Nailed
New Member
June 15, 2017
Question

Vdom issue

  • 1 reply
  • 16397 views
Hi all,

I'm having an issue with my routing and policies on the FortiGate 800D. We are migrating from Juniper (ScreenOS) to the FortiGate 800D. In the Juniper firewall we created multiple virtual routers to provide separate routing instances for other companies connected to our infrastructure. We are not connected to the internet, just to a couple of third parties. Because the FortiGate doesn't support virtual routers we are using VDOMs. Well, there is our problem: I can't find a way to set up my policies and routing across multiple VDOMs. For example:

We have hosts in the root VDOM that need to connect to hosts in Vdom-a. There are some policies applying to that as well. I have used the FortiConverter software to convert the complete rule base of the Juniper firewall to FortiGate CLI commands. When I try to import the rules I receive an error, because there are rules from an interface within the root VDOM to Vdom-a, but I can't select an interface that is used in another VDOM.

I have tried to create a vlink, but that doesn't seem to fix my problem either, or I misconfigured it.

Do you guys have some ideas on how to make a static route between VDOMs and set up cross-VDOM policies?

Thanks in advance

1 reply

emnoc
New Member
June 15, 2017

You need to look at inter-VDOM links or physical links (the former reduces wasted ports). Check out a post I did a few years back on just this:

http://socpuppet.blogspot.com/2014/09/a-meshed-vdom-transparent-using-inter.html

ken

Nailed (Author)
New Member
June 19, 2017

Thanks Ken, I found your post very helpful. I still have one issue with the configuration.

In VdomA I have subnet 10.x.x.x/30
In VdomB I have subnet 213.x.x.x/28

On the vlink between both VDOMs I assigned 172.16.1.10 for VdomA and 172.16.1.50 for VdomB.

Afterwards I created in both VDOMs a static route for the subnets mentioned above and pointed the gateway to the vlink interface of the other VDOM. So VdomA has a route with gateway 172.16.1.50 and VdomB points to 172.16.1.10.

When I do a traceroute I have no issues reaching both gateway addresses from both VDOMs, but if I try to reach the 213.x.x.x network it doesn't even pass the 172.16.1.50 interface... All addresses are listed in my routing table, so at this point I have no clue why ping or traceroute doesn't work (it's enabled on all interfaces and even allowed through a policy).

You guys have any clue what could be the issue?

Thanks in advance

 

emnoc
New Member
June 19, 2017

What I would look at:

1: The CLI diag debug flow: did you enable it and run a diagnostic trace?

2: Is the firewall policy correct? (Again, #1 will show you which firewall policy you're hitting, or not.) The firewall policy would look like this:

config firewall policy
    edit 0
        set srcintf LAN_NETWORK
        set dstintf VdomA-link
        set srcaddr LAN_NETWORK
        set dstaddr REMOTE_NETWORK
        set action accept
        set schedule always
        set service BLAH BLAH BLAH
    next
end

Repeat at the other VDOM.

3: Check for duplicate route entries for the remote subnets.
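A complete routed inter-VDOM link configuration of the kind both replies above describe, added here as an example; it is not taken from either poster, from the linked blog post, or from Fortinet documentation. It assumes two VDOMs named VdomA and VdomB, a vdom-link named "vlink" (FortiOS creates the interface pair vlink0/vlink1 from that name), the thread's link addresses 172.16.1.10 and 172.16.1.50 on a shared /24, a constructed LAN 10.10.10.0/30 behind port1 (IP 10.10.10.1) in VdomA and a constructed 192.0.2.0/28 behind port2 in VdomB standing in for the poster's 10.x.x.x/30 and 213.x.x.x/28, and FortiOS 5.x-era CLI syntax.

```fortios
# --- global context: create the link and address both ends ---
config global
    config system vdom-link
        edit "vlink"
            set type ethernet          # L3 point-to-point between two NAT-mode VDOMs
        next
    end
    config system interface
        edit "vlink0"
            set vdom "VdomA"
            set ip 172.16.1.10 255.255.255.0
            set allowaccess ping       # only needed to ping the link IP itself
        next
        edit "vlink1"
            set vdom "VdomB"
            set ip 172.16.1.50 255.255.255.0
            set allowaccess ping
        next
    end
end

# --- VdomA: each VDOM has its own routing table, so the route must exist here ---
config vdom
    edit VdomA
        config router static
            edit 0
                set dst 192.0.2.0 255.255.255.240   # constructed stand-in for 213.x.x.x/28
                set gateway 172.16.1.50             # far end of the link
                set device "vlink0"                 # local end of the link
            next
        end
        config firewall address
            edit "VdomA_LAN"
                set subnet 10.10.10.0 255.255.255.252
            next
            edit "VdomB_NET"
                set subnet 192.0.2.0 255.255.255.240
            next
        end
        config firewall policy
            edit 0
                set srcintf "port1"
                set dstintf "vlink0"
                set srcaddr "VdomA_LAN"
                set dstaddr "VdomB_NET"
                set action accept
                set schedule "always"
                set service "PING" "HTTPS"
                set logtraffic all                  # log so debug flow / logs show the match
            next
            # sessions initiated from VdomB need the mirror policy vlink0 -> port1 here
        end
    next
end

# --- VdomB: return route plus the policy that admits traffic arriving on vlink1 ---
config vdom
    edit VdomB
        config router static
            edit 0
                set dst 10.10.10.0 255.255.255.252
                set gateway 172.16.1.10
                set device "vlink1"
            next
        end
        config firewall address
            edit "VdomB_LAN"
                set subnet 192.0.2.0 255.255.255.240
            next
            edit "VdomA_NET"
                set subnet 10.10.10.0 255.255.255.252
            next
        end
        config firewall policy
            edit 0
                set srcintf "vlink1"
                set dstintf "port2"
                set srcaddr "VdomA_NET"
                set dstaddr "VdomB_LAN"
                set action accept
                set schedule "always"
                set service "PING" "HTTPS"
                set logtraffic all
            next
        end
    next
end

# --- verification, typed inside VdomA (config vdom / edit VdomA) ---
get router info routing-table all                 # expect exactly one 192.0.2.0/28 entry via vlink0
diagnose debug flow filter addr 192.0.2.5         # 192.0.2.5: constructed test host in VdomB
diagnose debug flow show console enable           # FortiOS 5.x; the "show" options differ in 6.x
diagnose debug flow trace start 20
diagnose debug enable
execute ping-options source 10.10.10.1            # source from port1, not the vlink IP
execute ping 192.0.2.5
diagnose debug disable
```

Two things the trace makes visible that a bare routing-table check does not: the firewall policy ID each packet matched in each VDOM (a "Denied by forward policy check" line in VdomB means the vlink1 policy or its srcaddr is wrong, even though the route in VdomA was fine), and the source address actually used. A ping executed from the FortiGate CLI without the ping-options source line is sourced from the vlink IP 172.16.1.10, which is not in VdomA_NET and is therefore dropped by the VdomB policy, so a failing CLI ping can look like a routing problem when the routes are correct.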