Support Forum
rb400
New Contributor

VDOM (hierarchy placement of the root/management vdom)

Does anyone see a problem with placing a non-root-VDOM01 on the public facing side of the FGT?


Is this even possible?


intra-p15(root VDOM)<==>public-p20(vdom01-internet)<==>public router<==>ISP


rb400 << FGT (v6.2.x)
emnoc
Esteemed Contributor III

You can place any vdom anywhere, but the management vdom that you define (btw root or any other) will need internet access if you want updates from FortiGuard services.


B4 you stack vdom, you define 1> what you're trying to accomplish 2> the management-vdom 3> possible other issues from routing to fw-policy controls imho

PCNSE NSE StrongSwan
rb400
New Contributor

emnoc wrote:

You can place any vdom anywhere, but the management vdom that you define (btw root or any other) will need internet access if you want updates from FortiGuard services.

B4 you stack vdom, you define 1> what you're trying to accomplish 2> the management-vdom 3> possible other issues from routing to fw-policy controls imho

Thanks emnoc


Trying to make changes on production firewall without getting "fired."


I am prepping my FGT to activate BGP in the near future. Just today I enabled VDOM as the first phase.


I have functioning FGT interfaces and policies. I need to create a VDOM01 with asymmetric routing enabled.


Phase 2 goal:

inside-and-dmz<==>FGT-port(vdom-link12)-root-VDOM<==>(vdom-link21)-VDOM01(asymmetric routing)<==>WANport15<==>router public bgp<==>ISP1&2


Phase 3 goal:

inside-and-dmz<==>FGT-port(vdom-link12)-root-VDOM<==>(vdom-link21)-VDOM01(asymmetric routing & BGP)<==>WANport15 [pulled public router bgp]<==>ISP1&2


Any thoughts?

rb400 << FGT (v6.2.x)
rb400
New Contributor

emnoc wrote:

You can place any vdom anywhere, but the management vdom that you define (btw root or any other) will need internet access if you want updates from FortiGuard services..."


Sorry if I am "over asking" this concept.  Just looking now for best practices.


Is it suggested that the root-vdom be the public (WAN) facing vdom, or does it not matter from a design, functionality and security perspective (best practices)?


Thanks.

rb400 << FGT (v6.2.x)
emnoc
Esteemed Contributor III

Yeah, why asym-routing and BGP? I've never been a fan of BGP on any firewall unless you think things out. In your case 2x Cisco ISRs would be much better, and redistributing a default route to an HA act-pass cluster via OSPF would be so much simpler and avoids what you're trying to do in phase 1 or phase 2.


You can add one ISR like a 1900/2900 with both BGP peers and later split them into two ISRs at a later date if budget cost becomes an issue.


This also allows you to add more (firewalls) in the near future if required & simplifies the network topology.

PCNSE NSE StrongSwan
rb400
New Contributor

emnoc:


A side question for clarification and my primitive understanding, see your helpful blog:

http://socpuppet.blogspot...pt-with-fortigate.html


Note the section found under "topology:"


"Root = WAN virtual-link, vlinkcustA2root and vlinkcustB2root, custA = PORT1, vlinkcustA2root custB = PORT2, vlinkcustB2root"


Is WAN virtual-link a virtual-link or a WAN physical interface?


Thanks,

rb400 << FGT (v6.2.x)
emnoc
Esteemed Contributor III

In that setup "WAN virtual-link" is a single member that contains a dedicated 3G-modem interface. This is what I used in my home btw. But in production this would be similar WAN1+WAN2 interfaces, physical or virtual 802.1Q tagged.


The defined management vdom will need public access if you want updates to work and url-filtering lookups, etc.

So this is why I stress more on the management vdom, which does not ALWAYS have to be the "root-vdom".

Ken

PCNSE NSE StrongSwan
emnoc
Esteemed Contributor III


Security aspect; each VDOM would have allow/deny fw policies or allowaccess, so no matter what, you will need both.


Design aspect; simpler is always best


The management vdom would need internet access directly or indirectly if you need FortiGuard services, but outside of that any vdom could technically be the management vdom; by default it's root. Once again, think it out as to what you need and try to build the design as simply as possible for deployment and diagnostics imho, and then have a go at it.

PCNSE NSE StrongSwan
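Tying emnoc's points together (a management VDOM with its own path to the ISP, asymroute only in the VDOM that needs it, and separate policies per VDOM), here is an added FortiOS 6.2-style CLI fragment for rb400's Phase 2 layout; it is not from the thread or from Fortinet's documentation. port15, root and VDOM01 come from the thread; the vdom-link name vlink12 (which yields interfaces vlink120 and vlink121), the addresses and the policy are constructed for illustration.

```fortios
# Added example, FortiOS 6.2 syntax; vlink12 name and all addresses are constructed
config global
    config system vdom-link
        edit "vlink12"
        next
    end
    config system interface
        edit "vlink120"
            set vdom "root"
            set ip 10.255.0.1 255.255.255.252
        next
        edit "vlink121"
            set vdom "VDOM01"
            set ip 10.255.0.2 255.255.255.252
        next
        edit "port15"
            set vdom "VDOM01"
            set ip 203.0.113.2 255.255.255.248
        next
    end
    # FortiGuard updates and lookups are sourced from the management VDOM
    config system global
        set management-vdom "VDOM01"
    end
end
config vdom
    edit "VDOM01"
        config system settings
            set asymroute enable
        end
        config router static
            edit 1
                set gateway 203.0.113.1
                set device "port15"
            next
        end
        config firewall policy
            edit 1
                set srcintf "vlink121"
                set dstintf "port15"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    end
```

root still needs its own default route pointing at vlink120 and a policy from the inside ports to vlink120, because the VDOM01 policy above does not cover root. port15 can only be moved into VDOM01 once nothing in root (policies, routes, addresses) still references it.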