Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- multiple vdoms, including transparent mode, what ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
multiple vdoms, including transparent mode, what is best design?
Hello,
We have to configure a network for one of our customers.
They have 4 vlans for internal use and 2 dmz' s where they want to put their servers in.
The customer wants to use additional firewalls which we have to make virtual, so we configure vdoms. They want the vlans and dmz' s in their unique vdom and then route the traffic to a 3rd firewall (vdom) to reach the internet. This 3rd vdom needs to do all the UTM stuff.
Question is: what will be the best approach? I have added a simple drawing with the vdoms depicted as physical units.
There is one internet feed, how to make this one available for all vdoms?
Thanks for any help,
kind regards,
Ralph
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ralph,
I' ve attached a diagram showing a logical design I' ve used at a couple of deployments. So far the design has worked well for me.
Couple of things to keep in mind regarding the diagram and design :
- VDOM Links has been used to link the VDOMs to the root VDOM. No other linking between VDOMs were done, but can be.
- Every VDOM (other than root) has a default static route 0.0.0.0 with destination interface set as the VDOM Link interface in the VDOM, ie for LANVDOM the static route 0.0.0.0 points to the LAN-VL0 interface.
- Inter VLAN traffic forwarding is disabled and f/w policies allow only specific comms between VLANs
- F/w policies are defined between the VLAN interfaces and the VDOM Link interfaces to allow inbound and outbound traffic into and out of the VDOM.
- In the root VDOM the default static route 0.0.0.0 destination interface is External1 (Zone interface).
- Static routes has been defined for all internal IP ranges to their respective VDOM Link interfaces in the root VDOM, ie 192.168.1.0/24 routes to the LAN-VL1 interface.
- Outbound (internet) policies has NAT enabled in the root VDOM only.
- Other f/w policies has been defined to control inter VDOM traffic (all routed through the root VDOM).
- External2 zone interface was used for policy based routing, ie Execs SSID was routed out through the External2 interface....
- UTM filtering was applied mostly in the root VDOM. Depends on what you have on the network and where the most appropriate place is to filter, ie
To recap, keep routing in mind and which interfaces the traffic traverses. Match the flows with routes and f/w policies. This is not a reference architecture, just an example of what I' ve deployed. There are many ways to skin four legged creatures....
Hope it helps.
Regards
Paul
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Paul,
I will send you a virtual bottle of beer :) This was really helpfull, since there is no real documentation about configuring it this way.
With regards to your drawing, do I understand it right that:
lanvdom0 has gateway lan-vl0
root vdom has a route to each vlan , e.g. vlan 11 via Lan-vl1
the vlans in the vdom e.g. officelan vlan 11 in lanvdom has a default route to lan-vl0?
The policy from vlan 11 to reach the internet is from vlan 11 to lan -vl0 and then Nat enabled?
the last two are not entirely clear for me
With kind regards,
Ralph
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If this is for one customer & only one customer, than you are doing a lot or work and vdoms is probably not the right solution.
Crafting multi-vdoms and then mix' ing interface in one vdom with access to services in another , tells me this not the norm and you would be better off with no VDOM deployed and proper firewall architect imho.
btw nice looking diagram :)
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the diagram is the only thing that is useful, so be it. :P
This customer in particular has 4 IT companies under the same roof using shared, dedicated infrastructure, hosted public and private services etc . The initial design had 2 VDOMs but quickly became difficult to maintain with all the policies as each company had specific (read paranoid, full of ...., etc) requirements. So broke the whole thing up into logical groupings. You can print out the diagram, take a pencil and draw the traffic flow and then configure the routes and policies to a picture ;) Believe it or not, the diagram is a simplified version of the real configuration :) Lots of IPSec tunnels, a VDOM in transparent mode and other stuff removed, just to show the concept...
- lanvdom0 has gateway lan-vl0
>> VDOM LANVDOM' s default route points to lan-vl0
- root vdom has a route to each vlan , e.g. vlan 11 via Lan-vl1
>> Yes, same goes for the other VDOMs, routes to the VLAN IP range points to the appropriate VLAN interface
- the vlans in the vdom e.g. officelan vlan 11 in lanvdom has a default route to lan-vl0?
>> The default route is configured in the VDOM routing table as :
LANVDOM static routes :
0.0.0.0 -> lan-vl0
192.168.1.0/24 -> OfficeLAN
10.11.51.0/24 -> VMWareLAN1
etc.
Same pattern in each VDOM, including the root VDOM.
- The policy from vlan 11 to reach the internet is from vlan 11 to lan -vl0 and then Nat enabled?
>> You will have two policies for that use case :
1) LANVDOM: From 192.168.1.0/24 (Src int OfficeLAN) to Any (Dest int LAN-VL0), service HTTP, schedule always, NO NAT
2) root VDOM: From 192.168.1.0/24 (Src int LAN-VL1) to Any (Dest int External1), service HTTP, schedule always, UTM enabled, NAT ENabled (using specific interface IP 41.x.x.19 for example)
Less specific policies were used in the LAN/Wifi <-> root comms, and very very specific policies in the DMZ <-> root, other VDOMs and IPSec tunnel comms.
In this case, a multitude of requirements drove the design.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,700 -
FortiClient
1,763 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
432 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiGate-VM
13 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1713 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.