Support Forum
DarwinPH
New Contributor

Accessing Resources on a different VDOM

Greetings!

Good day to everyone! Our school is currently setting up a topology similar to Ken Felix's article on this link - http://socpuppet.blogspot...arent-using-inter.html > Awesome article by the way :)

We were able to make the said topology from the article work, but we need to modify it for the setup that we want.

Our servers are connected to the Root VDOM through an independent interface. We have another VDOM in transparent mode connected to the Root VDOM through a virtual link. DHCP service is provided through the virtual link. Internet connection is provided by a separate firewall connected to the transparent VDOM.

With the current setup, we didn't have any problems in terms of connecting to the internet. But the challenge would now be accessing the servers. We can't seem to connect to them. Running a traceroute from the LAN shows that the traffic goes out to the internet through the gateway 10.199.199.254.

We are still getting accustomed to configuring the FortiGate 300C that we have, as well as the concepts behind it. So any feedback and opinions from the community are highly appreciated.

Thank you everyone!

Blessings!

2 Solutions
neonbit
Valued Contributor

There are a few places where there can be an issue. Just having a quick look, I'm assuming that the users on internal have their default gateway set to 10.199.199.254. If this is the case you could look at the routing on the firewall. It needs to have a route pointing to the servers via the FortiGate. Something like this:

Route: 10.10.10.0/24
Interface: Firewall internal interface (the one that's configured with 10.199.199.254)
Gateway: 10.199.199.1

vdom-root also needs to have a policy from internal interface > server interface.

There may be another problem if your packets are entering the transparent VDOM twice (hard to tell from the diagram), but for now I would recommend having a look at the routing first.

p.s.: Mr Felix frequents this forum, keep an eye out and you may catch a sight of him! :)

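As an added, illustrative configuration (it is not neonbit's or the poster's own config), here is what the route and the root-VDOM policy described in this answer look like in FortiOS CLI. It assumes the upstream firewall at 10.199.199.254 is also a FortiGate with its LAN-facing interface named "internal" (another vendor's firewall needs the equivalent static route), that the root VDOM's end of the vdom-link is "vlink0" with address 10.199.199.1, that the servers sit behind a root-VDOM interface named "servers", and that the server subnet is 10.10.10.0/24 as in the answer; the interface and object names are placeholders.

```fortios
# Added example, not configuration from the original thread.
# Assumptions (placeholders, adjust to your names):
#   - the upstream firewall (LAN default gateway, 10.199.199.254) is also a
#     FortiGate and its LAN-facing interface is "internal"; on another vendor's
#     firewall, add the equivalent static route there instead
#   - the root VDOM's end of the vdom-link is "vlink0", addressed 10.199.199.1
#   - the server segment is 10.10.10.0/24 behind the root-VDOM interface "servers"

# ---- 1. Upstream firewall: send the server subnet to the FortiGate ----
# Without this route the LAN hosts' traffic for 10.10.10.0/24 follows the
# default route to the Internet, which matches the traceroute in the post.
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set gateway 10.199.199.1
        set device "internal"
    next
end

# ---- 2. FortiGate 300C, root VDOM: permit LAN -> servers ----
config vdom
    edit root
        config firewall address
            edit "net-lan"
                set subnet 10.199.199.0 255.255.255.0
            next
            edit "net-servers"
                set subnet 10.10.10.0 255.255.255.0
            next
        end
        config firewall policy
            edit 0
                set srcintf "vlink0"
                set dstintf "servers"
                set srcaddr "net-lan"
                set dstaddr "net-servers"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic all
            next
        end
        # Replace "ALL" with the services the servers actually expose once
        # connectivity works. The transparent VDOM between the LAN firewall
        # and the vdom-link needs its own accept policy for the same traffic:
        # every VDOM the flow crosses applies its own policy.
    next
end

# ---- 3. Verify from the root VDOM ----
config vdom
    edit root
        # which route/interface the root VDOM uses to reach a server
        get router info routing-table details 10.10.10.5
        # which policy a LAN host -> server TCP/80 flow entering on vlink0 would match
        diagnose firewall iprope lookup 10.199.199.11 40000 10.10.10.5 80 tcp vlink0
    next
end
```

The static route is the piece that changes the traceroute result: as long as the LAN's default gateway has no more specific route for the server subnet, it forwards that traffic to the Internet regardless of what the FortiGate policies allow. The iprope lookup is a quick way to confirm the policy match without generating traffic.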

emnoc
Esteemed Contributor III

In your setup, you need to run diag debug flow on the expected traffic. Keep in mind that you will have 2 fwpolicy (1 per vdom).

Start simple with diag debug flow and go from that output, e.g.:

diag debug dis
diag debug reset
diag debug flow filter addr 10.199.199.11
diag debug flow show console enable
diag debug en
diag debug flow trace start 40

and then kick off some traffic and monitor the session status and attached policies in the output. And thanks for finding my blog; keep in mind stacked vdoms are multiple unique firewalls and can make life more complex.

Ken

PCNSE NSE StrongSwan

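An added troubleshooting sequence (not from emnoc's post) that narrows the flow trace to one host pair, runs it inside the root VDOM, and then checks the session table, which is where the "session status and attached policies" mentioned above are visible. It assumes the LAN test host 10.199.199.11 from the post, a server at 10.10.10.5, ICMP as the test traffic, and a multi-VDOM unit, so the commands are entered inside the VDOM being examined; the transparent VDOM's name is a placeholder.

```fortios
# Added troubleshooting sequence, not from emnoc's post. Assumptions:
#   LAN test host 10.199.199.11 (the address used above), a server at
#   10.10.10.5, ICMP (proto 1) as the test traffic, and a multi-VDOM unit,
#   so the trace is run inside the VDOM being examined.
config vdom
    edit root
        diagnose debug disable
        diagnose debug flow filter clear
        # narrow the trace to one host pair instead of any packet to/from the host
        diagnose debug flow filter saddr 10.199.199.11
        diagnose debug flow filter daddr 10.10.10.5
        diagnose debug flow filter proto 1
        diagnose debug flow show console enable
        diagnose debug flow show function-name enable
        diagnose debug enable
        diagnose debug flow trace start 20
        # ... now ping 10.10.10.5 from 10.199.199.11 ...
        # In the trace, the "find a route:" line names the egress interface
        # (it should be the servers interface, not the Internet path) and the
        # "Allowed by Policy-<id>" or "Denied by forward policy check (policy 0)"
        # line tells you which policy, if any, accepted the flow in this VDOM.
        diagnose debug flow trace stop
        diagnose debug disable
        # sessions actually created for the test flow in this VDOM
        diagnose sys session filter clear
        diagnose sys session filter src 10.199.199.11
        diagnose sys session filter dst 10.10.10.5
        diagnose sys session list
    next
end
# Repeat the same block with "edit <transparent-vdom-name>": the flow must be
# accepted by a policy in each VDOM it crosses, and a trace that never shows
# the packet arriving in the root VDOM means the transparent VDOM or the
# upstream firewall's routing sent it elsewhere.
```

Running the trace in each VDOM separately is the point emnoc makes about stacked VDOMs: each one is its own firewall with its own policy table, so a flow that is accepted in one VDOM can still be dropped, or never arrive, in the next.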
DarwinPH
New Contributor

Thank you guys for the feedback. Will surely try out your suggestions.

Blessings!

