Support Forum
IrbkOrrum
Contributor

VDOM setup or FortiManager setup

I have a single, 8-hour, professional services support day banked.  I've got a couple of options on how to use it.  I've got a FortiManager license but I've never set it up and never used it.  I would also like to configure my FortiGate that's in my DR site with a VDOM so that I could have a "bubble test" that's segregated from everything else, but uses Corp IPs.  I've also never set up VDOMs or worked with VDOMs.  I'm less than sure I can accomplish both of these tasks in one 8-hour support day.  
Which one would you consider more complicated and should I use the support day for it?

1 Solution
DPadula
Staff

Hi IrbkOrrum,


So you will have 3 VDOMs: Primary, Bubble and root. You cannot get rid of root; it exists by default. 


[screenshot: vdom list.PNG]

Then you need to create each VLAN interface with settings like the ones below.

VLAN 1001

[screenshot: VLAN_1001.PNG]


and VLAN 2001

[screenshot: VLAN_2001.PNG]


Create the other VLAN interfaces as in your diagram; I have just created two of them, one in each VDOM, to show you how it is done.


After that, the Network > Interface menu will look like this one:

[screenshot: interfaces.png]

The physical interface belongs to root (default), but the VLAN interfaces belong to Primary or Bubble, according to your configuration. 


I hope it helps. 

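As an added worked example (not part of this thread, and not Fortinet's own documentation), here is the FortiOS CLI equivalent of the layout DPadula shows in the screenshots: the two extra VDOMs, one inter-VDOM link between root and Primary, and one VLAN interface in each VDOM. The names (vlinkA, VLAN_1001, VLAN_2001), the physical port (port2), the VLAN IDs, and the addresses are all assumptions; the inter-VDOM link is given a /30 here. The two VLAN interfaces deliberately carry the same address to show that overlapping IP space is allowed across VDOMs, which is what makes the "bubble test" possible.

```fortios
# Added example, not from the thread: VDOM layout from the accepted answer.
# All names, ports, VLAN IDs and addresses are assumptions.
config global
    # root already exists; add the two working VDOMs.
    config system vdom
        edit "Primary"
        next
        edit "Bubble"
        next
    end

    # An inter-VDOM link creates a pair of interfaces, <name>0 and <name>1.
    # Each end is then placed in its own VDOM below.
    config system vdom-link
        edit "vlinkA"
            set type ethernet
        next
    end

    config system interface
        # root end of the link
        edit "vlinkA0"
            set vdom "root"
            set ip 172.17.17.2 255.255.255.252
            set allowaccess ping
        next
        # Primary (VDOM-A) end of the link
        edit "vlinkA1"
            set vdom "Primary"
            set ip 172.17.17.1 255.255.255.252
            set allowaccess ping
        next

        # VLAN subinterfaces ride on a physical port that stays in root;
        # each VLAN is owned by the VDOM it serves.
        edit "VLAN_1001"
            set vdom "Primary"
            set interface "port2"
            set vlanid 1001
            set ip 10.10.10.1 255.255.255.0
            set allowaccess ping
        next
        # Same subnet as VLAN_1001, but isolated because it lives in another VDOM.
        edit "VLAN_2001"
            set vdom "Bubble"
            set interface "port2"
            set vlanid 2001
            set ip 10.10.10.1 255.255.255.0
            set allowaccess ping
        next
    end
end
```

Nothing crosses between Primary and Bubble unless a policy in a VDOM explicitly sends it over an inter-VDOM link, so a host in VLAN_2001 with a Corp address cannot reach (or be reached by) the identically addressed production host behind VLAN_1001. If you want the bubble to be fully dark, simply give it no inter-VDOM link at all.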

15 REPLIES
IrbkOrrum

Ok, I finally got FortiGate to give me some temp licenses so I could play with this in EVE-NG and do a more "true to life" setup without needing a bunch of physical equipment.

I remade everything, taking your suggestion into account, and made the inter-VDOM links 172.17.17.1-2/20 and 172.17.17.5-6/30.  Created some servers in the correct VLANs and verified that, even though servers in different VDOMs share IPs, there isn't any crossover happening.  
Now I'm experimenting with how inbound traffic works, i.e., how do I pass traffic from the Root VDOM to VDOM-A or VDOM-B for a website hosted in either VDOM.  

DPadula

Hi IrbkOrrum,
I am glad to hear that you got a temp license from Fortinet. Use it as much as you can to learn and sort out your doubts. If you have further questions we are here to help you out. 
In case you believe my replies have answered your questions, please mark it as 'solution' to help other community members find this topic. 

Regards

DPadula

IrbkOrrum

To anyone else that may be reading this or to myself when I'm looking at this in the future, the routing is pretty goofy.


First, let's look at how you would route web traffic from the "internet" to VDOM-A.  Begin in the Root VDOM by creating a VIP that's going to translate the external IP to the IP of the Inter-VDOM link that's associated with the VDOM-A side.  
i.e. if the Root side of the inter-VDOM link is 172.17.17.2 and the VDOM-A side of the inter-VDOM link is 172.17.17.1, then the VIP would be from the external IP to 172.17.17.1.  If you want to pass only ports 80 and 443, you would turn on the port forwarding and you would create one VIP for port 80 and one VIP for port 443.  If you just want to forward the whole IP to VDOM-A, then you don't need to use port forwarding. 

 

Second, on the Root VDOM you're going to create a firewall rule that's going to allow traffic from your "outside" interface (incoming interface) to the Root side of the inter-VDOM link (outgoing interface).  Your source would be 'all' (unless you wanted to restrict the traffic to your webserver) and the destination would be the VIP (or VIPs) that you created in step 1.  The schedule would be whatever you want your schedule set to and the service should be whatever your specific needs are (http, https, or both).  No NAT on the rule, and enable it.

 

Third, on the VDOM-A side you are going to create another VIP that's going to take the VDOM-A side of the inter-VDOM link and translate it to the internal IP of your webserver.  i.e., using our example above (and saying the internal webserver is 10.10.10.5), the VIP would map 172.17.17.1 to 10.81.10.5.  Again we would create 1 VIP for each port we want to forward internally.
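The three steps above, written out as FortiOS CLI as an added example (this is not from the thread or from Fortinet; it is what the described setup would look like on the CLI). Assumed names: port1 is the "outside" interface, 203.0.113.10 is the public IP, vlinkA0 is the root end of the inter-VDOM link (172.17.17.2), vlinkA1 is the VDOM-A end (172.17.17.1), VDOM-A is named Primary, VLAN_1001 is the server VLAN, and the webserver is 10.10.10.5. It also adds the one piece the post does not spell out: VDOM-A needs a route back to root, or the server's replies never leave the VDOM.

```fortios
# Added example, not from the thread: two-hop inbound web path.
# Names, interfaces and addresses are assumptions.

# Hop 1 (root): public IP -> VDOM-A end of the link, ports 80 and 443 only.
config vdom
    edit root
        config firewall vip
            edit "web-to-vdomA-80"
                set extintf "port1"
                set extip 203.0.113.10
                set mappedip "172.17.17.1"
                set portforward enable
                set extport 80
                set mappedport 80
            next
            edit "web-to-vdomA-443"
                set extintf "port1"
                set extip 203.0.113.10
                set mappedip "172.17.17.1"
                set portforward enable
                set extport 443
                set mappedport 443
            next
        end
        config firewall policy
            edit 0
                set name "in-web-to-vdomA"
                set srcintf "port1"
                set dstintf "vlinkA0"
                set srcaddr "all"
                set dstaddr "web-to-vdomA-80" "web-to-vdomA-443"
                set action accept
                set schedule "always"
                set service "HTTP" "HTTPS"
                set nat disable
            next
        end
    next
end

# Hop 2 (Primary = VDOM-A): link IP -> the real webserver.
config vdom
    edit Primary
        config firewall vip
            edit "web-80"
                set extintf "vlinkA1"
                set extip 172.17.17.1
                set mappedip "10.10.10.5"
                set portforward enable
                set extport 80
                set mappedport 80
            next
            edit "web-443"
                set extintf "vlinkA1"
                set extip 172.17.17.1
                set mappedip "10.10.10.5"
                set portforward enable
                set extport 443
                set mappedport 443
            next
        end
        config firewall policy
            edit 0
                set name "in-web-to-server"
                set srcintf "vlinkA1"
                set dstintf "VLAN_1001"
                set srcaddr "all"
                set dstaddr "web-80" "web-443"
                set action accept
                set schedule "always"
                set service "HTTP" "HTTPS"
                set nat disable
            next
        end
        # Return path: Primary has no internet-facing interface of its own,
        # so anything it does not know goes back across the link to root.
        config router static
            edit 0
                set dst 0.0.0.0 0.0.0.0
                set gateway 172.17.17.2
                set device "vlinkA1"
            next
        end
    next
end
```

Because NAT is off on both policies, only the destination is rewritten at each hop; the webserver and the VDOM-A policy logs still see the real client address, which is what you want when reviewing traffic logs or writing detections later. Restricting the root policy to the two VIPs (rather than the whole link address) means anything else aimed at the public IP is dropped in root and never enters VDOM-A.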

IrbkOrrum

Ok, now let's look at how you might route IPSec VPN traffic into (or out of) a VDOM.  (for our example, we will say it's a remote access IPSec to VDOM-B)
1. Starting again with the Root VDOM, you're going to want to create a VIP that's going to take your external IP and map it to the IP that is the VDOM-B side of the inter-VDOM link.   

2. Then you're going to make a firewall policy (in Root)  allowing traffic from (incoming interface) "outside" to (outgoing interface) Root-VDOM side of the inter-VDOM link.  The 'source' would be all (unless you wanted to restrict this) and the destination is going to be the VIP you created in step 1. Service you could restrict to IKE if you wanted and again, no NAT and enable the rule.

3. Now in VDOM-B you'll want to create the Remote Access VPN almost like you normally would.  The only tricky part here is the 'interface' will be the VDOM-B side of the inter-VDOM link; setting up the IPSec VPN is beyond the scope of this post.  I'm not sure, but I think that when you create the Remote Access IPSec VPN it's going to create the firewall rules for you. If not, you'll want to create firewall rules that are going to allow the traffic inbound.  The "incoming interface" will be the VPN that you created.  The outgoing interface would be your outgoing VLAN.  Your source would be all and service could be restricted to IKE (I think), and again no NAT.  You'll want to do this for each of the networks that you want accessible via the remote access VPN.
4. Set up your FortiClient IPSec VPN to match the settings you created in step 3 and they should be able to connect.

IrbkOrrum

Last, and most confusing in my perspective, is setting up a point-to-point IPSec within a VDOM.  Let's say we are going to set up the P2P IPSec VPN to VDOM-A.

  1. Starting with Root VDOM, you'll want to create a VIP that's going to be from the external IP you're using for your P2P IPSec VPN tunnels to the VDOM-A side of the inter-VDOM link.  Either set up 1 VIP that's going to carry all traffic or set up 2 VIPs, one for port 500 and one for 4500, both mapping to the same VDOM-A side of the inter-VDOM link. 
  2. Create an IP pool that is the External IP you're using for your P2P IPSec VPN tunnels.  Type is 'overload' and the 'external range' would just be the 1 IP.  I also had 'arp reply' turned on. 
  3. Now for the firewall rules (still in Root VDOM).  You will want to create the following rules:
    1. Incoming interface = Root side of the inter-VDOM link.  Outgoing interface = 'outside'. Source = VDOM-A side of the inter-VDOM link. Destination = External IP of your IPSec VPN partner.  Schedule = always.  Service = IKE.  Here you will want to NAT: use dynamic IP Pool and then use the IP Pool you created earlier.  You'll want to manage source port as a 'fixed port' and enable the rule.
    2. Incoming interface = outside.  Outgoing interface = VDOM-A side of the inter-VDOM link. Source = External IP of your IPSec VPN partner. Destination = the VIPs you set up in step 1 above.  Schedule = Always. Service = IKE.  No NAT, and enable the policy.
  4. On the VDOM-A side you'll want to set up an IPSec VPN just like you normally would, with the exception being the interface is going to be the VDOM-A side IP of the inter-VDOM link. If you use the wizard to set up the IPSec VPN it should create the firewall rules for you.  If you don't, you'll need to set up the firewall rules and routing rule as well.
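The root-side part of the P2P setup above (VIPs, IP pool, and the two policies) as FortiOS CLI, added here as a worked example rather than something from the thread or from Fortinet. Assumptions: port1 is "outside", 203.0.113.11 is the external IP reserved for the tunnel, 198.51.100.7 is the partner's gateway, vlinkA0 (172.17.17.2) and vlinkA1 (172.17.17.1) are the root and VDOM-A ends of the link. The VDOM-A side is the ordinary phase 1/phase 2 configuration bound to vlinkA1 and is not repeated here.

```fortios
# Added example, not from the thread: root-side NAT for a site-to-site IPsec
# tunnel that terminates inside VDOM-A. Addresses and names are assumptions.
config vdom
    edit root
        # Step 1: partner-facing IP -> VDOM-A end of the link, IKE and NAT-T only.
        config firewall vip
            edit "ike-to-vdomA-500"
                set extintf "port1"
                set extip 203.0.113.11
                set mappedip "172.17.17.1"
                set portforward enable
                set protocol udp
                set extport 500
                set mappedport 500
            next
            edit "ike-to-vdomA-4500"
                set extintf "port1"
                set extip 203.0.113.11
                set mappedip "172.17.17.1"
                set portforward enable
                set protocol udp
                set extport 4500
                set mappedport 4500
            next
        end

        # Step 2: one-address overload pool so VDOM-A's outbound IKE leaves
        # from the same IP the partner is configured to talk to.
        config firewall ippool
            edit "vdomA-ipsec-pool"
                set type overload
                set startip 203.0.113.11
                set endip 203.0.113.11
                set arp-reply enable
            next
        end

        config firewall address
            edit "ipsec-partner"
                set subnet 198.51.100.7 255.255.255.255
            next
            edit "vlinkA-vdomA-end"
                set subnet 172.17.17.1 255.255.255.255
            next
        end

        config firewall policy
            # Step 3.1: outbound IKE from VDOM-A, SNAT via the pool. fixedport keeps
            # UDP source port 500/4500 intact; most peers reject IKE from other ports.
            edit 0
                set name "ipsec-out-vdomA"
                set srcintf "vlinkA0"
                set dstintf "port1"
                set srcaddr "vlinkA-vdomA-end"
                set dstaddr "ipsec-partner"
                set action accept
                set schedule "always"
                set service "IKE"
                set nat enable
                set ippool enable
                set poolname "vdomA-ipsec-pool"
                set fixedport enable
            next
            # Step 3.2: inbound IKE from the partner to the VIPs, no NAT.
            edit 0
                set name "ipsec-in-vdomA"
                set srcintf "port1"
                set dstintf "vlinkA0"
                set srcaddr "ipsec-partner"
                set dstaddr "ike-to-vdomA-500" "ike-to-vdomA-4500"
                set action accept
                set schedule "always"
                set service "IKE"
                set nat disable
            next
        end
    next
end
```

Two things worth knowing before you troubleshoot this: because root is translating addresses, both peers will detect NAT during IKE and switch to NAT-T, so the ESP payload travels inside UDP 4500 and the policies above, which only pass UDP 500/4500, are sufficient (raw ESP, IP protocol 50, is never forwarded). And pinning the source address to a single partner in both policies, as the post suggests, is the cheap control here: it keeps the root VDOM from becoming an IKE relay for anyone who finds the public IP.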
IrbkOrrum

Lastly, just sort of a visual representation to help understand how the traffic is flowing.

[screenshot: Screenshot_1.jpg]
