Does anyone see a problem with placing a non-root-VDOM01 on the public facing side of the FGT?
Is this even possible?
intra-p15(root VDOM)<==>public-p20(vdom01-internet)<==>public router<==>ISP
rb400 << FGT (v6.2.x)
You can place any VDOM anywhere, but the management VDOM that you define (btw, root or any other) will need internet access if you want updates from FortiGuard services.
Before you stack VDOMs, you define 1) what you're trying to accomplish, 2) the management VDOM, 3) possible other issues, from routing to fw-policy controls, imho.
PCNSE
NSE
StrongSwan
emnoc wrote: You can place any VDOM anywhere, but the management VDOM that you define (btw, root or any other) will need internet access if you want updates from FortiGuard services.
Before you stack VDOMs, you define 1) what you're trying to accomplish, 2) the management VDOM, 3) possible other issues, from routing to fw-policy controls, imho.
Thanks emnoc
Trying to make changes on production firewall without getting "fired."
I am prepping my FGT to activate BGP in the near future. Just today I enabled VDOMs as the first phase.
I have functioning FGT interfaces and policies. Need to create a VDOM01 with asymmetric routing enabled.
Phase 2 goal:
inside-and-dmz<==>FGT-port(vdom-link12)-root-VDOM<==>(vdom-link21)-VDOM01(asymmetric routing)<==>WANport15<==>router public bgp<==>ISP1&2
Phase 3 goal:
inside-and-dmz<==>FGT-port(vdom-link12)-root-VDOM<==>(vdom-link21)-VDOM01(asymmetric routing & BGP)<==>WANport15 [pulled: public router bgp]<==>ISP1&2
Any thoughts?
emnoc wrote: You can place any VDOM anywhere, but the management VDOM that you define (btw, root or any other) will need internet access if you want updates from FortiGuard services...."
Sorry if I am "over asking" this concept. Just looking now for best practices.
Is it suggested that the root VDOM be the public (WAN) facing VDOM, or does it not matter from a design, functionality and security perspective (best practices)?
Thanks.
Yeah, why asym-routing and BGP? I've never been a fan of BGP on any firewall unless you think things out. In your case 2x Cisco ISR would be much better, and redistributing a default route to an HA act-pass cluster via OSPF would be so much simpler and avoids what you're trying to do in phase 1 or phase 2.
You can add one ISR like a 1900/2900 with both BGP peers and later split them into two ISRs at a later date if budget/cost becomes an issue.
This also allows you to add more (firewalls) in the near future if required and simplifies the network topology.
emnoc:
A side question for clarification and my primitive understanding, see your helpful blog:
http://socpuppet.blogspot...pt-with-fortigate.html
Note the section found under "topology:"
"Root = WAN virtual-link, vlinkcustA2root and vlinkcustB2root, custA = PORT1, vlinkcustA2root custB = PORT2, vlinkcustB2root"
Is "WAN virtual-link" a virtual link or a WAN physical interface?
Thanks,
In that setup "WAN virtual-link" is a single member that contains a dedicated 3G-modem interface. This is what I used in my home, btw. But in production this would be similar: WAN1+WAN2 interfaces, physical or virtual 802.1Q tagged.
The defined management VDOM will need public access if you want updates to work, URL-filtering lookups, etc.
So this is why I stress the management VDOM more, which does not ALWAYS have to be the "root" VDOM.
Ken
Security aspect: each VDOM would have allow/deny fw policies or allowaccess, so no matter what, you will need both.
Design aspect: simpler is always best.
The management VDOM would need internet access, directly or indirectly, if you need FortiGuard services, but outside of that any VDOM could technically be the management VDOM; by default it's root. Once again, think it out as to what you need and try to build the design as simply as possible from a deployment and diagnostics standpoint, imho, and then have a go at it.
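As an added example (not part of the thread, and not emnoc's or rb400's configuration), here is what the design discussed above looks like in FortiOS 6.2 CLI: vdom01 as the internet-facing VDOM and also the management VDOM, joined to root by an inter-VDOM link, with asymmetric routing enabled only in vdom01. The names port15, vdom01 and vlink12 follow the thread; the addresses are made up, and the syntax is from memory of the 6.2 CLI, so check it against your release before pasting.

```text
# Added example, FortiOS 6.2 CLI. Addresses are constructed for illustration.

# 1. Enable multi-VDOM mode, then create the internet-facing VDOM.
#    After this, system-wide objects live under "config global".
config system global
    set vdom-admin enable
end
config vdom
    edit vdom01
    next
end

config global
    # 2. The management VDOM does not have to be root (emnoc's point).
    #    FortiGuard updates, web-filter rating lookups and NTP are sourced
    #    from this VDOM, so it must have a route to the internet.
    config system global
        set management-vdom vdom01
    end

    # 3. Inter-VDOM link. "vlink12" creates two interfaces: vlink120 and vlink121.
    config system vdom-link
        edit vlink12
            set type ethernet
        next
    end
    config system interface
        edit vlink120
            set vdom root
            set ip 10.255.12.1 255.255.255.252
        next
        edit vlink121
            set vdom vdom01
            set ip 10.255.12.2 255.255.255.252
        next
        edit port15
            set vdom vdom01
            set ip 203.0.113.2 255.255.255.248
            set allowaccess ping          # no https/ssh exposed on the WAN side
        next
    end
end

# 4. Asymmetric routing is a per-VDOM setting. Enable it only where the BGP
#    design really needs it: with asymroute enabled, that VDOM no longer does
#    stateful inspection, so anti-replay and most UTM features stop working there.
config vdom
    edit vdom01
        config system settings
            set asymroute enable
        end
        config router static
            edit 1
                set device port15
                set gateway 203.0.113.1
            next
            edit 2
                set dst 10.0.0.0 255.0.0.0     # inside/DMZ ranges sit behind root
                set device vlink121
                set gateway 10.255.12.1
            next
        end
        config firewall policy
            edit 1
                set name "root-to-internet"
                set srcintf vlink121
                set dstintf port15
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
end

# 5. Root keeps stateful inspection; its default route points across the link.
config vdom
    edit root
        config router static
            edit 1
                set device vlink120
                set gateway 10.255.12.2
            next
        end
    next
end

# 6. Checks: confirm which VDOM is management, and that FortiGuard is reachable from it.
config global
    get system global | grep management-vdom
end
config vdom
    edit vdom01
        execute ping update.fortiguard.net
        execute update-now
    next
end
```

If the FortiGuard checks in step 6 fail, the usual cause is that the management VDOM has no route out or no policy permitting the unit's own traffic; moving `management-vdom` back to root does not help unless root itself can reach the internet. Keep `asymroute` disabled in every VDOM that is expected to enforce UTM.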