ehabali
New Contributor

Deny VDOM Sessions duplication

Hi everyone,
I have 4 VDOMs (Internet - local DC servers - Partner - SSL VPN & IPsec). I have observed that one session is duplicated in every VDOM that the traffic passes through. How can I terminate sessions from repeating through other VDOMs?
-Example:
SSL users want to connect to the DC server and use the internet; the session will go through (SSL VDOM), then through (DC srv VDOM), and so on.... This causes multiple sessions consuming device resources. Any idea to prevent the same sessions over multiple VDOMs?

Thanks for all,

funkylicious
SuperUser

hi,

quickest/simplest way would be to have all resources access/connect to the same vdom, otherwise the traffic flow will respect the routing table and go through all of them and create a session in each one

"jack of all trades, master of none"
dingjerry_FTNT

Hi @ehabali,

1) First of all, a VDOM is actually a virtual device. So you must have a session in the session table if the traffic is passing through the VDOM. If you terminate the session in one VDOM, that means the traffic will be denied due to no session matched in the VDOM.

2) Next, which VDOMs the traffic passes through is based on your routing table and firewall policy.

Regards,

Jerry
ehabali

Thanks, @dingjerry_FTNT, for your interest.
I know that it is logical that sessions are created in every VDOM, but I was asking for any workaround to avoid session duplication as it is just passed to the next firewall such as Palo.
—To clarify what I think: when the SSL VDOM asks to access a server that is located under the Palo Alto DC firewall, I want the session to be created just on the SSL VDOM, then pass through the DC VDOM to continue to the Palo firewall, reach the actual server, and so on when traffic returns. Just created in one VDOM. Is there any way to apply that?

dingjerry_FTNT

Hi @funkylicious,

No, we do not support this feature.

Regards,

Jerry
ehabali

Thanks, @funkylicious, for your interest.
I know that it is logical that sessions are created in every VDOM, but I was asking for any workaround to avoid session duplication.

funkylicious

is it session duplication if that is the correct path the traffic should take?

it's like having multiple devices along the path and the sessions are created on each one.

"jack of all trades, master of none"