Allow my customer to manage his VIP

5q46n2te8jPWJY · ‎05-29-2024

Hello,

We are hosting a client on our infrastructure and have set up VDOMs as follows:

We use FortiManager and have created an ADOM that contains the client's VDOM. The client can manage their firewall rules autonomously.

We have assigned them 10 public IPs and I would like them to be able to manage these autonomously as well. How should we proceed?

Thank you for your help!

pminarik · ‎05-30-2024

Assuming root VDOM is under your control and VDOM1/2 under customer control, then in root you can simply route the 10 public IPs to the customer's VDOM, where they can deal with it however they like (VIP, IP pool, etc.)

[ corrections always welcome ]

View solution in original post

pminarik · ‎05-30-2024

Assuming root VDOM is under your control and VDOM1/2 under customer control, then in root you can simply route the 10 public IPs to the customer's VDOM, where they can deal with it however they like (VIP, IP pool, etc.)

[ corrections always welcome ]

5q46n2te8jPWJY · ‎06-12-2024

Sorry but it doesn't work...

I created a route in my root VDOM to route my public IP (1.2.3.4) to my VDOM1.

config router static
   edit 1
      set dst 1.2.3.4 255.255.255.255
      set gateway 10.0.0.2
      set device "vlnk_VDOM1"
   next
end

and create a VIP

config firewall vip
    edit "FTTO_SAMPLE_WEB_SERVICE_443"
        set extip 1.2.3.4
        set mappedip "192.168.1.1"
        set extintf "vlnk_VDOM0"
        set portforward enable
        set extport 443
        set mappedport 443
    next

and create rules

config firewall policy
    edit 69
        set name "WAN to FTTO_SAMPLE_WEB_SERVICE_443"
        set srcintf "vlnk_VDOM0"
        set dstintf "VLAN_574"
        set action accept
        set srcaddr "all"
        set dstaddr "FTTO_SAMPLE_WEB_SERVICE_443" 
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end

Can you help me to find what is wrong ?

Toshi_Esumi · ‎06-12-2024

I would just disable the portforward and allow only ALL_ICMP in the policy to just test if routing is working fine with simple ping.
Your gateway IP is different from the diagram, which making me wonder if routing is working for the "1.2.3.4" IP.

Toshi

5q46n2te8jPWJY · ‎06-12-2024

Thank you, yes, I took the diagram in Fortigate's doc.

I disabled port forwarding, and enable ALL_ICMP, I can't ping my ressource from internet. In my network, ping is OK.

Here the full conf

Public IP: 1.2.3.4
Internal resource IP: 5.6.7.8

Inter vdom link :

config global
config system vdom-link
    edit "link_root_to_vdom1"
    next
end
config vdom
edit root
config system interface
    edit "link_root_to_vdom1"
        set ip 192.168.1.1 255.255.255.252
        set vdom "root"
        set type vdom-link
    next
end

edit vdom1
config system interface
    edit "link_root_to_vdom1"
        set ip 192.168.1.2 255.255.255.252
        set vdom "vdom1"
        set type vdom-link
    next
end

Configure routing in root vdom

config vdom
edit root
config router static
    edit 1
        set dst 5.6.7.8 255.255.255.255
        set gateway 192.168.1.2
        set device "link_root_to_vdom1"
    next
end

Add static route in vdom1

config vdom
edit vdom1
config router static
    edit 1
        set dst 0.0.0.0/0
        set gateway 192.168.1.1
        set device "link_root_to_vdom1"
    next
end

Create VIP in vdom1

config vdom
edit vdom1
config firewall vip
    edit "Public_to_Internal"
        set extip 1.2.3.4
        set mappedip 5.6.7.8
        set extintf "link_root_to_vdom1"
    next
end

Configure security policy

config vdom
edit vdom1
config firewall policy
    edit 1
        set srcintf "link_root_to_vdom1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Public_to_Internal"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

pminarik · ‎06-12-2024

The static route in root is wrong. Root needs to be told how to route to the extip of the VIP in vdom1. (to be clear: it is wrong when talking about the VIP, it may be correct if you want root to talk to the destination's real IP 5.6.7.8 directly)

As always, debug flow and packet sniffer should help clarify what's going on.

[ corrections always welcome ]

5q46n2te8jPWJY · ‎06-13-2024

You can find a diagram of my need

pminarik · ‎06-13-2024

The general layout is understood already.

- What about the static route comment?

- What about the debug flow & sniffer?

+ If there is an IP pool that covers 1.2.3.4 in the root VDOM, you need to edit it or delete it. The VIP won't work in vdom1 if root is already using 1.2.3.4 in an IP pool. (if it is literally just "an IP in a pool" and not an IP pool (the configuration term), then disregard this point)

[ corrections always welcome ]

5q46n2te8jPWJY · ‎06-13-2024

Sorry, I'm not sure I understand correctly. Above, you answered me :

Assuming root VDOM is under your control and VDOM1/2 under customer control, then in root you can simply route the 10 public IPs to the customer's VDOM, where they can deal with it however they like (VIP, IP pool, etc.)

I want my user to be able to use these IPs to create their VIPs. So this is why I try to created this static route. Can you guide me to the right way ?

I haven't IP Pool on root VDOM.

pminarik · ‎06-13-2024

Basic outline

assuming:

public IP of VIP: 1.2.3.4

local IP of the server: 9.8.7.6

root VDOM:

static route:

dst 1.2.3.4/32 via inter-vdom-link

firewall policy:

WAN->inter-vdom-link, allowing 1.2.3.4/32. (no SNAT)

vdom1:

VIP:

extip: 1.2.3.4

mappedip: 9.8.7.6

extintf: inter-vdom-link

firewall policy:

inter-vdom-link-> <interface towards 9.8.7.6>, dstaddr = the VIP. (no SNAT, typically)

static routes:

default route via inter-vdom-link

[ corrections always welcome ]

Allow my customer to manage his VIP

Nominate a Forum Post for Knowledge Article Creation