Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
garylor
New Contributor

Fortigate 200D Vdom setting problem

Hello,

 

I have purchase a pair of 200D recently but encounter some problem about setting Vdoms. After reading the cookbook and some tutorial video, I try to setup the fortigate with 3 Vdoms which sharing two wan link (as shown in the attached jpg). However after setting the Vdoms, none of them able to reach the internet nor ping the fiewall gateway (x.250), I think I may missing some setting so I have screen capture the global interface page and hope you guys can help me out, thanks!

 

Regards,

Gary

 

7 REPLIES 7
Fullmoon
Contributor III

pls take a look, it might shed you some insights reg vdom. thanks

Fortigate Newbie

Fortigate Newbie
emnoc
Esteemed Contributor III

1st off your  diag is beautiful.

 

2nd have you validate routing in all 4 vdoms

 

e.g

 

 

config vdom

    edit vdom-1

         get router info routing all

    end

    edit vdom-2

         get router info routing all

    end

    edit vdom-3

         get router info routing all

    end

   edit vdom-root

         get router info routing all

    end

 

 

The 3 sub-tiered vdom needs a default route over the inter-vdom-link.

 

check out a typical meshed routed vdom  post in my blog.

 

http://socpuppet.blogspot.com/2014/09/a-stacked-vdom-concept-with-fortigate.html

 

If routing is good, than it fwpolicy validation and diag debug flow if your still having issues. I would allowaces ping over the intervdom links and ping the vdom-root from sub-tier and work my  upwards.

 

 

ken

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
garylor
New Contributor

Hi Emnoc,

 

Thanks for the reply, I have try to follow your blog and setup the custA and custB but unfortunately still not working (no matter ping or traceroute to 8.8.8.8) following are the routes & firewall policy of the vdoms:

 

LKTFW1-FG200DXXXXXXXXX (root) # get router info routing all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default

S* 0.0.0.0/0 [10/0] via 125.215.173.62, wan2 [10/0] via 210.176.62.62, wan1 S 10.100.10.0/24 [10/0] via 192.168.10.2, root2custA0 S 10.200.10.0/24 [10/0] via 192.168.10.6, root2custB0 C x.x.x.x/26 is directly connected, wan2 C 192.168.10.0/30 is directly connected, root2custA0 C 192.168.10.1/32 is directly connected, root2custA0 C 192.168.10.4/30 is directly connected, root2custB0 C 192.168.10.5/32 is directly connected, root2custB0 C 192.168.100.0/24 is directly connected, lan C x.x.x.x/26 is directly connected, wan1

LKTFW1-FG200DXXXXXXXXX (custB) # get router info routing all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default

S* 0.0.0.0/0 [10/0] is directly connected, root2custB1 C 192.168.10.4/30 is directly connected, root2custB1 C 192.168.10.6/32 is directly connected, root2custB1

LKTFW1-FG200DXXXXXXXXXXX (custA) # get router info routing all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default

S* 0.0.0.0/0 [10/0] is directly connected, root2custA1 C 192.168.10.0/30 is directly connected, root2custA1 C 192.168.10.2/32 is directly connected, root2custA1

LKTFW1-FG200DXXXXXXXX (root) # show firewall policy config firewall policy edit 1 set uuid dcf1b82c-ddef-51e6-201c-ad3fdb7d578c set srcintf "lan" set dstintf "wan1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set av-profile "default" set webfilter-profile "default" set application-list "default" set profile-protocol-options "default" set ssl-ssh-profile "certificate-inspection" set nat enable next edit 2 set uuid a577fb9c-e379-51e6-439e-302e93b2b38c set srcintf "root2custA0" set dstintf "wan1" set srcaddr "custA" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic disable set nat enable next edit 3 set uuid 122e057e-e37a-51e6-381f-800d207c8aba set srcintf "root2custB0" set dstintf "wan1" set srcaddr "custB" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic disable set nat enable next end

LKTFW1-FG200DXXXXXXXXX (custA) # show firewall policy config firewall policy edit 1 set uuid 71e9c3f4-e37a-51e6-4b43-843ba46dc1fb set srcintf "port15" set dstintf "root2custA1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic disable set comments "custA-outbound" next end

LKTFW1-FG200DXXXXXXXXX (custB) # show firewall policy config firewall policy edit 1 set uuid d56b47b8-e37a-51e6-4f66-5d7247dca108 set srcintf "port16" set dstintf "root2custB1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic disable set comments "custB-outbound" next end

 

Regards,

Gary

Ralph1973

Haven't read the complete thread, but I try to answer a few unresolved posts after submitting a post myself ;)

 

I read your question. Think about creating inter vdom links, assign ip's to the interfaces that are created in these vdom links (makes it easier to tshoot traffic flows)

create firewall policies that allow traffic from your vdom to the intervdom link.

create (static) route i.e. default gateway to the intervdom link interface ip

 

hope this helps

 

Ralph

neonbit
Valued Contributor

Hi Gary, I can't see the default gateway IP's for custA and custB routing.

 

Could you please confirm that custA has this route: 0.0.0.0/0 root2five1 10.1.5.2

 

And custB has this route: 0.0.0.0/0 root2one1 10.1.1.2

emnoc
Esteemed Contributor III

OP,

 

Qs:

 

from  custA or custB or custC can you  ping  the intervdom link peer address ( ensure set allowaccess ping  is enabled )

 

 

Did you run  diag debug flow  from root or any of the customer vdom

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
garylor
New Contributor

Thx all for the reply,

 

Emnoc: I have run the diag from custA and ping to 8.8.8.8, no idea why it go though wan2 instead of wan1, after I have add the policy which allow custA access wan2 but it still return the error "Deniedby forward policy check (policy 0)". 

 

Before:

LKTFW1-FG200DXXXXXXXX (custA) # execute e ping 8.8.8.8

2017-01-27 10:23:51 id=20085 trace_id=31 func=print_pkt_detail line=4742 msg="vd-custA received a packet(proto=1, 192.168.10.2:1536->8.8.8.8:2048) from local. type=8, code=0, id=1536, seq=0." 2017-01-27 10:23:51 id=20085 trace_id=31 func=init_ip_session_common line=4893 msg="allocate a new session-0000358b" 2017-01-27 10:23:51 id=20085 trace_id=32 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.10.2:1536->8.8.8.8:2048) from root2custA0. type=8, code=0, id=1536, seq=0." 2017-01-27 10:23:51 id=20085 trace_id=32 func=init_ip_session_common line=4893 msg="allocate a new session-0000358c" 2017-01-27 10:23:51 id=20085 trace_id=32 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-x.x.x.x via wan2" 2017-01-27 10:23:51 id=20085 trace_id=32 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 0)"

 

After:

LKTFW1-FG200DXXXXXXXX(custA) # execute ping 8.8.8.8 2017-01-27 10:28:07 id=20085 trace_id=41 func=print_pkt_detail line=4742 msg="vd-custA received a packet(proto=1, 192.168.10.2:1792->8.8.8.8:2048) from local. type=8, code=0, id=1792, seq=0." 2017-01-27 10:28:07 id=20085 trace_id=41 func=init_ip_session_common line=4893 msg="allocate a new session-000035ee" 2017-01-27 10:28:07 id=20085 trace_id=42 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.10.2:1792->8.8.8.8:2048) from root2custA0. type=8, code=0, id=1792, seq=0." 2017-01-27 10:28:07 id=20085 trace_id=42 func=init_ip_session_common line=4893 msg="allocate a new session-000035ef" 2017-01-27 10:28:07 id=20085 trace_id=42 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw- x.x.x.x via wan2" 2017-01-27 10:28:07 id=20085 trace_id=42 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 0)"

 

Regards,

Gary

Labels
Top Kudoed Authors