Hello
We're going to be setting up a S2S VPN tunnel between our FG 1100E in our production data center and a Meraki MX firewall at one of our branch sites for sending backups. The FG is in multi-VDOM mode, with the WAN connection being in a transparent vWire configuration. What's best practice in terms of which VDOM to put the S2S VPN tunnel in? Since the WAN VDOM is operating in transparent mode I assume doing any kind of routing there is not an option. Are there any downsides of putting the tunnel in a separate VDOM?
Thanks
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Why the transparent vdom to begin with? Sounds like youre making it more complex and you surely can't control traffic already encapsulated in IPSEC via the transparent-vdom.
Ken Felix
PCNSE
NSE
StrongSwan
That's a good question. It was set up like this before I got involved so I'm not sure. Does this complicate things a lot? What setup would you recommend?
Will that depends are you doing multiple NAT/routed domains?
Do you really need a stack-multi-vdom where you run other vdom thru a primary vdom?
Ken Felix
PCNSE
NSE
StrongSwan
Likely not, I don't think we have a reason for separating out into different VDOMs. Perhaps we need to take a step back and re-evaluate the bigger picture. We're going to be moving all of our routing off our old firewalls onto these, the transparent mode setup was just a temporary solution for the evaluation and to give us IPS at the perimeter. We want to keep things simple so if a single VDOM is the way to go then we can do that. We have a secondary unit that we can reconfigure rather than messing with the production unit if needed. If there is a way to get the S2S up and running in it's current state though that would be great.
You can run IPS in nat/routed mode fwiw. But yes, you could set a 2nd unit up and deployed. Stack vdom do have purpose but typically you have a need.If you do have a need for emac and sharing a interface within multiple vdom please review this article
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/212317/enhanced-mac-vlans
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.