FortiGate
ojacinto

Purpose
This article describes how to forward traffic from one VDOM to another using an inter-VDOM link.
Expectations, Requirements
When the VDOM feature is enabled on the FortiGate, ensure that communication between both VDOMs is working.

Configure the inter-VDOM link.
VDOM links are managed through the web-based manager or the CLI.

In the web-based manager, VDOM link interfaces are managed in the network interface list.
Configure the inter-VDOM link using the web-based manager or the CLI:

Although IP addresses are not required for inter-VDOM links, this example defines one IP address for each end.

Inter-VDOM links are virtual interfaces; this is one of the main differences between inter-VDOM links and regular interfaces, and it is why they do not require IP addresses.

This leads to three possible situations for an inter-VDOM link:

1) Unnumbered: an inter-VDOM link with no IP addresses for either end of the tunnel.

2) Half numbered: an inter-VDOM link with one IP address for one end and none for the other end.

3) Full numbered: an inter-VDOM link with two IP addresses, one for each end.

An IP address is not required for an inter-VDOM link because it is an internal connection that can be referred to by its interface name in firewall policies and other system references.
Not using an IP address in the configuration can speed up and simplify the configuration, and it does not consume IP addresses from the subnets.

Half or full numbered interfaces are required for NAT, either SNAT or DNAT, because an IP address is needed on both ends to translate between.
Unnumbered interfaces can be used in static routing by naming the interface and using 0.0.0.0 for the gateway.

Running traceroute will not show the interface in the list of hops.

However, the interface is visible when sniffing packets, which is useful for troubleshooting.
 


Define the inter-VDOM routing and firewall policies on each VDOM to allow the traffic.

Internal VDOM:

The default gateway for the Internal VDOM will be the External VDOM (VDOM root in this example).
Configure the static route using the following commands:
# config router static
    edit 1
        set gateway 10.10.10.1       >>>> must point to the External VDOM end of the inter-VDOM link
        set device "Root_to_Int1"    >>>> traffic is routed over the inter-VDOM link interface
    next
end

Configure the firewall policy to allow traffic from the internal LAN to the inter-VDOM link using the following commands:
# config firewall policy
    edit 1
        set srcintf "internal2"
        set dstintf "Root_to_Int1"
        set srcaddr "LAN_Internal_VDOM"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

External VDOM:

Configure the static route that sends the return traffic back to the Internal VDOM using the following commands:
# config router static
    edit <id>
        set dst 10.254.0.0 255.255.255.0   >>>> the Internal VDOM network
        set gateway 10.10.10.2             >>>> must point to the Internal VDOM end of the inter-VDOM link
        set device "Root_to_Int0"          >>>> traffic is sent back over the inter-VDOM link interface
    next
end
Then configure the firewall policy to allow traffic from the inter-VDOM link to the WAN interface:
# config firewall policy
    edit 6
        set srcintf "Root_to_Int0"
        set dstintf "wan1"
        set srcaddr "LAN_VDOM_Internal"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
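As an added consistency check, not part of the original article and not Fortinet code: the script below parses the two static-route blocks above in their FortiOS CLI form (stripping the inline ">>>>" annotations), then verifies that each VDOM's route uses the other VDOM's end of the inter-VDOM link as its gateway and that the External VDOM's return route covers the internal LAN. The link-end addresses in LINK_IP and the External route id 2 are assumptions inferred from the article's routes.

```python
import ipaddress
import shlex

# Constructed from the article's static-route blocks (External <id> assumed 2).
INTERNAL_ROUTES = """
config router static
    edit 1
        set gateway 10.10.10.1     >>>> External end of the inter-VDOM link
        set device "Root_to_Int1"
    next
end"""
EXTERNAL_ROUTES = """
config router static
    edit 2
        set dst 10.254.0.0 255.255.255.0
        set gateway 10.10.10.2
        set device "Root_to_Int0"
    next
end"""
# Assumed addressing of the two link ends, as implied by the article's routes.
LINK_IP = {"Root_to_Int0": "10.10.10.1", "Root_to_Int1": "10.10.10.2"}


def parse_fortios(text):
    """Return {entry_id: {key: [values]}} for the entries of one config block."""
    entries, current = {}, None
    for line in text.splitlines():
        words = shlex.split(line.split(">>>>")[0])  # drop inline annotations
        if words and words[0] == "edit":
            current = entries.setdefault(words[1], {})
        elif words and words[0] == "set":
            current[words[1]] = words[2:]
    return entries


def check_routing(internal_txt, external_txt, lan="10.254.0.0/24"):
    """Return findings; an empty list means the two VDOM halves agree."""
    findings, lan_net = [], ipaddress.ip_network(lan)
    # Internal VDOM: the default route (no dst) must use the External end as gateway.
    default = next(r for r in parse_fortios(internal_txt).values() if "dst" not in r)
    peer = next(d for d in LINK_IP if d != default["device"][0])
    if default["gateway"][0] != LINK_IP[peer]:
        findings.append(f"Internal default gateway must be {LINK_IP[peer]} ({peer})")
    # External VDOM: the return route must cover the LAN and use the Internal end.
    ret = next(r for r in parse_fortios(external_txt).values() if "dst" in r)
    dst = ipaddress.ip_network("/".join(ret["dst"]))
    if not lan_net.subnet_of(dst):
        findings.append(f"External return route {dst} does not cover LAN {lan_net}")
    peer = next(d for d in LINK_IP if d != ret["device"][0])
    if ret["gateway"][0] != LINK_IP[peer]:
        findings.append(f"External return gateway must be {LINK_IP[peer]} ({peer})")
    return findings
```

Run check_routing(INTERNAL_ROUTES, EXTERNAL_ROUTES) against the two blocks; a mismatched gateway or a return route that misses the LAN is reported as a finding instead of being discovered by a failed ping.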

Verification
Validate the connection between the VDOMs using the inter-VDOM link IP addresses:

From Internal VDOM:
# execute ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1): 56 data bytes
64 bytes from 10.10.10.1: icmp_seq=0 ttl=255 time=0.3 ms
64 bytes from 10.10.10.1: icmp_seq=1 ttl=255 time=0.2 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=255 time=0.2 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=255 time=0.2 ms
64 bytes from 10.10.10.1: icmp_seq=4 ttl=255 time=0.2 ms

--- 10.10.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.3 ms

From External VDOM:
# execute ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=255 time=0.4 ms
64 bytes from 10.10.10.2: icmp_seq=1 ttl=255 time=0.2 ms
64 bytes from 10.10.10.2: icmp_seq=2 ttl=255 time=0.2 ms
64 bytes from 10.10.10.2: icmp_seq=3 ttl=255 time=0.2 ms
64 bytes from 10.10.10.2: icmp_seq=4 ttl=255 time=0.2 ms

--- 10.10.10.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.4 ms
Verify the connection from the internal LAN (Internal VDOM) to the Internet, sourcing the ping from the LAN address:
# execute ping-options source 10.254.0.1
(Internal_VD) # execute ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2): 56 data bytes
64 bytes from 4.2.2.2: icmp_seq=0 ttl=55 time=54.3 ms
64 bytes from 4.2.2.2: icmp_seq=1 ttl=55 time=54.1 ms
64 bytes from 4.2.2.2: icmp_seq=2 ttl=55 time=57.0 ms
64 bytes from 4.2.2.2: icmp_seq=3 ttl=55 time=55.2 ms
64 bytes from 4.2.2.2: icmp_seq=4 ttl=55 time=53.5 ms
--- 4.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 53.5/54.8/57.0 ms