Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Frederic-Chaussee
New Contributor

Created on ‎01-10-2024 01:35 AM Edited on ‎02-26-2024 03:36 AM By Community Manager

Fortigate Multi-VDOM/Hub'n Spoke/SDWAN

Hi everyone,

 

Here is my use case :

 

I set up a Hub'n Spoke topology with Hub in azure and physical appliance in offices.

In one of theses office, we share Internet acces with tenants.

 

So, I activate multi-vdom on this Fortigate but, I'm stuck on how to configure Internet acces, how to set up this FGW as a spoke.

 

At this time everything is in the root VDOM.

I want to set up a VDOM for my Company and a VDOM for tenants.

Tenants only need to access Internet.

And Of course My company need to access Internal ressource throgh Hub'n Spoke topology.

 
 

image.png

 

So my questions are :

- Where should be may hub'n Spoke logic (Tunnels and SDWan rules) in Root or MyCompany VDOM?

- How do I share Internet access (VDOM Link, VLAN on NPU Vdom Link assigned to each VDOM)?

- What are the best practices for this scenario.

 

PS.: FortiOS is 7.0.13

 

Thanks for your help,

Frederic.

Labels:
1621
1 Solution
rarumugam
Staff
Staff

Created on ‎01-10-2024 02:38 AM

Hello Frederic,

I would suggest to use vlans on NPU vlinks to provide internet access for the custom vdoms via the root vdom. The reason is that the regular VDOM links are kernel based links with 1 Gbps line rate and the traffic flowing via these links cannot be offloaded. Regarding the Tunnels and SDWAN configuration, suggest to do it on the Company Vdom and terminate VPN tunnel on the NPU vlink.
We don't require any DNAT to be done on the root(Internet Vdom) for the tunnel establishment as it is a spoke and tunnel is always initiated from the spoke.

I would suggest to upgrade the firmware to FortiOS 7.2.7(expected to be released during the last of Feb, 2024) as it contains couple of improvements for IPSEC tunnels bound on NPU vlinks.

 

Cheers,

Rambharathi Arumugam

View solution in original post

1597
2 REPLIES 2
rarumugam
Staff
Staff

Created on ‎01-10-2024 02:38 AM

Hello Frederic,

I would suggest to use vlans on NPU vlinks to provide internet access for the custom vdoms via the root vdom. The reason is that the regular VDOM links are kernel based links with 1 Gbps line rate and the traffic flowing via these links cannot be offloaded. Regarding the Tunnels and SDWAN configuration, suggest to do it on the Company Vdom and terminate VPN tunnel on the NPU vlink.
We don't require any DNAT to be done on the root(Internet Vdom) for the tunnel establishment as it is a spoke and tunnel is always initiated from the spoke.

I would suggest to upgrade the firmware to FortiOS 7.2.7(expected to be released during the last of Feb, 2024) as it contains couple of improvements for IPSEC tunnels bound on NPU vlinks.

 

Cheers,

Rambharathi Arumugam
1598
Frederic-Chaussee
New Contributor

Created on ‎01-14-2024 11:57 PM

Hi Rarumugam,

Thanks a lot for your help. even if I didn't choose this solution, it makes me go on the right way (I think).

 

In stead of using NPU vLink, I create EMAC VLAN in VDOMs on my Wan Interface and, everything is working as expected.

 

Best regards,

Frederic

1543
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.