Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: 100+ VDOM Design Best Practice
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
100+ VDOM Design Best Practice
Hi Everyone,
We have a Fortigate 3950B and 100+ VDOMs on it. Dont have a fortimanager. I want to ban some malicuos IPs (100+) for all VDOMs and these IPs may change every week. Solutions:
1- Go with ACLs on router. (I dont want this solution for some reasons)
2- Define all IPs on all VDOMs and create a firewall deny policy on all VDOMS. (If you dont die before you finish :))
3- Create a VDOM. Define all IPs and create a firewall deny policy on this VDOM. Route all other VDOMs' trafic to this VDOM.
I have not tried 3rd solution yet. Is this a good solution? Why not?
Is there another solution to handle this situation?
Regards
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
5 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes all three proposals will work and I love your comment about the "don't die" if you do a massive fw.policy and in 100+ vdoms fw.policies ;)
Here's a few better options that you should explore and not ignore
1>
If you have a router doing a dynamic protocol and the fgt have a means to learn of these routes , do a route distribute with the /32 netmask and route to a blackhole { null route }. This will allow you to drop the /32 hosts in one single swipe. You can do this static-route on the same ISP-ACL router that you mention b4. OSPF/BGP works great for this or do a static route on internet external WAN1 and enable uRPF
{ cisco } ip route 1.1.1.1 255.255.255.266 null0
2>
Now if you have no access to the router or a different team controls it, you can quickly deploy the address into the fwpolicys across the 100+ vdom with some scripting
3>
or better yet use the restAPI. You could batch job this and upload the configuration into a pre-defined fw.policy.ID ( read more )
In one of my recent rule we have 10 vdoms with public access. We maintain a fwpolicy with object-group. The policy was at that top of our list and used a deny and bidir, the addrgroup is only modified with the bad actor and we place the single ip.addr into the one address.group. In this example it's called ITBLACKLISTS, which comprised of numerous host firewall.address or firewall.addrgrps
NOTE: research the max values in a addrgrp, I believe it 1024 or 1500 entries per group on bigger units , you should be fine in a 3950 unless your blacklist over 1500 addresses. So if you think you might have more than 1500 stack address.groups
e.g
config firewall addrgrp
edit ITBLACKLISTS
set member BHGRP1 BHGRP2 BHGRP3 OCT182018 SEPT32018
end
config firewall policy edit 20 set uuid c5d8882e-5437-51e6-649d-8f30869eac8e set srcintf "PORT1" set dstintf "WAN1" set srcaddr "ITBLACKLISTS set dstaddr "ANY" set action deny set tag SOC PREMITERSECURITY set schedule "always" set service "ALL" set logtraffic all set comments " DROP IT LIKE IT'S HOT " next edit 21 set uuid ab0165a0-1073-51e6-ad98-74a3bcce8032 set dstintf "PORT1" set srcintf "WAN1" set dstaddr "ITBLACKLISTS set srcaddr "ANY" set action deny set schedule "always" set service "ALL" set tag SOC set logtraffic all set comments " DROP IT LIKE IT'S HOT " next fwpolicy.id 20/21 was used in ALL of our vdoms firewall.policies and ITBLACKLISTS is created in all vdoms. So we only needed to modified the ITBLACKLISTS address group. We even crafted new groups and appended them into the parent group and set the name of the group based on DATE or TICKET/CASE to make it easier for auditing or setting some value to know when we free the address out of the "jail" so to speak. Another option is to null route on the firewall lew of routing it to another vdom YMMV pick one and test them all but your option#3 is best or mine null route on the ISP uplinks. That latter keeps the back actor from even touch the firewall, doesn't create a log, or consume a session or uses any cpu. Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you go with option 3 it will add a little more complexity, and it will also mean that all the WAN sessions will be doubled on the firewall as the WAN VDOM will now have keep sessions for each VDOM sending traffic through it.
To be honest I would look at getting a FortiManager if you have the budget for it. You could then create a global header policy and push it to all VDOMs so it will be the first policy on each of them. This way you make a change once on the global level and it will be pushed to all VDOMs.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can't answer how to teach you scripting , but you will have to explore your team access knowledge . You can do this with pyhton/perl/pwr-shell/etc...
We ( in past roles ) had a tool teams that would draft up our scripts , and they would do this by setting expect or restAPI calls to add or remove address objects in the fortigate. So we would seed a line by line file of our bad-actors in a text file
e.g ( entries pulled by our SIEM or some other device logs like ; FEYE ,F-Secure,etc.... or you can use a BCL subscription services )
1.1.1.1
2.1.122.2
9.1.1.3
1.2.3.4
This text file would be ran upon events or attacks and if the address didn't exist, the restAI will add the object as an firewall.address and then append this to the firewall.addrgrp for the ITBLACKLIST
I would suggest you test this in a lab or lab-vdom b4 running this in a full production. Once you work out the bugs you can easily update 1k plus entries in a matter of a few seconds and across multiple vdoms. Granted I nevere worked in any appliance with more than 50+ vdoms ;)
e.g ( a restAPI post to add address )
curl -b cookie.txt -H "Content-Type: application/json" -H "X-CSRFTOKEN blablahblah " -d '{ "name"; "$NAME", "subnet" : "$NAME/32" }' -X POST https://x.x.x.x/api/v2/cmdb/firewall/address
We would do "for loop" for the name which == the ipv4.address, this was also added as subnet with the mask 32.
Always make a config backup b4 and after and diff to ensure the changes where as planned. Also last advise , make sure you place safe guards
e.g
[ul]
I like to mention this since I worked a case where a forcepointNGFW user blacklisted his own subnet causing a priority 1 outage and they didn't follow the above 2 rules :)
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
According to feedback, (you dont like to block on router), I would definetely choose third. I m doing this all the time and works fine (normally i do this during new projects (not during production)). BUT !!!
you need to prepare the vdom links, the firewall rules and last to have ready the new routes for the intervdom routing. Because otherwise you can have a downtime in order to migrate.
Its good also if you could prepare a script to configure all routing at once.
--------------------------------------------
If all else fails, use the force !
--------------------------------------------
If all else fails, use the force !
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
YES !
The solution of having one Aggregation VDOM terminating all wan traffic and then dispatch this traffic through vdomlinks to coresponded VDOM , has the effect of this traffic is passing 2 times.
You need to examine the statistics , cpu, mem, performance inorder to procced to this.
Additionally I would have great concerns for your box which is obsolete (end of sales, end of support, end of FortiOS updates).
So maybe it would be a good time to procced to hardaware change and compute new sizing needs, so that you migrate to an new hardware with agregation vdom in your topology.
--------------------------------------------
If all else fails, use the force !
--------------------------------------------
If all else fails, use the force !
- « Previous
-
- 1
- 2
- Next »
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
YES !
The solution of having one Aggregation VDOM terminating all wan traffic and then dispatch this traffic through vdomlinks to coresponded VDOM , has the effect of this traffic is passing 2 times.
You need to examine the statistics , cpu, mem, performance inorder to procced to this.
Additionally I would have great concerns for your box which is obsolete (end of sales, end of support, end of FortiOS updates).
So maybe it would be a good time to procced to hardaware change and compute new sizing needs, so that you migrate to an new hardware with agregation vdom in your topology.
--------------------------------------------
If all else fails, use the force !
--------------------------------------------
If all else fails, use the force !
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,742 -
FortiClient
1,775 -
5.2
801 -
FortiManager
736 -
5.4
639 -
FortiAnalyzer
563 -
FortiSwitch
476 -
FortiAP
474 -
FortiClient EMS
436 -
6.0
416 -
5.6
362 -
FortiMail
320 -
6.2
251 -
SSL-VPN
248 -
FortiAuthenticator v5.5
234 -
IPsec
212 -
FortiWeb
206 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
117 -
FortiAuthenticator
105 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
84 -
Customer Service
80 -
Wireless Controller
80 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
vlan
53 -
FortiEDR
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiGate-VM
18 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
WAN optimization
16 -
FortiDDoS
15 -
FortiSoar
15 -
OSPF
15 -
Automation
15 -
FortiGate v5.0
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1733 | |
| 1106 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.