johnlloyd_13
Configuring FW Policy with NAT in an internet VDOM setup

hi,

I plan to configure SNAT on a FG with multiple VDOMs.

I currently have the "internet VDOM" topology, wherein the "internet" VDOM acts as our internet edge device and all downstream VDOMs connect/flow through it to reach the public internet.

My question: if I create a FW policy WITH SNAT in "VDOM-1", do I also create a FW policy WITHOUT NAT in the "internet VDOM" for traffic flow continuity?

funkylicious

Hi,

Usually, in VDOM1/2, where the internet links are not directly connected, you would not need to activate NAT.

Assuming you have the correct routes back to the VDOM1/2 networks in the Internet VDOM, you would only need to activate NAT in the VDOM where the traffic exits to reach the internet, i.e. the Internet VDOM.

"jack of all trades, master of none"
johnlloyd_13

hi,

So I just need to provision a FW policy with NAT in the "internet" VDOM only?

Then just routing and a FW policy in "VDOM-1"?
Would I need 2 FW policies, i.e. the first FW policy from the vlink (to the internet VDOM) to the "inside" interface of VDOM-1, and the second FW policy the reverse, i.e. from the "inside" interface of VDOM-1 to the vlink?

funkylicious

You would need a firewall policy in VDOM1, from LAN to vdom-link, allowing the traffic, no NAT.

In the INT ( Internet ) VDOM, a firewall policy from vdom-link towards the WAN interface with NAT active.

Since FortiGate is a stateful firewall, you would not need firewall rules created in reverse.


TLDR;

VDOM1: LAN > vdom-link ( accept, no NAT )

INTERNET: vdom-link > WAN ( accept , NAT )

"jack of all trades, master of none"
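The VDOM1 / INTERNET layout from this answer written out as FortiOS CLI. This is an added example, not configuration posted in the thread; the interface names (port2 as VDOM-1's LAN, port1 as the WAN, a vdom-link "vlink" whose vlink0 sits in VDOM-1 and vlink1 in "internet"), the link addressing and the LAN subnet 10.1.0.0/24 are assumptions.

```fortios
# Added example, not from the thread: funkylicious' design in FortiOS CLI.
# Assumptions: vdom-link "vlink" already exists with vlink0 in VDOM-1
# (169.254.1.1/30) and vlink1 in "internet" (169.254.1.2/30); LAN is port2 on
# 10.1.0.0/24 (constructed); WAN is port1. The default route in "internet" is omitted.
config vdom
    edit "VDOM-1"
        config router static
            edit 1
                set gateway 169.254.1.2
                set device "vlink0"
            next
        end
        config firewall policy
            edit 1
                set srcintf "port2"
                set dstintf "vlink0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
        end
    next
    edit "internet"
        config router static
            # Return route so de-NATed replies are forwarded back into VDOM-1.
            edit 1
                set dst 10.1.0.0 255.255.255.0
                set gateway 169.254.1.1
                set device "vlink1"
            next
        end
        config firewall policy
            edit 1
                set srcintf "vlink1"
                set dstintf "port1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end
```

Without the static route for 10.1.0.0/24 in "internet", the SNAT session is built but replies cannot be routed back through vlink1, which is the "correct routes back" condition funkylicious mentions above.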
johnlloyd_13

hi,

Thanks for your answers! I appreciate them.

Another question: can I do NAT in "VDOM-1", since it has a private (inside) interface/IP and a public (outside) vlink interface/IP?

The "internet" VDOM has vlinks (using public IPs) to the downstream VDOMs (i.e. VDOM-1, VDOM-2, etc.), and an outside interface using a public IP configured with iBGP to our internet edge router.

What would the FW policy and NAT look like in this scenario?

Toshi_Esumi

In that situation, where VDOM-1, -2 are your customers' VDOMs, those customer VDOMs don't have to have a routing protocol set up, because the public IP(s) in the VDOM are on the interface. The root VDOM sees it as a "connected" route. And you SNAT private IPs to the public IP on the outgoing policy in the customer VDOM.

iBGP neighboring with your ISP(s) is handled by the root vdom only. But in the root vdom, you have to have a pair of policies without NAT for both directions (inbound and outbound) for each customer vdom. We (an MSP) use a zone for those customer npu-vlink interfaces at our root vdom so that we don't have to create a new set of policies when we add another customer vdom. Just add the npu-vlink to the zone instead.

 

Toshi

johnlloyd_13

hi toshi,

Thanks! Just as I thought. So just to confirm, I create 2 FW policies (inbound and outbound) in the "root", in this case my "internet" VDOM, which is facing the internet edge/ISP router configured with BGP.

Then in "VDOM-1", or the downstream customer VDOM, I just create 1 FW policy with NAT? Is my understanding correct?

Toshi_Esumi

Yes. If that VDOM customer/users need to use just one NAT outside/public IP, that's all you need. However, you have to assign at least /31 public subnet to the npu-vlink interface and each side (root and customer vdom side) takes one IP out of the /31.

Toshi
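Toshi_Esumi's MSP layout (SNAT on the customer VDOM's outgoing policy, a zone plus a pair of no-NAT policies in root, a /31 on the npu-vlink) as FortiOS CLI. This is an added example, not configuration from the thread; the interface names npu0_vlink0/npu0_vlink1, port1/port2, the public /31 203.0.113.0/31 and the customer VDOM's existing default route are assumptions.

```fortios
# Added example, not from the thread. Assumes npu0_vlink0 (root side, 203.0.113.0/31)
# and npu0_vlink1 (VDOM-1 side, 203.0.113.1/31) are already assigned and addressed
# under config global, and VDOM-1 has a default route to 203.0.113.0 via npu0_vlink1.
config vdom
    edit "root"
        config system zone
            edit "customer-vlinks"
                set interface "npu0_vlink0"
            next
        end
        config firewall policy
            # Both root policies leave NAT off; the customer VDOM already translated.
            edit 1
                set srcintf "customer-vlinks"
                set dstintf "port1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
            edit 2
                set srcintf "port1"
                set dstintf "customer-vlinks"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
        end
    next
    edit "VDOM-1"
        config firewall policy
            # Single outgoing policy; SNAT uses npu0_vlink1's public IP.
            edit 1
                set srcintf "port2"
                set dstintf "npu0_vlink1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end
```

Adding a second customer only means assigning its npu-vlink to "customer-vlinks"; in production, narrow dstaddr on root policy 2 to the customer /31s rather than "all".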

joninte2

Separating interfaces into vdoms just to keep them separate is not necessary. A firewall will not allow traffic from one interface to another unless there is a policy or unless they are in a zone or switch together (and even then this isn't necessarily default behaviour). FortiGates need rules and routes.
