FortiGate
iskandar_lie
Staff
Article Id 230353

Description

This article describes how a vdom-link of type ppp can be used without an IP address.

Scope

FortiGate v6.4.8.

Solution

A vdom-link is an internal interface pair, so traffic between VDOMs does not need to leave the FortiGate.

There are two types of vdom-link:

1) Vdom-link type ppp (default).
2) Vdom-link type Ethernet <----- Not covered in this article.

Diagram:

[diagram image not available in text]

Interface vdom-link settings:

FGT1 (global) # show system interface vdom_link0
config system interface
    edit "vdom_link0"
        set vdom "root"
        set allowaccess ping https ssh snmp
        set type vdom-link
        set snmp-index 16
    next
end

FGT1 (global) # show system interface vdom_link1
config system interface
    edit "vdom_link1"
        set vdom "client_vdom"
        set allowaccess ping https ssh snmp
        set type vdom-link
        set snmp-index 17
    next
end

Static route at root VDOM:

FGT1 (root) # show router static
config router static
    edit 4
        set gateway 10.191.31.254 <----- Route to internet.
        set device "port2"
    next
    edit 5
        set dst 192.168.19.0 255.255.255.0 <----- Route to Windows user.
        set device "vdom_link0"
    next
end

Firewall policy at root VDOM:

FGT1 (root) # show firewall policy
config firewall policy
    edit 4
        set name "internet"
        set uuid 301235ba-683f-51ed-ac4a-ad2b7cd2dd8f
        set srcintf "vdom_link0" <----- Interface to client_vdom.
        set dstintf "port2"      <----- Interface to internet.
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
        set nat enable
    next
end

Static route at client_vdom:

FGT1 (client_vdom) # show router static
config router static
    edit 1
        set device "vdom_link1" <----- Default route via vdom_link1.
    next
end

Firewall policy at client_vdom:

FGT1 (client_vdom) # show firewall policy
config firewall policy
    edit 1
        set name "internet_client_vdom"
        set uuid b3aa3496-683e-51ed-8371-8066bdd0f317
        set srcintf "port7"      <----- Interface where the Windows user is located.
        set dstintf "vdom_link1" <----- Interface to root VDOM.
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
    next
end

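The four configuration blocks above have to agree with each other: both ends of the link must exist as type vdom-link in the global table, the client VDOM's default route must point at its end of the link, the root VDOM must have a return route to the user subnet via its end, and each VDOM needs an accept policy in the forwarding direction (with NAT on the root's internet policy, as configured here). The following script is an added example, not code from the article or from Fortinet: it parses FortiOS `show` output into a dictionary and runs those checks. The function names, the trimmed sample configuration embedded in it (the article's values, with the root policy block given its closing `end`) and the finding messages are all assumptions of this example.

```python
"""Consistency check for an IP-less (type ppp) vdom-link between two VDOMs. Added example,
not Fortinet's code: parses FortiOS 'show' output like the article's and checks it agrees."""
import shlex

# Constructed sample: the article's configuration, trimmed to what is checked (root policy given its 'end').
GLOBAL_CFG = """
config system interface
    edit "vdom_link0"
        set vdom "root"
        set type vdom-link
    next
    edit "vdom_link1"
        set vdom "client_vdom"
        set type vdom-link
    next
end
"""
ROOT_CFG = """
config router static
    edit 5
        set dst 192.168.19.0 255.255.255.0
        set device "vdom_link0"
    next
end
config firewall policy
    edit 4
        set srcintf "vdom_link0"
        set dstintf "port2"
        set action accept
        set nat enable
    next
end
"""
CLIENT_CFG = """
config router static
    edit 1
        set device "vdom_link1"
    next
end
config firewall policy
    edit 1
        set srcintf "port7"
        set dstintf "vdom_link1"
        set action accept
    next
end
"""
DEFAULT_DST = ["0.0.0.0", "0.0.0.0"]  # 'show' omits 'set dst' on a default route

def parse_fortios(text):
    """Parse 'show' output into {table: {entry: {key: [values]}}}; prompt lines and '<-----' notes are ignored."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw.split("<-----")[0])
        if not tok:
            continue
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and table is not None:
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table = None
    return tables

def audit_vdom_link(glob, root, client, root_link, client_link, lan, egress, subnet):
    """Return a list of findings; an empty list means the inter-VDOM path is consistent."""
    findings = []
    ifaces = glob.get("system interface", {})
    for name in (root_link, client_link):
        i = ifaces.get(name, {})
        if i.get("type") != ["vdom-link"] or "ip" in i:  # a ppp vdom-link is present and needs no IP
            findings.append(f"{name}: missing, not of type vdom-link, or carries an IP address")
    def has_route(cfg, device, dst):
        return any(r.get("device") == [device] and r.get("dst", DEFAULT_DST) == dst
                   for r in cfg.get("router static", {}).values())
    def allows(cfg, src, dst, nat):
        return any(p.get("srcintf") == [src] and p.get("dstintf") == [dst] and p.get("action") == ["accept"]
                   and (not nat or p.get("nat") == ["enable"]) for p in cfg.get("firewall policy", {}).values())
    if not has_route(client, client_link, DEFAULT_DST):
        findings.append(f"client VDOM: no default route via {client_link}")
    if not has_route(root, root_link, list(subnet)):
        findings.append(f"root: no return route to {' '.join(subnet)} via {root_link}")
    if not allows(client, lan, client_link, nat=False):
        findings.append(f"client VDOM: no accept policy {lan} -> {client_link}")
    if not allows(root, root_link, egress, nat=True):
        findings.append(f"root: no accept policy {root_link} -> {egress} with NAT enabled")
    return findings

def check_article_config():
    return audit_vdom_link(parse_fortios(GLOBAL_CFG), parse_fortios(ROOT_CFG), parse_fortios(CLIENT_CFG),
                           "vdom_link0", "vdom_link1", "port7", "port2", ("192.168.19.0", "255.255.255.0"))

if __name__ == "__main__":
    print(check_article_config() or "vdom-link configuration is consistent")
```

Run against the article's configuration the audit returns no findings; removing `set nat enable` from the root policy, or adding `set ip` to one end of the link, produces a finding naming the block that no longer matches the design. The parser tolerates the prompt lines and `<-----` annotations used in this article, so `show` output can be pasted in as-is.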
Ping test from user:

[screenshot image not available in text]

Conclusion:

- A vdom-link of type ppp does not need an IP address to work.
- With this implementation no IP addresses are consumed by the inter-VDOM link, so they remain available for other use.

Related documents:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/199083/inter-vdom-routing
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/335646/inter-vdom-routing