Skip to main content
pnobels
pnobels
New Member
February 23, 2024
Question

Usage of vdoms when migrating from Checkpoint virtual instances

  • February 23, 2024
  • 2 replies
  • 2494 views

Hi,

 

wanted to check in the community for some feedback on the following.

Currently: Checkpoint VSX environment running four instances : DMZ, Internet, mobile vpn and site-to-site-vpn to Azure. They all have a bunch of vlans, but let's say they have one vlan 100 to communicate to each other. Migrating to Fortigate.

Introducing 2 Fortigate clusters. One for mobile vpn. And one for DMZ, Internet and site-to-site-vpn.

On this last one we're debating around the usage of vdoms or not.

When adding multiple vdoms i see additional complexity, more work to configure and maintain, seperate routing tables on each vdom. And as far as i've found, this means that every vdom needs to use it's own physical interface.  (specially since we have a bunch of public ip's on internet and dmz allowing specific services to the inside network). So tripling the number of physical interfaces we need to use ( so we would need 8 physical interfaces when using laggr (2 dmz, 2 internet, 2 vpn, 2 ha) per fortigate in that specific cluster.

There is no multi tenancy here or seperate admin access needed.

Maybe it's just in our head that we need physical separation using vdoms? Which is a classical network setup.  The fact that if you have a security breach on a single vdom setup means the complete platform is impacted. And when you have multiple vdoms this is limited?

Not sure if there are other pro's and cons?

2 replies

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
February 23, 2024

You can use VLANs to bind multiple VDOMs' interfaces on to a single port/LAG then separate them at your switch. Think about an MSP who has 100 customer's VDOMs on one big FGT. Do they need 100 physical interfaces? No and it's not practical.

VDOM are technically separate routers/FWs. Untill you build either vdom-link or npu-vlink to connect then together, there is no communication happens between them. You can off course apply any protection profiles to the inter-vdom interfaces, just like physical wired interfaces.

The question is if you really need them separated or not that you should decide including a separate FGT only for remote VPNs based on the total cost v. performance.

Toshi

pnobels
pnobelsAuthor
New Member
February 26, 2024

Hi Toshi,

 

i understand basically what's happening is a trunk (aggregated or not) is created between the switch and the Fortigate.  The trunk carries x number of different vlans.  In a situation with 100 different customers it's clear they all use a different vlan.  But in this situation there would be a need for at least one of the vlans to be used on different vdoms.  So let's say vlan 100 needs to be available on vdom 1, 2 and 3.  Is that possible?  Or does the vlan need to be unique to the vdom?

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
February 26, 2024

One VLAN can belong to only one VDOM. Same as a physical interface.

 

Toshi

Terms & ConditionsAccessibility statement