Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mike_A
New Contributor

Technical design question

Hello!

I have recently come across a question that I cannot seem to find a definite answer for.

The question is in regard to what would be possible to do with SDWAN and VDOMs with Inter VDOM links.

Traditionally, you can use a FG and assign WAN 1 to one VDOM and WAN 2 to another. With that solution you can split a FG to be used by several companies without interfering with routing, security or ipsec tunnels e.t.c.

 

However, if we raise the complexity abit I find it hard to find straight answers.

 

I will setup a new site with dual ISP:s. They will be delivered using 1x Fiber with a link-net each.

They will go into a stacked Edge Switch that will provide 4x Fiber outputs. 2 for each ISP connection.

This in turn will go into a FG cluster running in A/P using SD WAN to load balance and provide failover in case one link goes down. So far, not a problem.

 

My question is in regards to a request to share 1G of this connection to a 3:d company (Company B) in the same physical location. My initial thought was to provide them with a VDOM as that has been the "classic" approach. 

However, I am not sure how this will be handled with SDWAN as well as the possibility to create VPN for example on the back of this.

 

So, now the question:

Will it work to have a VDOM for Company B to administer with an Inter VDOM link from Company A VDOM where the SDWAN originates? Will it work in such a way that Company B can use all the functionality as if they had 1 physical wan interface in regards to VPN, ipsec tunnels, NAT etc.?

I have attached a quick drawing of the thought up setup.

 

I hope you understand my question as well as the problem.

 

Thanks!

 

Ritning1.jpg

 

 

 

 

3 REPLIES 3
Debbie_FTNT
Staff
Staff

Hey Mike,

yes, having company B with an inter-vdom-link is an option, and company B would treat that inter-vdom-link as its WAN interface, with all the attendant NAT, VPN, etc configuration.

Depending on what kind of access you want to allow TOWARDS VDOM B (such as users being able to establish a VPN to VDOM B), you are going to need some port forwarding/VIPs set up in VDOM A to direct the incoming traffic to VDOM B.

If you treat this as two separate FortiGates - you would have FortiGate A handling internet, and behind it an independent FortiGate B that still may need to be accessible *through* FortiGate A.

 

TL;DR: Yes, possible, but would need some setup in VDOM A for transit traffic to/from VDOM B.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Mike_A

Thanks for getting back on this question. Really appreciate it.

The access that I would like to enable for Company B is as close to a dedicated internet connection as possible. That means port forwarding for them if they need it. IPSec VPN, firewall rules with filtering. 

I get that we would need to help out with certain parts in Company A VDOM to enable certain features to work. 

 

 

 

ede_pfau
Esteemed Contributor III

To keep it really separate, you could use one VDOM for each company on the internet-facing FGT, holding the VPN/ISP credentials etc. and only forward decrypted traffic to company B's FGT. This is as far "dedicated" as it gets.

One scenario in which you would need to design it this way is when company B has it's own ISP - there is only one default route per system (a VDOM is a system of it's own).


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Top Kudoed Authors