Support Forum
5q46n2te8jPWJY
Contributor

Allow my customer to manage his VIP

Hello,

 

We are hosting a client on our infrastructure and have set up VDOMs as follows:

 

[Image: Topology, inter-VDOM routing example with Internet access]

 

We use FortiManager and have created an ADOM that contains the client's VDOM. The client can manage their firewall rules autonomously.

 

We have assigned them 10 public IPs and I would like them to be able to manage these autonomously as well. How should we proceed?

 

Thank you for your help!

1 Solution
pminarik
Staff

Assuming root VDOM is under your control and VDOM1/2 under customer control, then in root you can simply route the 10 public IPs to the customer's VDOM, where they can deal with it however they like (VIP, IP pool, etc.)

[ corrections always welcome ]


5q46n2te8jPWJY
Contributor

Thank you for your help, but unfortunately, it still doesn't work. You mentioned SNAT in your response; my VDOMs do not have "Central SNAT" enabled. Could this be an issue?

 

On my VDOM1, I see the incoming packet, but from my source device the ping doesn't work:

 

HOSTNAME (VDOM1) # diag sniffer packet any 'icmp and src host 92.184.99.183' 4
interfaces=[any]
filters=[icmp and src host 92.184.99.183]
30.048388 VLAN_301 in 92.184.99.183 -> 1.2.3.4: icmp: echo request


 

5q46n2te8jPWJY
Contributor

I forgot to tell you that SD-WAN is enabled; maybe there is an impact?

 

[Screenshot: FortiGate HYP-ALL-SEC-FGCHG01 GUI]

In my log view, I see traffic incoming on the interface. But in my rules I can only select the SD-WAN zone, not the interface. So the traffic is blocked.

 

What can I do?

 

pminarik

It looks like you don't have a matching firewall policy in the VDOM that owns VLAN_301 (is it root?).

 

You can run debug flow to check how it is evaluated:

diag debug flow filter clear

diag debug flow filter proto 1

diag debug flow filter addr <src-ip from which the ping comes>

diag debug enable

diag debug flow trace start 10

=> now try ping again

 

You can also show us the configuration of the policy you expect to be matched in root.

 

> my VDOMs do not have "Central SNAT" enabled. Could this be an issue?

 

Don't bother making changes to SNAT at this point, unless it proves to be required.

[ corrections always welcome ]
5q46n2te8jPWJY
Contributor

Thank you again for your help

 

 

HOSTNAME (root) # id=65308 trace_id=4 func=print_pkt_detail line=5942 msg="vd-root:0 received a packet(proto=1, 92.184.99.180:36996->37.64.138.20:2048) tun_id=0.0.0.0 from VLAN_301. type=8, code=0, id=36996, seq=1."
id=65308 trace_id=4 func=init_ip_session_common line=6127 msg="allocate a new session-00f5c4fb"
id=65308 trace_id=4 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=00000000 gw-10.0.0.2 via vlnk_HYP1"
id=65308 trace_id=4 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=3"
id=65308 trace_id=4 func=fw_forward_handler line=839 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=5 func=print_pkt_detail line=5942 msg="vd-root:0 received a packet(proto=1, 92.184.99.180:50108->37.64.138.20:2048) tun_id=0.0.0.0 from VLAN_301. type=8, code=0, id=50108, seq=1."
id=65308 trace_id=5 func=init_ip_session_common line=6127 msg="allocate a new session-00f5ca0e"
id=65308 trace_id=5 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=00000000 gw-10.0.0.2 via vlnk_HYP1"
id=65308 trace_id=5 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=3"
id=65308 trace_id=5 func=fw_forward_handler line=839 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=6 func=print_pkt_detail line=5942 msg="vd-root:0 received a packet(proto=1, 92.184.99.180:26392->37.64.138.20:2048) tun_id=0.0.0.0 from VLAN_301. type=8, code=0, id=26392, seq=1."
id=65308 trace_id=6 func=init_ip_session_common line=6127 msg="allocate a new session-00f5d200"
id=65308 trace_id=6 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=00000000 gw-10.0.0.2 via vlnk_HYP1"
id=65308 trace_id=6 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=3"
id=65308 trace_id=6 func=fw_forward_handler line=839 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=7 func=print_pkt_detail line=5942 msg="vd-root:0 received a packet(proto=1, 92.184.99.180:42823->37.64.138.20:2048) tun_id=0.0.0.0 from VLAN_301. type=8, code=0, id=42823, seq=1."

 

[Screenshot: Paramètres (Settings)]


pminarik

Debug flow reports this as traffic wanting to go in the direction VLAN_301 -> vlnk_HYP1 (the egress interface is decided based on the routing table).

 

So you need a policy that covers these two interfaces as srcintf and dstintf, respectively, or zones that contain these interfaces.

Make sure the source/destination address and service (accepted protocols) options are also set to something that matches the traffic.

[ corrections always welcome ]
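The following is an added, constructed configuration example that is not part of the original post or of any Fortinet documentation. It puts together the two pieces of advice above: in root, route the customer's public block down the inter-VDOM link and allow it with a policy whose srcintf is the ingress interface (VLAN_301) and whose dstintf is the routing-table egress (vlnk_HYP1); in the customer VDOM, terminate an address with a VIP. Assumed values: the public block is 203.0.113.0/28 (a documentation prefix standing in for the 10 real addresses), the customer VDOM is named VDOM1, the customer side of the inter-VDOM link is vlnk_HYP0 with 10.0.0.2/30 (10.0.0.2 is the gateway seen in the debug flow output; 10.0.0.1 is assumed for the root side), the customer LAN interface is port_cust_lan and the server is 10.10.10.5. The `#` lines are annotations; strip them before pasting into the CLI.

```fortios
# --- root VDOM (provider-controlled) ---
config vdom
    edit root
        # Route the whole customer block to the customer VDOM via the link.
        config router static
            edit 10
                set dst 203.0.113.0 255.255.255.240
                set gateway 10.0.0.2
                set device "vlnk_HYP1"
            next
        end
        config firewall address
            edit "customer-public-28"
                set subnet 203.0.113.0 255.255.255.240
            next
        end
        # Direction matters: srcintf = where the packet enters, dstintf = egress
        # chosen by the routing table (VLAN_301 -> vlnk_HYP1 in the debug flow).
        # If VLAN_301 is an SD-WAN member, use the SD-WAN zone name as srcintf.
        # dstaddr is limited to the customer block so this VDOM can only receive
        # traffic addressed to its own public IPs. No NAT here: the customer
        # VDOM decides how each address is used.
        config firewall policy
            edit 100
                set name "inbound-to-customer-public"
                set srcintf "VLAN_301"
                set dstintf "vlnk_HYP1"
                set srcaddr "all"
                set dstaddr "customer-public-28"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
        end
    next
end

# --- customer VDOM (customer-controlled through their FortiManager ADOM) ---
config vdom
    edit VDOM1
        # Return path back to root over the link (assumed root-side address).
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.0.0.1
                set device "vlnk_HYP0"
            next
        end
        # One of the public addresses published as a port-forwarding VIP on
        # the customer side of the link; the customer manages this on their own.
        config firewall vip
            edit "vip-web-203.0.113.5"
                set extip 203.0.113.5
                set extintf "vlnk_HYP0"
                set portforward enable
                set mappedip "10.10.10.5"
                set extport 443
                set mappedport 443
            next
        end
        config firewall policy
            edit 1
                set name "inbound-web"
                set srcintf "vlnk_HYP0"
                set dstintf "port_cust_lan"
                set srcaddr "all"
                set dstaddr "vip-web-203.0.113.5"
                set action accept
                set schedule "always"
                set service "HTTPS"
                set logtraffic all
            next
        end
    next
end
```

Customer-originated outbound traffic needs the mirror policy in root (srcintf vlnk_HYP1, dstintf VLAN_301), which is not shown. After applying, re-run the debug flow procedure above; a packet to 203.0.113.5 should now report "find a route: ... via vlnk_HYP1" followed by an accept on policy 100 in root instead of "Denied by forward policy check (policy 0)".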
5q46n2te8jPWJY
Contributor

I don't know why, but when I want to re-run the diagnose again, I don't get any traffic...

 

diag debug flow filter clear

diag debug flow filter proto 1

diag debug flow filter addr <src-ip from which the ping comes>

diag debug enable

diag debug flow trace start 10

=> now try ping again

 

Do you have an idea why?

5q46n2te8jPWJY
Contributor

All is good!

 

I made a mistake: I reversed the source and destination in my rules.

 

Thank you for your patience, pminarik!
