Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kpetrov21
New Contributor

FortiGate VDOM

Hello Guys,

First of all, I want to say that I am glad to participate in this Forum's discussions.

I have a question regarding FortiGate VDOM use cases.

I am working for a client which uses FortiGates as their firewall solution.

With the current setup they split the FortiGate into multiple VDOMs.

Usually they do this when a site has two Internet service providers:

root VDOM - Internal Network

fw1 VDOM - Primary Internet provider

fw2 VDOM - Secondary Internet provider

Inter-VDOM links between root-fw1 and root-fw2

Two default routes on the root VDOM (towards the fw1 and fw2 VDOMs), one with lower priority towards the preferred line.

They are utilizing the secondary provider by configuring static routes on the root VDOM which point to the fw2 VDOM (some kind of load-sharing).

In the NSE self-study guide I've learned that usually you would need to split a FortiGate box when you are a managed security service provider and you want to assign different VDOMs to different customers.

But why and when would you need to do this when the device is totally dedicated to one customer?

The guys who made this design are no longer working for the company and there is no one who can give me a feasible reason why they did it this way.

In my opinion this setup is just adding more complexity because of the inter-VDOM routing.

Moreover, there is a project for integrating FortiManager, and when you have one box with 3 VDOMs the FortiManager license counts 3 devices.

I will be very thankful if someone can explain to me what can be achieved with this setup which cannot be achieved without VDOMs.

Thanks.

 

2 Solutions
gradius85

I am just starting to learn about SDN-LAN and SDN-WAN.

However, would two VDOMs provide more flexibility in topology and route table? I currently have to manage 8 IPv4 full /24 blocks and a full /48 IPv6 space and have been thinking how I could do this better.

When do you know that you need SDN-WAN? What are use case scenarios that you have faced? I have read the documentation and horse-and-pony shows... however, I cannot translate those items to real-world use cases.

 

Toshi_Esumi
Esteemed Contributor III

If you set up SD-WAN with VPN the way Fortinet suggests, like below, with static routes you shouldn't have problems with one (root) vdom.

https://kb.fortinet.com/k....do?externalID=FD41297

Or both sides have the same pair of circuits in SD-WAN with the same rules; that's the more common way, so that both sides fail over in the same way at the same time.

The problem lobstercreed and I were talking about was when you have multiple paths to get to the final destination and use a routing protocol like BGP to choose one of the circuits dynamically to go out, but receive the returning packets from the destination on a different circuit; the FGT would block the traffic due to "asymmetric paths". Unless you enable asym-routing, which would shut off most of the FW features because the FGT doesn't do "stateful inspection" or session-based FW. A solution is to have a routing vdom (asym-enabled) and a FW vdom (asym-disabled) sitting behind it.

So I never intended to say you can't do SD-WAN with VPNs, but you need to be conscious about the paths on both ends when you set up VPNs over an SD-WAN aggregated interface.

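The routing-vdom in front of a firewall-vdom split that Toshi_Esumi describes, written out as an added FortiOS CLI example. This is not part of the original post and not a Fortinet reference configuration: the vdom names (edge, fw), the inter-VDOM link name (edge2fw), the link addressing, the internal prefix 10.10.0.0/16 and the interface names internal, wan1 and wan2 are all assumed. The point it shows is that asymroute is switched on only in the edge vdom, where BGP may send traffic out one circuit and receive it on the other, while the fw vdom behind it sees every flow on a single interface (edge2fw1) and keeps full stateful inspection.

```fortios
# Added example (not from the thread): routing vdom "edge" in front of
# firewall vdom "fw". All vdom, interface and address values are assumed.
config vdom
    edit edge
    next
    edit fw
    next
end

config global
    # One inter-VDOM link creates a pair of interfaces: edge2fw0 and edge2fw1
    config system vdom-link
        edit edge2fw
        next
    end
    config system interface
        edit edge2fw0
            set vdom edge
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit edge2fw1
            set vdom fw
            set ip 10.255.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end

config vdom
    edit edge
        config system settings
            # Only this vdom tolerates asymmetric paths; BGP (not shown)
            # chooses the egress circuit, the return may come in on the other.
            set asymroute enable
        end
        config router static
            # The internal prefix lives behind the fw vdom
            edit 1
                set dst 10.10.0.0 255.255.0.0
                set gateway 10.255.0.2
                set device edge2fw0
            next
        end
        config firewall policy
            # asymroute does not remove the need for policies; allow both
            # directions between the fw vdom and the two circuits
            edit 1
                set name "fw-to-wan"
                set srcintf "edge2fw0"
                set dstintf "wan1" "wan2"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
            edit 2
                set name "wan-to-fw"
                set srcintf "wan1" "wan2"
                set dstintf "edge2fw0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
    edit fw
        config system settings
            # Default value, stated explicitly: this vdom stays strictly stateful
            set asymroute disable
        end
        config router static
            # Single default route towards the edge vdom, so the fw vdom
            # never sees two possible paths for one session
            edit 1
                set gateway 10.255.0.1
                set device edge2fw1
            next
        end
        config firewall policy
            # Security profiles and inspection belong here, not in "edge"
            edit 1
                set name "internal-to-edge"
                set srcintf "internal"
                set dstintf "edge2fw1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

NAT placement is deliberately left out, since it depends on whether 10.10.0.0/16 is translated in the fw vdom or at the edge. To confirm the split is doing its job, run `diagnose debug flow` in the fw vdom while traffic returns over the non-preferred circuit: with asymroute disabled in a single-vdom design the return packets are dropped with a reverse path check failure, whereas behind the edge vdom they arrive on edge2fw1 and match the existing session.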
12 Replies
kpetrov21

Thank you very much for the great explanation.

Now I see when exactly you would need to split a physical appliance into VDOMs.

Toshi_Esumi
Esteemed Contributor III

The most common need for multi-vdom is, as you found in the FTNT docs, when one FGT needs to accommodate multiple customers/tenants, who shouldn't share routing tables or be connected to each other. Then the "root" vdom is there to connect them to the internet, sharing the same circuit(s), while each would be in a separate vdom like "cust1", "cust2".
