Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- VDOM 1 over root SSL VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VDOM 1 over root SSL VPN
hello everybody,
i do some vdom testing in our company lab and i have one problem.
I have 2 Vdom´s Root and VDOM1 they have a Vlink1 with no ip (0.0.0.0)
the WAN and Internal Interfaces are in root Vdom.
On the Internal interface i created a sub interface (Vlan77) for my Vdom to be able to access our lab Lan.
i created static routes for LAN, and WAN (my Wan static root looks like 0.0.0.0 over vlink1)
i created a Win7 VM Maschine and put it in Vlan77.
I Also created the firewall policies properli, so now i am able to connect clients on my lan and i have access to the Internet.
But i dont realy understand how to configure now the SSL VPN for my Vdom?
Virtual interface on root mapping to my vlink1 doesnt work properly...
any ideas?
thank you in advance
NSE 8
NSE 1 - 7
NSE 8
NSE 1 - 7
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
root VDOM:
1.
SSL VPN policy to allow SSL VPN access to the firewall for user/group:
from WAN
to vlink
from all
to VLAN
identity-based-policy:
user/group name
service
ssl-vpn portal
2.
Firewall policy to enable access to VLAN from ssl.root
from ssl.root
to vlink
source all
dst VLAN subnet
service all/x
VLAN vdom:
1. enable access from the other side of the vlink
from vlink
to VLAN
src all
dst VLAN subnet
service all/x
That should do it. As you said, you have static routes in place to point at the vlink in root VDOM to the VLAN and vice versa from VLAN vdom to root for SSL VPN subnet.
Run diagnose sniffer packet any ' host VLAN IP' in root VDOM when you VPN in and ping the VLAN address.
You can do the same in the VLAN vDOM to see the packet flow.
' diagnose debug flow' to check that no policy is blocking the access.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
thank you that sounds good. i will try it tommorow.
but what about the IP adress it should acces from the Internet? should i pick a spezific Port number for my Vdom1 ?
because root Vdom allready has a VPN SSL
NSE 8
NSE 1 - 7
NSE 8
NSE 1 - 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hmmm...
the problem is.. i have only 1 public IP Adress. so i must use the Virtual IP on the root Vdom.
but there i need my public Adress with a port the SSL VPN will connect to and an IP that will be mapped in my VDOM1.
But my Vlink1 has an ip of 0.0.0.0 ... how can i solve this problem?
if the Vlink1 had an private IP like 192.168.2.1 i could easely map it. but my vlink1 has no ip....
NSE 8
NSE 1 - 7
NSE 8
NSE 1 - 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure if I understand it correctly, but what I think you have is this:
Public IP - [root vDom] - unnumbered vDom link (root.vlink0) ---- unnumbered vDom link (root.vlink1) - [test vDom] -- private IP on VLANx
What I suggested would work with this configuration.
2 policies on root vDom to enable SSL VPN in and than to enable traffic going to the vDom link from ssl.root.
1 policy in test vDom to enable traffic coming in from vDom link to LAN.
You need static routes in root.vDom to lan subnet pointing at the vDom link (root.vlink0)
And another static root in test vDom pointing at the SSL VPN subnet range via the vDom link (root.vlink1).
If you configured it correctly the SSL VPN user as the minimum should be able to ping the firewall LAN IP address via the 2 vDoms.
SSL VPN configuration only reguired on the vDOM (root in your case) where you configured the public IP so they can connect to it remotely.
VDOM links don' t need to have IPs configured. Have a look at the documentation about the benefit to have/not to have IPs on them.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i allready set all the policies and routes right.
the Problem is.
right now u can accsess the SSL VPN root Vdom over a public ip adress 143.33.22.10:4443 (only an example adress)
now i want to have SSL VPN Adress over 143.33.22.10:4444 (for example)
so actualy i have to use the Virtual IP on root vdomm and mapp the 143.33.22.10:4443 to my Vdom1 over vlink. but i cant, because i have to enter an
IP Adress for mapping public > private. I cant choose an Interface.
So the only way to do it , is to give the vlink´s IP Adresses?
you know what i mean?
NSE 8
NSE 1 - 7
NSE 8
NSE 1 - 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this is pretty old, but it took some digging and experimentation to figure this out for my situation, where I wanted each Tenant VDOM to retain control over SSLVPN authentication/settings, so I wanted to leave some crumbs for the next person. Here's what worked for me on FG200D with NAT root VDOM and multiple NAT tenant VDOMs.
1 - Create VDOM link between root and tenant VDOM with IP on each end (e.g. - root=10.10.10.9/30, tenant=10.10.10.10/30).
2 - Create VIP in root for external interface/IP mapped to tenant VLink IP (I also port-forwarded SSLVPN port).
3 - Create policy in root to permit from external interface to VLink interface, from All to VIP object, service=SSLVPN port, with NAT. You do lose visibility of client source address doing this, but that was acceptable for me. Alternatively you can disable NAT, but then you have to create a route to get back to the un-NAT'd source via the root VLink IP in the tenant VDOM, which could be troublesome if you have already have default routes going somewhere else; policy routes might help.
4 - Configure tenant SSLVPN portals and settings as desired, make sure to add tenant VLink interface to "Listen on Interfaces:" list or use "Any".
In my case, I wanted to use only one external IP for all tenant SSLVPN portals, so each tenant has a unique SSLVPN listening port, and each VIP and policy in the root VDOM reflects that.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have the same setup but a different approach
1: we have a sslvpn listener in each tennant & on the intervdom link ( we route the public over this "wan link" )
2: fwpolicies that allow root vdim to that sslvpn listener
3: port 443 is used since each public is a unique address within that vdom
4: a ldap-auth server for that vdom
5: a user local/group for that vdom
6: obviously correct sslvpn policies per-vdom
The vip approach would work just fine also and you can move all vips at wan1 ( for example ) of vdm-root and chew up a ipv4-address at the root-vdom.
In each case "root" vdom is the controlling factor 6 or half-dozen but the same outcome. fwpolicies sessions are in all vdoms that are applicable
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,596 -
FortiClient
1,732 -
5.2
801 -
FortiManager
719 -
5.4
639 -
FortiAnalyzer
551 -
FortiSwitch
467 -
FortiAP
464 -
FortiClient EMS
420 -
6.0
416 -
5.6
362 -
FortiMail
315 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
233 -
Fortiweb
203 -
IPsec
200 -
5.0
196 -
FortiNAC
185 -
FortiGuard
138 -
6.4
128 -
SD-WAN
113 -
FortiGateCloud
102 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiAuthenticator
94 -
FortiToken
89 -
Customer Service
79 -
Firewall policy
78 -
Wireless Controller
77 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
55 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
50 -
ZTNA
48 -
FortiExtender
45 -
FortiSandbox
44 -
Routing
44 -
FortiDNS
42 -
DNS
42 -
LDAP
41 -
BGP
40 -
Authentication
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
NAT
34 -
Certificate
34 -
RADIUS
32 -
SSO
31 -
Interface
31 -
FortiLink
29 -
FortiConnect
28 -
FortiWAN
27 -
VDOM
27 -
Web profile
26 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Automation
14 -
System settings
14 -
IP address management - IPAM
14 -
snmp
13 -
Static route
13 -
FortiCASB
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
FortiManager v4.0
10 -
IPS signature
10 -
Security profile
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Proxy policy
9 -
Intrusion prevention
9 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiGate-VM
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1679 | |
| 1085 | |
| 752 | |
| 446 | |
| 226 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.