hi,
i plan to configure SNAT in a FG with multiple VDOMs.
i currently have the "internet VDOM" topology wherein the "internet" VDOM acts as our internet edge device and all downstream VDOMs connect/flow through it to go to the public internet.
my question, if i create a FW policy WITH SNAT in "VDOM-1", do i also create FW policy WITHOUT NAT in "internet VDOM" for traffic flow continuity?
Hi,
Usually, in VDOM1/2 where the internet links are not directly connected, you would not need to activate NAT.
Assuming you have the correct routes back to the VDOM1/2 networks in the Internet VDOM, you would only need to activate NAT in the VDOM where the traffic exits to reach the internet, the Internet VDOM.
hi,
so i just need to provision FW policy with NAT in the "internet" VDOM only?
then just routing and FW policy in "VDOM-1"?
would i need 2 FW policies, i.e. the first FW policy from the vlink (to internet VDOM) to the "inside" interface of VDOM-1, and the second FW policy the reverse, i.e. "inside" interface of VDOM-1 to the vlink?
You would need a firewall policy in VDOM1, from LAN to vdom-link, allowing the traffic, no NAT.
In INT ( Internet ) VDOM, a firewall policy from vdom-link towards the WAN interface with NAT active.
Since FortiGate is a stateful firewall, you would not need firewall rules created in the reverse direction.
TLDR;
VDOM1: LAN > vdom-link ( accept, no NAT )
INTERNET: vdom-link > WAN ( accept , NAT )
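The two-policy design from the accepted answer, written out as FortiOS CLI. This is an added example, not configuration from the original poster or from Fortinet; the VDOM names ("VDOM-1", "Internet"), the interface names ("port2", "wan1", vdom-link "v1link" which yields "v1link0"/"v1link1"), the 10.1.1.0/24 LAN and the 10.255.0.0/30 transit subnet are all assumed. The transit addresses on the vdom-link are private: SNAT happens once, on the Internet VDOM's policy toward wan1, and the Internet VDOM needs a static route back to the VDOM-1 LAN for the return traffic.

```fortios
# --- Global: create the inter-VDOM link and address both ends (assumed names/addresses) ---
config global
    config system vdom-link
        edit "v1link"
            set type ethernet
        next
    end
    config system interface
        edit "v1link0"
            # Internet VDOM side of the link
            set vdom "Internet"
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit "v1link1"
            # VDOM-1 side of the link
            set vdom "VDOM-1"
            set ip 10.255.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end

# --- VDOM-1: default route over the link, one policy LAN > vdom-link, no NAT ---
config vdom
    edit "VDOM-1"
        config firewall address
            edit "LAN-10.1.1.0"
                set subnet 10.1.1.0 255.255.255.0
            next
        end
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.255.0.1
                set device "v1link1"
            next
        end
        config firewall policy
            edit 1
                set name "LAN-to-Internet-VDOM"
                set srcintf "port2"
                set dstintf "v1link1"
                set srcaddr "LAN-10.1.1.0"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
        end
    next
end

# --- Internet VDOM: route back to the VDOM-1 LAN, one policy vdom-link > WAN with NAT ---
config vdom
    edit "Internet"
        config firewall address
            edit "VDOM1-LAN-10.1.1.0"
                set subnet 10.1.1.0 255.255.255.0
            next
        end
        config router static
            edit 1
                # return route: without it, replies to 10.1.1.0/24 would follow the default route
                set dst 10.1.1.0 255.255.255.0
                set gateway 10.255.0.2
                set device "v1link0"
            next
        end
        config firewall policy
            edit 1
                set name "VDOM1-to-WAN-SNAT"
                set srcintf "v1link0"
                set dstintf "wan1"
                # restrict srcaddr to the LAN that VDOM-1 is expected to send;
                # "all" would let any source that VDOM-1 forwards be NATed out
                set srcaddr "VDOM1-LAN-10.1.1.0"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end
```

With `set nat enable` and no IP pool, the source is translated to the outgoing interface address (wan1). To confirm the split, run `diagnose sys session list` inside VDOM-1 (no translation on the session) and inside the Internet VDOM (session shows the wan1 address as translated source), and `get router info routing-table all` in the Internet VDOM to confirm the 10.1.1.0/24 return route is present.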
hi,
thanks for your answers! appreciate them.
another question, can i do NAT in "VDOM-1" since it has a private (inside) interface/IP and public (outside) vlink interface/IP?
the "internet" VDOM has vlinks (using public IPs) to the downstream VDOMs (i.e. VDOM-1, VDOM-2, etc.), and its outside interface uses a public IP and is configured with iBGP to our internet edge router.
what will be the FW policy and NAT would look like in this scenario?
In that situation, where VDOM-1, -2 are your customers' VDOMs, those customer VDOMs don't have to have a routing protocol set up because the public IP(s) in the VDOM are on the interface. The root VDOM sees it as a "connected" route. And you SNAT private IPs to the public IP on the outgoing policy in the customer VDOM.
iBGP neighboring with your ISP(s) is handled by the root VDOM only. But in the root VDOM, you have to have a pair of policies without NAT for both directions (inbound and outbound) for each customer VDOM. We (an MSP) use a zone for those customer npu-vlink interfaces at our root VDOM so that we don't have to create a new set of policies when we add another customer VDOM. Just add the npu-vlink to the zone instead.
Toshi
hi toshi,
thanks! just as i thought. so just to confirm, i create 2 FW policy (inbound and outbound) in the "root" in this case my "internet" VDOM which is facing the internet edge/ISP router configured with BGP.
then in the "VDOM-1" or downstream customer VDOM, i just create 1 FW policy with NAT? is my understanding correct?
Created on 11-11-2024 04:35 PM Edited on 11-11-2024 04:36 PM
Yes. If that VDOM customer/users need to use just one NAT outside/public IP, that's all you need. However, you have to assign at least /31 public subnet to the npu-vlink interface and each side (root and customer vdom side) takes one IP out of the /31.
Toshi
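The alternative design Toshi describes (public /31 on the vdom-link, SNAT in the customer VDOM, a zone with a no-NAT policy pair in root), written out as FortiOS CLI. This is an added example, not configuration from Toshi or from Fortinet. Assumed: VDOM names "root" and "VDOM-1", interface names "port2" and "wan1", a software vdom-link "cust1" (yielding "cust10"/"cust11") standing in for the npu-vlink interfaces in the post, the 10.1.1.0/24 customer LAN, the documentation prefix 203.0.113.0/31 as the customer's public /31, and that the FortiOS version in use accepts a /31 mask on an interface as the post states. The customer public IPs are kept in an address group so that adding a customer means adding its vlink to the zone and its address to the group, with no new policy.

```fortios
# --- Global: the vdom-link carries the customer's public /31 (assumed addresses) ---
config global
    config system vdom-link
        edit "cust1"
            set type ethernet
        next
    end
    config system interface
        edit "cust10"
            # root side of the /31; root sees 203.0.113.0/31 as a connected route
            set vdom "root"
            set ip 203.0.113.0 255.255.255.254
            set allowaccess ping
        next
        edit "cust11"
            # customer side of the /31; this IP becomes the customer's SNAT address
            set vdom "VDOM-1"
            set ip 203.0.113.1 255.255.255.254
            set allowaccess ping
        next
    end
end

# --- Customer VDOM-1: default route to root, single policy with SNAT to the vlink IP ---
config vdom
    edit "VDOM-1"
        config firewall address
            edit "LAN-10.1.1.0"
                set subnet 10.1.1.0 255.255.255.0
            next
        end
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set gateway 203.0.113.0
                set device "cust11"
            next
        end
        config firewall policy
            edit 1
                set name "LAN-to-Internet-SNAT"
                set srcintf "port2"
                set dstintf "cust11"
                set srcaddr "LAN-10.1.1.0"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                # no IP pool: SNAT uses the outgoing interface IP, 203.0.113.1
                set nat enable
            next
        end
    next
end

# --- root: customer vlinks in one zone, one no-NAT policy pair shared by all customers ---
config vdom
    edit "root"
        config firewall address
            edit "cust1-public"
                set subnet 203.0.113.1 255.255.255.255
            next
        end
        config firewall addrgrp
            edit "customer-public-ips"
                set member "cust1-public"
            next
        end
        config system zone
            edit "customer-vlinks"
                set intrazone deny
                set interface "cust10"
            next
        end
        config firewall policy
            edit 1
                set name "customers-out"
                set srcintf "customer-vlinks"
                set dstintf "wan1"
                # only the customers' public IPs may leave; a customer VDOM that forgets
                # SNAT cannot push RFC1918 sources out through root
                set srcaddr "customer-public-ips"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
            edit 2
                set name "customers-in"
                set srcintf "wan1"
                set dstintf "customer-vlinks"
                set srcaddr "all"
                set dstaddr "customer-public-ips"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
        end
    next
end
```

The "customers-in" policy is what allows sessions initiated from the Internet toward a customer's public IP to reach the customer VDOM (replies to outbound sessions are matched by the session table regardless); what the customer VDOM then does with them (VIP, policy) is its own configuration. BGP toward the ISP stays in root and can announce the aggregate that covers the customer /31s; nothing needs to run in VDOM-1. To verify, `get router info routing-table connected` in root should list 203.0.113.0/31 on cust10, and `diagnose sys session list` in VDOM-1 should show the translated source 203.0.113.1 on outbound sessions.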
Copyright 2024 Fortinet, Inc. All Rights Reserved.