- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Advise on HA setup with multiple VDOMs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Advise on HA setup with multiple VDOMs
Hi guys,
I' m new to Fortigate and am trying to setup a pair of 100D (running 5.00b147) in HA cluster for use in our datacentre. I' m learning about VDOMs, HA, VLANs etc. as I go so if these are basic questions please forgive me!
The goal is to end up with the two 100D firewalls in some form of HA cluster, connected to the datacentre ISP on the WAN side and to a set of VLANed switches on the LAN side.
My plan was to set the 100Ds up in a active/passive HA cluster, create two VDOMs (there are two separate companies sharing the firewalls and switches) and enable VDOM partitioning (virtual clustering) to spread the two VDOMs (and the root) across the two 100Ds. This seemed like the perfect scenario as it allowed us separate the two companies from an admin point-of-view and gave us HA while also utilising the resources of both 100Ds.
I got most of the above configured and tested but then came across two issues -
1. I had assumed I could " share" the WAN interface between the two VDOMs, (they' ll both have their own ranges of public static IP addresses but probably just one WAN uplink port to the ISP). On reading more though I think I need to basically route the traffic through the root VDOM, which seems a bit cumbersome when we don' t really want to do any " control" of the traffic at the root/management level. Am I understanding this correctly or could VLANs be used here in some way?
2. The two customer VDOMs don' t necessarily HAVE to communicate with each other, but it would be good to have the option, so an inter-VDOM-link is required however I read this line in the admin guide " With virtual clusters (vclusters) configured, inter-VDOM links must be entirely within one vcluster" . So if I' m reading this correctly I cannot setup an inter-VDOM link between the two customer VDOMs because I am using VDOM partitioning? Assuming I' m reading that right, I then don' t understand how I will be able to route both of my VDOMs' traffic through the root VDOM given that the root VDOM will be on one vcluster only, so the customer on the other vcluster will not be able to have an inter-VDOM link.
Maybe it' s just too late at night and I' m confusing myself but some guidance would be much appreciated!
Thanks
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' ve slept on it but am still confused :), any help appreciated!
I' ve read some more documentation around issue 2 and am now pretty sure that you cannot do inter-vdom links between VDOMs on different vClusters, so I' m now quite confused how you go about solving problem number 1 if one of my VDOMs is inevitably going to be on a different vCluster to the root VDOM, which it needs to talk through to get to the Internet.
I' m guessing I' m just trying to use features that cannot work together as I had planned so just looking for suggestions how best to proceed given the requirements :).
Any thoughts/suggestion no matter how small are appreciated!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
if you use a vcluster, then vdom-links are very problematic - because you have to run all connected vdoms on one box. And cannot move the vdom onto another cluster!
So you have to connect the vdoms via normal ethernet interfaces or vlan interfaces - as you would have on any other firewall interface!
Just think of your VDOMs as seperate firewalls and connect them with vlan interfaces wherever you need!
You have to take care, that the management vdom has internet access - because it will do all the Fortiguard/AV/IPs download and query!
br,
Roman
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply Roman. Yeah OK thanks that makes sense, I guess the 100D does have an abundance of ports so it is no big deal to use physical ports or VLANs as per your suggestion.
Don' t suppose you have any suggestions about how to manage the WAN interface in this scenario? I could get separate connections from the datacentre ISP but I' d then need one each for the root and two customer VDOMs which seems kinda crazy. I can leave the WAN connection in the root VDOM then maybe have VLANs off this into each customer VDOM but this seems like I will have issues with NATing public IP addresses into the customer VDOMs no? Is routing all customer VDOM traffic through the root VDOM even the way to go here, it seems cumbersome and unnecessary?
Again sorry if these seems like stupid questions, there are just many combinations of ways to do things here and I' d hate to choose one that leads me into trouble down the road as it will be difficult to make big changes like this after deployment.
Thanks again :).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
there are for sure a couple of ways to do this....
I normally don' t use the native Interfaces from the Fortigate for the production traffic, when I have a cluster! I only have one physical managment interface in my root/managment vdom, that has an ip adress!
All other interfaces I use in the whole cluster are VLAN interfaces attached to either a physical interface or an lacp trunk. So all my interfaces have the names I want them to have - It is also easier to migrate one vlan interface to another port, then totally reconfiguring ports - makes upgrading also easier! But there are some ways to Rome :)....
I' d put all Interfaces for VDOM A on to one physical port (or a trunk, if you need he speed!) - and for VDOM B on to another interface. On both of these interfaces you then configure a vlan interface for your internet uplink... But this depends on the possibilities of your switching infrastructure....
br,
Roman
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply Roman,
OK I think I understand what you' re getting at but bear with me here. On the LAN side the FGs are connected to 4 Cisco switches which will have various VLANs on them, so it' s no problem to have the physical LAN ports in the root VDOM and then use VLANs in VDOM_A and VDOM_B, this is actually the way I have it setup and it works well.
So what you' re saying is do the exact same thing on the WAN side? At the moment I only have one physical WAN port per FG connected to the ISP, typically the ISP give us a public IP to put on this interface then they forward all traffic for our other public IP ranges to this one IP and the firewall deals with the traffic appropriately. So you' re suggesting that I continue to use one physical WAN port in the root VDOM but create a VLAN off this port for each VDOM. These two VLANs would need a public IP each (which the ISP can then route public IP ranges to) and this would allow an administrator in say VDOM_A to manage their own routing, NAT, VPNs etc.. I assume I will need to get the ISP to VLAN tag traffic to the WAN port so it can get to the relevant VLAN and hence VDOM, or is there a clever way to avoid having to do this?
Thanks again :).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Roman,
I just thought I' d attach a basic logical diagram so you know what I' m talking about. So WAN1, WAN2 and WAN3 would be actual physical interfaces in each VDOM connected to the ISP and each would have a public IP like 211.6.7.8 etc., the ISP then route subnets of IPs to these IPs. There should be no big deal setting it up this way I think, but it means getting three ports from the ISP and as you say it seems like VLAN interfaces would be cleaner but it seems the ISP would need to be able to VLAN tag, then WAN2 and WAN3 could become VLAN interfaces right?
Thanks!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If somebody could comment on how you allow VDOMs to communicate with VLANs as Roman mentioned above that would also be great! I' ve tried doing it a few different ways but am not sure how it is supposed to work. I have inter-VDOM links working, but of course as soon as I turn on VDOM-partitioning these links will cease to work!
Thanks again!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I don' t get the question right, I think.
As I don' t know about your redundancy on the ISP switching side - Which seems one switch and would be some single point of failure. I' d bring the ISPs network into my switching infrastructure as a vlan and have everything there. redundantly...
br,
roman
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the help Roman!
It' s actually two switches on the ISP side, one per Fortigate, but as the Fortigates are running in a cluster I simplified that drawing above :). Anyway I contacted the ISP and it turns out they will not VLAN tag traffic to us, so I' ve just requested three ports per switch so we can give one to each of the three VDOMs which solves all my WAN questions!
You mentioned above about using VLANs to allow VDOMs to communicate, can you explain how this is done in a bit more detail please as I' m a bit confused? This would be preferable as it would allow me avoid VDOM_links and hence use VDOM_partitioning!
Thanks again for your help!
Related Posts
- Using FortiSwitch Interfaces in multiple VDOMs 487 Views
- Multiple Fortigate/VDOM SAML MFA Auth (for... 212 Views
- Forticlient EMS deployment on FortiGate virtual... 140 Views
- SSL-VPN - SAML login more groups 478 Views
- Usage of vdoms when migrating from... 442 Views
Labels
-
FortiGate
6,905 -
FortiClient
1,364 -
5.2
801 -
5.4
639 -
FortiManager
597 -
FortiAnalyzer
435 -
6.0
416 -
5.6
362 -
FortiAP
361 -
FortiSwitch
357 -
FortiClient EMS
278 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
168 -
6.4
128 -
FortiNAC
120 -
FortiGuard
110 -
IPsec
96 -
FortiGateCloud
91 -
FortiSIEM
91 -
FortiCloud Products
85 -
SSL-VPN
82 -
FortiToken
75 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
FortiEDR
42 -
SD-WAN
41 -
Fortivoice
41 -
FortiDNS
36 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
Firewall policy
31 -
VLAN
27 -
High Availability
27 -
FortiAuthenticator
26 -
FortiConnect
24 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
SAML
17 -
FortiGate v5.2
17 -
DNS
17 -
LDAP
17 -
Certificate
17 -
BGP
16 -
VDOM
16 -
FortiMonitor
14 -
Interface
14 -
Logging
14 -
Authentication
13 -
FortiGate v5.0
13 -
FortiLink
13 -
Routing
13 -
FortiCASB
13 -
FortiDDoS
13 -
NAT
11 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Fortigate Cloud
9 -
4.0MR2
9 -
SSID
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
WAN optimization
7 -
SNMP
7 -
Web profile
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Traffic shaping policy
6 -
FortiBridge
6 -
Web application firewall profile
6 -
Proxy policy
5 -
Packet capture
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 983 | |
| 819 | |
| 446 | |
| 440 | |
| 130 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.