- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNDR
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiScan
- FortiSandbox
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- Customer Service
- Community Groups
- Article Ideas
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Bug in documentation or my wrong? (Inter-VDOM rou...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bug in documentation or my wrong? (Inter-VDOM routing)
I try to understand the Inter-VDOM routing example at https://docs.fortinet.com/document/fortigate/6.2.4/cookbook/335646/inter-vdom-routing
In the example VDOM "Sales" connects to VDOM "root" via vdom-link "SalesVlnk".
The two interfaces are "SalesVlnk0" (on VDOM "Sales" side) and "SalesVlnk1" (on VDOM "root" side).
Nothing fancy here and I understand all of it (perhaps except the p2 and p3 IP addresses as they to not correspond with the picture in the example), until it comes to the policies.
The firewall policies in that example puzzle me. I believe those are wrong. But I might be mistaken? Please help me understand. It seems to me that the policies are completely garbled, though. For example the Sales VDOM related ones (this is from the content of above link):
To configure the firewall policies from SalesLocal to the Internet:
config vdom
edit root <<< should that not be "Sales"?
config firewall policy
edit 6
set name "Sales-local-to-Management"
set srcintf port2 <<< port2 is assigned to other VDOM in example.. correct port would be port 3
set srcaddr all
set dstintf SalesVlnk <<< I can't select this interfac, should that not be "SalesVlnk0" or "SalesVlnk1"?
set dstaddr all
set schedule always
set service ALL
set action accept
set logtraffic enable
next
end
next
edit Sales <<< should be "root" I think
config firewall policy
edit 7
set name "Sales-VDOM-to-Internet" <<< according to this, this policy should be on VDOM root, right?
set srcintf SalesVlnk <<< Can't select this as interface. This is the vdom-link... which is the correct interface?
set srcaddr SalesManagement <<< what address might that be? I'd guess
set dstintf external
set dstaddr all
set schedule always
set service OfficeServices
set action accept
set logtraffic enable
next
end
next
end
This is just an excerpt. Up to the firewall policies, it makes sense.. then, it doesn't.. for me..
I have a FG100F with 6.4.3, but the documentation is based on 6.2.4. I might not be able to do some of that due to version changes, but I frankly believe the example is wrong. I compared to other versions. They are slightly different, but all of them seem incorrect to me.
As I urgently need to understand how this works, would someone please provide me with a correct example?
or.. correct me if I'm wrong?
Thanks
Daniel
Solved! Go to Solution.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yea, virtually everybody needs to experience documentation bugs, especially with cookbooks, one way or the other. Of course, without '0' or '1' it's not even an interface. You need to correct those errors intelligently while you read through any document.
However, if your 100F should suport npu_vlink, which goes through the np6xlite off-loaded from the CPU, and that's what you should be using instead of theose regular vdom links.
Check below architecture doc first:
Then configure like below. It's 6.0.0 doc but this part should be the same.
It would make a significant difference in performance under multi-vdom envitonment.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below is the only thing I could find so far. But it's simple, just a built-in vdom-link and one side is named as npu0_vlink0 and the other side is npu0_vlink1. You should create VLAN interfaces on top of npu-vlink to have muliple links.
https://docs.fortinet.com...r-vdom-link-interfaces
Once you configured a set of VLAN interfaces on both sides, the rest is just regular VDOM/FW/router configuration for routing toward the destinations and set of policies to regulate traffic between ingress and egress interfaces. You already know what VDOM does and have chosen to use them on your new FW. I believe you can figure this out even by yourself.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yea, virtually everybody needs to experience documentation bugs, especially with cookbooks, one way or the other. Of course, without '0' or '1' it's not even an interface. You need to correct those errors intelligently while you read through any document.
However, if your 100F should suport npu_vlink, which goes through the np6xlite off-loaded from the CPU, and that's what you should be using instead of theose regular vdom links.
Check below architecture doc first:
Then configure like below. It's 6.0.0 doc but this part should be the same.
It would make a significant difference in performance under multi-vdom envitonment.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, the reason I go through those examples is to learn.
Most people tell me that I must do a training course. I will, most likely, but for now, I need reliable information on how to do things.
Do you, or somebody else could point me to a reliable example that would show me (a novice) how to do Inter-VDOM routing? Perhaps as detailed as the cookbook?
Thanks
Dan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below is the only thing I could find so far. But it's simple, just a built-in vdom-link and one side is named as npu0_vlink0 and the other side is npu0_vlink1. You should create VLAN interfaces on top of npu-vlink to have muliple links.
https://docs.fortinet.com...r-vdom-link-interfaces
Once you configured a set of VLAN interfaces on both sides, the rest is just regular VDOM/FW/router configuration for routing toward the destinations and set of policies to regulate traffic between ingress and egress interfaces. You already know what VDOM does and have chosen to use them on your new FW. I believe you can figure this out even by yourself.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Daniel,
Thanks for pointing this one out. It has been passed on to the Fortinet documentation team who will review the example and make any necessary corrections.
Regards,
Admin.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Toshi Esumi,
I have checked it out.
Dan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Admin_FTNT wrote:Thanks for pointing this one out. It has been passed on to the Fortinet documentation team who will review the example and make any necessary corrections.
Thanks. I will look forward to the corrections.
Dan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Daniel,
The Inter-VDOM routing example https://docs.fortinet.com/document/fortigate/6.2.4/cookbook/335646/inter-vdom-routing has been updated.
Regards,
Admin.
Related Posts
- Problems with Active-Passive HA deployment 126 Views
- Two IPsec tunnels to the same... 184 Views
- SD WAN with 2 link, and... 1206 Views
- asymmetric routing dilemma 2234 Views
- SDWAN - Region1 Hub to Region2... 937 Views
Labels
-
FortiGate
3,553 -
5.2
801 -
FortiClient
732 -
5.4
639 -
6.0
416 -
FortiManager
363 -
5.6
362 -
6.2
251 -
FortiAnalyzer
231 -
5.0
196 -
FortiAP
178 -
FortiSwitch
169 -
Fortimail
166 -
FortiAuthenticator
138 -
6.4
128 -
FortiClient EMS
106 -
FortiWeb
88 -
4.0MR3
64 -
FortiGuard
58 -
FortiGateCloud
56 -
FortiSIEM
41 -
Customer Service
41 -
FortiCloud Products
41 -
FortiToken
38 -
FortiNAC
37 -
Wireless Controller
30 -
FortiADC
24 -
Fortivoice
23 -
FortiSwitch v6.4
20 -
FortiProxy
19 -
FortiExtender
18 -
FortiSandbox
17 -
FortiEDR
16 -
FortiGate v5.4
16 -
FortiConnect
16 -
FortiDNS
13 -
FortiWAN
12 -
FortiConverter
10 -
FortiSwitch v6.2
9 -
4.0MR2
9 -
FortiCASB
8 -
FortiMonitor
7 -
4.0
7 -
FortiManager v5.0
6 -
FortiSOAR
5 -
RMA Information and Announcements
5 -
FortiGate v5.2
5 -
FortiPortal
5 -
FortiAnalyzer v5.0
5 -
FortiGate v5.0
4 -
FortiCarrier
4 -
3.6
4 -
FortiDirector
3 -
FortiBridge
3 -
FortiRecorder
3 -
FortiDDoS
3 -
FortiInsight
2 -
FortiWeb v5.0
2 -
FortiScan
2 -
FortiDB
2 -
FortiGate v4.0 MR3
2 -
FortiDeceptor
1 -
4.0MR1
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiCache
1 -
FortiManager v4.0
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2023 Fortinet, Inc. All Rights Reserved.