Hello,
I have purchase a pair of 200D recently but encounter some problem about setting Vdoms. After reading the cookbook and some tutorial video, I try to setup the fortigate with 3 Vdoms which sharing two wan link (as shown in the attached jpg). However after setting the Vdoms, none of them able to reach the internet nor ping the fiewall gateway (x.250), I think I may missing some setting so I have screen capture the global interface page and hope you guys can help me out, thanks!
Regards,
Gary
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
pls take a look, it might shed you some insights reg vdom. thanks
Fortigate Newbie
1st off your diag is beautiful.
2nd have you validate routing in all 4 vdoms
e.g
config vdom
edit vdom-1
get router info routing all
end
edit vdom-2
get router info routing all
end
edit vdom-3
get router info routing all
end
edit vdom-root
get router info routing all
end
The 3 sub-tiered vdom needs a default route over the inter-vdom-link.
check out a typical meshed routed vdom post in my blog.
http://socpuppet.blogspot.com/2014/09/a-stacked-vdom-concept-with-fortigate.html
If routing is good, than it fwpolicy validation and diag debug flow if your still having issues. I would allowaces ping over the intervdom links and ping the vdom-root from sub-tier and work my upwards.
ken
PCNSE
NSE
StrongSwan
Hi Emnoc,
Thanks for the reply, I have try to follow your blog and setup the custA and custB but unfortunately still not working (no matter ping or traceroute to 8.8.8.8) following are the routes & firewall policy of the vdoms:
LKTFW1-FG200DXXXXXXXXX (root) # get router info routing all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default
S* 0.0.0.0/0 [10/0] via 125.215.173.62, wan2 [10/0] via 210.176.62.62, wan1 S 10.100.10.0/24 [10/0] via 192.168.10.2, root2custA0 S 10.200.10.0/24 [10/0] via 192.168.10.6, root2custB0 C x.x.x.x/26 is directly connected, wan2 C 192.168.10.0/30 is directly connected, root2custA0 C 192.168.10.1/32 is directly connected, root2custA0 C 192.168.10.4/30 is directly connected, root2custB0 C 192.168.10.5/32 is directly connected, root2custB0 C 192.168.100.0/24 is directly connected, lan C x.x.x.x/26 is directly connected, wan1
LKTFW1-FG200DXXXXXXXXX (custB) # get router info routing all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default
S* 0.0.0.0/0 [10/0] is directly connected, root2custB1 C 192.168.10.4/30 is directly connected, root2custB1 C 192.168.10.6/32 is directly connected, root2custB1
LKTFW1-FG200DXXXXXXXXXXX (custA) # get router info routing all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default
S* 0.0.0.0/0 [10/0] is directly connected, root2custA1 C 192.168.10.0/30 is directly connected, root2custA1 C 192.168.10.2/32 is directly connected, root2custA1
LKTFW1-FG200DXXXXXXXX (root) # show firewall policy config firewall policy edit 1 set uuid dcf1b82c-ddef-51e6-201c-ad3fdb7d578c set srcintf "lan" set dstintf "wan1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set av-profile "default" set webfilter-profile "default" set application-list "default" set profile-protocol-options "default" set ssl-ssh-profile "certificate-inspection" set nat enable next edit 2 set uuid a577fb9c-e379-51e6-439e-302e93b2b38c set srcintf "root2custA0" set dstintf "wan1" set srcaddr "custA" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic disable set nat enable next edit 3 set uuid 122e057e-e37a-51e6-381f-800d207c8aba set srcintf "root2custB0" set dstintf "wan1" set srcaddr "custB" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic disable set nat enable next end
LKTFW1-FG200DXXXXXXXXX (custA) # show firewall policy config firewall policy edit 1 set uuid 71e9c3f4-e37a-51e6-4b43-843ba46dc1fb set srcintf "port15" set dstintf "root2custA1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic disable set comments "custA-outbound" next end
LKTFW1-FG200DXXXXXXXXX (custB) # show firewall policy config firewall policy edit 1 set uuid d56b47b8-e37a-51e6-4f66-5d7247dca108 set srcintf "port16" set dstintf "root2custB1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic disable set comments "custB-outbound" next end
Regards,
Gary
Haven't read the complete thread, but I try to answer a few unresolved posts after submitting a post myself ;)
I read your question. Think about creating inter vdom links, assign ip's to the interfaces that are created in these vdom links (makes it easier to tshoot traffic flows)
create firewall policies that allow traffic from your vdom to the intervdom link.
create (static) route i.e. default gateway to the intervdom link interface ip
hope this helps
Ralph
Hi Gary, I can't see the default gateway IP's for custA and custB routing.
Could you please confirm that custA has this route: 0.0.0.0/0 root2five1 10.1.5.2
And custB has this route: 0.0.0.0/0 root2one1 10.1.1.2
OP,
Qs:
from custA or custB or custC can you ping the intervdom link peer address ( ensure set allowaccess ping is enabled )
Did you run diag debug flow from root or any of the customer vdom
PCNSE
NSE
StrongSwan
Thx all for the reply,
Emnoc: I have run the diag from custA and ping to 8.8.8.8, no idea why it go though wan2 instead of wan1, after I have add the policy which allow custA access wan2 but it still return the error "Deniedby forward policy check (policy 0)".
Before:
LKTFW1-FG200DXXXXXXXX (custA) # execute e ping 8.8.8.8
2017-01-27 10:23:51 id=20085 trace_id=31 func=print_pkt_detail line=4742 msg="vd-custA received a packet(proto=1, 192.168.10.2:1536->8.8.8.8:2048) from local. type=8, code=0, id=1536, seq=0." 2017-01-27 10:23:51 id=20085 trace_id=31 func=init_ip_session_common line=4893 msg="allocate a new session-0000358b" 2017-01-27 10:23:51 id=20085 trace_id=32 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.10.2:1536->8.8.8.8:2048) from root2custA0. type=8, code=0, id=1536, seq=0." 2017-01-27 10:23:51 id=20085 trace_id=32 func=init_ip_session_common line=4893 msg="allocate a new session-0000358c" 2017-01-27 10:23:51 id=20085 trace_id=32 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-x.x.x.x via wan2" 2017-01-27 10:23:51 id=20085 trace_id=32 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 0)"
After:
LKTFW1-FG200DXXXXXXXX(custA) # execute ping 8.8.8.8 2017-01-27 10:28:07 id=20085 trace_id=41 func=print_pkt_detail line=4742 msg="vd-custA received a packet(proto=1, 192.168.10.2:1792->8.8.8.8:2048) from local. type=8, code=0, id=1792, seq=0." 2017-01-27 10:28:07 id=20085 trace_id=41 func=init_ip_session_common line=4893 msg="allocate a new session-000035ee" 2017-01-27 10:28:07 id=20085 trace_id=42 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.10.2:1792->8.8.8.8:2048) from root2custA0. type=8, code=0, id=1792, seq=0." 2017-01-27 10:28:07 id=20085 trace_id=42 func=init_ip_session_common line=4893 msg="allocate a new session-000035ef" 2017-01-27 10:28:07 id=20085 trace_id=42 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw- x.x.x.x via wan2" 2017-01-27 10:28:07 id=20085 trace_id=42 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 0)"
Regards,
Gary
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1702 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.