Adryan_you
Staff
Article Id 274612
Description: This article describes one behavior of a disabled VDOM.
Scope: FortiGate.
Solution

In general, a matching firewall policy and a correct static route are required for FortiGate to forward traffic.

When a VDOM is disabled, FortiGate does not match the incoming traffic against the firewall policy.

Example setup:

[Figure: example setup diagram (vdom1.png)]

1. When VDOM 33 is enabled, it is possible to ping from 10.150.1.46 to 8.8.8.8. Below is the debug flow output collected in VDOM 33:

id=20085 trace_id=1923 func=print_pkt_detail line=5844 msg="vd-VDOM33:0 received a packet(proto=1, 10.150.1.46:1->8.8.8.8:2048) tun_id=0.0.0.0 from port6. type=8, code=0, id=1, seq=11."
id=20085 trace_id=1923 func=init_ip_session_common line=6023 msg="allocate a new session-011684c4, tun_id=0.0.0.0"
id=20085 trace_id=1923 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-8.8.8.8 via 33Root1"
id=20085 trace_id=1923 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"
id=20085 trace_id=1924 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 10.150.1.46:1->8.8.8.8:2048) tun_id=0.0.0.0 from 33Root0. type=8, code=0, id=1, seq=11."
id=20085 trace_id=1924 func=init_ip_session_common line=6023 msg="allocate a new session-011684c5, tun_id=0.0.0.0"
id=20085 trace_id=1924 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-10.47.15.254 via port1"
id=20085 trace_id=1924 func=get_new_addr line=1221 msg="find SNAT: IP-10.47.2.158(from IPPOOL), port-60417"
id=20085 trace_id=1924 func=fw_forward_handler line=881 msg="Allowed by Policy-2: SNAT"
id=20085 trace_id=1924 func=__ip_session_run_tuple line=3470 msg="SNAT 10.150.1.46->10.47.2.158:60417"


2. When VDOM 33 is disabled, the computer is not able to ping 8.8.8.8. The debug flow output shows that VDOM 33 does not proceed to match the firewall policy, and no error message is displayed:

id=20085 trace_id=1935 func=print_pkt_detail line=5844 msg="vd-VDOM33:0 received a packet(proto=1, 10.150.1.46:1->8.8.8.8:2048) tun_id=0.0.0.0 from port6. type=8, code=0, id=1, seq=19."
id=20085 trace_id=1935 func=init_ip_session_common line=6023 msg="allocate a new session-01168bda, tun_id=0.0.0.0"
id=20085 trace_id=1935 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-8.8.8.8 via 33Root1" 


3. If the ping is sent from VDOM 33 itself to the internet, it works fine (local-out traffic from VDOM 33):

id=20085 trace_id=1939 func=print_pkt_detail line=5844 msg="vd-VDOM33:0 received a packet(proto=1, 192.168.5.2:1024->8.8.8.8:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=1024, seq=0."
id=20085 trace_id=1939 func=init_ip_session_common line=6023 msg="allocate a new session-011693d0, tun_id=0.0.0.0"
id=20085 trace_id=1940 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 192.168.5.2:1024->8.8.8.8:2048) tun_id=0.0.0.0 from 33Root0. type=8, code=0, id=1024, seq=0."
id=20085 trace_id=1940 func=init_ip_session_common line=6023 msg="allocate a new session-011693d1, tun_id=0.0.0.0"
id=20085 trace_id=1940 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.47.15.254 via port1"
id=20085 trace_id=1940 func=get_new_addr line=1221 msg="find SNAT: IP-10.47.2.158(from IPPOOL), port-61440"
id=20085 trace_id=1940 func=fw_forward_handler line=881 msg="Allowed by Policy-2: SNAT"


4. In summary, if the computer is unable to reach the internet through a VDOM, all the configs (VDOM link, firewall policy, static route, etc.) are configured correctly, and the debug flow does not show any error message, check whether the VDOM is enabled:

Lotus-kvm24 (VDOM33) # show sys settings
config system settings
    set status disable <-----
end
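As an added illustration (not part of the original article or of any Fortinet tooling), the following Python script parses debug flow output in the format shown above, groups it by trace_id, and flags traces that found a route but never logged a fw_forward_handler verdict, which is the silent signature described in step 2. The sample lines are copied from the article's output; the function and variable names are this example's own.

```python
import re

# Constructed sample (three traces copied from the article's output, not a live
# capture): 1923 = VDOM enabled, policy matched; 1935 = VDOM disabled, route
# found but no policy verdict and no error; 1939 = local-out ping from VDOM 33.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1923 func=print_pkt_detail line=5844 msg="vd-VDOM33:0 received a packet(proto=1, 10.150.1.46:1->8.8.8.8:2048) tun_id=0.0.0.0 from port6. type=8, code=0, id=1, seq=11."
id=20085 trace_id=1923 func=init_ip_session_common line=6023 msg="allocate a new session-011684c4, tun_id=0.0.0.0"
id=20085 trace_id=1923 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-8.8.8.8 via 33Root1"
id=20085 trace_id=1923 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"
id=20085 trace_id=1935 func=print_pkt_detail line=5844 msg="vd-VDOM33:0 received a packet(proto=1, 10.150.1.46:1->8.8.8.8:2048) tun_id=0.0.0.0 from port6. type=8, code=0, id=1, seq=19."
id=20085 trace_id=1935 func=init_ip_session_common line=6023 msg="allocate a new session-01168bda, tun_id=0.0.0.0"
id=20085 trace_id=1935 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-8.8.8.8 via 33Root1"
id=20085 trace_id=1939 func=print_pkt_detail line=5844 msg="vd-VDOM33:0 received a packet(proto=1, 192.168.5.2:1024->8.8.8.8:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=1024, seq=0."
id=20085 trace_id=1939 func=init_ip_session_common line=6023 msg="allocate a new session-011693d0, tun_id=0.0.0.0"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) .*?msg="(.*)"\s*$')
VD_RE = re.compile(r'^vd-([^:]+):')
FLOW_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\)')


def parse_traces(text):
    """Group debug-flow lines by trace_id: the VDOM and flow tuple from
    print_pkt_detail, every func seen, and the fw_forward_handler verdict."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a debug-flow line (prompt, blank, etc.)
        tid, func, msg = m.groups()
        t = traces.setdefault(tid, {"vdom": None, "flow": None,
                                    "funcs": [], "verdict": None})
        t["funcs"].append(func)
        if func == "print_pkt_detail":
            vd, fl = VD_RE.match(msg), FLOW_RE.search(msg)
            t["vdom"] = vd.group(1) if vd else None
            t["flow"] = fl.groups() if fl else None  # (proto, src, dst)
        elif func == "fw_forward_handler":
            t["verdict"] = msg  # the policy decision, e.g. "Allowed by Policy-1:"
    return traces


def silent_drops(traces):
    """Traces that found a route (vf_ip_route_input_common) but never reached
    fw_forward_handler: the no-error signature of a disabled VDOM in this
    article. Local-out traces that skip the route lookup are not flagged."""
    return [(tid, t["vdom"], t["flow"]) for tid, t in traces.items()
            if "vf_ip_route_input_common" in t["funcs"] and t["verdict"] is None]
```

Feed it the output of `diagnose debug flow` collected in the affected VDOM; any trace it returns is a candidate for the `show system settings` check in step 4.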
