I've got the following setup that I want to accomplish:
I've managed to successfully set this up if I use physical ports (port1, port2 etc.) and assign them to the different VDOMs, but I'm trying to set this up so that the WAN for the VDOM NAT and the WAN for the root VDOM are solved in software and don't use the physical ports. I've tried to set up inter-VDOM connections between the transparent VDOM and e.g. the root VDOM, but I feel that I lack the virtual WAN interface of the root VDOM to connect to the virtual inter-VDOM connection between the VDOMs.
What am I missing / how does one connect, for example, the root VDOM to the transparent VDOM (which has the internet WAN connection) without physical connections except wan1 for the transparent VDOM to the Cisco router, and the LAN side of the root VDOM?
To keep it simple, my "internet connection" is 10.10.10.90/24 with 10.10.90.1 as gateway (Cisco router).
Root VDOM: 192.168.1.0/24, 192.168.1.99 as gateway, with NAT
VDOM NAT:
vlan 7 192.168.7.0/24 - 192.168.7.1 GW
vlan 20 192.168.20.0/24 - 192.168.20.1 GW
Firewall: FortiGate 100D with 5.2.1 (if I remember correctly, the newest software edition)
For the most part, I believe you have it. What you are not fully realising (if I am correct) is that different VDOMs are completely different environments. That being said, one VDOM cannot speak to another without being physically connected.
IE:
VDOM (default) has WAN1 > Port 1, 2
VDOM2 has WAN2 > Port 3, 4
VDOM3 has DMZ (WAN3) > Port 5, 6...
To gain connectivity, a separate physical connection must be given to each of the 3 WAN interfaces. This is not the same as creating VLANs and trunks. You are most likely going to have to add a switch between your router and FW.
You may correct me if I am wrong
The way I've understood it is that a VDOM is an isolated firewall. Given that I've got three VDOMs, I've got three firewalls that each need their own interfaces. In the easy example that is one WAN interface and one LAN interface.
To connect one VDOM (firewall) to another one, set up the inter-VDOM link. What I don't understand is how I define an interface or a switch at the end of the inter-VDOM link so that I have a WAN interface that gets DHCP from the Cisco router.
Edit: Forgot to thank you for the reply! That's great :D
Sorry about the misunderstanding. Have you tried this reference?
It is part of an inter-VDOM example.
leif wrote: The way I've understood it is that a VDOM is an isolated firewall. Given that I've got three VDOMs, I've got three firewalls that each need their own interfaces. In the easy example that is one WAN interface and one LAN interface.
To connect one VDOM (firewall) to another one, set up the inter-VDOM link. What I don't understand is how I define an interface or a switch at the end of the inter-VDOM link so that I have a WAN interface that gets DHCP from the Cisco router.
Edit: Forgot to thank you for the reply! That's great :D
Yes, I have read it. That's why I was posting here... :)
That being said, one VDOM cannot speak to another without being physically connected. IE: VDOM (default) has WAN1 > Port 1, 2; VDOM2 has WAN2 > Port 3, 4; VDOM3 has DMZ (WAN3) > Port 5, 6... To gain connectivity, a separate physical connection must be given to each of the 3 WAN interfaces. This is not the same as creating VLANs and trunks. You are most likely going to have to add a switch between your router and FW.
Not 100% correct. You can use vdom-links between routed and transparent VDOMs, which are virtual interfaces.
OP, check out my blog post:
http://socpuppet.blogspot.com/2014/09/a-meshed-vdom-transparent-using-inter.html
Now I'm scratching my head, as you have a transparent VDOM (1) and want links to 2 routed VDOMs? I have never seen or done this in the past, but have you tried to set up 2 vdom-links to the 2 routed NAT VDOMs?
Typically in a transparent VDOM there is one outside + one inside interface (2 interfaces total). I have never seen a transparent firewall with 2 internals, nor how would you write firewall policies to achieve filtering? Could you re-design the topology and place the routed NAT VDOM at the top of the stack/mesh?
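As an added illustration of the vdom-link approach described in the reply above (this is not emyo's configuration and not taken from the linked blog post), here is what a single link between a transparent VDOM and a routed VDOM looks like in the FortiOS CLI. Everything in it is assumed for the sake of the example: the VDOM names `TP` (transparent, holding wan1 to the Cisco) and `root` (NAT/route, holding the LAN on `internal`), the link name `vlink`, the policy IDs, and the addresses `10.10.10.90/24` and `10.10.10.1`. The link end in the routed VDOM is given a static address here; it stands in for the "virtual WAN interface" the original poster was looking for. A second link to the other NAT VDOM would follow the same pattern with a different link name.

```fortios
# Added example, not from the thread. Assumed names: VDOMs "TP" (transparent)
# and "root" (NAT/route), vdom-link "vlink", physical wan1 assigned to TP,
# physical internal assigned to root. Addresses are placeholders.
config global
    # The link is created in the global context. FortiOS needs the ethernet
    # type when one end sits in a transparent VDOM, because a transparent VDOM
    # bridges frames and a ppp-type link has no MAC layer to bridge.
    config system vdom-link
        edit "vlink"
            set type ethernet
        next
    end
    # Creating "vlink" produces two interfaces, vlink0 and vlink1. Each is
    # assigned to a VDOM exactly like a physical port would be.
    config system interface
        edit "vlink0"
            set vdom "TP"
            set allowaccess ping
        next
        edit "vlink1"
            set vdom "root"
            set mode static
            set ip 10.10.10.90 255.255.255.0
            set allowaccess ping
        next
    end
end

config vdom
    edit "TP"
        # Transparent VDOM: it only bridges between wan1 (Cisco side) and
        # vlink0 (routed VDOM side). Policies are still required in both
        # directions or the bridge drops the traffic.
        config firewall policy
            edit 1
                set srcintf "vlink0"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
            edit 2
                set srcintf "wan1"
                set dstintf "vlink0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
    edit "root"
        # Routed VDOM: vlink1 plays the WAN role. The default route points at
        # the Cisco router through vlink1; the transparent VDOM in between is
        # invisible to routing, so the next hop is the router itself.
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.10.10.1
                set device "vlink1"
            next
        end
        config firewall policy
            edit 1
                set srcintf "internal"
                set dstintf "vlink1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end
```

Two points worth checking after applying something like this: first, that `get system interface` in the global context lists both `vlink0` and `vlink1` with the expected VDOM membership, and second, that a ping from the root VDOM (`execute ping 10.10.10.1` after `config vdom` / `edit root`) gets through, which proves both the transparent policies and the static route at once. The example uses a static address on the link end; whether that end can instead be a DHCP client of the Cisco router is not established by anything in this thread, so treat that as something to verify on the box rather than as a given.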