Category Archives: FortiGate

HA virtual clusters and VDOM links

FortiGate HA is implemented by configuring two or more FortiGate units to operate as an HA cluster. To the network, the HA cluster appears to function as a single FortiGate unit, processing network traffic and providing normal security services such as firewall, VPN, IPS, virus scanning, web filtering, and spam filtering.

Virtual clustering extends HA features to provide failover protection and load balancing for a FortiGate unit operating with virtual domains. A virtual cluster consists of a cluster of two FortiGate units operating with virtual domains. Traffic on different virtual domains can be load balanced between the cluster units.

With virtual clusters (vclusters) configured, an inter-VDOM link must lie entirely within one vcluster. You cannot create links between vclusters, and you cannot move a VDOM that has a link into another virtual cluster. If your FortiGate units are operating in HA mode with multiple vclusters when you create the vdom-link, the CLI command config system vdom-link includes an option to set which vcluster the link will be in.

 

What is virtual clustering?

Virtual clustering is an extension of the FGCP for FortiGate units operating with multiple VDOMs enabled. Virtual clustering operates in active-passive mode to provide failover protection between two instances of a VDOM operating on two different cluster units. You can also operate virtual clustering in active-active mode to use HA load balancing to distribute sessions between cluster units. Alternatively, by distributing VDOM processing between the two cluster units (VDOM partitioning), you can configure virtual clustering to provide load balancing by sending the sessions of different VDOMs to different cluster units.

 

Virtual clustering and failover protection

Virtual clustering operates on a cluster of two (and only two) FortiGate units with VDOMs enabled. Each VDOM creates a cluster between instances of the VDOMs on the two FortiGate units in the virtual cluster. All traffic to and from the VDOM stays within the VDOM and is processed by the VDOM. One cluster unit is the primary unit for each VDOM and one cluster unit is the subordinate unit for each VDOM. The primary unit processes all traffic for the VDOM. The subordinate unit does not process traffic for the VDOM. If a cluster unit fails, all traffic fails over to the cluster unit that is still operating.

 

Virtual clustering and heartbeat interfaces

The HA heartbeat provides the same HA services in a virtual clustering configuration as in a standard HA configuration. One set of HA heartbeat interfaces provides HA heartbeat services for all of the VDOMs in the cluster. You do not have to add a heartbeat interface for each VDOM.

 

Virtual clustering and HA override

For a virtual cluster configuration, override is enabled by default for both virtual clusters when you:

  • Enable VDOM partitioning from the web-based manager by moving virtual domains to virtual cluster 2
  • Enter set vcluster2 enable from the CLI config system ha command to enable virtual cluster 2.

Usually you would enable virtual cluster 2 and expect one cluster unit to be the primary unit for virtual cluster 1 and the other cluster unit to be the primary unit for virtual cluster 2. For this distribution to occur override must be enabled for both virtual clusters. Otherwise you will need to restart the cluster to force it to renegotiate.

 

Virtual clustering and load balancing or VDOM partitioning

There are two ways to configure load balancing for virtual clustering. The first is to set the HA mode to active-active. The second is to configure VDOM partitioning. For virtual clustering, setting the HA Mode to active-active has the same result as active-active HA for a cluster without virtual domains. The primary unit receives all sessions and load balances them among the cluster units according to the load balancing schedule. All cluster units process traffic for all virtual domains.

Note: If override is enabled the cluster may renegotiate too often. You can choose to disable override at any time. If you decide to disable override, for best results, you should disable it for both cluster units.

In a VDOM partitioning virtual clustering configuration, the HA mode is set to active-passive. Even though virtual clustering operates in active-passive mode you can configure a form of load balancing by using VDOM partitioning to distribute traffic between both cluster units. To configure VDOM partitioning you set one cluster unit as the primary unit for some virtual domains and you set the other cluster unit as the primary unit for other virtual domains. All traffic for a virtual domain is processed by the primary unit for that virtual domain. You can control the distribution of traffic between the cluster units by adjusting which cluster unit is the primary unit for each virtual domain.

For example, you could have 4 VDOMs, two of which have a high traffic volume and two of which have a low traffic volume. You can configure each cluster unit to be the primary unit for one of the high volume VDOMs and one of the low volume VDOMs. As a result each cluster unit will be processing traffic for a high volume VDOM and a low volume VDOM, resulting in an even distribution of traffic between the cluster units. You can adjust the distribution at any time. For example, if a low volume VDOM becomes a high volume VDOM you can move it from one cluster unit to another until the best balance is achieved. From the web-based manager you configure VDOM partitioning by setting the HA mode to active-passive and distributing virtual domains between Virtual Cluster 1 and Virtual Cluster 2. You can also configure different device priorities, port monitoring, and remote link failover, for Virtual Cluster 1 and Virtual Cluster 2.

From the CLI you configure VDOM partitioning by setting the HA mode to a-p. Then you configure device priority, port monitoring, and remote link failover and specify the VDOMs to include in virtual cluster 1. You do the same for virtual cluster 2 by entering the config secondary-vcluster command.

Failover protection does not change. If one cluster unit fails, all sessions are processed by the remaining cluster unit. No traffic interruption occurs for the virtual domains for which the still functioning cluster unit was the primary unit. Traffic may be interrupted temporarily for virtual domains for which the failed unit was the primary unit while processing fails over to the still functioning cluster unit. If the failed cluster unit restarts and rejoins the virtual cluster, VDOM partitioning load balancing is restored.
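The VDOM partitioning and failover behaviour described above, as an added example that is not part of the original documentation: a small Python model that splits VDOMs between the two virtual clusters by estimated traffic volume and then shows which cluster unit processes each VDOM, both in normal operation and after one unit fails. The traffic volumes, unit names and the greedy balancing rule are my own assumptions, not Fortinet's algorithm.

```python
"""Added example, not from the FortiGate documentation: a model of VDOM
partitioning in an active-passive virtual cluster.

Assumptions (mine, not the page's): each VDOM has an estimated traffic
volume; VDOMs placed in virtual cluster 1 are processed by the unit that is
primary for vcluster 1 and those in vcluster 2 by the unit that is primary
for vcluster 2; when a unit fails, every VDOM it served fails over to the
surviving unit.
"""
from typing import Dict, FrozenSet, Tuple


def partition_vdoms(volumes: Dict[str, int]) -> Dict[str, int]:
    """Split VDOMs between vcluster 1 and vcluster 2 by traffic volume.

    Greedy balancing: place the busiest VDOM first, then put each next VDOM
    into whichever vcluster currently carries less traffic (ties go to
    vcluster 1). With two high-volume and two low-volume VDOMs this gives
    the "one high plus one low per unit" distribution the text describes.
    """
    load = {1: 0, 2: 0}
    assignment: Dict[str, int] = {}
    for vdom, volume in sorted(volumes.items(), key=lambda kv: (-kv[1], kv[0])):
        target = 1 if load[1] <= load[2] else 2
        assignment[vdom] = target
        load[target] += volume
    return assignment


def vcluster_load(volumes: Dict[str, int], assignment: Dict[str, int]) -> Tuple[int, int]:
    """Total traffic volume carried by vcluster 1 and by vcluster 2."""
    totals = {1: 0, 2: 0}
    for vdom, volume in volumes.items():
        totals[assignment[vdom]] += volume
    return totals[1], totals[2]


def processing_unit(assignment: Dict[str, int],
                    primary: Dict[int, str],
                    failed: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Return, per VDOM, the cluster unit that processes its traffic.

    primary maps vcluster number -> name of the unit that is primary for it
    (this split only happens when override is enabled on both vclusters).
    failed is the set of units that are down; a two-unit virtual cluster
    fails every VDOM over to the unit that is still operating.
    """
    alive = set(primary.values()) - set(failed)
    if not alive:
        raise RuntimeError("no cluster unit is operating")
    result: Dict[str, str] = {}
    for vdom, vcluster in assignment.items():
        unit = primary[vcluster]
        if unit in failed:
            unit = next(iter(alive))  # two-unit cluster: the other unit
        result[vdom] = unit
    return result


# Constructed sample: two high-volume and two low-volume VDOMs (made-up Mbit/s).
SAMPLE_VOLUMES = {"customer1": 800, "customer2": 700, "customer3": 100, "customer4": 50}
SAMPLE_PRIMARY = {1: "FGT-A", 2: "FGT-B"}  # hypothetical unit names

if __name__ == "__main__":
    plan = partition_vdoms(SAMPLE_VOLUMES)
    print("vcluster assignment:", plan)
    print("load per vcluster:", vcluster_load(SAMPLE_VOLUMES, plan))
    print("normal operation:", processing_unit(plan, SAMPLE_PRIMARY))
    print("after FGT-B fails:", processing_unit(plan, SAMPLE_PRIMARY, frozenset({"FGT-B"})))
```

Running the script shows customer1 and customer4 on vcluster 1 (850 units of load) and customer2 and customer3 on vcluster 2 (800), and after FGT-B fails every VDOM is processed by FGT-A until FGT-B rejoins and the partitioning is restored.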


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Dynamic routing over inter-VDOM links

BGP is supported over inter-VDOM links. Unless otherwise indicated, routing works as expected over inter-VDOM links.

If an inter-VDOM link has no IP addresses assigned to it, it may be difficult to use that interface in dynamic routing configurations. For example, BGP requires an IP address to define any BGP router added to the network.

In OSPF, you can configure a router using a router ID rather than its IP address. In fact, having no IP address avoids possible confusion about which value is the router ID and which is the IP address. However, for that router to become adjacent with another OSPF router it must share the same subnet, which is not possible without an IP address. For this reason, while you can configure an OSPF router on an IP-less inter-VDOM link, it will likely be of limited value to you.

In RIP the metric used is hop count. If the inter-VDOM link can reach other nodes on the network, such as through a default route, then it may be possible to configure a RIP router on an inter-VDOM link. However, once again it may be of limited value because of these limitations.

As stated earlier, BGP requires an IP address to define a router — an IP-less inter-VDOM link will not work with BGP.

In Multicast, you can configure an interface without using an IP address. However that interface will be unable to become an RP candidate. This limits the roles available to such an interface.



Configuring VDOM links

Once VDOMs are configured on your FortiGate unit, configuring inter-VDOM routing and VDOM-links is very much like creating a VLAN interface. VDOM-links are managed through the web-based manager or CLI. In the web-based manager, VDOM link interfaces are managed in the network interface list.

This section includes the following topics:

  • Creating VDOM links
  • IP addresses and inter-VDOM links
  • Deleting VDOM links
  • NAT to Transparent VDOM links

 

Creating VDOM links

VDOM links connect VDOMs together to allow traffic to pass between VDOMs as permitted by firewall policies. Inter-VDOM links are virtual interfaces that are very similar to VPN tunnel interfaces, except that inter-VDOM links do not require IP addresses.

To create a VDOM link, you first create the point-to-point interface, and then bind the two interface objects associated with it to the virtual domains.

In creating the point-to-point interface, you also create two additional interface objects by default. They are called vlink10 and vlink11: the interface name you chose with a 0 or a 1 appended to designate the two ends of the link.

Once the interface objects are bound, they are treated like normal FortiGate interfaces and need to be configured just like regular interfaces.

The assumptions for this example are as follows:

  • Your FortiGate unit has VDOMs enabled and you have 2 VDOMs called customer1 and customer2 already configured. For more information on configuring VDOMs see Configuring Virtual Domains.
  • You are using a super_admin account.

 

To configure an inter-VDOM link – web-based manager:

1. Go to Global > Network > Interfaces.

2. Select Create New > VDOM link, enter the following information, and select OK.

 

Name                      vlink1

(The name can be up to 11 characters long. Valid characters are letters, numbers, “-”, and “_”. No spaces are allowed.)

Interface #0
    Virtual Domain        customer1
    IP/Netmask            10.11.12.13/255.255.255.0
    Administrative Access HTTPS, SSL

Interface #1
    Virtual Domain        customer2
    IP/Netmask            172.120.100.13/255.255.255.0
    Administrative Access HTTPS, SSL

 

To configure an inter-VDOM link – CLI:

config global
    config system vdom-link
        edit vlink1
        next
    end
    config system interface
        edit vlink10
            set vdom customer1
        next
        edit vlink11
            set vdom customer2
        next
    end
end

 

Once you have created and bound the interface ends to VDOMs, configure the appropriate firewall policies and other settings that you require. To confirm the inter-VDOM link was created, find the VDOM link pair and use the expand arrow to view the two VDOM link interfaces. You can select edit to change any information.

 

IP addresses and inter-VDOM links

Besides being virtual interfaces, inter-VDOM links differ from regular interfaces in one main way: by default, inter-VDOM links do not require IP addresses. IP addresses are not required by default because an inter-VDOM link is an internal connection that can be referred to by interface name in firewall policies and other system references. This leads to three possible situations for an inter-VDOM link:

  • unnumbered – an inter-VDOM link with no IP addresses for either end of the tunnel
  • half numbered – an inter-VDOM link with one IP address for one end and none for the other end
  • full numbered – an inter-VDOM link with two IP addresses, one for each end.

Not using an IP address in the configuration can speed up and simplify configuration for you. Also you will not use up all the IP addresses in your subnets if you have many inter-VDOM links.

Half or full numbered links are required if you are doing NAT, either SNAT or DNAT, because you need an IP address on the ends to translate between.

You can use unnumbered interfaces in static routing, by naming the interface and using 0.0.0.0 for the gateway. Running traceroute will not show the interface in the list of hops. However you can see the interface when you are sniffing packets, which is useful for troubleshooting.

 

Deleting VDOM links

When you delete the VDOM link, the two link objects associated with it will also be deleted. You cannot delete the objects by themselves. The example uses a VDOM routing connection called “vlink1”. Removing vlink1 will also remove its two link objects vlink10 and vlink11.

Before deleting the VDOM link, ensure all policies, firewalls, and other configurations that include the VDOM link are deleted, removed, or changed to no longer include the VDOM link.

 

To remove a VDOM link – web-based manager:

1. Go to Global > Network > Interfaces.

2. Select Delete for the VDOM link vlink1.

 

To remove a VDOM link – CLI:

config global
    config system vdom-link
        delete vlink1
    end
end

 

NAT to Transparent VDOM links

Inter-VDOM links can be created between VDOMs in NAT mode and VDOMs in Transparent mode, but this must be done through the CLI, as the VDOM link type must be changed from the default PPP to Ethernet for the two VDOMs to communicate. The example below assumes one VDOM is in NAT mode and the other is in Transparent mode.

An IP address must be assigned to the NAT VDOM’s interface, but no IP address should be assigned to the Transparent VDOM’s interface.

 

To configure a NAT to Transparent VDOM link – CLI:

config global
    config system vdom-link
        edit vlink1
            set type ethernet
        next
    end
    config system interface
        edit vlink10
            set vdom <NAT-mode VDOM name>
            set ip <IP address> <netmask>
        next
        edit vlink11
            set vdom <Transparent-mode VDOM name>
        next
    end
end

 

Ethernet-type is not recommended for standard NAT to NAT inter-VDOM links, as the default PPP-type link does not require the VDOM links to have addresses, while Ethernet-type does. VDOM link addresses are explained in IP addresses and inter-VDOM links.
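The addressing rules stated in "IP addresses and inter-VDOM links" and in the NAT to Transparent section above, collected into a checker, as an added example that is not part of the original documentation and not a Fortinet tool. The link description (two ends, each with its VDOM, that VDOM's operating mode and an optional IP/netmask), the `link_type` and `uses_nat` fields, the optional vcluster map from the HA section, and the sample links are my own assumptions; the name rule (up to 11 characters of letters, digits, "-" and "_") is the one the web-based manager states.

```python
"""Added example, not from the FortiGate documentation: a checker for the
addressing rules this page states for inter-VDOM links.

Assumptions (mine): a link is described by its two ends, each with the VDOM
it is bound to, that VDOM's operating mode ("nat" or "transparent") and an
optional IP/netmask; link_type is "ppp" (the FortiOS default) or "ethernet";
uses_nat records whether policies across the link perform SNAT or DNAT; an
optional vcluster map gives each VDOM's virtual cluster in an HA setup.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Interface
from typing import Dict, List, Optional

# Page rule: name up to 11 characters; letters, digits, "-" and "_" only.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,11}$")


@dataclass(frozen=True)
class LinkEnd:
    name: str                 # e.g. vlink10 / vlink11
    vdom: str
    opmode: str               # "nat" or "transparent"
    ip: Optional[str] = None  # e.g. "10.11.12.13/255.255.255.0"; None if unnumbered


@dataclass(frozen=True)
class VdomLink:
    name: str
    end0: LinkEnd
    end1: LinkEnd
    link_type: str = "ppp"    # FortiOS default; "ethernet" for NAT <-> Transparent
    uses_nat: bool = False    # policies across the link perform SNAT or DNAT


def numbering(link: VdomLink) -> str:
    """Classify the link as unnumbered, half numbered or full numbered."""
    count = sum(1 for end in (link.end0, link.end1) if end.ip)
    return ("unnumbered", "half numbered", "full numbered")[count]


def check_link(link: VdomLink, vcluster: Optional[Dict[str, int]] = None) -> List[str]:
    """Return the rule violations found; an empty list means the link is consistent."""
    problems: List[str] = []
    ends = (link.end0, link.end1)

    if not NAME_RE.match(link.name):
        problems.append(f"{link.name}: name must be 1-11 characters of letters, digits, '-' or '_'")
    for end in ends:
        if end.ip is not None:
            try:
                IPv4Interface(end.ip)  # accepts dotted netmasks such as /255.255.255.0
            except ValueError:
                problems.append(f"{end.name}: malformed IP/netmask {end.ip!r}")

    # SNAT/DNAT across the link needs an address to translate to or from.
    if link.uses_nat and numbering(link) == "unnumbered":
        problems.append(f"{link.name}: NAT across the link needs a half or full numbered link")

    modes = {end.opmode for end in ends}
    if modes == {"nat", "transparent"}:
        # NAT <-> Transparent: ethernet type, IP on the NAT-mode end only.
        if link.link_type != "ethernet":
            problems.append(f"{link.name}: NAT to Transparent link needs 'set type ethernet'")
        for end in ends:
            if end.opmode == "nat" and not end.ip:
                problems.append(f"{end.name}: NAT-mode end must have an IP address")
            if end.opmode == "transparent" and end.ip:
                problems.append(f"{end.name}: Transparent-mode end must not have an IP address")
    elif modes == {"nat"} and link.link_type == "ethernet" and numbering(link) != "full numbered":
        problems.append(f"{link.name}: ethernet-type link needs addresses on both ends; "
                        "use the default ppp type for unnumbered links")

    # HA virtual clustering: both ends must be in the same virtual cluster.
    if vcluster and vcluster.get(link.end0.vdom) != vcluster.get(link.end1.vdom):
        problems.append(f"{link.name}: both ends must be in the same virtual cluster")
    return problems


# Constructed samples: the page's vlink1 example plus two misconfigurations.
VLINK1 = VdomLink("vlink1",
                  LinkEnd("vlink10", "customer1", "nat", "10.11.12.13/255.255.255.0"),
                  LinkEnd("vlink11", "customer2", "nat", "172.120.100.13/255.255.255.0"))
UNNUMBERED_NAT = VdomLink("vlink2",
                          LinkEnd("vlink20", "customer1", "nat"),
                          LinkEnd("vlink21", "customer2", "nat"), uses_nat=True)
BAD_TP_LINK = VdomLink("vlink3",
                       LinkEnd("vlink30", "customer1", "nat", "10.20.30.1/255.255.255.0"),
                       LinkEnd("vlink31", "tp_vdom", "transparent", "10.20.30.2/255.255.255.0"))

if __name__ == "__main__":
    for link in (VLINK1, UNNUMBERED_NAT, BAD_TP_LINK):
        print(link.name, numbering(link), check_link(link) or "OK")
```

The third sample fails two ways at once: it keeps the default PPP type and it puts an address on the Transparent-mode end, which is exactly the combination the CLI procedure above avoids.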



Inter-VDOM configurations

By using fewer physical interfaces to inter-connect VDOMs, inter-VDOM links provide you with more configuration options.

None of these configurations use VLANs to reduce the number of physical interfaces. It is generally assumed that an internal or client network will have its own internal interface and an external interface to connect to its ISP and the Internet.

These inter-VDOM configurations can use any FortiGate model with possible limitations based on the number of physical interfaces. VLANs can be used to work around these limitations.

There are four different types of inter-VDOM configurations:

  • Standalone VDOM
  • Independent VDOMs
  • Management VDOM
  • Meshed VDOM

 

Standalone VDOM

The standalone VDOM configuration uses a single VDOM on your FortiGate unit — the root VDOM that all FortiGate units have by default. This is the VDOM configuration you are likely familiar with. It is the default configuration for FortiGate units before you create additional VDOMs.

The configuration shown above has no VDOM inter-connections and requires no special configurations or settings.

The standalone VDOM configuration can be used for simple network configurations that only have one department or one company administering the connections, firewalls and other VDOM-dependent settings.

However, with this configuration, keeping client networks separate requires many interfaces, considerable firewall design and maintenance, and can quickly become time consuming and complex. Also, configuration errors for one client network can easily affect other client networks, causing unnecessary network downtime.

 

Independent VDOMs

The independent VDOMs configuration uses multiple VDOMs that are completely separate from each other. This is another common VDOM configuration.

This configuration has no communication between VDOMs and apart from initially setting up each VDOM, it requires no special configurations or settings. Any communication between VDOMs is treated as if communication is between separate physical devices.

The independent inter-VDOM configuration can be used where more than one department or one company is sharing the FortiGate unit. Each can administer the connections, firewalls and other VDOM-dependent settings for only its own VDOM. To each company or department, it appears as if it has its own FortiGate unit. This configuration reduces the amount of firewall configuration and maintenance required by dividing up the work.

However, this configuration lacks a management VDOM for VDOMs 1, 2, and 3. This is illustrated in Figure 50. This management VDOM would enable an extra level of control for the FortiGate unit administrator, while still allowing each company or department to administer its own VDOM.

 

Management VDOM

In the management VDOM configuration, the root VDOM is the management VDOM. The other VDOMs are connected to the management VDOM with inter-VDOM links. There are no other inter-VDOM connections.

The inter-VDOM links connect the management VDOM to the other VDOMs. This does not require any physical interfaces, and the bandwidth of inter-VDOM links can be faster than physical interfaces, depending on the CPU workload.

Only the management VDOM is connected to the Internet. The other VDOMs are connected to internal networks. All external traffic is routed through the management VDOM using inter-VDOM links and firewall policies between the management VDOM and each VDOM. This ensures the management VDOM has full control over access to the Internet, including what types of traffic are allowed in both directions. There is no communication directly between the non-root VDOMs. Security is greatly increased with only one point of entry and exit. Only the management VDOM needs to be fully managed to ensure network security in this case. Each client network can manage its own configuration without compromising security or bringing down another client network.

The management VDOM configuration is ideally suited for a service provider business. The service provider administers the management VDOM with the other VDOMs as customers. These customers do not require a dedicated IT person to manage their network. The service provider controls the traffic and can prevent the customers from using banned services and prevent Internet connections from initiating those same banned services. One example of a banned service might be Instant Messaging (IM) at a company concerned about intellectual property. Another example could be to limit bandwidth used by file-sharing applications without banning that application completely. Firewall policies control the traffic between the customer VDOM and the management VDOM and can be customized for each customer.

The management VDOM configuration is limited in that the customer VDOMs have no inter-connections. In many situations this limitation is ideal because it maintains proper security. However, some configurations may require customers to communicate with each other, which would be easier if the customer VDOMs were inter-connected.

 

Meshed VDOM

The meshed VDOMs configuration, including partial and full mesh, has VDOMs inter-connected with other VDOMs. There is no special feature to accomplish this—they are just complex VDOM configurations.

Partial mesh means only some VDOMs are inter-connected. In a full mesh configuration, all VDOMs are inter-connected to all other VDOMs. This can be useful when you want to provide full access between VDOMs but handle traffic differently depending on which VDOM it originates from or is going to.

With full access between all VDOMs being possible, it is extra important to ensure proper security. You can achieve this level of security by establishing extensive firewall policies and ensuring secure account access for all administrators and users.

Meshed VDOM configurations can become complex very quickly, with full mesh VDOMs being the most complex. Ensure this is the proper solution for your situation before using this configuration. Generally, these configurations are seen as theoretical and are rarely deployed in the field.



Example configuration: VDOM in Transparent mode

In this example, the FortiGate unit provides network protection to two organizations — Company A and Company B. Each company has different policies for incoming and outgoing traffic, requiring three different security policies and protection profiles.

 

VDOMs are not required for this configuration, but by using VDOMs the profiles and policies can be more easily managed on a per-VDOM basis, either by one central administrator or by separate administrators for each company. Also, future expansion is simply a matter of adding VDOMs without disrupting the existing ones.

For this example, firewalls are only included to deal with web traffic. This is to provide an example without making configuration unnecessarily complicated.

This example includes the following sections:

  • Network topology and assumptions
  • General configuration steps
  • Configuring common items
  • Creating virtual domains
  • Configuring the Company_A VDOM
  • Configuring the Company_B VDOM
  • Configuring the VLAN switch and router
  • Testing the configuration

 

Network topology and assumptions

Each organization’s internal network consists of a different range of IP addresses:

  • 10.11.0.0/255.255.0.0 for Company A.
  • 10.12.0.0/255.255.0.0 for Company B.

For the procedures in this section, it is assumed that you have enabled VDOM configuration on your FortiGate unit. For more information, see Virtual Domains Overview.

The VDOM names are similar to the company names for easy recognition. The root VDOM cannot be renamed and is not used in this example.

Interfaces used in this example are port1 and port2. Some FortiGate models may not have interfaces with these names. port1 is an external interface. port2 is an internal interface.

 

General configuration steps

The following steps summarize the configuration for this example. For best results, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Configuring common items

2. Creating virtual domains

3. Configuring the Company_A VDOM

4. Configuring the Company_B VDOM

5. Configuring the VLAN switch and router

6. Testing the configuration

 

Configuring common items

Both VDOMs require you to configure security profiles. These are configured the same way, but must be configured in each VDOM.

The relaxed profile allows users to surf websites they are not allowed to visit during normal business hours. Also a quota is in place to restrict users to one hour of access to these websites to ensure employees do not take long and unproductive lunches.

 

To create a strict web filtering profile – web-based manager:

1. Go to the proper VDOM, and select Security Profiles > Web Filter.

2. Select Create New.

3. Enter strict for the Name.

4. Expand FortiGuard Web Filtering, and select block for all Categories except Business Oriented, and Other.

5. Block all Classifications except Cached Content, and Image Search.

6. Ensure FortiGuard Quota for all Categories and Classifications is Disabled.

7. Select OK.

 

To create a strict web filtering profile – CLI:

config vdom
    edit <vdom_name>
        config webfilter profile
            edit strict
                config ftgd-wf
                    set allow g07 g08 g21 g22 c01 c03
                    set deny g01 g02 g03 g04 g05 g06 c02 c04 c05 c06 c07
                end
                set web-ftgd-err-log enable
            next
        end
    next
end

 

To create a relaxed web filtering profile – web-based manager:

1. Go to the proper VDOM, and select Security Profiles > Web Filter.

2. Select Create New.

3. Enter relaxed for the Name.

4. Expand FortiGuard Web Filtering, and select block for Potentially Security Violating Category, and Spam URL Classification.

5. Enable FortiGuard Quotas to allow 1 hour for all allowed Categories and Classifications.

 

Creating virtual domains

The FortiGate unit supports 10 virtual domains. Root is the default VDOM. It cannot be deleted or renamed. The root VDOM is not used in this example. New VDOMs are created for Company A and Company B.

 

To create the virtual domains – web-based manager:

1. With VDOMs enabled, select Global > System > VDOM.

2. Select Create New.

3. Enter Company_A for Name, and select OK.

4. Select Create New.

5. Enter Company_B for Name, and select OK.

 

To create the virtual domains – CLI:

config system vdom
    edit Company_A
    next
    edit Company_B
    next
end

 

Configuring the Company_A VDOM

This section describes how to add VLAN subinterfaces and configure security policies for the Company_A VDOM. This section includes the following topics:

  • Adding VLAN subinterfaces
  • Creating the Lunch schedule
  • Configuring Company_A firewall addresses
  • Creating Company_A security policies

 

Adding VLAN subinterfaces

You need to create a VLAN subinterface on the port2 interface and another one on the port1 interface, both with the same VLAN ID.

 

To add VLAN subinterfaces – web-based manager:

1. Go to Global > Network > Interfaces.

2. Select Create New.

3. Enter the following information and select OK:

Name                                           VLAN_100_int

Interface                                     port2

VLAN ID                                      100

Virtual Domain                          Company_A

4. Select Create New.

5. Enter the following information and select OK:

Name                                           VLAN_100_ext

Interface                                     port1

VLAN ID                                      100

Virtual Domain                          Company_A

 

To add the VLAN subinterfaces – CLI:

config global
    config system interface
        edit VLAN_100_int
            set interface port2
            set vlanid 100
            set vdom Company_A
        next
        edit VLAN_100_ext
            set interface port1
            set vlanid 100
            set vdom Company_A
        next
    end
end

 

Creating the Lunch schedule

Both organizations have the same lunch schedule, but only Company A has relaxed its security policy to allow employees more freedom in accessing the Internet during lunch. Lunch schedule will be Monday to Friday from 11:45am to 2:00pm (14:00).

 

To create a recurring schedule for lunchtime – web-based manager:

1. In Company_A VDOM, go to Policy & Objects > Schedules.

2. Select Create New.

3. Enter Lunch as the name for the schedule.

4. Select Mon, Tues, Wed, Thu, and Fri.

5. Set the Start time as 11:45 and set the Stop time as 14:00.

6. Select OK.

 

To create a recurring schedule for lunchtime – CLI:

config vdom
    edit Company_A
        config firewall schedule recurring
            edit Lunch
                set day monday tuesday wednesday thursday friday
                set start 11:45
                set end 14:00
            next
        end
    next
end

 

Configuring Company_A firewall addresses

For Company A, its networks are all on the 10.11.0.0 network, so restricting addresses to that domain provides added security.

 

To configure Company_A firewall addresses – web-based manager:

1. In the Company_A VDOM, go to Policy & Objects > Addresses.

2. Select Create New.

3. Enter CompanyA in the Address Name field.

4. Type 10.11.0.0/255.255.0.0 in the Subnet / IP Range field.

5. Select OK.

 

To configure Company_A firewall addresses – CLI:

config vdom
    edit Company_A
        config firewall address
            edit CompanyA
                set type ipmask
                set subnet 10.11.0.0 255.255.0.0
            next
        end
    next
end

 

Creating Company_A security policies

A security policy can include varying levels of security feature protection. This example only deals with web filtering. The following security policies use the custom security strict and relaxed profiles configured earlier.

For these security policies, we assume that all protocols will be on their standard ports, such as port 80 for http traffic. If the ports are changed, such as using port 8080 for http traffic, you will have to create custom services for protocols with non-standard ports, and assign them different names.

 

The firewall policies configured in this section are:

  • internal to external — always, allow all, security features – web filtering: strict
  • internal to external — Lunch, allow all, security features – web filtering: relaxed

Security policies allow packets to travel from the internal VLAN_100 interface to the external interface, subject to the restrictions of the protection profile. Entering the policies in this order means the last one configured is at the top of the policy list and is checked first. This matters because policies are evaluated in order: if one does not apply, the next is checked, and so on until the end of the list.

 

To configure Company_A security policies – web-based manager:

1. Go to Policy & Objects > IPv4 Policy.

2. Select Create New.

3. Enter the following information and select OK:

Name                                             CompanyA-lunch

Incoming Interface                         VLAN_100_int

Outgoing Interface                         VLAN_100_ext

Source Address                              CompanyA

Destination Address                      all

Schedule                                          Lunch

Service                                             all

Action                                               ACCEPT

Security Features                            enable

Web Filtering               relaxed

This policy provides relaxed protection during lunch hours — going from strict down to scan for protocol options and web filtering. AntiVirus and Email Filtering remain at strict for security — relaxing them would not provide employees additional access to the Internet and it would make the company vulnerable.

4. Select Create New.

5. Enter the following information and select OK:

Name                                         CompanyA-strict

Incoming Interface                     VLAN_100_int

Outgoing Interface                     VLAN_100_ext

Source Address                          CompanyA

Destination Address                  all

Schedule                                     always

Service                                         all

Action                                          ACCEPT

Security Features                       enable

Web Filtering          strict

This policy enforces strict scanning at all times, while allowing all traffic. It ensures company policies are met for network security.

6. Verify that the policy list is arranged By Sequence and that the CompanyA-lunch policy is located above the CompanyA-strict policy. If necessary, rearrange the policies so that the appropriate policy is applied to outgoing traffic.

 

To configure Company_A security policies – CLI:

config vdom
    edit Company_A
        config firewall policy
            edit 1
                set name "CompanyA-lunch"
                set srcintf VLAN_100_int
                set dstintf VLAN_100_ext
                set srcaddr CompanyA
                set dstaddr all
                set action accept
                set schedule Lunch
                set service ALL
                set utm-status enable
                set webfilter-profile relaxed
            next
            edit 2
                set name "CompanyA-strict"
                set srcintf VLAN_100_int
                set dstintf VLAN_100_ext
                set srcaddr CompanyA
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set utm-status enable
                set webfilter-profile strict
            next
        end
    next
end

 

Configuring the Company_B VDOM

This section describes how to add VLAN subinterfaces and configure security policies for the Company B VDOM. This section includes the following topics:

  • Adding VLAN subinterfaces
  • Creating Company_B service groups
  • Configuring Company_B firewall addresses
  • Configuring Company_B security policies

 

Adding VLAN subinterfaces

You need to create a VLAN subinterface on the internal interface and another one on the external interface, both with the same VLAN ID.

 

To add VLAN subinterfaces – web-based manager:

1. Go to Network > Interfaces.

2. Select Create New.

3. Enter the following information and select OK:

Name                                           VLAN_200_int

Interface                                     port2

VLAN ID                                      200

Virtual Domain                          Company_B

4. Select Create New.

5. Enter the following information and select OK:

Name                                           VLAN_200_ext

Interface                                     port1

VLAN ID                                      200

Virtual Domain                          Company_B

 

To add the VLAN subinterfaces – CLI:

config system interface
    edit VLAN_200_int
        set vdom Company_B
        set interface port2
        set vlanid 200
    next
    edit VLAN_200_ext
        set vdom Company_B
        set interface port1
        set vlanid 200
    next
end

 

Creating Company_B service groups

Company_B does not want its employees to use any online chat software except NetMeeting, which the company uses for net conferencing. To simplify the creation of a security policy for this purpose, you create a service group that contains all of the services you want to restrict. A security policy can manage only one service or one group.

 

To create a chat service group – web-based manager:

1. Go to Policy & Objects > Services and select Create New > Service Group.

2. Enter Chat in the Group Name field.

3. For each of IRC, AOL, SIP-MSNmessenger and TALK, select the service in the Available Services list and select the right arrow to add it to the Members list.

If a particular service does not appear in the Available Services list, check the full list in Policy & Objects > Services; some services are not shown by default until they have been edited.

4. Select OK.

 

To create a games and chat service group – CLI:

config vdom
    edit Company_B
        config firewall service group
            edit Chat
                set member IRC SIP-MSNmessenger AOL TALK
            next
        end
    end

 

Configuring Company_B firewall addresses

Company B’s network is all in the 10.12.0.0 network. Security can be improved by only allowing traffic from IP addresses on that network.

To configure Company_B firewall address – web-based manager:

1. In the Company_B VDOM, go to Policy & Objects > Addresses.

2. Select Create New.

3. Enter new in the Address Name field.

4. Type 10.12.0.0/255.255.0.0 in the Subnet / IP Range field.

5. Select OK.

 

To configure Company_B firewall addresses – CLI:

config vdom
    edit Company_B
        config firewall address
            edit all
                set type ipmask
                set subnet 10.12.0.0 255.255.0.0
            next
        end
    end

 

Configuring Company_B security policies

Security policies allow packets to travel between the internal and external VLAN_200 interfaces subject to the restrictions of the protection profile.

 

To configure Company_B security policies – web-based manager:

1. Go to Policy & Objects > IPv4 Policy.

2. Select Create New.

3. Enter the following information and select OK:

Name                                        CompanyB-deny-games-chat

Incoming Interface                   VLAN_200_int

Outgoing Interface                   VLAN_200_ext

Source Address                        all

Destination Address                 all

Schedule                                    BusinessDay

Service                                       games-chat

Action                                         DENY

 

This policy prevents the use of network games or chat programs (except NetMeeting) during business hours.

4. Enter the following information and select OK:

Name                                       CompanyB-lunch

Incoming Interface                   VLAN_200_int

Outgoing Interface                   VLAN_200_ext

Source Address                        all

Destination Address                all

Schedule                                    Lunch

Service                                       HTTP, DNS

Action                                        ACCEPT

Security Features                     enable

Web Filter              relaxed

This policy relaxes the web category filtering during lunch hour.

5. Select Create New.

6. Enter the following information and select OK:

Name                                       CompanyB-strict

Incoming Interface                VLAN_200_int

Outgoing Interface                VLAN_200_ext

Source Address                     all

Destination Address             all

Schedule                                 BusinessDay

Service                                    HTTP, DNS

Action                                     ACCEPT

Security Profiles                      enabled

Web Filter          strict

 

This policy provides rather strict web category filtering during business hours.

7. Select Create New.

8. Enter the following information and select OK:

Name                                      CompanyB-after-hours

Incoming Interface                  VLAN_200_int

Outgoing Interface                  VLAN_200_ext

Source Address                       all

Destination Address               all

Schedule                                   always

Service                                      ANY

Action                                       ACCEPT

Security Profiles                      enabled

Web Filter          relaxed

 

Because it is last in the list, this policy applies to the times and services not covered in preceding policies. This means that outside of regular business hours, the Relaxed protection profile applies to email and web browsing, and online chat and games are permitted. Company B needs this policy because its employees sometimes work overtime. The other companies in this example maintain fixed hours and do not want any after-hours Internet access.

 

To configure Company_B security policies – CLI:

config vdom
    edit Company_B
        config firewall policy
            edit 1
                set name "CompanyB-deny-games-chat"
                set srcintf VLAN_200_int
                set dstintf VLAN_200_ext
                set srcaddr all
                set dstaddr all
                set schedule BusinessDay
                set service Chat
                set action deny
            next
            edit 2
                set name "CompanyB-lunch"
                set srcintf VLAN_200_int
                set dstintf VLAN_200_ext
                set srcaddr all
                set dstaddr all
                set schedule Lunch
                set service HTTP DNS
                set action accept
                set utm-status enable
                set webfilter-profile relaxed
            next
            edit 3
                set name "CompanyB-strict"
                set srcintf VLAN_200_int
                set dstintf VLAN_200_ext
                set srcaddr all
                set dstaddr all
                set schedule BusinessDay
                set service HTTP DNS
                set action accept
                set utm-status enable
                set webfilter-profile strict
            next
            edit 4
                set name "CompanyB-after-hours"
                set srcintf VLAN_200_int
                set dstintf VLAN_200_ext
                set srcaddr all
                set dstaddr all
                set schedule always
                set service ALL
                set action accept
                set utm-status enable
                set webfilter-profile relaxed
            next
        end
    end
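The ordering rule behind step 4 of the Company_A procedure and the "last in the list" behaviour of CompanyB-after-hours both come down to first-match evaluation by sequence. The following simulator is an added example, not Fortinet's code or anything from the handbook: it evaluates the four Company_B policies above against constructed packets and shows which policy wins at different times, what happens when the lunch policy is sequenced below the strict one, and which traffic the always/ANY catch-all accepts even during business hours. The schedule hours, the port numbers behind each service name, the packet addresses, and the use of the Chat group for the deny policy are assumptions made for this example.

```python
from dataclasses import dataclass, replace
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Address objects: "all" matches anything; CompanyB is the page's 10.12.0.0/16.
ADDRESSES = {
    "all": ip_network("0.0.0.0/0"),
    "CompanyB": ip_network("10.12.0.0/16"),
}

# Service objects as (protocol, port) sets. Member names come from the page's
# Chat group; the port numbers are assumed for this example.
SERVICES = {
    "HTTP": {("tcp", 80)},
    "DNS": {("udp", 53), ("tcp", 53)},
    "IRC": {("tcp", 6667)},
    "AOL": {("tcp", 5190)},
    "SIP-MSNmessenger": {("tcp", 1863)},
    "TALK": {("udp", 517), ("udp", 518)},
}
SERVICES["Chat"] = set().union(*(SERVICES[m] for m in ("IRC", "AOL", "SIP-MSNmessenger", "TALK")))
SERVICES["ANY"] = None  # wildcard: matches every protocol/port

# Recurring schedules as (weekdays, start hour, end hour); hours are assumed.
SCHEDULES = {
    "always": None,
    "BusinessDay": (range(0, 5), 8, 18),
    "Lunch": (range(0, 5), 12, 13),
}


@dataclass(frozen=True)
class Policy:
    seq: int
    name: str
    schedule: str
    services: tuple
    action: str
    webfilter: Optional[str] = None
    srcintf: str = "VLAN_200_int"
    dstintf: str = "VLAN_200_ext"
    srcaddr: str = "all"
    dstaddr: str = "all"


# The Company_B policy list from the page, in its intended sequence.
COMPANY_B = [
    Policy(1, "CompanyB-deny-games-chat", "BusinessDay", ("Chat",), "deny"),
    Policy(2, "CompanyB-lunch", "Lunch", ("HTTP", "DNS"), "accept", "relaxed"),
    Policy(3, "CompanyB-strict", "BusinessDay", ("HTTP", "DNS"), "accept", "strict"),
    Policy(4, "CompanyB-after-hours", "always", ("ANY",), "accept", "relaxed"),
]


def packet(proto, dport, src="10.12.0.25", dst="203.0.113.10",
           srcintf="VLAN_200_int", dstintf="VLAN_200_ext"):
    """Constructed packet summary; the addresses are documentation values."""
    return {"proto": proto, "dport": dport, "src": ip_address(src),
            "dst": ip_address(dst), "srcintf": srcintf, "dstintf": dstintf}


def schedule_active(name, when):
    spec = SCHEDULES[name]
    if spec is None:
        return True
    days, start, end = spec
    return when.weekday() in days and start <= when.hour < end


def service_matches(names, proto, port):
    return any(SERVICES[n] is None or (proto, port) in SERVICES[n] for n in names)


def decide(policies, pkt, when):
    """First policy by sequence that matches wins; returns (name, action, web filter profile).
    When nothing matches the packet falls to the FortiGate's implicit deny."""
    for p in sorted(policies, key=lambda p: p.seq):
        if (p.srcintf == pkt["srcintf"] and p.dstintf == pkt["dstintf"]
                and pkt["src"] in ADDRESSES[p.srcaddr]
                and pkt["dst"] in ADDRESSES[p.dstaddr]
                and schedule_active(p.schedule, when)
                and service_matches(p.services, pkt["proto"], pkt["dport"])):
            return (p.name, p.action, p.webfilter)
    return ("implicit-deny", "deny", None)


def resequence(policies, order):
    """Copy of the policy list with sequence numbers reassigned in the given name order."""
    by_name = {p.name: p for p in policies}
    return [replace(by_name[n], seq=i + 1) for i, n in enumerate(order)]


if __name__ == "__main__":
    tue_lunch = datetime(2024, 1, 9, 12, 30)   # a Tuesday
    print("HTTP at lunch:", decide(COMPANY_B, packet("tcp", 80), tue_lunch))
    swapped = resequence(COMPANY_B, ["CompanyB-deny-games-chat", "CompanyB-strict",
                                     "CompanyB-lunch", "CompanyB-after-hours"])
    print("HTTP at lunch, lunch policy below strict:", decide(swapped, packet("tcp", 80), tue_lunch))
    print("SSH during business hours:", decide(COMPANY_B, packet("tcp", 22), datetime(2024, 1, 9, 10)))
```

The last call is the one worth noticing: because the final policy is scheduled `always` with service `ANY`, any service that is neither chat nor HTTP/DNS is accepted with the relaxed profile during business hours as well, exactly as the text says ("the times and services not covered in preceding policies"). If that is not intended, give the catch-all a schedule that excludes business hours rather than `always`.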

 

Configuring the VLAN switch and router

The Cisco switch is the first VLAN device that internal traffic passes through, and the Cisco router is the last device before the Internet or ISP.

This section includes the following topics:

  • Configuring the Cisco switch
  • Configuring the Cisco router

 

Configuring the Cisco switch

On the Cisco Catalyst 2900 ethernet switch, you need to define the VLANs 100, 200 and 300 in the VLAN database, and then add configuration files to define the VLAN subinterfaces and the 802.1Q trunk interface. Add this configuration to the Cisco VLAN switch:

!
interface FastEthernet0/1
 switchport access vlan 100
!
interface FastEthernet0/5
 switchport access vlan 300
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
!

Switch 1 has the following configuration:

Port 0/1                                       VLAN ID 100

Port 0/3                                       VLAN ID 200

Port 0/6                                       802.1Q trunk

 

Configuring the Cisco router

The configuration for the Cisco router in this example is the same as in the basic example, except we add VLAN_300. Each of the three companies has its own subnet assigned to it.

The IP addresses assigned to each VLAN on the router are the gateway addresses for the VLANs. For example, devices on VLAN_100 would have their gateway set to 10.11.0.1/255.255.0.0.

 

!
interface FastEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/0.1
 encapsulation dot1Q 100
 ip address 10.11.0.1 255.255.0.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 200
 ip address 10.12.0.1 255.255.0.0
!

The router has the following configuration:

Port 0/0.1                                    VLAN ID 100

Port 0/0.3                                    VLAN ID 200

Port 0/0                                       802.1Q trunk

 

Testing the configuration

Use diagnostic commands, such as tracert, to test traffic routed through the network.

You should test traffic between the internal VLANs as well as from the internal VLANs to the Internet to ensure connectivity.

For additional troubleshooting, see Troubleshooting Virtual Domains. This section includes the following topics:

  • Testing traffic from VLAN_100 to the Internet
  • Testing traffic from VLAN_100 to VLAN_200

 

Testing traffic from VLAN_100 to the Internet

In this example, a route is traced from VLANs to a host on the Internet. The route target is www.example.com. From a host on VLAN_100, access a command prompt and enter this command:

C:\>tracert www.example.com

Tracing route to www.example.com [208.77.188.166]

over a maximum of 30 hops:

1 <10 ms <10 ms <10 ms 10.100.0.1

14 172 ms 141 ms 140 ms 208.77.188.166

Trace complete.

The number of steps between the first and the last hop, as well as their IP addresses, will vary depending on your location and ISP. However, all successful tracerts to www.example.com will start and end with these lines.

Repeat the tracert for VLAN_200.

The tracert for each VLAN will include the gateway for that VLAN as the first step. Otherwise, the tracert should be the same for each VLAN.

 

Testing traffic from VLAN_100 to VLAN_200

In this example, a route is traced between two internal networks. The route target is a host on VLAN_200. The Windows traceroute command tracert is used.

From VLAN_100, access a Windows command prompt and enter this command:

C:\>tracert 10.12.0.2

Tracing route to 10.12.0.2 over a maximum of 30 hops:

1 <10 ms <10 ms <10 ms 10.100.0.1

2 <10 ms <10 ms <10 ms 10.12.0.2

Trace complete.

You can repeat this for different routes in the topology. In each case the IP addresses will be the gateway for the starting VLAN, and the end point at the ending VLAN.
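The two checks the text describes (the first hop is the gateway of the starting VLAN, the last hop is the target, and every successful trace shares those two lines) are easy to automate when you test many VLANs. The parser below is an added example, not part of the handbook: it reads Windows tracert output, copes with "Request timed out." hops and hostname-plus-bracketed-IP lines, and reports whether a trace started and ended where expected. The sample outputs are constructed from the traces shown above, with an extra intermediate hop using the documentation address 203.0.113.1.

```python
import re

# One hop line: hop number, three round-trip columns, then an IP that may be
# wrapped in brackets after a hostname ("gw.example.net [203.0.113.1]").
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")
# A hop that never answered: "  3     *        *        *     Request timed out."
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*")

# Constructed sample output, modelled on the VLAN_100-to-Internet trace above.
SAMPLE_VLAN100_TO_INTERNET = """\
Tracing route to www.example.com [208.77.188.166]
over a maximum of 30 hops:

  1    <10 ms    <10 ms    <10 ms  10.100.0.1
  2      2 ms      2 ms      2 ms  203.0.113.1
  3       *         *         *     Request timed out.
 14    172 ms    141 ms    140 ms  208.77.188.166

Trace complete.
"""

# Constructed sample output, modelled on the VLAN_100-to-VLAN_200 trace above.
SAMPLE_VLAN100_TO_VLAN200 = """\
Tracing route to 10.12.0.2 over a maximum of 30 hops:

  1    <10 ms    <10 ms    <10 ms  10.100.0.1
  2    <10 ms    <10 ms    <10 ms  10.12.0.2

Trace complete.
"""


def parse_tracert(text):
    """Return ([(hop_number, ip_or_None), ...], completed_flag)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(3)))
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            hops.append((int(m.group(1)), None))
    return hops, "Trace complete." in text


def check_trace(text, expected_gateway, expected_target):
    """Return a list of problems; an empty list means the trace looks as the handbook describes."""
    hops, completed = parse_tracert(text)
    if not hops:
        return ["no hops found in output"]
    problems = []
    first_ip = hops[0][1]
    if first_ip != expected_gateway:
        problems.append(f"first hop is {first_ip}, expected VLAN gateway {expected_gateway}")
    last_ip = hops[-1][1]
    if not completed or last_ip != expected_target:
        problems.append(f"trace did not end at {expected_target} (last hop {last_ip}, completed={completed})")
    return problems


if __name__ == "__main__":
    print(check_trace(SAMPLE_VLAN100_TO_INTERNET, "10.100.0.1", "208.77.188.166"))
    print(check_trace(SAMPLE_VLAN100_TO_VLAN200, "10.100.0.1", "10.12.0.2"))
```

Pass the gateway you configured for the starting VLAN as `expected_gateway`; the example uses the 10.100.0.1 first hop shown in the trace output above, so a host whose gateway is actually 10.11.0.1 would be flagged, which is the kind of misconfiguration this check is meant to catch.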


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Using a VDOM in Transparent mode

The essential steps to configure a VDOM in Transparent mode are:

  • Switching to Transparent mode
  • Adding VLAN subinterfaces
  • Creating security policies

You can also configure the security profiles that manage antivirus scanning, web filtering and spam filtering. In Transparent mode, you can access the web-based manager by connecting to an interface configured for administrative access and using HTTPS to access the management IP address. In the following examples, administrative access is enabled by default on the internal interface and the default management IP address is 10.11.0.1.

 

Switching to Transparent mode

A VDOM is in NAT/Route mode by default when it is created. You must switch it to Transparent mode, and add a management IP address so you can access the VDOM from your management computer.

Before applying the change to Transparent mode, ensure the VDOM has administrative access on the selected interface, and that the selected management IP address is reachable on your network.

 

To switch the VDOM to Transparent mode – web-based manager:

1. Go to Global > System > VDOM.

2. Edit the VDOM you wish to use in Transparent mode.

3. Set Operation mode to Transparent.

4. Enter the management IP/Netmask. The IP address must be accessible to the subnet where the management computer is located. For example 10.11.0.99/255.255.255.0 will be able to access the 10.11.0.0 subnet.

5. Select Apply.

When you select Apply, the FortiGate unit will log you out. When you log back in, the VDOM will be in Transparent mode.

 

To switch the VDOM to Transparent mode – CLI:

config vdom
    edit <name>
        config system settings
            set opmode transparent
            set manageip 10.11.0.99 255.255.255.0
        end
    end

 

Adding VLAN subinterfaces

There are a few differences when adding VLANs in Transparent mode compared to NAT/Route mode.

In Transparent mode, VLAN traffic is trunked across the VDOM. That means VLAN traffic cannot be routed, changed, or inspected. For this reason, when you assign a VLAN to a Transparent mode VDOM, the Addressing Mode section of the interface configuration disappears from the web-based manager. With no routing, inspection, or other processing possible on VLAN traffic, the VDOM simply re-broadcasts it, which requires no addressing.

Also any routing related features such as dynamic routing or Virtual Router Redundancy Protocol (VRRP) are not available in Transparent mode for any interfaces.

 

Creating security policies

Security policies permit communication between the FortiGate unit’s network interfaces based on source and destination IP addresses. Typically you will also limit communication to desired times and services for additional security.

In Transparent mode, the FortiGate unit performs antivirus and antispam scanning on each packet as it passes through the unit. You need security policies to permit packets to pass from the VLAN interface where they enter the unit to the VLAN interface where they exit the unit. If there are no security policies configured, no packets will be allowed to pass from one interface to another.

For more information, see the Firewall handbook.



Operation mode differences in VDOMs

A VDOM, such as root, can have a maximum of 255 interfaces in Network Address Translation (NAT) mode or Transparent mode. This includes VLANs, other virtual interfaces, and physical interfaces. To have more than a total of 255 interfaces configured, you need multiple VDOMs with multiple interfaces on each.

In Transparent mode without VDOMs enabled, all interfaces on the FortiGate unit act as a bridge — all traffic coming in on one interface is sent back out on all the other interfaces. This effectively turns the FortiGate unit into a two interface unit no matter how many physical interfaces it has. When VDOMs are enabled, this allows you to determine how many interfaces to assign to a VDOM running in Transparent mode. If there are reasons for assigning more than two interfaces based on your network topology, you are able to. However, the benefit of VDOMs in this case is that you have the functionality of Transparent mode, but you can use interfaces for NAT/Route traffic as well.

You can add more VDOMs to separate groups of VLAN subinterfaces. When using a FortiGate unit to serve multiple organizations, this configuration simplifies administration because you see only the security policies and settings for the VDOM you are configuring.

One essential application of VDOMs is to prevent problems caused when a FortiGate unit is connected to a layer-2 switch that has a global MAC table. FortiGate units normally forward ARP requests to all interfaces, including VLAN subinterfaces. It is then possible for the switch to receive duplicate ARP packets on different VLANs. Some layer-2 switches reset when this happens. As ARP requests are only forwarded to interfaces in the same VDOM, you can solve this problem by creating a VDOM for each VLAN.

For more information about Transparent mode, see the Transparent Mode & Internal Segmentation Firewall (ISFW) handbook.



Virtual Domains in Transparent mode

A VDOM in Transparent mode is installed between the internal network and the router. In this mode, the VDOM does not make any changes to IP addresses and only applies security scanning to traffic. When a VDOM is added to a network in Transparent mode, no network changes are required, except to provide the VDOM with a management IP address.

Each VDOM on a FortiGate can be configured for NAT/Route mode or Transparent mode, regardless of the operation mode of other VDOMs on the FortiGate. For more information about NAT/Route mode, see “Virtual Domains in NAT/Route mode” on page 2602.

 

This chapter includes the following sections:

  • Transparent Mode Overview
  • Using a VDOM in Transparent mode
  • Virtual Domains in Transparent mode

 

Transparent Mode Overview

In transparent mode, a VDOM becomes a layer-2 IP forwarding bridge. This means that Ethernet frames are forwarded based on destination MAC address, and no other routing is performed. All incoming traffic that is accepted by the firewall is broadcast out on all interfaces.

In transparent mode the VDOM is a forwarding bridge, not a switch. A switch can develop a port table and associated MAC addresses, so that it can bridge two ports to deliver the traffic instead of broadcasting to all ports. In transparent mode, the VDOM does not follow this switch behavior; instead it is a forwarding bridge that broadcasts all packets out over all interfaces, subject to security policies.

 

Differences between NAT/Route and Transparent mode

The differences between NAT/Route mode and Transparent mode include:

 

Differences between NAT/Route and Transparent modes

Features                                      NAT/Route mode    Transparent mode

Specific Management IP address required       No                Yes

Perform Network Address Translation (NAT)     Yes               Yes

Stateful packet inspection                    Yes               Yes

Layer-2 forwarding                            Yes               Yes

Layer-3 routing                               Yes               No

Unicast Routing / Policy Based routing        Yes               No

DHCP server                                   Yes               No

IPsec VPN                                     Yes               Yes

PPTP/L2TP VPN                                 Yes               No

SSL VPN                                       Yes               No

Security features                             Yes               Yes

VLAN support                                  Yes               Yes – limited to VLAN trunks.

Ping servers (dead gateway detection)         Yes               No

To provide administrative access to a FortiGate unit or VDOM in Transparent mode, you must define a management IP address and a gateway. This step is not required in NAT/Route mode where you can access the FortiGate unit through the assigned IP address of any interface where administrative access is permitted.

If you incorrectly set the Transparent mode management IP address for your FortiGate unit, you will be unable to access your unit through the web-based manager. In this situation, you will need to connect to the FortiGate unit using the console cable and change the settings so you can access the unit. Alternatively, if your unit has an LCD panel, you can change the operation mode and interface information through the LCD panel.

