kpetrov21
New Member
December 11, 2019
Solved

FortiGate VDOM

  • December 11, 2019
  • 1 reply
  • 15883 views

Hello Guys,

First of all, I want to say that I am glad to participate in this forum's discussions.

I have a question regarding FortiGate VDOM use cases.

I am working for a client which uses FortiGates as their firewall solution.

In the current setup they split the FortiGate into multiple VDOMs.

Usually they do this when a site has two Internet service providers.

root VDOM - Internal Network

fw1 VDOM - Primary Internet provider

fw2 VDOM - Secondary Internet provider

Inter-VDOM links between root-fw1 and root-fw2

Two default routes on the root VDOM (towards the fw1 and fw2 VDOMs), one with lower priority towards the preferred line.

They utilize the secondary provider by configuring static routes on the root VDOM which point to the fw2 VDOM (some kind of load sharing).

In the NSE self-study guide I've learned that usually you would need to split a FortiGate box when you are a managed security service provider and you want to assign different VDOMs to different customers.

But why and when would you need to do this when the device is totally dedicated to one customer?

The guys who made this design are no longer working for the company and there is no one who can give me a feasible reason why they did it this way.

In my opinion this setup is just adding more complexity because of the inter-VDOM routing.

Moreover, there is a project for integrating FortiManager, and when you have one box with 3 VDOMs, the FortiManager license counts 3 devices.

I will be very thankful if someone can explain to me what can be achieved with this setup that cannot be achieved without VDOMs.

Thanks.

    Best answer by gradius85

    I am just starting to learn about SDN-LAN and SDN-WAN.

    However, would two VDOMs provide more flexibility in topology and route table? I currently have to manage 8 full IPv4 /24 blocks and a full /48 IPv6 space and have been thinking about how I could do this better.

    When do you know that you need SDN-WAN? What are use case scenarios that you have faced? I have read the documentation and horse-and-pony shows... however, I cannot translate those items to real-world use cases.

    1 reply

    emnoc
    New Member
    December 11, 2019

    If the VDOMs fw1/fw2 are Internet-only, you would be blessed with using virt-wan (aka SDWAN) and eliminate those 2 VDOMs, but that's a guess and opinion on what was posted.

    Ken Felix

    lobstercreed
    New Member
    December 11, 2019

    I'm not sure why there would be 2 Internet-only VDOMs, but I've been planning to split my single VDOM into two so that I can enable asymmetric routing in the Internet VDOM. 

    We are running BGP and have run into a problem where, if I receive traffic from my secondary provider, the firewall fails the RPF check on the traffic even though the response could go out the primary provider's interface in the same zone. The only way I know around this without majorly changing my routing (not currently feasible) is to enable asymmetric routing. Obviously I don't want to do this on my root VDOM.
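    As an added illustration (not any poster's configuration), the FortiOS CLI below sketches the design described in the question and the asymmetric-routing placement described just above: two inter-VDOM links, two default routes in root where the lower priority value selects the preferred line, one specific prefix steered via fw2, and `asymroute` enabled only in the Internet VDOM so the root VDOM keeps its RPF and stateful checks. The vdom-link names vl1/vl2, the resulting interfaces vl10/vl20 (root side) and vl11/vl21 (assumed already assigned to fw1/fw2 and addressed), the 10.255.x.x/30 addresses and the 203.0.113.0/24 destination are placeholders.

```fortios
# Added example, not from the thread. Names and addresses are placeholders.
# Creating vdom-link "vl1" yields interfaces vl10 and vl11 (vl2 -> vl20, vl21);
# vl11 and vl21 are assumed to be assigned to fw1 and fw2 and addressed .2/30.
config global
    config system vdom-link
        edit "vl1"
        next
        edit "vl2"
        next
    end
end
config vdom
    edit "root"
        # Both defaults keep the default administrative distance, so both stay
        # in the routing table; the lower priority value wins, so fw1 (vl10)
        # is the preferred line and fw2 (vl20) takes over if vl10 goes down.
        config router static
            edit 1
                set gateway 10.255.1.2
                set device "vl10"
                set priority 5
            next
            edit 2
                set gateway 10.255.2.2
                set device "vl20"
                set priority 10
            next
            # Specific prefix steered via fw2: the "load-sharing" the question
            # describes is just more-specific static routes towards the second link.
            edit 3
                set dst 203.0.113.0 255.255.255.0
                set gateway 10.255.2.2
                set device "vl20"
            next
        end
    next
    edit "fw1"
        # Per-VDOM setting: disables the RPF check only in this Internet VDOM,
        # at the cost of reduced stateful inspection there; root is untouched.
        config system settings
            set asymroute enable
        end
    next
end
```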

    emnoc
    New Member
    December 11, 2019

    SDWAN would still be beneficial in that case. Once you enable asymmetrical routing, stateful checks are pretty much gone or reduced.

    Ken Felix