
        edit 1
            set uuid dcf1b82c-ddef-51e6-201c-ad3fdb7d578c
            set srcintf "lan"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set av-profile "default"
            set webfilter-profile "default"
            set application-list "default"
            set profile-protocol-options "default"
            set ssl-ssh-profile "certificate-inspection"
            set nat enable
        next
        edit 2
            set uuid a577fb9c-e379-51e6-439e-302e93b2b38c
            set srcintf "root2custA0"
            set dstintf "wan1"
            set srcaddr "custA"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic disable
            set nat enable
        next
        edit 3
            set uuid 122e057e-e37a-51e6-381f-800d207c8aba
            set srcintf "root2custB0"
            set dstintf "wan1"
            set srcaddr "custB"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic disable
            set nat enable
        next
    end

    LKTFW1-FG200DXXXXXXXXX (custA) # show firewall policy
    config firewall policy
        edit 1
            set uuid 71e9c3f4-e37a-51e6-4b43-843ba46dc1fb
            set srcintf "port15"
            set dstintf "root2custA1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic disable
            set comments "custA-outbound"
        next
    end

    LKTFW1-FG200DXXXXXXXXX (custB) # show firewall policy
    config firewall policy
        edit 1
            set uuid d56b47b8-e37a-51e6-4f66-5d7247dca108
            set srcintf "port16"
            set dstintf "root2custB1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic disable
            set comments "custB-outbound"
        next
    end


    Regards,

    Gary
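As an added example (not from this thread, Fortinet, or either poster), a small Python check that mirrors emnoc's two validation steps against the kind of CLI output Gary posted: does each VDOM's routing table carry a candidate default route, and does the root VDOM have a NAT-enabled policy carrying each inter-VDOM link out to a WAN interface? The interface names and trimmed policy bodies are taken from the posts above; the custC table is constructed to show a VDOM that lacks its default route.

```python
import re
# Constructed sample input: trimmed copies of the 'get router info routing all'
# and 'show firewall policy' output posted in this thread, plus one made-up VDOM.
ROOT_ROUTES = """\
S*      0.0.0.0/0 [10/0] via 125.215.173.62, wan2
                  [10/0] via 210.176.62.62, wan1
S       10.100.10.0/24 [10/0] via 192.168.10.2, root2custA0
C       192.168.10.0/30 is directly connected, root2custA0
"""
CUSTA_ROUTES = "S*      0.0.0.0/0 [10/0] is directly connected, root2custA1\n"
# Constructed (not from the thread): a sub-tier VDOM that lacks a default route.
CUSTC_ROUTES = "C       192.168.10.8/30 is directly connected, root2custC1\n"
ROOT_POLICY = """\
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set nat enable
    next
    edit 2
        set srcintf "root2custA0"
        set dstintf "wan1"
        set srcaddr "custA"
        set nat enable
    next
end
"""

def has_default_route(routing_table: str) -> bool:
    """True if the table has a candidate default ('*'-suffixed code) for 0.0.0.0/0."""
    return any(re.match(r"\S*\*\s+0\.0\.0\.0/0\b", ln) for ln in routing_table.splitlines())

def parse_policies(show_output: str) -> list:
    """One dict per 'edit N ... next' block of 'show firewall policy'; values unquoted."""
    policies, cur = [], None
    for ln in (raw.strip() for raw in show_output.splitlines()):
        if m := re.fullmatch(r"edit (\d+)", ln):
            cur = {"id": int(m.group(1))}
        elif ln == "next" and cur is not None:
            policies.append(cur)
            cur = None
        elif cur is not None and ln.startswith("set "):
            key, _, val = ln[4:].partition(" ")
            cur[key] = val.strip('"')
    return policies

def natted_egress(policies: list, srcintf: str, wan_ifaces: set) -> list:
    """IDs of policies carrying srcintf out to one of wan_ifaces with NAT enabled (interfaces and NAT only)."""
    return [p["id"] for p in policies if p.get("srcintf") == srcintf
            and p.get("dstintf") in wan_ifaces and p.get("nat") == "enable"]
```

Feed each VDOM's real `get router info routing all` output to `has_default_route` and the root VDOM's `show firewall policy` to `parse_policies`; an inter-VDOM link that yields an empty list from `natted_egress` has no way out, whatever the sub-tier policy says.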