Created on 01-10-2024 01:35 AM Edited on 02-26-2024 03:36 AM By Kate_M
Hi everyone,
Here is my use case :
I set up a Hub'n Spoke topology with Hub in azure and physical appliance in offices.
In one of theses office, we share Internet acces with tenants.
So, I activate multi-vdom on this Fortigate but, I'm stuck on how to configure Internet acces, how to set up this FGW as a spoke.
At this time everything is in the root VDOM.
I want to set up a VDOM for my Company and a VDOM for tenants.
Tenants only need to access Internet.
And Of course My company need to access Internal ressource throgh Hub'n Spoke topology.
So my questions are :
- Where should be may hub'n Spoke logic (Tunnels and SDWan rules) in Root or MyCompany VDOM?
- How do I share Internet access (VDOM Link, VLAN on NPU Vdom Link assigned to each VDOM)?
- What are the best practices for this scenario.
PS.: FortiOS is 7.0.13
Thanks for your help,
Frederic.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Frederic,
I would suggest to use vlans on NPU vlinks to provide internet access for the custom vdoms via the root vdom. The reason is that the regular VDOM links are kernel based links with 1 Gbps line rate and the traffic flowing via these links cannot be offloaded. Regarding the Tunnels and SDWAN configuration, suggest to do it on the Company Vdom and terminate VPN tunnel on the NPU vlink.
We don't require any DNAT to be done on the root(Internet Vdom) for the tunnel establishment as it is a spoke and tunnel is always initiated from the spoke.
I would suggest to upgrade the firmware to FortiOS 7.2.7(expected to be released during the last of Feb, 2024) as it contains couple of improvements for IPSEC tunnels bound on NPU vlinks.
Cheers,
Hello Frederic,
I would suggest to use vlans on NPU vlinks to provide internet access for the custom vdoms via the root vdom. The reason is that the regular VDOM links are kernel based links with 1 Gbps line rate and the traffic flowing via these links cannot be offloaded. Regarding the Tunnels and SDWAN configuration, suggest to do it on the Company Vdom and terminate VPN tunnel on the NPU vlink.
We don't require any DNAT to be done on the root(Internet Vdom) for the tunnel establishment as it is a spoke and tunnel is always initiated from the spoke.
I would suggest to upgrade the firmware to FortiOS 7.2.7(expected to be released during the last of Feb, 2024) as it contains couple of improvements for IPSEC tunnels bound on NPU vlinks.
Cheers,
Hi Rarumugam,
Thanks a lot for your help. even if I didn't choose this solution, it makes me go on the right way (I think).
In stead of using NPU vLink, I create EMAC VLAN in VDOMs on my Wan Interface and, everything is working as expected.
Best regards,
Frederic
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1717 | |
1093 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.