heljag
Staff
Article Id 349281
Description This article describes the steps to configure routing between a VDOM on a FortiGate cluster to a VDOM from another FortiGate cluster.
Scope FortiGate.
Solution

Topology:

[Topology diagram: KBvdom.drawio.png]

In this example, a Layer 2 switch interconnects the machines of both subnets and both FortiGate clusters, using VLANs to keep the traffic separated.

Since the FortiGates are HA cluster members, both the primary and the secondary unit of each cluster must be connected to the Layer 2 switch with the correct VLAN tagging, so that the VLAN interfaces keep working after an HA failover.

Configuration:

Cluster A:

  • First, configure the VLAN interfaces and IP addresses in the global context:

config global
config system interface
    edit "VLAN100"
        set vdom "A"
        set ip 192.168.100.1 255.255.255.252
        set interface "wan1"
        set vlanid 100
    next
    edit "VLAN150"
        set vdom "A"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set interface "wan1"
        set vlanid 150
    next
end
end

  • Second, configure the firewall policies and the static route under the VDOM A context (the example policies permit any source, destination and service between the two VLANs; restrict them to the required hosts and services in production):

config vdom
edit A
config firewall policy
    edit 0
        set name "To Cluster B"
        set srcintf "VLAN150"
        set dstintf "VLAN100"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "From Cluster B"
        set srcintf "VLAN100"
        set dstintf "VLAN150"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 0
        set dst 10.20.20.0 255.255.255.0
        set gateway 192.168.100.2
        set device "VLAN100"
    next
end
next
end


Cluster B:

  • Similarly for cluster B, start configuring the VLAN interfaces and IP addresses in the global context:

config global
config system interface
    edit "VLAN100"
        set vdom "B"
        set ip 192.168.100.2 255.255.255.252
        set interface "wan1"
        set vlanid 100
    next
    edit "VLAN250"
        set vdom "B"
        set ip 10.20.20.1 255.255.255.0
        set allowaccess ping
        set interface "wan1"
        set vlanid 250
    next
end
end

  • Second, configure the firewall policies and the static route under the VDOM B context:

config vdom
edit B
config firewall policy
    edit 0
        set name "To Cluster A"
        set srcintf "VLAN250"
        set dstintf "VLAN100"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "From Cluster A"
        set srcintf "VLAN100"
        set dstintf "VLAN250"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set gateway 192.168.100.1
        set device "VLAN100"
    next
end
next
end

Now, when laptop A (10.10.10.20) tries to reach laptop B (10.20.20.21), the traffic is sent to laptop A's default gateway, the VLAN150 interface of cluster A (10.10.10.1). Cluster A looks up the destination in the VDOM A routing table, matches the static route for 10.20.20.0/24 and forwards the traffic over VLAN100 to the next hop, the VLAN100 IP of cluster B (192.168.100.2). Cluster B's static route for 10.10.10.0/24 handles the return traffic the same way in the opposite direction.
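As an added example (not part of this article and not a Fortinet tool), a small Python script that parses the interconnect-relevant parts of both clusters' configuration and checks what the route lookup above depends on: both VLAN100 addresses share the /30, each static route's gateway is the peer's VLAN100 address, and each route's destination is the peer's LAN subnet. The cluster_cli helper only renders the article's values as sample input, and parse_fortios understands just the config/edit/set/next/end keywords.

```python
import ipaddress
import shlex

def cluster_cli(ic_ip, lan_if, lan_ip, peer_lan, peer_ic):
    # Constructed sample input: the interconnect-relevant CLI of one cluster from this article.
    return f'''config system interface
edit "VLAN100"
set ip {ic_ip} 255.255.255.252
next
edit "{lan_if}"
set ip {lan_ip} 255.255.255.0
next
end
config router static
edit 1
set dst {peer_lan} 255.255.255.0
set gateway {peer_ic}
next
end'''

def parse_fortios(text):
    # Minimal parser: config/edit open a nested dict, set stores its value tokens, next/end close.
    root, stack = {}, []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        cur = stack[-1] if stack else root
        if tok[0] in ("config", "edit"):
            stack.append(cur.setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end") and stack:
            stack.pop()
    return root

def net(ip_mask):  # ["192.168.100.1", "255.255.255.252"] from a "set ip" line -> IPv4Interface
    return ipaddress.ip_interface("/".join(ip_mask))

def check_interconnect(a, b):
    # Problems with cluster a's path towards cluster b; an empty list means the two configs agree.
    ic_a, ic_b = net(a["system interface"]["VLAN100"]["ip"]), net(b["system interface"]["VLAN100"]["ip"])
    lan_b = next(net(v["ip"]).network for k, v in b["system interface"].items() if k != "VLAN100")
    route = a["router static"]["1"]
    checks = [
        (ic_a.network != ic_b.network, "interconnect IPs are not in the same /30"),
        (ipaddress.ip_address(route["gateway"][0]) != ic_b.ip, "route gateway is not the peer's VLAN100 address"),
        (net(route["dst"]).network != lan_b, "route destination is not the peer's LAN subnet"),
    ]
    return [msg for bad, msg in checks if bad]

A = parse_fortios(cluster_cli("192.168.100.1", "VLAN150", "10.10.10.1", "10.20.20.0", "192.168.100.2"))
B = parse_fortios(cluster_cli("192.168.100.2", "VLAN250", "10.20.20.1", "10.10.10.0", "192.168.100.1"))
```

Running check_interconnect(A, B) and check_interconnect(B, A) against the article's values returns an empty list for both directions; a mistyped gateway or destination subnet shows up as a named problem.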