I have a single, 8 hour, professional services support day banked. I've got a couple of options on how to use it. I've got a FortiManager license but I've never set it up and never used it. I would also like to configure my FortiGate that's in my DR site with a VDOM so that I could have a "bubble test" that's segregated from everything else, but uses Corp IPs. I've also never set up VDOMs or worked with VDOMs. I'm less than sure I can accomplish both of these tasks in 1 8 hour support day.
Which one would you consider more complicated and I should use the support day for?
Solved! Go to Solution.
Hi IrbkOrrum,
So you will have 3 vdoms, Primary, Blubble and root. You cannot get rid of root, this is by default.
Then you need to create each vlan interface like the settings below.
VLAN 1001
and VLAN 2001
Create the other vlans interfaces as your diagram, I have just created two of them, one on each vdom, to show you how it is done.
After that, the Network-Interface menu will look like this one:
The physical interface belong to root (default) but the vlans interfaces belong to Primary or Bubble, according to your configuration.
I hope it helps.
Ok, I finally got fortigate to give me some temp lic so I could play with this in eve-NG and do a more "true to life" setup without needing a bunch of physical equipment.
I remade everything, taking your suggestion into account and made the intervdom links 172.17.17.1-2/20 and 172.17.17.5-6/30. Created some servers in the correct vlans and verified that, even though servers in different VDOMs share IPs, there isn't any crossover happening.
Now I'm experimenting with how inbound traffic works. IE, how do I pass traffic from the Root VDOM to VDOM-A or VDOM-B for a website hosted in either VDOM.
Hi IrbkOrrum,
I am glad to hear that you got a temp license from Fortinet. Use it as much you can to learn and sort out your doubts. If you have further questions we are here to help you out.
In case you believe my replies have answered your questions please mark it as 'solution' to help other community members finding this topic.
Regards
DPadula
To anyone else that may be reading this or to myself when I'm looking at this in the future, the routing is pretty goofy.
First, let's look at how you would route web traffic from the "internet" to VDOM-A. Begin in the Root VDOM by creating a VIP that's going to translate the external IP to the IP of the Inter-VDOM link that's associated with the VDOM-A side.
i.e. if the Root side of the inter-VDOM link is 172.17.17.2 and the VDOM-A side of the inter-VDOM link is 172.17.17.1, then the VIP would be from the external IP to 172.17.17.1. If you want to pass only ports 80 and 443, you would turn on the port forwarding and you would create one VIP for port 80 and one VIP for port 443. If you just want to forward the whole IP to VDOM-A, then you don't need to use port forwarding.
Second, on the Root VDOM you're going to crate a firewall rule that's going to allow traffic from your "outside" interface (incoming interface) to the Root side of the inter-VDOM link (Outgoing interface). Your source would be 'all' (unless you wanted to restrict the traffic to your webserver) and the destination would be the VIP (or VIPs) that you created in step 1. The schedule would be whatever you want your schedule set to and the server should be whatever your specific needs are (http, https, or both). No NAT on the rule and enable it.
Third, on the VDOM-A side you are going to create another VIP that's going to take the VDOM-A side of the inter-VDOM link and translate it to the internal IP of your webserver. IE using our example above (and saying the internal webserver is 10.10.10.5) then the VIP would map 172.17.17.1 to 10.81.10.5. Again we would create 1 VIP for each port we want to forward internally.
Ok, now let's look at how you might route IPSec VPN traffic into (or out of) a VDOM. (for our example, we will say it's a remote access IPSec to VDOM-B)
1. Starting again with the Root VDOM, you're going to want to create a VIP that's going to take your external IP and map it to the IP that is the VDOM-B side of the inter-VDOM link.
2. Then you're going to make a firewall policy (in Root) allowing traffic from (incoming interface) "outside" to (outgoing interface) Root-VDOM side of the inter-VDOM link. The 'source' would be all (unless you wanted to restrict this) and the destination is going to be the VIP you created in step 1. Service you could restrict to IKE if you wanted and again, no NAT and enable the rule.
3. Now in VDOM-B You'll want to create the Remote Access VPN almost like you normally would. The only tricky part here is the 'interface' will be the VDOM-B side of the inter-vdom link and setting up the IPSec VPN is beyond the scope of this post. I'm not sure but I think that when you create the Remote Access IPSec VPN it's going to create the firewall rules for you. If not, you'll want to create firewall rules that are going to allow the traffic inbound. The "incoming interface" will be the VPN that you created. The outgoing interface would be your outgoing vlan. You source would be all and service could be restricted to IKE (I think), and again no NAT. You'll want to do this for each of the networks that you want accessible via the remote access VPN.
4. Set up your forticlient IPSec vpn to match the settings you created in step 3 and they should be able to connect.
Last, and most confusing in my perspective, is setting up a point to point IPSec within a VDOM. Let's say we are going to setup the P2P IPSec VPN to VDom-A.
Lastly, just sort of a visual representation to help understand how the traffic is flowing.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.