Hello Guys,
First of all I want to say that I am glad to participate in this Forum's discussions.
I have a question regarding FortiGate VDOM use cases.
I am working for a client which uses FortiGates for their firewall solution.
With the current setup they split the FortiGate into multiple VDOMs.
Usually they are doing this when a site has two Internet service providers:
root VDOM - Internal Network
fw1 VDOM - Primary Internet provider
fw2 VDOM - Secondary Internet provider
Inter-VDOM links between root-fw1 and root-fw2
Two default routes on the root VDOM (towards the fw1 and fw2 VDOMs), one with lower priority towards the preferred line.
They are utilizing the secondary provider by configuring static routes on the root VDOM which point to the fw2 VDOM (some kind of load-sharing).
In the NSE self-study guide I've learned that usually you would need to split a FortiGate box when you are a managed security service provider and you want to assign different VDOMs to different customers.
But why and when would you need to do this when the device is totally dedicated to one customer?
The guys who made this design are no longer working for the company and there is no one who can give me a feasible reason why they did it this way.
In my opinion this setup is just adding more complexity because of the inter-VDOM routing.
Moreover there is a project for integrating FortiManager, and when you have one box with 3 VDOMs the FortiManager license counts 3 devices.
I will be very thankful if someone can explain to me what can be achieved with this setup which cannot be achieved without VDOMs.
Thanks.
I am just starting to learn about SDN-LAN and SDN-WAN.
However, would two VDOMs provide more flexibility in topology and route table? I currently have to manage 8 full IPv4 /24 blocks and a full /48 IPv6 space and have been thinking how I could do this better.
When do you know that you need SDN-WAN? What are use case scenarios that you have faced? I have read the documentation and horse-and-pony shows... however, I cannot translate those items to real-world use cases.
If you set up SD-WAN with VPN the way Fortinet suggests, like below, with static routes you shouldn't have problems with one (root) VDOM.
https://kb.fortinet.com/k....do?externalID=FD41297
Or both sides have the same pair of circuits in SD-WAN with the same rules; that's the more common way, so that both sides fail over in the same way at the same time.
The problem lobstercreed and I were talking about was when you have multiple paths to get to the final destination and use a routing protocol like BGP to choose one of the circuits dynamically to go out, but receive the returning packets from the destination on a different circuit: the FGT would block the traffic due to "asymmetric paths". Unless you enable asym-routing, which would shut off most of the FW features because the FGT doesn't do "stateful inspection" or session-based FW. A solution is to have a routing VDOM (asym-enabled) and a FW VDOM (asym-disabled) sitting behind it.
So I never intended to say you can't do SD-WAN with VPNs, but you need to be conscious about the paths on both ends when you set up VPNs over an SD-WAN aggregated interface.
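To make the asymmetric-path argument above concrete, here is a small Python model (added here, not Fortinet code and not from any poster) of a session-based firewall with a per-VDOM asym-routing switch. It is a simplified model: the single-VDOM case drops the return packet that arrives on the second circuit, while the routing VDOM (asym enabled) plus FW VDOM (asym disabled) chain delivers it, because the FW VDOM only ever sees the inter-VDOM link. Interface names, addresses and routes are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # interface the packet arrives on


@dataclass
class Vdom:
    """Simplified VDOM: a route table plus a session table keyed per flow."""
    name: str
    asymroute: bool                      # models 'set asymroute enable/disable'
    routes: Dict[str, str]               # constructed: dst address -> egress interface
    sessions: Dict[frozenset, Set[str]] = field(default_factory=dict)

    def forward(self, pkt: Packet) -> Optional[str]:
        """Return the egress interface, or None when the packet is dropped."""
        key = frozenset({pkt.src, pkt.dst})              # one session, both directions
        egress = self.routes.get(pkt.dst, self.routes.get("default"))
        if egress is None:
            return None                                  # no route at all
        if key in self.sessions:
            # Session already exists: a stateful FW expects packets of this
            # flow only on the interfaces the session was built with.
            if pkt.ingress not in self.sessions[key] and not self.asymroute:
                return None                              # asymmetric path: dropped
        else:
            self.sessions[key] = {pkt.ingress, egress}   # first packet creates session
        return egress


def single_vdom_scenario() -> List[Optional[str]]:
    """One root VDOM, asym disabled: return traffic on wan2 is blocked."""
    root = Vdom("root", asymroute=False, routes={"10.0.0.5": "lan", "default": "wan1"})
    out = root.forward(Packet("10.0.0.5", "203.0.113.9", "lan"))     # leaves via wan1
    back = root.forward(Packet("203.0.113.9", "10.0.0.5", "wan2"))   # dropped
    return [out, back]


def two_vdom_scenario() -> List[Optional[str]]:
    """Routing VDOM (asym on) in front of FW VDOM (asym off), joined by an inter-VDOM link."""
    rt = Vdom("rt", asymroute=True, routes={"10.0.0.5": "ivl_rt", "default": "wan1"})
    fw = Vdom("fw", asymroute=False, routes={"10.0.0.5": "lan", "default": "ivl_fw"})
    e1 = fw.forward(Packet("10.0.0.5", "203.0.113.9", "lan"))        # -> inter-VDOM link
    e2 = rt.forward(Packet("10.0.0.5", "203.0.113.9", "ivl_rt"))     # BGP best path: wan1
    e3 = rt.forward(Packet("203.0.113.9", "10.0.0.5", "wan2"))       # returns on wan2, allowed
    e4 = fw.forward(Packet("203.0.113.9", "10.0.0.5", "ivl_fw"))     # symmetric for the FW VDOM
    return [e1, e2, e3, e4]
```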
Thank you very much for the great explanation.
Now I see when exactly you would need to split a physical appliance into VDOMs.
The most common need for multi-VDOM is, as you found in the FTNT docs, when one FGT needs to accommodate multiple customers/tenants, who shouldn't share routing tables or be connected to each other. Then the "root" VDOM is there to connect them to the Internet sharing the same circuit(s), while each would be in a separate VDOM like "cust1", "cust2".