Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kpetrov21
New Contributor

FortiGate VDOM

Hello Guys,

 

First of all I want to say that I am glad to participate in this Forum discussions.

I have a question regarding FortiGate VDOMs use cases

 

I am working for a client which use FortiGates for firewall solution.

With the current setup they split FortGate into Multiple VDOMs.

Usually they are doing this when site have Two Internet service providers.

 

root VDOM - Internal Netowork

fw1 VDOM - Primary Internet provider

fw2 VDOM - Secondary Internet provider

 

Inter-vdom links between root-fw1 and root-fw2

 

two default routes on the root VDOM (towards fw1 and fw2 VDOMs)one with lower priority towards the preferred LINE.

They are utilizing the secondary provider by configuring static routes on root vdom which are pointing to fw2 VDOM (Some kind of a load-sharing).

 

In NSE self study guide I've learned that usually you would need to split FortiGate box when you are managed security service provider and you want assign different VDOMs to different customers.

But why and when you would need to do this when the device is totaly dedicated to one customer.

 

The guys who made this design are no longer working for the company and there is no one who can give me feasible reason why they did it this way.

In my opinion this setup is just adding more complexity because of the InterVDOM routing.

Moreover there is a project for integrating FortiManager and when you have one box with 3 VDOMs FortiManager license counts 3 devices.

 

I will be very thankful if someone can explain me what can be achieved with this setup which cannot be without VDOMs.

 

Thanks.

 

2 Solutions
gradius85

I am just starting to learn about SDN-LAN and SDN-WAN.

 

However, would two VDOMs provide more flexibility in topology and route table? I currently have to manage 8 IPv4 full /24 blocks and a full /48 IPv6 space and been thinking how I could do this better.

 

When do you know that you need SDN-WAN? What are use case scenarios that you have faced? I have read the documentation and horse-and-pony shows... however, I cannot translate those items to real-world use cases.

 

View solution in original post

Toshi_Esumi

If you set up SD-WAN with VPN that Fortinet suggests, like below, with static routes you shouldn't have problems with one(root) vdom. 

https://kb.fortinet.com/k....do?externalID=FD41297

Or both sides have the same pair of circuits in SD-WAN with the same rules, that's more common way, so that both sides fail-over in the same way at the same time.

 

The problem lobstercreed and I was talking about was when you have multiple paths to get to the final destination and use routing-protocol like BGP to choose one of circuits dynamically to go out but receive returning packets from the destination on a different circuit, the FGT would block the traffic due to "asymmetric paths". Unless you eanble asym-routing, which would shut off most of FW features because FGT doesn't do "stateful inspection" or session based FW. A solution is to have a routing vdom (asym-enabled) and a FW vdom (asim-disabled) sitting behind it. 

 

So I never intend to say you can't do SD-WAN with VPNs, but need to be conscious about paths on both ends when you set up VPNs over SD-WAN aggregated interface.

View solution in original post

12 REPLIES 12
emnoc
Esteemed Contributor III

if vdom1 fw1.fw2 are internet only, you would be blessed with using virt-wan ( aka SDWAN  ) and eliminate those 2 vdoms , but that's a guess and opinion on what was posted.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
lobstercreed
Valued Contributor

I'm not sure why there would be 2 Internet-only VDOMs, but I've been planning to split my single VDOM into two so that I can enable asymmetric routing in the Internet VDOM. 

 

We are running BGP and have run into a problem where if I receive traffic from my secondary provider the firewall fails RPF check on the traffic even though the response could go out the primary provider's interface in the same zone.  The only way I know around this is without majorly changing my routing (not currently feasible) is to enable asymmetric routing.  Obviously I don't want to do this on my root VDOM.

emnoc
Esteemed Contributor III

SDWAN would still be beneficial in that case. Once you enable asymmetrical routing, stateful checks are pretty much gone or reduced

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Toshi_Esumi

I agreed to lobstercreed's point. When I was testing SD-WAN myself I found it's difficult to split two (or multiple) VPNs, members of SD-WAN (FGT can have only one instance of "SD-WAN" instance), to different nodes and do split-tunnel on each interface, causing asym-routing. A solution is to separate the routing domain from the FWing domain by two vdoms. I still need to test it though.

gradius85

I am just starting to learn about SDN-LAN and SDN-WAN.

 

However, would two VDOMs provide more flexibility in topology and route table? I currently have to manage 8 IPv4 full /24 blocks and a full /48 IPv6 space and been thinking how I could do this better.

 

When do you know that you need SDN-WAN? What are use case scenarios that you have faced? I have read the documentation and horse-and-pony shows... however, I cannot translate those items to real-world use cases.

 

Toshi_Esumi

I started writing a long version of my answer but scratched that. Instead, I just second Ken's suggestion if you just need to utilize two internet circuits and not site-to-site VPNs to worry about you can use SD-WAN for redundancy. And I wouldn't split VDOMs, which would complicate routing without any added benefit.

emnoc
Esteemed Contributor III

Adding more vdom adds more route-domains. So this means the routing topology is more complex. Why do you think you need 3 vdoms ( internal and two internet ) ? What can you not do with SDWAN vs multi-vdoms?

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
kpetrov21

I can't see any reason why they are using VDOMs except adding more complexity.

I am thinking about offering redesign to our client.

another common example in the existing setup:

 

root VDOM - connected to MPLS provider. and another link for user_lan

 

fw1 VDOM - local breakout ISP

 

Production VDOM - for some productive networks.

 

Maybe they tried to make some kind of separation without realizing the consequences.(difficult to support from operations is one example)

Lets say I need to add this device to FortiManager then I would need 3 policy packs for each VDOM.

We have a lot of devices with this setup which means if I add them all to the central management then it will become a mess.

 

 

gradius85

toshiesumi wrote:

I agreed to lobstercreed's point. When I was testing SD-WAN myself I found it's difficult to split two (or multiple) VPNs, members of SD-WAN (FGT can have only one instance of "SD-WAN" instance), to different nodes and do split-tunnel on each interface, causing asym-routing. A solution is to separate the routing domain from the FWing domain by two vdoms. I still need to test it though.

If you had site-to-site vpns - would you peer them to a different vdom? I was thinking about doing that; however, after design and mapping I didn't think it would buy me anything.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors