Example configuration: VDOM in Transparent mode


In this example, the FortiGate unit provides network protection to two organizations — Company A and Company B. Each company has different policies for incoming and outgoing traffic, requiring three different security policies and protection profiles.

 

VDOMs are not required for this configuration, but by using VDOMs the profiles and policies can be managed more easily on a per-VDOM basis, either by one central administrator or by separate administrators for each company. Future expansion is then simply a matter of adding VDOMs without disrupting the existing ones.

For this example, the security policies cover only web traffic. This keeps the configuration from becoming unnecessarily complicated.

This example includes the following sections:

  • Network topology and assumptions
  • General configuration steps
  • Configuring common items
  • Creating virtual domains
  • Configuring the Company_A VDOM
  • Configuring the Company_B VDOM
  • Configuring the VLAN switch and router
  • Testing the configuration

 

Network topology and assumptions

Each organization’s internal network consists of a different range of IP addresses:

  • 10.11.0.0/255.255.0.0 for Company A.
  • 10.12.0.0/255.255.0.0 for Company B.

For the procedures in this section, it is assumed that you have enabled VDOM configuration on your FortiGate unit. For more information, see Virtual Domains Overview.

The VDOM names are similar to the company names for easy recognition. The root VDOM cannot be renamed and is not used in this example.

Interfaces used in this example are port1 and port2. Some FortiGate models may not have interfaces with these names. port1 is an external interface. port2 is an internal interface.

 

General configuration steps

The following steps summarize the configuration for this example. For best results, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Configuring common items

2. Creating virtual domains

3. Configuring the Company_A VDOM

4. Configuring the Company_B VDOM

5. Configuring the VLAN switch and router

6. Testing the configuration

 

Configuring common items

Both VDOMs require you to configure security profiles. These are configured the same way, but because profiles are VDOM-scoped they must be created in each VDOM.

The relaxed profile allows users to surf websites they are not allowed to visit during normal business hours. Also a quota is in place to restrict users to one hour of access to these websites to ensure employees do not take long and unproductive lunches.

 

To create a strict web filtering profile – web-based manager:

1. Go to the proper VDOM, and select Security Profiles > Web Filter.

2. Select Create New.

3. Enter strict for the Name.

4. Expand FortiGuard Web Filtering, and select block for all Categories except Business Oriented, and Other.

5. Block all Classifications except Cached Content, and Image Search.

6. Ensure FortiGuard Quota for all Categories and Classifications is Disabled.

7. Select OK.

 

To create a strict web filtering profile – CLI:

config vdom
    edit <vdom_name>
        config webfilter profile
            edit strict
                config ftgd-wf
                    set allow g07 g08 g21 g22 c01 c03
                    set deny g01 g02 g03 g04 g05 g06 c02 c04 c05 c06 c07
                end
                set web-ftgd-err-log enable
            end
    end

 

To create a relaxed web filtering profile – web-based manager:

1. Go to the proper VDOM, and select Security Profiles > Web Filter.

2. Select Create New.

3. Enter relaxed for the Name.

4. Expand FortiGuard Web Filtering, and select block for Potentially Security Violating Category, and Spam URL Classification.

5. Enable FortiGuard Quotas to allow 1 hour for all allowed Categories and Classifications.

 

Creating virtual domains

The FortiGate unit supports 10 virtual domains. Root is the default VDOM; it cannot be deleted or renamed, and it is not used in this example. New VDOMs are created for Company A and Company B.

 

To create the virtual domains – web-based manager:

1. With VDOMs enabled, select Global > System > VDOM.

2. Select Create New.

3. Enter Company_A for Name, and select OK.

4. Select Create New.

5. Enter Company_B for Name, and select OK.

 

To create the virtual domains – CLI:

config system vdom
    edit Company_A
    next
    edit Company_B
end

 

Configuring the Company_A VDOM

This section describes how to add VLAN subinterfaces and configure security policies for the Company_A VDOM. This section includes the following topics:

  • Adding VLAN subinterfaces
  • Creating the Lunch schedule
  • Configuring Company_A firewall addresses
  • Creating Company_A security policies

 

Adding VLAN subinterfaces

You need to create a VLAN subinterface on the port2 interface and another one on the port1 interface, both with the same VLAN ID.

 

To add VLAN subinterfaces – web-based manager:

1. Go to Global > Network > Interfaces.

2. Select Create New.

3. Enter the following information and select OK:

Name                                           VLAN_100_int

Interface                                     port2

VLAN ID                                      100

Virtual Domain                          Company_A

4. Select Create New.

5. Enter the following information and select OK:

Name                                           VLAN_100_ext

Interface                                     port1

VLAN ID                                      100

Virtual Domain                          Company_A

 

To add the VLAN subinterfaces – CLI:

config system interface
    edit VLAN_100_int
        set interface port2
        set vlanid 100
        set vdom Company_A
    next
    edit VLAN_100_ext
        set interface port1
        set vlanid 100
        set vdom Company_A
end

 

Creating the Lunch schedule

Both organizations have the same lunch schedule, but only Company A has relaxed its security policy to allow employees more freedom in accessing the Internet during lunch. The Lunch schedule runs Monday to Friday from 11:45 to 14:00 (2:00pm).

 

To create a recurring schedule for lunchtime – web-based manager:

1. In Company_A VDOM, go to Policy & Objects > Schedules.

2. Select Create New.

3. Enter Lunch as the name for the schedule.

4. Select Mon, Tues, Wed, Thu, and Fri.

5. Set the Start time as 11:45 and set the Stop time as 14:00.

6. Select OK.

 

To create a recurring schedule for lunchtime – CLI:

config vdom
    edit Company_A
        config firewall schedule recurring
            edit Lunch
                set day monday tuesday wednesday thursday friday
                set start 11:45
                set end 14:00
            end
    end

 

Configuring Company_A firewall addresses

For Company A, its networks are all on the 10.11.0.0 network, so restricting addresses to that domain provides added security.

 

To configure Company_A firewall addresses – web-based manager:

1. In the Company_A VDOM, go to Policy & Objects > Addresses.

2. Select Create New.

3. Enter CompanyA in the Address Name field.

4. Type 10.11.0.0/255.255.0.0 in the Subnet / IP Range field.

5. Select OK.

 

To configure Company_A firewall addresses – CLI:

config vdom
    edit Company_A
        config firewall address
            edit CompanyA
                set type ipmask
                set subnet 10.11.0.0 255.255.0.0
            end
    end

 

Creating Company_A security policies

A security policy can include varying levels of security feature protection. This example deals only with web filtering. The following security policies use the custom strict and relaxed web filter profiles configured earlier.

For these security policies, we assume that all protocols will be on their standard ports, such as port 80 for http traffic. If the ports are changed, such as using port 8080 for http traffic, you will have to create custom services for protocols with non-standard ports, and assign them different names.

 

The security policies configured in this section are:

  • internal to external — schedule always, allow all, security features – web filtering: strict
  • internal to external — schedule Lunch, allow all, security features – web filtering: relaxed

Security policies allow packets to travel from the internal VLAN_100 interface to the external interface, subject to the restrictions of the protection profile. Entering the policies in this order means the last one configured is at the top of the policy list and is checked first. This matters because policies are evaluated top to bottom: if one does not apply, the next is checked, until the end of the list.

 

To configure Company_A security policies – web-based manager:

1. Go to Policy & Objects > IPv4 Policy.

2. Select Create New.

3. Enter the following information and select OK:

Name                                             CompanyA-lunch

Incoming Interface                         VLAN_100_int

Outgoing Interface                         VLAN_100_ext

Source Address                              CompanyA

Destination Address                      all

Schedule                                          Lunch

Service                                             all

Action                                               ACCEPT

Security Features                            enable

Web Filtering               relaxed

This policy provides relaxed protection during lunch hours — going from strict down to scan for protocol options and web filtering. AntiVirus and Email Filtering remain at strict for security — relaxing them would not provide employees additional access to the Internet and it would make the company vulnerable.

4. Select Create New.

5. Enter the following information and select OK:

Name                                         CompanyA-strict

Incoming Interface                     VLAN_100_int

Outgoing Interface                     VLAN_100_ext

Source Address                          CompanyA

Destination Address                  all

Schedule                                     always

Service                                         all

Action                                          ACCEPT

Security Features                       enable

Web Filtering          strict

This policy enforces strict scanning at all times, while allowing all traffic. It ensures company policies are met for network security.

6. Verify that the policy list is arranged By Sequence and that the CompanyA-lunch policy is located above the CompanyA-strict policy. If necessary, rearrange the policies so that the appropriate policy is applied to outgoing traffic.

 

To configure Company_A security policies – CLI:

config vdom
    edit Company_A
        config firewall policy
            edit 1
                set name "CompanyA-lunch"
                set srcintf VLAN_100_int
                set dstintf VLAN_100_ext
                set srcaddr CompanyA
                set dstaddr all
                set action accept
                set schedule Lunch
                set utm-status enable
                set webfilter-profile relaxed
            next
            edit 2
                set name "CompanyA-strict"
                set srcintf VLAN_100_int
                set dstintf VLAN_100_ext
                set srcaddr CompanyA
                set dstaddr all
                set action accept
                set schedule always
                set utm-status enable
                set webfilter-profile strict
            end
    end

 

Configuring the Company_B VDOM

This section describes how to add VLAN subinterfaces and configure security policies for the Company_B VDOM. This section includes the following topics:

  • Adding VLAN subinterfaces
  • Creating Company_B service groups
  • Configuring Company_B firewall addresses
  • Configuring Company_B security policies

 

Adding VLAN subinterfaces

You need to create a VLAN subinterface on the internal interface and another one on the external interface, both with the same VLAN ID.

 

To add VLAN subinterfaces – web-based manager:

1. Go to Network > Interfaces.

2. Select Create New.

3. Enter the following information and select OK:

Name                                           VLAN_200_int

Interface                                     port2

VLAN ID                                      200

Virtual Domain                          Company_B

4. Select Create New.

5. Enter the following information and select OK:

Name                                           VLAN_200_ext

Interface                                     port1

VLAN ID                                      200

Virtual Domain                          Company_B

 

To add the VLAN subinterfaces – CLI:

config system interface
    edit VLAN_200_int
        set interface port2
        set vlanid 200
        set vdom Company_B
    next
    edit VLAN_200_ext
        set interface port1
        set vlanid 200
        set vdom Company_B
end

 

Creating Company_B service groups

Company_B does not want its employees to use any online chat software except NetMeeting, which the company uses for net conferencing. To simplify the creation of a security policy for this purpose, you create a service group that contains all of the services you want to restrict. A security policy can manage only one service or one group.

 

To create a chat service group – web-based manager:

1. Go to Policy & Objects > Services and select Create New > Service Group.

2. Enter Chat in the Group Name field.

3. For each of IRC, AOL, SIP-MSNmessenger and TALK, select the service in the Available Services list and select the right arrow to add it to the Members list.

If a particular service does not appear in the Available Services list, see the list in Policy & Objects > Services. Some services do not appear by default unless edited.

4. Select OK.

 

To create a chat service group – CLI:

config vdom
    edit Company_B
        config firewall service group
            edit Chat
                set member IRC SIP-MSNmessenger AOL TALK
            end
    end

 

Configuring Company_B firewall addresses

Company B’s network is all in the 10.12.0.0 network. Security can be improved by only allowing traffic from IP addresses on that network.

To configure Company_B firewall address – web-based manager:

1. In the Company_B VDOM, go to Policy & Objects > Addresses.

2. Select Create New.

3. Enter new in the Address Name field.

4. Type 10.12.0.0/255.255.0.0 in the Subnet / IP Range field.

5. Select OK.

 

To configure Company_B firewall addresses – CLI:

config vdom
    edit Company_B
        config firewall address
            edit all
                set type ipmask
                set subnet 10.12.0.0 255.255.0.0
            end
    end

 

Configuring Company_B security policies

Security policies allow packets to travel between the internal and external VLAN_200 interfaces subject to the restrictions of the protection profile.

 

To configure Company_B security policies – web-based manager:

1. Go to Policy & Objects > IPv4 Policy.

2. Select Create New.

3. Enter the following information and select OK:

Name                                        CompanyB-deny-games-chat

Incoming Interface                   VLAN_200_int

Outgoing Interface                   VLAN_200_ext

Source Address                        all

Destination Address                 all

Schedule                                    BusinessDay

Service                                       games-chat

Action                                         DENY

 

This policy prevents the use of network games or chat programs (except NetMeeting) during business hours.

4. Enter the following information and select OK:

Name                                       CompanyB-lunch

Incoming Interface                   VLAN_200_int

Outgoing Interface                   VLAN_200_ext

Source Address                        all

Destination Address                all

Schedule                                    Lunch

Service                                       HTTP, DNS

Action                                        ACCEPT

Security Features                     enable

Web Filter              relaxed

This policy relaxes the web category filtering during lunch hour.

5. Select Create New.

6. Enter the following information and select OK:

Name                                       CompanyB-strict

Incoming Interface                VLAN_200_int

Outgoing Interface                VLAN_200_ext

Source Address                     all

Destination Address             all

Schedule                                 BusinessDay

Service                                    HTTP, DNS

Action                                     ACCEPT

Security Profiles                      enabled

Web Filter          strict

 

This policy provides rather strict web category filtering during business hours.

7. Select Create New.

8. Enter the following information and select OK:

Name                                      CompanyB-after-hours

Incoming Interface                  VLAN_200_int

Outgoing Interface                  VLAN_200_ext

Source Address                       all

Destination Address               all

Schedule                                   always

Service                                      ANY

Action                                       ACCEPT

Security Profiles                      enabled

Web Filter          relaxed

 

Because it is last in the list, this policy applies to the times and services not covered by the preceding policies. This means that outside of regular business hours, the relaxed protection profile applies to email and web browsing, and online chat and games are permitted. Company B needs this policy because its employees sometimes work overtime. Company A, the other company in this example, keeps fixed hours and does not want any after-hours Internet access.
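The two policy lists above (Company_A in "Creating Company_A security policies" and Company_B here) only behave as described because of their order: the first policy whose source address, service and schedule all match wins, and nothing below it is consulted. The following is an added example, not code from the handbook or from the site's author, that models that first-match evaluation for both VDOMs. It assumes a BusinessDay window of 08:00 to 17:00 on weekdays (the page references that schedule but never defines it), treats address objects as VDOM-scoped the way the page's CLI does (Company_B redefines "all" as 10.12.0.0/16), and uses the page's Chat service group; the dates in the usage call are constructed.

```python
"""Added example: first-match evaluation of the Company_A and Company_B policy lists."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

# Recurring schedules: weekdays (Mon=0 .. Fri=4) plus a start/stop window.
# "Lunch" is the page's schedule. "BusinessDay" is referenced on the page but
# never defined there, so its 08:00-17:00 window is an assumption of this example.
SCHEDULES = {
    "always": None,
    "Lunch": ({0, 1, 2, 3, 4}, time(11, 45), time(14, 0)),
    "BusinessDay": ({0, 1, 2, 3, 4}, time(8, 0), time(17, 0)),  # assumed window
}

# Address objects are per VDOM. Company_B's CLI on the page redefines "all" as
# its own /16, so in that VDOM only 10.12.0.0/16 sources match any policy.
ADDRESSES = {
    "Company_A": {"all": ip_network("0.0.0.0/0"), "CompanyA": ip_network("10.11.0.0/16")},
    "Company_B": {"all": ip_network("10.12.0.0/16")},
}

# Service group from the Company_B section; single services match by name.
SERVICE_GROUPS = {"Chat": {"IRC", "AOL", "SIP-MSNmessenger", "TALK"}}


@dataclass
class Policy:
    name: str
    srcaddr: str
    services: tuple
    action: str
    schedule: str = "always"
    webfilter: Optional[str] = None


def schedule_active(name: str, when: datetime) -> bool:
    spec = SCHEDULES[name]
    if spec is None:  # "always"
        return True
    days, start, stop = spec
    return when.weekday() in days and start <= when.time() < stop


def service_matches(policy_services: tuple, service: str) -> bool:
    for s in policy_services:
        if s == "ANY" or s == service or service in SERVICE_GROUPS.get(s, ()):
            return True
    return False


def evaluate(vdom: str, policies: list, src_ip: str, service: str, when: datetime):
    """Walk the list top to bottom and return the first policy whose source
    address, service and schedule all match. None means nothing matched,
    which FortiOS resolves with its implicit deny."""
    ip = ip_address(src_ip)
    for p in policies:
        if ip not in ADDRESSES[vdom][p.srcaddr]:
            continue
        if not service_matches(p.services, service):
            continue
        if not schedule_active(p.schedule, when):
            continue
        return p
    return None


def decision(vdom: str, policies: list, src_ip: str, service: str, when):
    """(policy name, action, web filter profile) for one flow; `when` may be a
    datetime or an ISO 8601 string such as "2024-01-16T12:30"."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    p = evaluate(vdom, policies, src_ip, service, when)
    if p is None:
        return ("implicit-deny", "deny", None)
    return (p.name, p.action, p.webfilter if p.action == "accept" else None)


# Policy lists in the order the page says they must appear.
COMPANY_A = [
    Policy("CompanyA-lunch", "CompanyA", ("ANY",), "accept", "Lunch", "relaxed"),
    Policy("CompanyA-strict", "CompanyA", ("ANY",), "accept", "always", "strict"),
]
COMPANY_B = [
    Policy("CompanyB-deny-games-chat", "all", ("Chat",), "deny", "BusinessDay"),
    Policy("CompanyB-lunch", "all", ("HTTP", "DNS"), "accept", "Lunch", "relaxed"),
    Policy("CompanyB-strict", "all", ("HTTP", "DNS"), "accept", "BusinessDay", "strict"),
    Policy("CompanyB-after-hours", "all", ("ANY",), "accept", "always", "relaxed"),
]

if __name__ == "__main__":
    tue_lunch = "2024-01-16T12:30"  # constructed: a Tuesday during Lunch
    print(decision("Company_A", COMPANY_A, "10.11.5.5", "HTTP", tue_lunch))
    # Same flow with the list reversed: "strict" matches first, "Lunch" is never reached.
    print(decision("Company_A", COMPANY_A[::-1], "10.11.5.5", "HTTP", tue_lunch))
    print(decision("Company_B", COMPANY_B, "10.12.1.1", "IRC", "2024-01-16T10:00"))
```

Reversing COMPANY_A is the case the "Verify that the policy list is arranged By Sequence" step guards against: with CompanyA-strict on top, the always schedule matches every flow and the lunch policy is dead. The model also shows why the per-VDOM address table matters: a 10.11.x.x host arriving in the Company_B VDOM matches no policy at all and falls through to the implicit deny.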

 

To configure Company_B security policies – CLI:

config vdom
    edit Company_B
        config firewall policy
            edit 1
                set name "CompanyB-deny-games-chat"
                set srcintf VLAN_200_int
                set dstintf VLAN_200_ext
                set srcaddr all
                set dstaddr all
                set schedule BusinessDay
                set service Chat
                set action deny
            next
            edit 2
                set name "CompanyB-lunch"
                set srcintf VLAN_200_int
                set dstintf VLAN_200_ext
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule Lunch
                set service HTTP DNS
                set utm-status enable
                set webfilter-profile relaxed
            next
            edit 3
                set name "CompanyB-strict"
                set srcintf VLAN_200_int
                set dstintf VLAN_200_ext
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule BusinessDay
                set service HTTP DNS
                set utm-status enable
                set webfilter-profile strict
            next
            edit 4
                set name "CompanyB-after-hours"
                set srcintf VLAN_200_int
                set dstintf VLAN_200_ext
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ANY
                set utm-status enable
                set webfilter-profile relaxed
            end
    end
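The CLI sections above reference objects by name, and those objects (addresses, schedules, service groups, web filter profiles) live inside one VDOM: the Lunch schedule created in Company_A does not exist in Company_B unless it is created there too, which is the point "Configuring common items" makes. The following is an added example, not code from the handbook or the site's author, that parses FortiOS-style CLI text and reports every policy reference that resolves to nothing in its own VDOM. It assumes the CLI nesting conventions shown on this page (config / edit / next / end), that an interface belongs to the VDOM named in its `set vdom` line, and a non-exhaustive set of predefined service names; the configuration excerpt it runs on is constructed.

```python
"""Added example: cross-reference check over FortiOS policy CLI."""
import shlex
from collections import defaultdict

# Objects present in every VDOM by default. The service list is an assumption
# limited to the predefined names this page uses.
BUILTIN = {
    "address": {"all"},
    "schedule": {"always"},
    "service": {"ALL", "ANY", "HTTP", "HTTPS", "DNS", "IRC", "AOL", "TALK", "SIP-MSNmessenger"},
    "interface": set(),
    "webfilter": set(),
}
# Policy attribute -> class of object it points at.
REFS = {"srcintf": "interface", "dstintf": "interface", "srcaddr": "address",
        "dstaddr": "address", "schedule": "schedule", "service": "service",
        "webfilter-profile": "webfilter"}
# config path -> class of object its "edit" entries define.
DEFINES = {("firewall", "address"): "address",
           ("firewall", "schedule", "recurring"): "schedule",
           ("firewall", "service", "group"): "service",
           ("webfilter", "profile"): "webfilter"}


def parse(cli_text):
    """Return (defined, referenced): defined[vdom][class] is a set of names,
    referenced is a list of (vdom, policy_id, class, name) tuples."""
    defined = defaultdict(lambda: defaultdict(set))
    referenced = []
    stack = []  # frames: ("config", path_tuple) or ("edit", entry_name)
    vdom = "global"
    for raw in cli_text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        cmd = words[0]
        if cmd == "config":
            stack.append(("config", tuple(words[1:])))
        elif cmd == "edit":
            path = stack[-1][1] if stack else ()
            stack.append(("edit", words[1]))
            if path == ("vdom",):
                vdom = words[1]  # everything until the matching end is VDOM-scoped
            elif path in DEFINES:
                defined[vdom][DEFINES[path]].add(words[1])
        elif cmd in ("next", "end"):
            if stack and stack[-1][0] == "edit":
                stack.pop()  # "end" inside an entry closes the entry as well
            if cmd == "end" and stack and stack.pop()[1] == ("vdom",):
                vdom = "global"
        elif cmd == "set" and len(words) > 2 and len(stack) >= 2 and stack[-1][0] == "edit":
            path, entry = stack[-2][1], stack[-1][1]
            if path == ("system", "interface") and words[1] == "vdom":
                defined[words[2]]["interface"].add(entry)  # interface bound to a VDOM
            elif path == ("firewall", "policy") and words[1] in REFS:
                for target in words[2:]:
                    referenced.append((vdom, entry, REFS[words[1]], target))
    return defined, referenced


def dangling(cli_text):
    """Sorted policy references that are neither built-in nor defined in their VDOM."""
    defined, referenced = parse(cli_text)
    return sorted({r for r in referenced
                   if r[3] not in BUILTIN[r[2]] and r[3] not in defined[r[0]][r[2]]})


# Constructed excerpt: Company_A defines what its policy uses; Company_B's policy
# points at Lunch, relaxed and VLAN_200_ext, none of which exist in Company_B.
SAMPLE = """\
config system interface
    edit VLAN_100_int
        set vdom Company_A
    next
    edit VLAN_200_int
        set vdom Company_B
end
config vdom
    edit Company_A
        config firewall schedule recurring
            edit Lunch
            end
        config webfilter profile
            edit relaxed
            end
        config firewall policy
            edit 1
                set srcintf VLAN_100_int
                set srcaddr all
                set schedule Lunch
                set service ANY
                set webfilter-profile relaxed
            end
    end
config vdom
    edit Company_B
        config firewall policy
            edit 2
                set srcintf VLAN_200_int
                set dstintf VLAN_200_ext
                set schedule Lunch
                set service HTTP DNS
                set webfilter-profile relaxed
            end
    end
"""

if __name__ == "__main__":
    for vdom, policy, cls, name in dangling(SAMPLE):
        print(f"{vdom}: policy {policy} references undefined {cls} '{name}'")
```

Run against a full export of the two VDOMs, the check flags exactly the objects that "Configuring common items" says must be repeated per VDOM, plus any schedule such as BusinessDay that a policy names but no procedure creates.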

 

Configuring the VLAN switch and router

The Cisco switch is the first VLAN device that internal traffic passes through, and the Cisco router is the last device before the Internet or ISP.

This section includes the following topics:

  • Configuring the Cisco switch
  • Configuring the Cisco router

 

Configuring the Cisco switch

On the Cisco Catalyst 2900 ethernet switch, you need to define the VLANs 100, 200 and 300 in the VLAN database, and then add configuration to define the VLAN subinterfaces and the 802.1Q trunk interface. Add this configuration to the Cisco VLAN switch:

!
interface FastEthernet0/1
 switchport access vlan 100
!
interface FastEthernet0/5
 switchport access vlan 300
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
!

Switch 1 has the following configuration:

Port 0/1                                       VLAN ID 100

Port 0/3                                       VLAN ID 200

Port 0/6                                       802.1Q trunk

 

Configuring the Cisco router

The configuration for the Cisco router in this example is the same as in the basic example, except we add VLAN_300. Each of the three companies has its own subnet assigned to it.

The IP addresses assigned to each VLAN on the router are the gateway addresses for the VLANs. For example, devices on VLAN_100 would have their gateway set to 10.11.0.1/255.255.0.0.

 

!
interface FastEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/0.1
 encapsulation dot1Q 100
 ip address 10.11.0.1 255.255.0.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 200
 ip address 10.12.0.1 255.255.0.0
!

The router has the following configuration:

Port 0/0.1                                    VLAN ID 100

Port 0/0.3                                    VLAN ID 200

Port 0/0                                       802.1Q trunk

 

Testing the configuration

Use diagnostic commands, such as tracert, to test traffic routed through the network.

You should test traffic between the internal VLANs as well as from the internal VLANs to the Internet to ensure connectivity.

For additional troubleshooting, see Troubleshooting Virtual Domains. This section includes the following topics:

  • Testing traffic from VLAN_100 to the Internet
  • Testing traffic from VLAN_100 to VLAN_200

 

Testing traffic from VLAN_100 to the Internet

In this example, a route is traced from VLANs to a host on the Internet. The route target is www.example.com. From a host on VLAN_100, access a command prompt and enter this command:

C:\>tracert www.example.com

Tracing route to www.example.com [208.77.188.166]
over a maximum of 30 hops:

  1    <10 ms   <10 ms   <10 ms  10.100.0.1
 14    172 ms   141 ms   140 ms  208.77.188.166

Trace complete.

The number of steps between the first and the last hop, as well as their IP addresses, will vary depending on your location and ISP. However, all successful tracerts to www.example.com will start and end with these lines.

Repeat the tracert for VLAN_200.

The tracert for each VLAN will include the gateway for that VLAN as the first step. Otherwise, the tracert should be the same for each VLAN.

 

Testing traffic from VLAN_100 to VLAN_200

In this example, a route is traced between two internal networks. The route target is a host on VLAN_200. The Windows traceroute command tracert is used.

From VLAN_100, access a Windows command prompt and enter this command:

C:\>tracert 10.12.0.2

Tracing route to 10.12.0.2 over a maximum of 30 hops:

  1    <10 ms   <10 ms   <10 ms  10.100.0.1
  2    <10 ms   <10 ms   <10 ms  10.12.0.2

Trace complete.

You can repeat this for different routes in the topology. In each case the IP addresses will be the gateway for the starting VLAN, and the end point at the ending VLAN.

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
