Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
theG
New Contributor III

Create VDOM to duplicate Live firewall for testing...

Hi Guys,

 

I have a request from a client where they are looking to setup a test environment (firewall) to be able to make changes on before having it applied to their live / production firewall. The catch is, they need to be able to have live data or atleast the same traffic running through their test firewall to be able to see what impact their changes will make / have. The thought of VDOMS came up, but this would mean having two instances of firewalls running....

 

Does anyone have any ideas as to how I could set this up? If it even would be possible?

 

thanks,

theG

4 REPLIES 4
emnoc
Esteemed Contributor III

What's the business case for this? Your adding more work than's required and  the client seems to be leading this. You should review the policy, asset the risk, and have a policy change and backup plan.

 

To try to duplicate the  traffic is just asking for more complexity. If they want to do it right, you would really define a production and non-Production ( sandbox )  sites and QA any changes on the non-Production site b4 implementation into the  prod-network and still maintain  the earlier suggestion ( firewal audit, snapshot, rollback, etc.....)

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Dave_Hall
Honored Contributor

I would just go with using a spare/test unit if your client wants to set up something that mimics the live/production environment -- just section off a department/network and put them on the test unit; it's a bit easier and manageable to deal with the fgt device as a whole than mess around with VDOMS/configuration changes, etc.

 

That being said, if your client is adamant about using VDOMS, they might want to consider putting the fgt into transparent mode and maybe have two VDOMs more-or-less mirroring each other.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
theG
New Contributor III

thanks for your input guys...much appreciated! As I thought...setting something up as they wanted won't really be possible. I'll have to try looking into alternative options.

 

I'll look at using your suggestions somehow...thanks!

Shawn_W

Please let us know what you end up trying.  Thanks.

Labels
Top Kudoed Authors