
USER GUIDE

FortiGate VLANs and VDOMs


Version 3.0

www.fortinet.com

FortiGate VLANs and VDOMs User Guide


Version 3.0
18 July 2006
01-30002-0091-20060718
Copyright 2006 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS,
FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are
trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies
and products mentioned herein may be the trademarks of their respective owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS

Caution: If you install a battery that is not the correct type, it could
explode. Dispose of used batteries according to local regulations.

Contents

Contents
Introduction ........................................................................................ 9
About FortiGate VLANs and VDOMs ............................................................... 9
About this document......................................................................................... 9
Document conventions.................................................................................. 9
Typographic conventions...................................................................... 10
FortiGate documentation ................................................................................ 10
Related documentation ................................................................................... 11
FortiManager documentation ...................................................... 11
FortiClient documentation ........................................................... 11
FortiMail documentation .............................................................. 12
FortiAnalyzer documentation ...................................................... 12
Fortinet Knowledge Center ......................................................... 12
Comments on Fortinet technical documentation ......................... 12

Customer service and technical support ...................................................... 12

Introduction to VLANs and VDOMs................................................ 15


Overview of VLAN technology ....................................................................... 15
VLAN layer-2 switching ............................................................... 16
Layer-2 VLAN example......................................................... 16
VLAN layer-3 routing ................................................................... 18
Layer-3 VLAN Example ........................................................ 18
Rules for VLAN IDs ..................................................................... 19

Overview of Virtual Domains .......................................................................... 19


Maximum number of VDOMs ...................................................... 20
Inter-VDOM routing ..................................................................... 20
Management VDOM ................................................................... 20
Administration of virtual domains ................................................ 20
Global and virtual domain settings .............................................. 21
For more information ................................................................... 23

Using VLANs in NAT/Route mode .................................................. 25


Overview........................................................................................................... 25
Configuring FortiGate units in NAT/Route mode ......................................... 25
Adding VLAN subinterfaces ........................................................................ 26
Creating firewall policies ............................................................................. 26
Configuring routing...................................................................................... 27
Example configuration NAT/Route mode (simple) ....................................... 27
General configuration steps ........................................................ 28
Configuring the FortiGate-800 unit .............................................. 29
Configuring the external interface......................................... 29
Adding VLAN subinterfaces.................................................. 29
Adding the firewall addresses............................................... 31
FortiGate VLANs and VDOMs Version 3.0 User Guide
01-30002-0091-20060718

Adding the firewall policies ................................................... 31
Configuring the Cisco switch to support VLAN tags ................... 34
Testing the configuration............................................................. 35
Testing traffic from VLAN 100 to VLAN 200 ......................... 35
Testing traffic from VLAN 100 to the external network ......... 35

Example configuration NAT/Route mode (complex).................................... 36


General configuration steps ........................................................ 37
Configuring the FortiGate-800 unit.............................................. 37
Adding the VLAN subinterfaces............................................ 38
Adding a default route ......................................................... 39
Adding the firewall addresses............................................... 40
Adding the firewall policies ................................................... 41
Configuring the FortiGate-800 IPSec VPN tunnel and encrypt policy......... 44
Configuring the VPN gateway .............................................. 44
Configuring the VPN tunnel .................................................. 45
Defining the VPN user IP address........................................ 46
Adding the encrypt policy ..................................................... 47
Configuring the VPN client.......................................................... 48
Creating a new VPN connection........................................... 48
Configuring the internal Cisco switch .......................................... 49
Configuring the VLAN subinterfaces and the trunk interfaces.............. 49
Configuring the external Cisco switch ......................................... 50
Configuring the VLAN subinterfaces and the trunk interfaces.............. 50
Testing the configuration............................................................. 50
Testing traffic from VLAN 20 to VLAN 10 ............................. 51
Testing traffic from VLAN 10 to the external network ........... 51

Using VDOMs in NAT/Route mode................................................. 53


Overview........................................................................................................... 53
Getting started with VDOMs ........................................................................... 53
Enabling virtual domain configuration ......................................... 53
Creating virtual domains ............................................................. 54
Creating administrators for virtual domains ................................ 54
Accessing virtual domains to configure them.............................. 55

Configuring virtual domains........................................................................... 56


Changing the management VDOM ............................................. 56
Adding interfaces and VLAN subinterfaces to a virtual domain .. 57
Configuring routing for a virtual domain ...................................... 58
Configuring firewall policies for a virtual domain ......................... 58
Configuring VPNs for a virtual domain ........................................ 59

Example VDOM configuration in NAT/Route mode (simple)....................... 59


General configuration steps ........................................................................ 60
Creating the virtual domains ....................................................................... 61
Configuring the FortiGate-800 external and DMZ interfaces ...................... 61
Configuring the external interface................................................ 61
Configuring the DMZ interface.............................................................. 62
Configuring the ABCdomain VDOM ............................................................ 62
Adding the VLAN subinterface.............................................................. 63
Selecting the ABCdomain VDOM ......................................................... 63
Adding ABCdomain firewall addresses................................................. 64
Adding the ABCdomain firewall policy .................................................. 64
Adding a default route........................................................................... 65
Configuring the DEFdomain VDOM ............................................................ 66
Adding the VLAN 200 subinterface....................................................... 66
Selecting the DEFdomain VDOM ......................................................... 67
Adding the DEFdomain firewall address............................................... 67
Adding the DEFdomain firewall policy .................................................. 68
Adding a default route........................................................................... 69
Configuring the Cisco switch ....................................................................... 70
Configuring the VLAN subinterfaces and the trunk interfaces .............. 70
Testing the configuration ............................................................................. 70
Testing traffic from VLAN 100 to the external network ......................... 70
Testing traffic from VLAN 200 to the DMZ network .............................. 71
Example VDOM configuration in NAT/Route mode (complex).................... 72
General configuration steps ........................................................ 74
Creating the virtual domains ....................................................... 74
Configuring the ABCdomain VDOM ............................................ 75
Selecting the ABCdomain virtual domain ............................. 75
Adding the VLAN subinterfaces............................................ 75
Adding a default route........................................................... 76
Adding the firewall addresses............................................... 77
Adding the firewall policies ................................................... 78
Configuring the Commercial VDOM ............................................ 80
Selecting the Commercial VDOM ......................................... 80
Adding the VLAN subinterfaces............................................ 81
Adding a default route........................................................... 83
Adding the firewall addresses............................................... 83
Adding the firewall policies ................................................... 84
Configuring the Cisco switch ....................................................... 89
Configuring the VLAN subinterfaces and the trunk interfaces .............. 89
Testing the configuration ............................................................. 90
Testing traffic from instructors network to student network .................. 90
Other tests ............................................................................ 91

Using VLANs and VDOMs in Transparent mode........................... 93


Overview........................................................................................................... 93
VLANs and virtual domains......................................................................... 93


Configuring the FortiGate unit in Transparent mode................................... 94


Adding VLAN subinterfaces ........................................................................ 94
Creating firewall policies ............................................................................. 95
Example configuration Transparent mode (simple)..................................... 96
General configuration steps ........................................................................ 97
Configuring the FortiGate-800 unit.............................................................. 97
Adding VLAN subinterfaces.................................................................. 97
Adding the firewall policies ................................................................... 99
Configuring the Cisco switch..................................................................... 102
Configuring the VLAN subinterfaces and the trunk interfaces............ 102
Configuring the Cisco router ..................................................................... 102
Configuring the VLAN subinterfaces and the trunk interfaces............ 102
Testing the configuration........................................................................... 104
Testing traffic from VLAN 100 to VLAN 200 ....................................... 104
Example configuration Transparent mode (multiple virtual domains)..... 105
Configuring global items ........................................................... 105
Creating schedules............................................................. 105
Creating protection profiles................................................. 106
Creating virtual domains ........................................................... 108
Configuring the ABCdomain ..................................................... 109
Adding VLAN subinterfaces................................................ 109
Selecting the ABCdomain VDOM....................................... 110
Creating service groups...................................................... 110
Configuring ABCdomain firewall addresses ....................... 111
Configuring ABCdomain firewall policies............................ 111
Configuring the DEFdomain...................................................... 113
Adding VLAN subinterfaces................................................ 113
Selecting the DEFdomain VDOM ....................................... 114
Creating service groups...................................................... 115
Configuring DEFdomain firewall addresses ....................... 115
Configuring DEFdomain firewall policies ............................ 116
Configuring the XYZdomain ...................................................... 118
Adding VLAN subinterfaces................................................ 118
Selecting the XYZdomain VDOM ....................................... 120
Creating service groups...................................................... 120
Configuring XYZdomain firewall addresses........................ 121
Configuring XYZdomain firewall policies ............................ 121
Configuring the Cisco switch..................................................... 123
Configuring switch 1 ........................................................... 123
Configuring switch 2 ........................................................... 123
Testing the configuration........................................................... 124
Testing traffic from VLAN 100 to the Internet ..................... 124

Inter-VDOM routing........................................................................ 125


Overview......................................................................................................... 125


Benefits of inter-VDOM routing .................................................................... 125


Freeing up physical interfaces .................................................................. 125
Continuing to use secure firewall policies ................................................. 126
More flexible configurations ...................................................................... 126
Getting started with inter-VDOM routing..................................................... 126
Available inter-VDOM configurations .......................................................... 127
Stand-alone VDOM ................................................................... 128
Independent VDOMs................................................................. 128
Management VDOM ................................................................. 128
Meshed VDOMs ........................................................................ 129

FortiManager and inter-VDOMs.................................................................... 129


Configuring inter-VDOMs with FortiManager...................................... 129
Inter-VDOM planning ..................................................................................... 130
Complexity .......................................................................................... 130
Making changes.................................................................................. 130

Avoiding Problems with VLANs ................................................... 131


Overview......................................................................................................... 131
Asymmetric routing....................................................................................... 131
Layer 2 traffic ................................................................................................. 131
ARP traffic ................................................................................................. 132
Multiple VDOMs solution .................................................................... 132
Forward-domain solution .................................................................... 132
NetBIOS .......................................................................................................... 133
STP forwarding .............................................................................................. 133

Index................................................................................................ 135


Introduction
This chapter introduces you to FortiGate VLANs and VDOMs and the following
topics:

About FortiGate VLANs and VDOMs

About this document

FortiGate documentation

Related documentation

Customer service and technical support

About FortiGate VLANs and VDOMs


Virtual Local Area Networks (VLANs) and Virtual Domains (VDOMs) multiply the
capabilities of your FortiGate unit. VLANs increase the number of network
interfaces beyond the physical connections on the unit. VDOMs enable the unit to
function as multiple independent units with common administration.

About this document


This document describes how to implement IEEE 802.1Q VLAN technology on
FortiGate units operating in both NAT/Route and Transparent mode. It also
describes how to use FortiGate VDOMs to provide separate network protection,
routing and VPN configurations for multiple organizations.
This document contains the following chapters:

Introduction to VLANs and VDOMs

Using VLANs in NAT/Route mode

Using VDOMs in NAT/Route mode

Using VLANs and VDOMs in Transparent mode

Inter-VDOM routing

Avoiding Problems with VLANs

Each of the Using sections contains detailed example configurations.

Document conventions
The following document conventions are used in this guide:

In the examples, private IP addresses are used for both private and public IP
addresses.

Notes and Cautions are used to provide important information:

Note: Highlights useful additional information.

Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.

Typographic conventions
FortiGate documentation uses the following typographical conventions:

Convention            Example

Keyboard input        In the Gateway Name field, type a name for the remote VPN
                      peer or client (for example, Central_Office_1).

Code examples         config sys global
                          set ips-open enable
                      end

CLI command syntax    config firewall policy
                          edit id_integer
                              set http_retry_count <retry_integer>
                              set natip <address_ipv4mask>
                      end

Document names        FortiGate Administration Guide

File content          <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
                      <BODY><H4>You must authenticate to use this service.</H4>

Menu commands         Go to VPN > IPSEC > Phase 1 and select Create New.

Program output        Welcome!

Variables             <address_ipv4>

FortiGate documentation
Information about FortiGate products is available from the following guides:

FortiGate QuickStart Guide


Provides basic information about connecting and installing a FortiGate unit.

FortiGate Installation Guide


Describes how to install a FortiGate unit. Includes a hardware reference,
default configuration information, installation procedures, connection
procedures, and basic configuration procedures. Choose the guide for your
product model number.

FortiGate Administration Guide


Provides basic information about how to configure a FortiGate unit, including
how to define FortiGate protection profiles and firewall policies; how to apply
intrusion prevention, antivirus protection, web content filtering, and spam
filtering; and how to configure a VPN.

FortiGate online help


Provides a context-sensitive and searchable version of the Administration
Guide in HTML format. You can access online help from the web-based
manager as you work.

Related documentation

FortiGate CLI Reference


Describes how to use the FortiGate CLI and contains a reference to all
FortiGate CLI commands.

FortiGate Log Message Reference


Describes the structure of FortiGate log messages and provides information
about the log messages that are generated by FortiGate units.

FortiGate High Availability User Guide


Contains in-depth information about the FortiGate high availability feature and
the FortiGate clustering protocol.

FortiGate IPS User Guide


Describes how to configure the FortiGate Intrusion Prevention System settings
and how the FortiGate IPS deals with some common attacks.

FortiGate IPSec VPN User Guide


Provides step-by-step instructions for configuring IPSec VPNs using the web-based manager.

FortiGate PPTP VPN User Guide


Explains how to configure a PPTP VPN using the web-based manager.

FortiGate Certificate Management User Guide


Contains procedures for managing digital certificates including generating
certificate requests, installing signed certificates, importing CA root certificates
and certificate revocation lists, and backing up and restoring installed
certificates and private keys.

Related documentation
Additional information about Fortinet products is available from the following
related documentation.

FortiManager documentation

FortiManager QuickStart Guide


Explains how to install the FortiManager Console, set up the FortiManager
Server, and configure basic settings.

FortiManager System Administration Guide

Describes how to use the FortiManager System to manage FortiGate devices.

FortiManager System online help

Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the FortiManager Console as you work.

FortiClient documentation

FortiClient Host Security User Guide


Describes how to use FortiClient Host Security software to set up a VPN
connection from your computer to remote networks, scan your computer for
viruses, and restrict access to your computer and applications by setting up
firewall policies.

FortiClient Host Security online help


Provides information and procedures for using and configuring the FortiClient
software.

FortiMail documentation

FortiMail Administration Guide


Describes how to install, configure, and manage a FortiMail unit in gateway
mode and server mode, including how to configure the unit; create profiles and
policies; configure antispam and antivirus filters; create user accounts; and set
up logging and reporting.

FortiMail online help


Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.

FortiMail Web Mail Online Help


Describes how to use the FortiMail web-based email client, including how to
send and receive email; how to add, import, and export addresses; and how to
configure message display preferences.

FortiAnalyzer documentation

FortiLog Administration Guide


Describes how to install and configure a FortiLog unit to collect FortiGate and
FortiMail log files. It also describes how to view FortiGate and FortiMail log
files, generate and view log reports, and use the FortiLog unit as a NAS server.

FortiLog online help


Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.

Fortinet Knowledge Center


The most recent Fortinet technical documentation is available from the Fortinet
Knowledge Center. The knowledge center contains short how-to articles, FAQs,
technical notes, product and feature guides, and much more. Visit the Fortinet
Knowledge Center at http://kc.forticare.com.

Comments on Fortinet technical documentation


Please send information about any errors or omissions in this document, or any
Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support


For antivirus and attack definition updates, firmware updates, updated product
documentation, technical support information, and other resources, please visit
the Fortinet Technical Support web site at http://support.fortinet.com.
You can also register Fortinet products and service contracts from
http://support.fortinet.com and change your registration information at any time.
Technical support is available through email from any of the following addresses.
Choose the email address for your region:


amer_support@fortinet.com   For customers in the United States, Canada, Mexico,
                            Latin America and South America.
apac_support@fortinet.com   For customers in Japan, Korea, China, Hong Kong,
                            Singapore, Malaysia, all other Asian countries, and
                            Australia.
eu_support@fortinet.com     For customers in the United Kingdom, Scandinavia,
                            Mainland Europe, Africa, and the Middle East.

For information about our priority support hotline (live support), see
http://support.fortinet.com.
When requesting technical support, please provide the following information:

your name

your company's name and location

your email address

your telephone number

your support contract number (if applicable)

the product name and model number

the product serial number (if applicable)

the software or firmware version number

a detailed description of the problem

Introduction to VLANs and VDOMs


Virtual Local Area Networks (VLANs) and Virtual Domains (VDOMs) multiply the
capabilities of your FortiGate unit. VLANs use ID tags added to network frames to
increase the number of network interfaces beyond the physical connections on
the FortiGate unit. VDOMs enable the unit to function as multiple independent
units with common administration. Both can provide added network security.
Using VLANs, a single FortiGate unit can provide security services and control
connections between multiple security domains. Using VDOMs, a single FortiGate
unit can serve multiple organizations. It can provide separate firewall policies and,
in NAT/Route mode, completely separate routing and VPN configurations for each
organization.
This document describes how to implement IEEE 802.1Q Virtual LAN (VLAN)
technology on FortiGate units operating in both NAT/Route and Transparent
mode. Example configurations illustrate how VLANs can be implemented
between FortiGate units and other 802.1Q-compliant devices, such as Cisco
switches and routers. This document also describes how to implement virtual
domains (VDOMs) and presents example configurations to illustrate how VDOMs
can be implemented on FortiGate units.
The information in this document applies to all FortiGate units. All FortiGate
models support VLANs and VDOMs.
This document contains the following sections:

Overview of VLAN technology

Overview of Virtual Domains

Using VLANs in NAT/Route mode

Using VDOMs in NAT/Route mode

Using VLANs and VDOMs in Transparent mode

Inter-VDOM routing

Avoiding Problems with VLANs

Each of the Using sections contains detailed example configurations.

Overview of VLAN technology


A LAN consists of one or more network broadcast domains. A broadcast domain
includes every host that receives a frame broadcast by any other host in that
domain. A switch forwards a broadcast frame out of all of its other ports, whereas
a router by default does not forward broadcasts and so separates broadcast
domains. A network built only from switches, with no routers, is therefore a single
broadcast domain no matter how large it is.

Virtual LANs (VLANs) use ID tags to logically separate the devices on a LAN into
smaller broadcast domains. Each VLAN is its own broadcast domain. Smaller
broadcast domains reduce traffic and increase network security, because a host
only sees the broadcasts of its own VLAN and traffic between VLANs has to pass
through a layer-3 device where firewall policy can be applied. The IEEE 802.1Q
standard defines VLANs. Layer-2 and layer-3 devices must be 802.1Q-compliant
to support VLANs. For more information see VLAN layer-2 switching on page 16
and VLAN layer-3 routing on page 18.
VLANs reduce the size of broadcast domains by forwarding frames only to ports
that are members of that VLAN, or to trunk links. Trunk links form switch-switch or
switch-router connections and carry the tagged traffic of all VLANs, so a VLAN can
include devices that are physically distant from each other.
A good example of when to use VLANs is an accounting department within a
company. The accounting computers can be located in different buildings (main
and branch offices). However, accounting computers need to communicate with
each other frequently and require increased security. VLANs allow accounting
data to be sent only to accounting computers, and connect accounting computers
in different locations as if they were on the same physical subnet.
The VLAN ID tag that identifies a VLAN is a 4-byte extension of the Ethernet frame
header. Switches and routers add the tag when a frame enters a VLAN and remove
it before the frame is delivered to its destination. Workstations and servers take no
part in this: all tagging and tag removal happens after the frame has left the
computer. For more information see Rules for VLAN IDs on page 19.

VLAN layer-2 switching


Switches are generally 802.1Q compliant - they are layer-2 devices. Layer-2
refers to the second layer of the OSI networking model - the Data Link layer.
FortiGate units act as layer-2 switches when they are in Transparent Mode. They
simply tag and forward the VLAN traffic or receive and remove the tag from it.
A VLAN can have any number of physical interfaces assigned to it. Physical
interfaces can be assigned to multiple VLANs. Typically two or more physical
interfaces are assigned to a VLAN - at least one for incoming and one for outgoing
traffic. Multiple VLANs can be configured on the FortiGate unit, including trunk
links.
Trunk links are connections between switches or routers that pass all VLAN traffic
along so that it can reach other parts of the network. This does not flood the
network with traffic because switches and routers only deliver traffic to the VLAN it
is addressed to.

Layer-2 VLAN example


To better understand VLAN operation, let's look at what happens to a data frame
on a network that uses VLANs.
Two 8-port switches are configured to support 2 VLANs on a network. Subnet 1 is
connected to switch A and subnet 2 is connected to switch B. On switch A, ports 1
through 4 are part of VLAN 100. Port 8 on both switches is connected to an
802.1Q trunk link. Switch A's other ports (ports 5 through 7) belong to VLAN 200.
On switch B, ports 4 and 5 are part of VLAN 100 and port 6 is part of VLAN 200.
There are unassigned ports on switch B.

Figure 1: Example VLAN layer-2 switching configuration
(Diagram: at the Branch Office, switch A has ports 1-4 in VLAN 100 and ports 5-7
in VLAN 200; at the Main Office, switch B has ports 4 and 5 in VLAN 100 and port 6
in VLAN 200; port 8 on each switch is joined by the 802.1Q trunk link.)

Let's follow a data frame sent from a computer on subnet 1 that is part of VLAN
100.
A computer on port 1 of switch A sends a data frame over the network. Switch A
tags the data frame with a VLAN 100 ID tag upon arrival because port 1 is part of
VLAN 100. Switch A forwards the tagged data frame to the other VLAN 100 ports,
ports 2 through 4. Switch A also forwards the data frame to the 802.1Q trunk link
(port 8) so that other parts of the network that may contain VLAN 100 groups
receive VLAN 100 traffic.
This data frame is not forwarded to the other ports on switch A because they are
not part of VLAN 100. This increases security and decreases network traffic.
Switch B receives the data frame over the trunk link (port 8). There are VLAN 100
ports on switch B (ports 4 and 5) and the data frame is forwarded to those ports.
As with switch A, the data frame is not delivered to the VLAN 200 port on switch B.
If there were no VLAN 100 ports on switch B, the switch would not forward the
data frame to any port and it would stop there.
Figure 2: Example VLAN layer-2 packet delivery
(Diagram: the untagged frame enters switch A on port 1, is delivered to the other
VLAN 100 ports (2-4) and crosses the 802.1Q trunk link on port 8 as a frame with a
VLAN ID tag; switch B receives it on port 8 and delivers it untagged to ports 4 and
5; the VLAN 200 ports on both switches do not receive it.)

Before a switch forwards the data frame to an end destination, it removes the
VLAN 100 ID tag. The sending computer and the receiving computers are not
aware of any VLAN tagging on the data frame. When any computer receives that
data frame, it appears as a normal data frame.
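The tag format and the two-switch walk-through above, as an added example that is not part of this guide or of any Fortinet code: a small Python model of 802.1Q tagging and of access/trunk forwarding. The frame bytes, the port numbering and the decision to drop untagged frames arriving on a trunk (no native VLAN) are assumptions made for the example; real switches also learn MAC addresses, run spanning tree and usually have a native VLAN, none of which is modelled here.

```python
"""802.1Q tagging and layer-2 forwarding, modelled on the switch A / switch B example.
Added example, not Fortinet code. Access ports deliver frames untagged, trunk ports keep
the tag, and there is no native VLAN, MAC learning or spanning tree in this model."""
import struct

TPID_8021Q = 0x8100            # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID + TCI) after the 12-byte MAC pair."""
    if not 1 <= vid <= 4094:                      # VID is a 12-bit field; 0 and 4095 are reserved
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | vid               # priority bits, DEI left clear, VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vid, untagged_frame); vid is None when the frame carries no tag."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


class Switch:
    """An 802.1Q switch with access ports (one VLAN each) and trunk ports."""

    def __init__(self, name, access, trunks):
        self.name = name
        self.access = dict(access)                # port number -> VLAN ID
        self.trunks = set(trunks)

    def forward(self, in_port, frame):
        """Return {port: frame_as_sent} for every port that receives a copy."""
        vid, payload = untag_frame(frame)
        if in_port in self.trunks:
            if vid is None:
                return {}                         # untagged on a trunk: no native VLAN here, drop
        else:
            if vid is not None:
                return {}                         # tagged frame on an access port: drop
            vid = self.access[in_port]            # tag on arrival, as switch A does for port 1
        out = {}
        for port, pvid in self.access.items():    # same-VLAN access ports get it untagged
            if port != in_port and pvid == vid:
                out[port] = payload
        for port in self.trunks:                  # every other trunk gets it with the tag
            if port != in_port:
                out[port] = tag_frame(payload, vid)
        return out


# Constructed sample: a broadcast frame from the host on switch A port 1.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff")            # destination: broadcast
                + bytes.fromhex("020000000001")           # source MAC, locally administered
                + struct.pack("!H", ETHERTYPE_IPV4)
                + b"payload")

SWITCH_A = Switch("A", access={1: 100, 2: 100, 3: 100, 4: 100, 5: 200, 6: 200, 7: 200}, trunks={8})
SWITCH_B = Switch("B", access={4: 100, 5: 100, 6: 200}, trunks={8})


def trace_figure_2(frame=SAMPLE_FRAME):
    """Follow the frame through both switches; returns what each switch delivered."""
    from_a = SWITCH_A.forward(1, frame)           # VLAN 100: ports 2-4 untagged, port 8 tagged
    from_b = SWITCH_B.forward(8, from_a[8])       # arrives on the trunk, delivered to ports 4 and 5
    return from_a, from_b


if __name__ == "__main__":
    from_a, from_b = trace_figure_2()
    print("switch A delivered to ports", sorted(from_a))
    print("trunk frame VLAN ID:", untag_frame(from_a[8])[0])
    print("switch B delivered to ports", sorted(from_b))
```

Replacing switch B with one that has no VLAN 100 access ports makes `forward` return an empty mapping, which is the "it would stop there" case in the text.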

VLAN layer-3 routing


Routers are layer-3 devices. Layer-3 refers to the third layer of the OSI networking
model - the Network layer. FortiGate units act as layer-3 devices when they are in
NAT/Route mode. As with layer-2, FortiGate units acting as layer-3 devices are
802.1Q-compliant.
The main difference between layer-2 and layer-3 devices is how they process
VLAN tags. Layer-2 switches only add, read and remove tags; they do not alter
them or act on the contents of the frame. Layer-3 routers add, read and remove
tags as well, but they also examine the contents of the frame. That examination
lets a layer-3 device change the VLAN tag when appropriate and send the data
frame out on a different VLAN.
In a layer-3 environment, the 802.1Q-compliant router receives the data frame
and assigns a VLAN ID. The router then forwards the data frame to other
members of the same VLAN broadcast domain. The broadcast domain can
include local ports, layer-2 devices and layer-3 devices such as routers and
firewalls. When a layer-3 device receives the data frame, the device removes the
VLAN tag and examines its contents to decide what to do with the data frame. The
layer-3 device considers:

source and destination addresses

protocol

port number

The data frame may be forwarded to another VLAN, sent to a regular untagged
network, or forwarded within the same VLAN as a layer-2 switch would do. It may
also be discarded if that is what the matching firewall policy requires.

Layer-3 VLAN Example


In the configuration for this example, subnet 1 is the same as in the previous
layer-2 example. In subnet 2, VLAN 300 is on port 5 of switch B. The FortiGate unit
is connected to switch B on port 1, and the trunk link connects the FortiGate unit's
port 3 to switch A. The other ports on switch B are unassigned. This configuration
is shown in Figure 3 on page 18.
Figure 3: Example VLAN layer-3 routing
(Diagram: switch A at the Branch Office is connected over the 802.1Q trunk link to
port 3 of the FortiGate unit; FortiGate port 1 is connected to switch B at the Main
Office, where VLAN 300 is on port 5.)

This example explains how traffic originating on VLAN 100 arrives at a destination
on VLAN 300. Layer-2 switches alone cannot accomplish this, but a layer-3 router
can. Let's follow a data frame going from VLAN 100 at the Branch Office to
VLAN 300 at the Main Office.
As in the layer-2 example, the VLAN 100 computer sends the data frame to switch
A and a VLAN 100 tag is added. Switch A forwards the tagged data frame to the
FortiGate unit over the 802.1Q trunk link. The FortiGate unit removes the VLAN
100 tag and uses the content of the data frame to select the correct firewall policy.
In this case, the FortiGate unit's firewall policy allows the data frame to go to
VLAN 300. It goes to all VLAN 300 interfaces, but in the example there is only one,
port 1 on the FortiGate unit. Before the data frame leaves the FortiGate unit, the
VLAN subinterface adds a VLAN ID 300 tag.
The FortiGate unit then forwards the data frame to switch B. Switch B removes
the VLAN ID 300 tag because this is the last hop and forwards the data frame to
the computer on port 5.
In this example a data frame arrives at the FortiGate unit tagged as VLAN 100 and,
after checking its content, the FortiGate unit retags the data frame for VLAN 300.
It is this change from VLAN 100 to VLAN 300 that requires a layer-3 routing
device, in this case the FortiGate unit. Layer-2 switches cannot perform this
change.
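The layer-3 decision described above, as an added example that is not part of this guide or of FortiOS: a Python model of a NAT/Route-mode device that accepts a tagged frame only when a subinterface with that VLAN ID exists on the ingress port, picks the egress interface by route, and then applies the first matching policy (interface pair, address pair, service) before retagging for the egress VLAN or sending untagged. The subnets (10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 172.16.21.0/24), the port names, the service tuples and the two policies are constructed for the example; FortiOS policies have more fields than this model shows.

```python
"""NAT/Route-mode forwarding for tagged traffic, following the VLAN 100 to VLAN 300
walk-through. Added example, not Fortinet code; topology and policies are constructed."""
import ipaddress


class Policy:
    """One firewall policy: interface pair, address pair, service and action."""

    def __init__(self, srcintf, dstintf, srcaddr, dstaddr, service, action):
        self.srcintf, self.dstintf = srcintf, dstintf
        self.srcaddr = ipaddress.ip_network(srcaddr)
        self.dstaddr = ipaddress.ip_network(dstaddr)
        self.service = service                    # "ANY" or (protocol, destination port)
        self.action = action

    def matches(self, in_intf, out_intf, src, dst, proto, dport):
        if (in_intf, out_intf) != (self.srcintf, self.dstintf):
            return False
        if src not in self.srcaddr or dst not in self.dstaddr:
            return False
        return self.service == "ANY" or self.service == (proto, dport)


class VlanRouter:
    """Layer-3 device: VLAN subinterfaces plus an ordered policy list (first match wins)."""

    def __init__(self, interfaces, policies, default_route=None):
        # name -> (physical port, VLAN ID or None for untagged, connected subnet)
        self.interfaces = {n: (p, v, ipaddress.ip_network(net))
                           for n, (p, v, net) in interfaces.items()}
        self.policies = list(policies)
        self.default_route = default_route        # interface name for non-local destinations

    def ingress_interface(self, port, vid):
        """A tagged frame is accepted only if a subinterface with that VID exists on the port."""
        for name, (phys, ivid, _net) in self.interfaces.items():
            if phys == port and ivid == vid:
                return name
        return None

    def egress_interface(self, dst):
        """Connected subnet first (longest prefix wins), then the default route."""
        best = None
        for name, (_p, _v, net) in self.interfaces.items():
            if dst in net and (best is None or net.prefixlen > self.interfaces[best][2].prefixlen):
                best = name
        return best or self.default_route

    def forward(self, port, vid, src, dst, proto, dport):
        """Return ('accept', out_intf, out_port, out_vid) or ('drop', reason)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        in_intf = self.ingress_interface(port, vid)
        if in_intf is None:
            return ("drop", f"no subinterface with VLAN ID {vid} on {port}")
        out_intf = self.egress_interface(dst)
        if out_intf is None:
            return ("drop", f"no route to {dst}")
        for pol in self.policies:                 # policy lookup on the untagged contents
            if pol.matches(in_intf, out_intf, src, dst, proto, dport):
                if pol.action != "accept":
                    return ("drop", f"policy {in_intf}->{out_intf} denies")
                out_port, out_vid, _net = self.interfaces[out_intf]
                return ("accept", out_intf, out_port, out_vid)   # retag with out_vid, or untagged
        return ("drop", f"implicit deny {in_intf}->{out_intf}")


# Constructed topology for Figure 3: trunk from switch A on port3, VLAN 300 on port1,
# plus an untagged external interface that holds the default route.
FORTIGATE = VlanRouter(
    interfaces={
        "VLAN_100": ("port3", 100, "10.1.1.0/24"),
        "VLAN_200": ("port3", 200, "10.1.2.0/24"),
        "VLAN_300": ("port1", 300, "10.1.3.0/24"),
        "external": ("port2", None, "172.16.21.0/24"),
    },
    policies=[
        Policy("VLAN_100", "VLAN_300", "10.1.1.0/24", "10.1.3.0/24", ("tcp", 443), "accept"),
        Policy("VLAN_100", "external", "10.1.1.0/24", "0.0.0.0/0", ("tcp", 80), "accept"),
    ],
    default_route="external",
)


if __name__ == "__main__":
    print(FORTIGATE.forward("port3", 100, "10.1.1.20", "10.1.3.40", "tcp", 443))
    print(FORTIGATE.forward("port3", 100, "10.1.1.20", "10.1.3.40", "tcp", 23))
    print(FORTIGATE.forward("port3", 100, "10.1.1.20", "198.51.100.7", "tcp", 80))
```

Two cases worth noting: a frame tagged with a VLAN ID that has no subinterface on that port is dropped before any policy is consulted, and a VLAN 100 frame carrying a source address from the VLAN 200 subnet fails the policy's source address match even though the interface pair is right.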

Rules for VLAN IDs


Layer-2 switches and layer-3 devices add VLAN ID tags to the traffic as it arrives
and remove them before they deliver the traffic to its final destination. Devices like
PCs and servers on the network do not require any special configuration for
VLANs.
On a layer-2 switch, a physical port normally carries only one VLAN, unless that
port is configured as a trunk link. Trunk links can carry the traffic of more than one
VLAN to other parts of the network.
On a FortiGate unit, multiple VLAN subinterfaces can be added to the same
physical interface. However, VLAN subinterfaces on the same physical interface
cannot have the same VLAN ID, and their IP addresses cannot be on the same
subnet. You can add VLAN subinterfaces with the same VLAN ID to different
physical interfaces.
Creating VLAN subinterfaces with the same VLAN ID does not create any internal
connection between them. For example, VLAN ID 300 on port1 and VLAN ID 300
on port2 are allowed, but they are not connected; traffic between them has to pass
a firewall policy, as between any two FortiGate network interfaces.

Overview of Virtual Domains


Virtual Domains provide a way to divide your FortiGate unit and operate it as
multiple separate units. You can configure and manage interfaces, VLAN
subinterfaces, zones, firewall policies, routing and VPN configurations separately
for each virtual domain. This separation simplifies configuration because you do
not have to manage as many routes or firewall policies at one time.

One application of this capability is to use a single FortiGate unit to provide routing
and network protection for several organizations. Each organization has its own
network interfaces (physical or virtual), routing requirements and network
protection rules. By default, communication between organizations is possible
only if both allow access to an external network such as the internet. The chapter,
Using VDOMs in NAT/Route mode on page 53 provides two examples of this
application.
When a packet enters a virtual domain, it is confined to that virtual domain. Within
a given domain, you can only create firewall policies for connections between the
interfaces, VLAN subinterfaces or zones that belong to that domain. The packet
never crosses virtual domain borders unless you have deliberately connected
domains with inter-VDOM links (see Inter-VDOM routing below), and even then it
must pass a firewall policy in each domain.

Maximum number of VDOMs


If virtual domain configuration is enabled on your FortiGate unit and you log on as
the default admin administrator, you can go to System > Status and look at Virtual
Domain in the License Information section to see the maximum number of virtual
domains supported on your FortiGate unit. By default, your FortiGate unit supports
a maximum of 10 VDOMs in any combination of NAT/Route and Transparent
modes. For FortiGate models numbered 3000 and higher, you can purchase a
license key to increase the maximum to 25, 50, 100 or 250 VDOMs. For more
information see Creating virtual domains on page 54.

Inter-VDOM routing
FortiOS v3.0 MR1 introduced a new feature called inter-VDOM routing. When
configured, this feature allows traffic to pass between VDOMs without having to
leave the FortiGate unit on a physical interface and return on a different physical
interface. This feature also allows you to determine the level of inter-VDOM
routing varying from having only 2 VDOMs with limited interaction to having all
VDOMs fully inter-connected. All traffic between VDOMs must pass through
firewall policies as it does with all external interface connections.
The command to configure this feature, called vdom-link, is only available in the
CLI. Inter-VDOM routing is not available from the web-manager GUI. This topic is
dealt with in Inter-VDOM routing on page 125 and the VDOM-admin chapter in
the FortiOS CLI Reference.

Management VDOM
All management traffic leaves the FortiGate unit through the management VDOM.
This includes all external logging, remote management and other Fortinet
services. By default the management VDOM is the root VDOM. You can change
this to another VDOM so management traffic will originate from the new VDOM.
For more information see Changing the management VDOM on page 56.

Administration of virtual domains


You can manage virtual domains using either one common administrator or
multiple separate administrators for each VDOM.
The FortiGate default administrator account is the admin administration account. It
is a common administrator that can access all of the virtual domains on the
FortiGate unit. You cannot delete the admin administration account.

You can use the admin administration account to create regular administrator
accounts and assign them to VDOMs. Each regular administrator account can
only configure its own VDOM. Global properties affect all VDOMs. Access to
global properties is available only through the admin administration account.
Access profiles configure read-only or read/write access for all administrators.
Administrators can have access to:

system configuration

logs and reporting

security policy

user authorization

administrator configuration

FortiGuard Update

configuration backup/restore

This makes it possible for you to have administrators for different services on
each VDOM. For example you can have one administrator responsible for logs
and reporting on a VDOM, while another administrator is responsible for security
policies on that same VDOM. For more information on access profiles, see the
FortiOS Administration Guide.
When you are configuring VDOMs using the admin administration account, the
web-based manager shows which VDOM you are editing in the center of the
status line at the bottom of the page. If you are configuring global properties, there
is no virtual domain indicator.
Figure 4: Status line virtual domain indicator

Global and virtual domain settings


When working with virtual domains, it is important to remember which settings
belong exclusively to the virtual domain and which apply to the entire FortiGate
unit. The following list of items are in the order they appear in the web-manager
interface.
Settings exclusive to virtual domains
The following configuration settings are exclusively part of a virtual domain and
are not shared between virtual domains:
System settings: Zones; DHCP services; Operation mode (NAT/Route or
Transparent); Management IP (Transparent mode)
Router configuration: all
Firewall settings: Policies; Addresses; Service groups and custom services;
Schedules; Virtual IPs; IP pools
User settings: Users; User groups; RADIUS and LDAP servers
VPN settings: IPSec; PPTP; SSL; L2TP
IM settings: Policy Download; Statistics; User lists and policies

Settings shared by all virtual domains
Virtual domains share the following global settings with other processes on the
FortiGate unit:
System settings: Physical interfaces and VLAN subinterfaces (each physical
interface or VLAN subinterface belongs to only one VDOM, and each VDOM can
use or configure only its own interfaces); DNS settings; Host name; System time;
Firmware version; Idle and authentication timeout; Web-based manager
language; LCD panel PIN, where applicable; Dead gateway detection; HA
configuration; SNMP configuration; Replacement messages; Administrators;
Access profiles; FortiManager configuration; Configuration backup and restore;
FDN update configuration; Bug reporting
Firewall settings: Predefined services; Protection Profiles
IPS settings: all
Antivirus settings: all
Web filter configuration: all
Spam filter configuration: all
Logging configuration and log reports: all
For more information


Detailed information and procedures involving virtual domains are provided in the
Using VDOMs in NAT/Route mode and Using VLANs and VDOMs in
Transparent mode chapters.

Using VLANs in NAT/Route mode

Overview
In NAT/Route mode the FortiGate unit functions as a layer-3 device. In this mode,
it controls the flow of packets between VLANs and can also remove VLAN tags
from incoming VLAN packets. The FortiGate unit can also forward untagged
packets to other networks, such as the Internet.
In NAT/Route mode, the FortiGate unit supports VLAN trunk links with IEEE
802.1Q-compliant switches (or routers). The trunk link transports VLAN-tagged
packets between physical subnets or networks. When you add VLAN subinterfaces
to the FortiGate physical interfaces, you give them VLAN IDs that match the VLAN
IDs of the packets on the trunk link. The FortiGate unit directs each tagged packet
to the subinterface whose VLAN ID matches.
Normally the FortiGate unit's internal interface is connected to a VLAN trunk and
the external interface connects to an untagged Internet router. In this configuration
the FortiGate unit can apply different policies for traffic on each VLAN connected
to the internal interface.
You can define VLAN subinterfaces on all FortiGate physical interfaces. However,
if multiple virtual domains are configured on the FortiGate unit, you only have
access to the physical interfaces assigned to your virtual domain. The FortiGate
unit tags packets leaving on a VLAN subinterface, removes VLAN tags from
incoming packets, and can add a different VLAN tag to outgoing packets.

Configuring FortiGate units in NAT/Route mode


You can access the FortiGate unit's web-based manager (GUI) with a supported
web browser connected to a FortiGate interface that is configured for
administrative access. Use HTTPS to connect to the address of that interface. All
FortiGate units have administrative access enabled by default on the default
interface; on the FortiGate 800 the default interface is the Internal interface. For
the examples presented in this chapter, the default interface has the address
192.168.1.99. If you need more information, refer to the Quick Start Guide or
Installation Guide that came with your FortiGate unit.
In this chapter, we assume you have not enabled VDOM configuration on your
FortiGate unit. If you have enabled it, navigate to the global or VDOM
configuration as needed before following each procedure.
This document does not explain how to configure the protection profiles for virus
scanning, web filtering and spam filtering. Your FortiGate unit documentation
explains Protection profiles.
There are several essential steps to configuring your FortiGate unit for VLANs:
Adding VLAN subinterfaces
Creating firewall policies
Configuring routing

Adding VLAN subinterfaces


You add VLAN subinterfaces to the physical interface that receives VLAN-tagged
packets.
FortiGate interfaces cannot have overlapping IP addresses. That is, the IP
addresses of all interfaces must be on different subnets. This rule applies to both
physical interfaces and to VLAN subinterfaces.
Note: If you are unable to change your existing configurations to prevent IP overlap, enter
the CLI command config system global and set ip-overlap enable to allow IP
address overlap. If you enter this command, multiple VLAN interfaces can have an IP
address that is part of a subnet used by another interface. This command is recommended
for advanced users only.

Each VLAN subinterface must be configured with its own IP address and
netmask. The subinterface VLAN ID can be any number between 1 and 4094 (the
802.1Q VLAN ID is a 12-bit field, and the values 0 and 4095 are reserved). The
VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE
802.1Q-compliant switch or router. If the IDs do not match, the subinterface will
not receive the VLAN-tagged traffic.
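A check for the rules just stated and for those in Rules for VLAN IDs (page 19), as an added example that is not Fortinet code: it takes a planned set of interfaces and reports out-of-range VLAN IDs, a VLAN ID reused on the same physical interface, and overlapping subnets (the overlap check is skipped when the caller says the ip-overlap global setting is enabled). The interface tuples are constructed from the NAT/Route example later in this chapter plus a deliberately broken set; the parent interface name dmz and the problem strings are assumptions of the example.

```python
"""Consistency checks for a planned set of FortiGate interfaces: VLAN IDs within the
802.1Q range, no duplicate ID on one physical interface, no overlapping subnets unless
ip-overlap is enabled. Added example, not Fortinet code."""
import ipaddress
from collections import defaultdict

VID_MIN, VID_MAX = 1, 4094                        # 12-bit field; 0 and 4095 are reserved


def audit_interfaces(interfaces, ip_overlap=False):
    """interfaces: iterable of (name, parent physical interface or None, VLAN ID or None, 'ip/prefix').

    Returns a list of (interface name, problem) tuples; an empty list means the set
    can be configured as given. Physical interfaces use None for parent and VLAN ID.
    """
    problems = []
    ids_on_parent = defaultdict(dict)             # parent -> {vid: name}
    subnets = []                                  # (name, network) for the overlap check
    for name, parent, vid, cidr in interfaces:
        if parent is not None:
            if not VID_MIN <= vid <= VID_MAX:
                problems.append((name, f"VLAN ID {vid} outside {VID_MIN}-{VID_MAX}"))
            elif vid in ids_on_parent[parent]:
                problems.append((name, f"VLAN ID {vid} already used on {parent} "
                                       f"by {ids_on_parent[parent][vid]}"))
            else:
                ids_on_parent[parent][vid] = name     # same VID on another parent is allowed
        subnets.append((name, ipaddress.ip_interface(cidr).network))
    if not ip_overlap:            # 'config system global / set ip-overlap enable' lifts this rule
        for i, (name_a, net_a) in enumerate(subnets):
            for name_b, net_b in subnets[i + 1:]:
                if net_a.overlaps(net_b):
                    problems.append((name_b, f"subnet {net_b} overlaps {name_a} ({net_a})"))
    return problems


# The simple NAT/Route example from this chapter: two VLANs on internal, untagged external.
EXAMPLE_INTERFACES = [
    ("internal", None, None, "192.168.110.126/24"),
    ("external", None, None, "172.16.21.2/24"),
    ("VLAN_100", "internal", 100, "10.1.1.1/24"),
    ("VLAN_200", "internal", 200, "10.1.2.1/24"),
]

# Constructed set that breaks each rule once, plus VLAN 100 again on another port (allowed).
BROKEN_INTERFACES = EXAMPLE_INTERFACES + [
    ("VLAN_100_dup", "internal", 100, "10.1.5.1/24"),      # duplicate VID on the same parent
    ("VLAN_5000", "internal", 5000, "10.1.6.1/24"),        # VID out of range
    ("VLAN_300", "dmz", 300, "10.1.1.129/25"),             # overlaps VLAN_100's 10.1.1.0/24
    ("VLAN_100_dmz", "dmz", 100, "10.1.7.1/24"),           # VID 100 on a different parent: fine
]


if __name__ == "__main__":
    for name, problem in audit_interfaces(BROKEN_INTERFACES):
        print(f"{name}: {problem}")
```

Run it against a planned change before typing the configuration in; the web-based manager rejects the same things one at a time, but seeing every conflict up front is quicker when several VLANs are being added.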
To add a VLAN subinterface in NAT/Route mode
1 Go to System > Network > Interface.
2 Select Create New to add a VLAN subinterface.
3 Enter a Name to identify the VLAN subinterface.
4 From the Interface list, select the physical interface that receives the VLAN
packets intended for this VLAN subinterface.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by
this VLAN subinterface.
6 Configure the VLAN subinterface settings as you would for any FortiGate
interface.
7 Select OK to save your changes.
The FortiGate unit adds the new VLAN subinterface to the interface that you
selected in step 4.
To view the new VLAN subinterface, select the blue arrow next to the parent
physical interface. This will expand to display all VLAN subinterfaces on this
physical interface. If there is no blue arrow displayed, there are no subinterfaces
on this physical interface.

Creating firewall policies


Firewall policies permit communication between the FortiGate unit's network
interfaces based on source and destination IP addresses. Optionally, you can limit
communication to particular times and services.
You need firewall policies to permit packets to pass from the VLAN interface
where they enter the FortiGate unit to the interface where they exit. For each VLAN,
create a firewall policy for each of the following connections the VLAN will use:
from the VLAN to an external network
to the VLAN from an external network
from the VLAN to another VLAN in the same virtual domain on the FortiGate unit
to the VLAN from another VLAN in the same virtual domain on the FortiGate unit
The packets on each VLAN are subject to antivirus and antispam scanning as
they pass through the FortiGate unit, according to the protection profile selected
in the policy.
To add firewall policies for VLAN subinterfaces
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and
destination IP addresses of VLAN packets.
3 Go to Firewall > Policy.
4 Add firewall policies as required.

Configuring routing
In the simplest case, you need to configure a default route for packets with
external destinations to the gateway of an external network. In more complex
cases, you might have to configure different routes based on packet source and
destination addresses. Routing is explained in the FortiGate Administration Guide
and the CLI Reference documentation.
As with firewall policies, you need to configure routes for VLANs. A VLAN needs a
route and a gateway configured before it can send and receive packets outside its
local subnet. Depending on the network you are connecting to, this can be static
or dynamic routing. Dynamic routing can use the Routing Information Protocol
(RIP), the Border Gateway Protocol (BGP), Open Shortest Path First (OSPF) or
multicast routing.
If you enable protocols such as SSH, PING, TELNET and HTTP on the VLAN
subinterface, you can use them to confirm that routing is properly configured.
Enable only what you need for the test, and prefer SSH and HTTPS: Telnet and
HTTP carry administrator credentials in clear text. Enabling logging on the
interfaces can also help locate any problems.

Example configuration NAT/Route mode (simple)


Figure 5 shows a simplified NAT/Route mode VLAN configuration. In this
example, FortiGate internal interface connects to a Cisco 2950 VLAN switch using
an 802.1Q trunk and is configured with two VLAN subinterfaces (VLAN 100 and
VLAN 200). The external interface connects to the Internet and is not configured
with VLAN subinterfaces.

Figure 5: FortiGate unit in NAT/Route mode
(Diagram: the FortiGate unit's External port, 172.16.21.2, carries untagged packets
to the Internet; its Internal port, 192.168.110.126, connects over an 802.1Q trunk to
port Fa 0/24 of the VLAN switch; switch ports Fa 0/3 and Fa 0/9 serve the VLAN
100 network, 10.1.1.0, and the VLAN 200 network, 10.1.2.0.)

When the Cisco switch receives packets from VLAN 100 and VLAN 200, it applies
VLAN ID tags and forwards the packets to local ports and across the trunk to the
FortiGate unit. The FortiGate unit has policies that allow traffic to flow between the
VLANs and from the VLANs to the external network.
This section describes how to configure a FortiGate 800 unit and a Cisco Catalyst
2950 switch for this example network topology. Cisco configuration commands
used in this section are IOS commands. It is assumed that both the FortiGate 800
and the Cisco 2950 switch are installed, connected and basic configuration has
been completed. On the switch you will need to be able to access the CLI to enter
commands. Refer to the manuals for each unit for more information.

General configuration steps


The following steps provide an overview of configuring and testing the hardware
used in this example. The steps are explained in detail later in this section.
1 Configuring the FortiGate-800 unit:
Configure the external interface.
Add two VLAN subinterfaces to the Internal network interface.
Add firewall addresses and address ranges for the internal and external
networks.
Add firewall policies to allow the VLAN networks to access each other and to
access the external network.
2 Configuring the Cisco switch to support VLAN tags.
3 Testing the configuration.
Configuring the FortiGate-800 unit


Use the FortiGate web-based manager to configure the FortiGate-800 unit.
Alternatively, the CLI can be used.
Configuring the FortiGate unit includes:

Configuring the external interface

Adding VLAN subinterfaces

Adding the firewall addresses

Adding firewall policies

Configuring the external interface


The FortiGate unit's external interface will be the path to the Internet for our
network.
Configuring the external interface can be completed through the web-based
manager or the CLI.
To configure the external interface - web-based manager
1 Go to System > Network > Interface.
2 Select the Edit icon for the external interface.
3 Enter the following information for the external interface and select OK:
Addressing mode: Manual
IP/Netmask: 172.16.21.2/255.255.255.0
4 Configure other fields as required.

To configure the external interface - CLI


config system interface
edit external
set mode static
set ip 172.16.21.2 255.255.255.0
end

Adding VLAN subinterfaces


This step creates the VLANs on the FortiGate physical interfaces. The rest of this
example configures the VLAN behavior on the FortiGate unit, configures the
switch to treat the VLANs the same way as the FortiGate unit, and tests that all of
the settings are correct.
Adding VLAN subinterfaces can be completed through the web-based manager
or the CLI.
To add VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information for VLAN_100 and select OK:
Name: VLAN_100
Interface: internal
VLAN ID: 100
Addressing mode: Manual
IP/Netmask: 10.1.1.1/255.255.255.0
Administrative Access: HTTPS, PING, TELNET
Configure other fields as required.
4 Select Create New.
5 Enter the following information for VLAN_200 and select OK:
Name: VLAN_200
Interface: internal
VLAN ID: 200
Addressing mode: Manual
IP/Netmask: 10.1.2.1/255.255.255.0
Administrative Access: HTTPS, PING, TELNET
Configure other fields as required.


Figure 6: VLAN subinterfaces

To add VLAN subinterfaces - CLI


config system interface
edit VLAN_100
set interface internal
set vlanid 100
set mode static
set ip 10.1.1.1 255.255.255.0
set allowaccess https ping telnet
next
edit VLAN_200
set interface internal
set vlanid 200
set mode static
set ip 10.1.2.1 255.255.255.0
set allowaccess https ping telnet
end

Adding the firewall addresses


You need to define the addresses of the VLAN subnets for use in firewall policies.
The FortiGate unit provides one default address, all, that you can use when a
firewall policy applies to all addresses as the source or destination of a packet.
In this example, the _Net part of the address name indicates a range of
addresses instead of a single address. When choosing firewall address names,
keep them informative and unique, but short. You can use either the web-based
manager or the CLI to add firewall addresses.
To add the firewall addresses - web-based manager
1 Go to Firewall > Address.
2 Select Create New.
3 Enter the following information and select OK:
Address Name: VLAN_100_Net
Type: Subnet/IP Range
Subnet / IP Range: 10.1.1.0/255.255.255.0
4 Select Create New.
5 Enter the following information and select OK:
Address Name: VLAN_200_Net
Type: Subnet/IP Range
Subnet / IP Range: 10.1.2.0/255.255.255.0

Figure 7: Firewall addresses

To add the firewall addresses - CLI


config firewall address
edit VLAN_100_Net
set type ipmask
set subnet 10.1.1.0 255.255.255.0
next
edit VLAN_200_Net
set type ipmask
set subnet 10.1.2.0 255.255.255.0
end

Adding the firewall policies


Once you have assigned addresses to the VLANs, you need to configure firewall
policies for them using either the web-based manager or the CLI. This will allow
packets to pass from one VLAN to another and to the Internet.

If you do not wish to allow all services on a VLAN, you can create a firewall policy
for each service you want to allow. This example allows all services.
To add the firewall policies - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:
Source Interface/Zone: VLAN_100
Source Address Name: VLAN_100_Net
Destination Interface/Zone: VLAN_200
Destination Address Name: VLAN_200_Net
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select
Configure other fields as required.
4 Select Create New.
5 Enter the following information and select OK:
Source Interface/Zone: VLAN_200
Source Address Name: VLAN_200_Net
Destination Interface/Zone: VLAN_100
Destination Address Name: VLAN_100_Net
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select
Configure other fields as required.
6 Select Create New.
7 Enter the following information and select OK:
Source Interface/Zone: VLAN_100
Source Address Name: VLAN_100_Net
Destination Interface/Zone: external
Destination Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select
Configure other fields as required.
8 Select Create New.
9 Enter the following information and select OK:
Source Interface/Zone: VLAN_200
Source Address Name: VLAN_200_Net
Destination Interface/Zone: external
Destination Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select
Configure other fields as required.

To add the firewall policies - CLI
    config firewall policy
        edit 1
            set srcintf VLAN_100
            set dstintf VLAN_200
            set srcaddr VLAN_100_Net
            set dstaddr VLAN_200_Net
            set schedule always
            set service ANY
            set action accept
            set nat enable
            set status enable
        next
        edit 2
            set srcintf VLAN_200
            set dstintf VLAN_100
            set srcaddr VLAN_200_Net
            set dstaddr VLAN_100_Net
            set schedule always
            set service ANY
            set action accept
            set nat enable
            set status enable
        next
        edit 3
            set srcintf VLAN_100
            set dstintf external
            set srcaddr VLAN_100_Net
            set dstaddr all
            set schedule always
            set service ANY
            set action accept
            set nat enable
            set status enable
        next
        edit 4
            set srcintf VLAN_200
            set dstintf external
            set srcaddr VLAN_200_Net
            set dstaddr all
            set schedule always
            set service ANY
            set action accept
            set nat enable
            set status enable
    end

Configuring the Cisco switch to support VLAN tags


On the Cisco Catalyst 2950 ethernet switch, you need to define VLANs 100 and
200 in the VLAN database and then add a configuration file to define the VLAN
subinterfaces and the 802.1Q trunk interface.
One method to configure a Cisco switch is to connect over a serial connection to
the console port and enter the commands at the CLI. Another method is to
designate one interface on the switch as the management interface and use a
web browser to connect to the switch's graphical interface. For details on
connecting and configuring your Cisco switch, refer to the installation and
configuration manuals for the switch.
The switch used in this example is a Cisco Catalyst 2950 switch. The commands
used are IOS commands. Refer to the switch manual for help with these
commands.
To configure the VLAN subinterfaces and the trunk interfaces
Add this file to the Cisco switch:
    !
    interface FastEthernet0/3
     switchport access vlan 100
    !
    interface FastEthernet0/9
     switchport access vlan 200
    !
    interface FastEthernet0/24
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !
The switch has the following configuration:
   Port 0/3     VLAN ID 100
   Port 0/9     VLAN ID 200
   Port 0/24    802.1Q trunk

Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default
gateways. The default gateway for VLAN 100 is the FortiGate VLAN 100 subinterface. The
default gateway for VLAN 200 is the FortiGate VLAN 200 subinterface.

Testing the configuration


Use diagnostic commands (tracert, ping) to test traffic routed through the
FortiGate unit and the Cisco switch. Testing includes:
•  Testing traffic from VLAN 100 to VLAN 200
•  Testing traffic from VLAN 100 to the external network

Testing traffic from VLAN 100 to VLAN 200


In this example, a route is traced between the two internal networks. The route
target is a host on VLAN 200.
From VLAN 100, access a command prompt and enter this command:
    C:\>tracert 10.1.2.2
    Tracing route to 10.1.2.2 over a maximum of 30 hops:
      1   <10 ms   <10 ms   <10 ms  10.1.1.1
      2   <10 ms   <10 ms   <10 ms  10.1.2.2
    Trace complete.
Figure 8: Example trace route from VLAN 100 to VLAN 200
[Figure: the FortiGate-800 unit's VLAN 100 subinterface (10.1.1.1) and VLAN 200 subinterface (10.1.2.1) connect through the switch to the VLAN 100 network (host 10.1.1.2) and the VLAN 200 network (host 10.1.2.2); tracert runs from the VLAN 100 network.]

Testing traffic from VLAN 100 to the external network


In this example, a route is traced from an internal network to the external network.
The route target is the external network interface of the FortiGate-800 unit.
From VLAN 100, access a command prompt and enter this command:


    C:\>tracert 172.16.21.2
    Tracing route to 172.16.21.2 over a maximum of 30 hops:
      1   <10 ms   <10 ms   <10 ms  10.1.1.1
      2   <10 ms   <10 ms   <10 ms  172.16.21.2
    Trace complete.
Figure 9: Example trace route from VLAN 100 to the external network
[Figure: the FortiGate-800 unit's external interface (30.1.1.21) faces the Internet; its VLAN 100 subinterface (10.1.1.1) connects through the switch to the VLAN 100 network, from which tracert runs.]

Example configuration NAT/Route mode (complex)


In this example, a FortiGate-800 unit operates in NAT/Route mode. Its network
interfaces are configured as follows:
•  The internal interface is configured with two VLAN subinterfaces: VLAN 10 for
   the Local users network and VLAN 20 for the Finance network. The internal
   interface connects to a Cisco 2950 switch using an 802.1Q trunk.
•  The external interface is configured with two VLAN subinterfaces: VLAN 30 for
   the ATT ISP network and VLAN 40 for the XO ISP network. The external
   interface connects to a second Cisco 2950 switch using an 802.1Q trunk.
The FortiGate-800 is configured with firewall policies that control the flow of traffic
between networks. The Finance network is the most secure network: it allows
outbound traffic to all other networks, but it does not allow inbound traffic. The
Local users network allows outbound traffic to the external networks (ATT ISP and
XO ISP), inbound traffic from the Finance network, and a single inbound
connection from a VPN client on the ATT ISP network.
This section describes how to configure a FortiGate-800 unit and two 802.1Q-compliant
switches for the example network topology shown in Figure 10.


Figure 10: Example VLAN topology (FortiGate unit in NAT/Route mode)
[Figure: on the Internet side, a VPN client on the ATT ISP (VLAN 30) and the XO ISP (VLAN 40) connect to access ports Fa 0/3 and Fa 0/9 of the external Cisco 2950 switch, whose port Fa 0/24 is an 802.1Q trunk (VLAN 30, VLAN 40) to the External interface of the FortiGate-800 unit. The Internal interface of the FortiGate-800 unit is an 802.1Q trunk (VLAN 10, VLAN 20) to port Fa 0/24 of the internal Cisco 2950 switch, whose access ports Fa 0/3 and Fa 0/9 serve the Local users network (VLAN 10, 192.168.10.0) and the Finance network (VLAN 20, 192.168.20.0).]

General configuration steps


The following steps break down the NAT/Route mode complex configuration
example into smaller sections, each with a number of smaller procedures.
1  Configuring the FortiGate-800 unit
2  Configuring the FortiGate-800 IPSec VPN tunnel and encrypt policy
3  Configuring the VPN client
4  Configuring the internal Cisco switch
5  Configuring the external Cisco switch
6  Testing the configuration

Configuring the FortiGate-800 unit


Start the web-based manager or use the CLI to configure the FortiGate-800 unit.
Configuring the FortiGate unit includes:
•  Adding the VLAN subinterfaces Local-LAN, Finance, ATT-ISP and XO-ISP
•  Adding a default route
•  Adding the firewall addresses
•  Adding the firewall policies

Adding the VLAN subinterfaces


Select either the web-based manager or the CLI to add VLAN subinterfaces.
To add the VLAN subinterfaces - web-based manager
1  Go to System > Network > Interface.
2  Select Create New.
3  Enter the following information for the Local users network and select OK:
   Name                    Local-LAN
   Interface               internal
   VLAN ID                 10
   Addressing mode         Manual
   IP/Netmask              192.168.10.1/255.255.255.0
   Administrative Access   HTTPS, PING, TELNET
4  Select Create New.
5  Enter the following information for the Finance network and select OK:
   Name                    Finance
   Interface               internal
   VLAN ID                 20
   Addressing mode         Manual
   IP/Netmask              192.168.20.1/255.255.255.0
   Administrative Access   HTTPS, PING, TELNET
6  Select Create New.
7  Enter the following information for the ATT ISP network and select OK:
   Name                    ATT-ISP
   Interface               external
   VLAN ID                 30
   Addressing mode         Manual
   IP/Netmask              30.1.1.1/255.255.255.0
   Administrative Access   HTTPS, PING, TELNET
8  Select Create New.
9  Enter the following information for the XO ISP network and select OK:
   Name                    XO-ISP
   Interface               external
   VLAN ID                 40
   Addressing mode         Manual
   IP/Netmask              40.1.1.1/255.255.255.0
   Administrative Access   HTTPS, PING, TELNET


Figure 11: VLAN subinterfaces

To add the VLAN subinterfaces - CLI
    config system interface
        edit Local-LAN
            set interface internal
            set vlanid 10
            set mode static
            set ip 192.168.10.1 255.255.255.0
            set allowaccess https ping telnet
        next
        edit Finance
            set interface internal
            set vlanid 20
            set mode static
            set ip 192.168.20.1 255.255.255.0
            set allowaccess https ping telnet
        next
        edit ATT-ISP
            set interface external
            set vlanid 30
            set mode static
            set ip 30.1.1.1 255.255.255.0
            set allowaccess https ping telnet
        next
        edit XO-ISP
            set interface external
            set vlanid 40
            set mode static
            set ip 40.1.1.1 255.255.255.0
            set allowaccess https ping telnet
    end

Adding a default route


Default routes need to be added for both ISP connections. They are weighted
differently using the distance metric, which means traffic will use ATT-ISP by
default.

Select either the web-based manager or the CLI to add a default route.


To add a default route - web-based manager
1  Go to Router > Static > Static Route.
2  Select Create New to add a new route.
3  Enter the following information to add a default route to ATT-ISP for network traffic
   leaving the external interface and select OK:
   Destination IP/Mask    0.0.0.0/0.0.0.0
   Gateway                30.1.1.2
   Device                 ATT-ISP
   Distance               10
4  Enter the following information to add a secondary default route to XO-ISP for
   network traffic leaving the external interface and select OK:
   Destination IP/Mask    0.0.0.0/0.0.0.0
   Gateway                40.1.1.2
   Device                 XO-ISP
   Distance               20

To add a default route - CLI
    config router static
        edit 1
            set device ATT-ISP
            set gateway 30.1.1.2
            set distance 10
        next
        edit 2
            set device XO-ISP
            set gateway 40.1.1.2
            set distance 20
    end
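The route selection that the two default routes rely on, shown as an added Python example that is not part of the original guide: it models how a FortiGate picks the egress interface for a destination (longest matching prefix first, then the lowest distance) using the interface addresses and static routes of this example, and shows that the XO-ISP route only carries traffic once the ATT-ISP route is unusable. The interface table, the `down` parameter and the function names are this example's own assumptions, not FortiOS CLI.

```python
"""Egress interface selection for the two default routes in this example.

Added example, not Fortinet code: it models a FortiGate route lookup as
longest prefix first, then lowest distance, so that traffic normally
leaves via ATT-ISP (distance 10) and falls back to XO-ISP (distance 20).
"""
import ipaddress

# Constructed from the example: the VLAN subinterface addresses give the
# connected routes, the two static routes carry the configured distances.
INTERFACES = {
    "Local-LAN": "192.168.10.1/24",
    "Finance": "192.168.20.1/24",
    "ATT-ISP": "30.1.1.1/24",
    "XO-ISP": "40.1.1.1/24",
}
STATIC_ROUTES = [
    # (destination, gateway, device, distance); 0.0.0.0/0 is the default route
    ("0.0.0.0/0", "30.1.1.2", "ATT-ISP", 10),
    ("0.0.0.0/0", "40.1.1.2", "XO-ISP", 20),
]


def routing_table(interfaces, static_routes):
    """Return (network, gateway, device, distance) tuples. Connected routes
    are derived from the interface addresses; they have no gateway and
    distance 0, so they always beat a default route for the local subnets."""
    table = []
    for device, cidr in interfaces.items():
        table.append((ipaddress.ip_interface(cidr).network, None, device, 0))
    for dst, gateway, device, distance in static_routes:
        table.append((ipaddress.ip_network(dst), gateway, device, distance))
    return table


def select_route(table, dst_ip, down=frozenset()):
    """Pick the route for dst_ip: the longest matching prefix wins and ties
    go to the lowest distance. Routes on an interface named in `down` are
    skipped (an assumed model of a failed ISP link), which is when the
    secondary default route takes over. Returns (device, gateway) or None."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in table if ip in r[0] and r[2] not in down]
    if not candidates:
        return None
    _net, gateway, device, _dist = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return device, gateway


TABLE = routing_table(INTERFACES, STATIC_ROUTES)

if __name__ == "__main__":
    print(select_route(TABLE, "172.16.21.2"))               # ('ATT-ISP', '30.1.1.2')
    print(select_route(TABLE, "172.16.21.2", {"ATT-ISP"}))  # ('XO-ISP', '40.1.1.2')
    print(select_route(TABLE, "192.168.20.7"))              # ('Finance', None)
```

A destination on one of the VLAN subnets always uses the connected route regardless of the two defaults, and only when both ISP interfaces are down does the lookup return nothing, which is when the unit has no route at all for Internet-bound traffic.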

Adding the firewall addresses


Before you can configure firewall policies to control inter-VLAN and VLAN-internet
traffic, you need to assign firewall addresses. These define the subnets where the
firewall policies are applied.
Select either the web-based manager or the CLI to add the firewall addresses.
To add the firewall addresses - web-based manager
1  Go to Firewall > Address.
2  Select Create New.
3  Enter the following information and select OK:
   Address Name        Local_users
   Type                Subnet/IP Range
   IP Range/Subnet     192.168.10.0/255.255.255.0
4  Select Create New.
5  Enter the following information and select OK:
   Address Name        Finance_users
   Type                Subnet/IP Range
   IP Range/Subnet     192.168.20.0/255.255.255.0

Figure 12: firewall addresses

To add the firewall addresses - CLI
    config firewall address
        edit Local_users
            set type ipmask
            set subnet 192.168.10.0 255.255.255.0
        next
        edit Finance_users
            set type ipmask
            set subnet 192.168.20.0 255.255.255.0
    end

Adding the firewall policies


Firewall policies allow VLAN traffic to move to other VLANs and the internet.
Select either the web-based manager or the CLI to add the firewall policies.
To add the firewall policies - web-based manager
1  Go to Firewall > Policy.
2  Select Create New.
3  Enter the following information and select OK:
   Source Interface/Zone        Finance
   Source Address Name          Finance_users
   Destination Interface/Zone   ATT-ISP
   Destination Address Name     all
   Schedule                     Always
   Service                      ANY
   Action                       ACCEPT
   NAT                          Select
   Configure other fields as required.
4  Go to Firewall > Policy.
5  Select Create New.
6  Enter the following information and select OK:
   Source Interface/Zone        Finance
   Source Address Name          Finance_users
   Destination Interface/Zone   XO-ISP
   Destination Address Name     all
   Schedule                     Always
   Service                      ANY
   Action                       ACCEPT
   NAT                          Select
   Configure other fields as required.
7  Go to Firewall > Policy.
8  Select Create New.
9  Enter the following information and select OK:
   Source Interface/Zone        Finance
   Source Address Name          Finance_users
   Destination Interface/Zone   Local-LAN
   Destination Address Name     Local_users
   Schedule                     Always
   Service                      ANY
   Action                       ACCEPT
   NAT                          Select
   Configure other fields as required.
10 Go to Firewall > Policy.
11 Select Create New.
12 Enter the following information and select OK:
   Source Interface/Zone        Local-LAN
   Source Address Name          Local_users
   Destination Interface/Zone   ATT-ISP
   Destination Address Name     all
   Schedule                     Always
   Service                      ANY
   Action                       ACCEPT
   NAT                          Select
   Configure other fields as required.
13 Go to Firewall > Policy.
14 Select Create New.
15 Enter the following information and select OK:
   Source Interface/Zone        Local-LAN
   Source Address Name          Local_users
   Destination Interface/Zone   XO-ISP
   Destination Address Name     all
   Schedule                     Always
   Service                      ANY
   Action                       ACCEPT
   NAT                          Select
   Configure other fields as required.

The list of firewall policies looks like this:

To add the firewall policies - CLI
    config firewall policy
        edit 1
            set srcintf Finance
            set dstintf ATT-ISP
            set srcaddr Finance_users
            set dstaddr all
            set schedule always
            set service ANY
            set action accept
            set nat enable
            set status enable
        next
        edit 2
            set srcintf Finance
            set dstintf XO-ISP
            set srcaddr Finance_users
            set dstaddr all
            set schedule always
            set service ANY
            set action accept
            set nat enable
            set status enable
        next
        edit 3
            set srcintf Finance
            set dstintf Local-LAN
            set srcaddr Finance_users
            set dstaddr Local_users
            set schedule always
            set service ANY
            set action accept
            set nat enable
            set status enable
        next
        edit 4
            set srcintf Local-LAN
            set dstintf ATT-ISP
            set srcaddr Local_users
            set dstaddr all
            set schedule always
            set service ANY
            set action accept
            set nat enable
            set status enable
        next
        edit 5
            set srcintf Local-LAN
            set dstintf XO-ISP
            set srcaddr Local_users
            set dstaddr all
            set schedule always
            set service ANY
            set action accept
            set nat enable
            set status enable
    end

Configuring the FortiGate-800 IPSec VPN tunnel and encrypt policy


In this example, one user is allowed to connect to the Local user network through
a VPN tunnel from an external dial-up connection. To enable this, you need to do
the following:
•  Configure the VPN gateway.
•  Configure the VPN tunnel.
•  Define the IP address for the VPN user on the Local users network.
•  Add the encrypt firewall policy to enable the connection.

Configuring the VPN gateway


VPN IPSec tunnels are typically set up in two phases. The VPN gateway is the
first phase.
Select either the web-based manager or the CLI to configure the VPN gateway.


To configure the VPN gateway - web-based manager
1  Go to VPN > IPSEC Tunnel > Auto Key.
2  Select Create Phase 1 and then select Advanced.
3  Enter the following information, then select OK:
   Name                     Dialup_tunnel
   Remote Gateway           Dialup User
   Local Interface          ATT-ISP
   Mode                     Aggressive
   Authentication Method    Preshared key
   Pre-shared key           The key must contain at least 6 printable characters and
                            should only be known by network administrators. For
                            optimum protection against currently known attacks, the
                            key should consist of a minimum of 16 randomly chosen
                            alphanumeric characters.
                            The client must use the same pre-shared key.
   Advanced                 Select Advanced to configure the following options. The
                            values shown here are the defaults and should not need to
                            be changed.
   P1 Proposal              1-Encryption 3DES, Authentication SHA1
                            2-Encryption 3DES, Authentication MD5
   DH Group                 5
   Keylife                  28800 (seconds)
   Configure other fields as required.

To configure the VPN gateway - CLI
    config vpn ipsec phase1
        edit Dialup_tunnel
            set type dynamic
            set mode aggressive
            set authmethod psk
            set psksecret <pre-shared key>
            set proposal 3des-sha1 3des-md5
            set dhgrp 5
            set keylife 28800
    end
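The pre-shared key guidance given for the phase 1 configuration (at least 6 printable characters; 16 or more randomly chosen alphanumeric characters for optimum protection), turned into a generator and a checker as an added Python example that is not part of the original guide. The thresholds are the page's; the function names, the entropy estimate and the use of the `secrets` module are this example's own assumptions.

```python
"""Generating and checking an IPSec pre-shared key against the guidance in
this example: at least 6 printable characters, and 16 or more randomly
chosen alphanumeric characters for optimum protection.

Added example, not Fortinet code; the thresholds are the page's, the
function names are this example's own."""
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols
PRINTABLE = ALPHANUMERIC + string.punctuation         # 94 symbols, no whitespace
MIN_LENGTH = 6           # the page's hard minimum
RECOMMENDED_LENGTH = 16  # the page's recommendation


def generate_psk(length=RECOMMENDED_LENGTH):
    """Return a random alphanumeric key drawn from the OS CSPRNG (secrets)."""
    if length < MIN_LENGTH:
        raise ValueError(f"pre-shared key must have at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def entropy_bits(key):
    """Entropy of a key picked uniformly at random from its character set:
    62 symbols if it is purely alphanumeric, 94 printable symbols otherwise.
    A 16-character alphanumeric key gives about 95 bits."""
    alphabet = ALPHANUMERIC if all(c in ALPHANUMERIC for c in key) else PRINTABLE
    return len(key) * math.log2(len(alphabet))


def check_psk(key):
    """Return (ok, reasons). ok is True only when the key meets the recommended
    strength; reasons lists each guidance point the key misses."""
    reasons = []
    if len(key) < MIN_LENGTH or not all(c in PRINTABLE for c in key):
        reasons.append(f"must be at least {MIN_LENGTH} printable characters")
    if len(key) < RECOMMENDED_LENGTH:
        reasons.append(f"shorter than the recommended {RECOMMENDED_LENGTH} characters")
    if not all(c in ALPHANUMERIC for c in key):
        reasons.append("contains characters outside the alphanumeric set")
    return not reasons, reasons


if __name__ == "__main__":
    key = generate_psk()
    print(key, round(entropy_bits(key)), "bits", check_psk(key))
```

The same key has to be entered in the FortiClient connection (step 7 of the client procedure below), so generate it once and carry it to the client out of band rather than typing a memorable phrase on both sides.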

Configuring the VPN tunnel


With the VPN gateway configured, the VPN tunnel can be configured. The VPN
tunnel is Phase 2.
Select either the web-based manager or the CLI to configure the VPN tunnel.
To configure the VPN tunnel - web-based manager
1  Go to VPN > IPSEC > Phase 2.
2  Select Create New and then select Advanced.
3  Enter the following information, then select OK:
   Name                            Dialup-client
   Phase 1                         Dialup_tunnel
   Advanced                        Select Advanced to configure the following options.
   P2 Proposal                     1-Encryption 3DES, Authentication SHA1
                                   2-Encryption 3DES, Authentication MD5
   Enable replay detection         Select
   Enable perfect forward secrecy  Select
   DH Group                        5
   Keylife                         1800 seconds
   Autokey Keep Alive              Select
   DHCP-IPsec                      Clear
   Quick Mode Selector             Source address
                                   Source port
                                   Destination address
                                   Destination port
                                   Protocol
   Configure other fields as required.

To configure the VPN tunnel - CLI
    config vpn ipsec phase2
        edit Dialup-client
            set phase1name Dialup_tunnel
            set proposal 3des-sha1 3des-md5
            set replay enable
            set pfs enable
            set dhgrp 5
            set keylife_type seconds
            set keylifeseconds 1800
            set keepalive enable
    end

Defining the VPN user IP address


The destination address used in the firewall policy determines the acceptable
source address range for the remote VPN user. To allow the user to use the VPN
from any host, the firewall policy could specify the all firewall address. This
example requires that the remote user can only use the ATT-ISP network.
To define the VPN user IP address - web-based manager
1  Go to Firewall > Address > Address.
2  Select Create New.
3  Enter the following information and select OK:
   Address Name        ATT-net
   Type                Subnet/IP Range
   IP Range/Subnet     30.1.1.0/255.255.255.0

To define the VPN user IP address - CLI
    config firewall address
        edit ATT-net
            set type ipmask
            set subnet 30.1.1.0 255.255.255.0
    end

Adding the encrypt policy


Select either the web-based manager or the CLI to add the encrypt policy.
To add the encrypt policy - web-based manager
1  Go to Firewall > Policy.
2  Select Create New.
3  Enter the following information, then select OK:
   Source Interface/Zone        Local-LAN
   Source Address Name          Local_users
   Destination Interface/Zone   ATT-ISP
   Destination Address Name     ATT-net
   Schedule                     Always
   Service                      ANY
   Action                       IPSEC
   VPN Tunnel                   Dialup_tunnel
   Allow inbound                Select
   Allow outbound               Clear
   Inbound NAT                  Select
   Outbound NAT                 Clear
   Configure other fields as required.

Place the policy in the policy list above non-encrypt policies. If there is more than
one encrypt policy in the list, place the more specific ones above the more general
ones with similar source and destination addresses.
To add the encrypt policy - CLI
    config firewall policy
        edit 6
            set srcintf Local-LAN
            set dstintf ATT-ISP
            set srcaddr Local_users
            set dstaddr ATT-net
            set schedule always
            set service ANY
            set action ipsec
            set vpntunnel Dialup_tunnel
            set inbound enable
            set outbound disable
            set natinbound enable
            set natoutbound disable
            set status enable
    end
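The first-match behaviour that the policy lists of both NAT/Route examples rely on, and the reason the encrypt policy has to sit above the non-encrypt policies, shown as an added Python example that is not Fortinet code. It parses the `config firewall address` and `config firewall policy` CLI syntax used in this chapter and evaluates a flow against the policy list from top to bottom. The configuration text is a constructed excerpt of the complex example (the three addresses plus policies 3, 4 and 6); `parse_cli`, `first_match` and the `order` argument are this example's own names; the caller supplies the ingress and egress interfaces because the route lookup is not modelled, and the inbound/outbound tunnel flags of policy 6 are not modelled either.

```python
"""First-match evaluation of FortiGate firewall policies written in the CLI
syntax used in this chapter. Added example, not Fortinet code."""
import ipaddress

# Constructed excerpt of the complex example: the three firewall addresses and
# policies 3, 4 and 6 (policies 1, 2 and 5 are left out for brevity).
CLI_CONFIG = """
config firewall address
    edit Local_users
        set subnet 192.168.10.0 255.255.255.0
    next
    edit Finance_users
        set subnet 192.168.20.0 255.255.255.0
    next
    edit ATT-net
        set subnet 30.1.1.0 255.255.255.0
    end
config firewall policy
    edit 3
        set srcintf Finance
        set dstintf Local-LAN
        set srcaddr Finance_users
        set dstaddr Local_users
        set action accept
        set status enable
    next
    edit 4
        set srcintf Local-LAN
        set dstintf ATT-ISP
        set srcaddr Local_users
        set dstaddr all
        set action accept
        set status enable
    next
    edit 6
        set srcintf Local-LAN
        set dstintf ATT-ISP
        set srcaddr Local_users
        set dstaddr ATT-net
        set action ipsec
        set status enable
    end
"""


def parse_cli(text):
    """Parse 'config <table> / edit <name> / set <key> <values...> / next / end'
    into {table: {name: {key: [values]}}}; every name and key is a string."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "config":
            table = tables.setdefault(" ".join(words[1:]), {})
        elif words[0] == "edit":
            entry = table.setdefault(words[1], {})
        elif words[0] == "set":
            entry[words[1]] = words[2:]
        # 'next' and 'end' only close the current entry or table
    return tables


def address_matches(addresses, name, ip):
    """True if ip is inside the named firewall address; 'all' is the built-in
    address that matches any IP."""
    if name == "all":
        return True
    net, mask = addresses[name]["subnet"]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}")


def first_match(config, srcintf, dstintf, src_ip, dst_ip, order=None):
    """Return (policy id, action) for the first policy matching the flow, or
    None for the implicit deny. `order` is the top-to-bottom policy list
    (default: ascending id). Ingress and egress interfaces come from the
    caller; the route lookup that picks the egress interface is not modelled."""
    policies, addresses = config["firewall policy"], config["firewall address"]
    for pid in order or sorted(policies, key=int):
        p = policies[pid]
        if p.get("status", ["enable"]) != ["enable"]:
            continue  # disabled policies are skipped
        if p["srcintf"] != [srcintf] or p["dstintf"] != [dstintf]:
            continue
        if not address_matches(addresses, p["srcaddr"][0], src_ip):
            continue
        if not address_matches(addresses, p["dstaddr"][0], dst_ip):
            continue
        return pid, p["action"][0]
    return None


CONFIG = parse_cli(CLI_CONFIG)

if __name__ == "__main__":
    print(first_match(CONFIG, "Finance", "Local-LAN", "192.168.20.5", "192.168.10.2"))
    print(first_match(CONFIG, "Local-LAN", "Finance", "192.168.10.2", "192.168.20.5"))
    print(first_match(CONFIG, "Local-LAN", "ATT-ISP", "192.168.10.2", "30.1.1.50"))
    print(first_match(CONFIG, "Local-LAN", "ATT-ISP", "192.168.10.2", "30.1.1.50", ["6", "3", "4"]))
```

With policy 6 listed after policy 4, traffic from the Local users network to the ATT-ISP address range (the VPN client's network) matches the general accept policy 4 first and is sent outside the tunnel; listing policy 6 first makes the IPSEC policy win, which is what the instruction to place encrypt policies above non-encrypt policies achieves. Traffic from the Local users network towards the Finance network matches no policy at all, and that implicit deny is what keeps the Finance network closed to inbound connections.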

Configuring the VPN client


The Local users network allows a single inbound connection from a VPN client on
the ATT ISP network.
This example shows how to configure FortiClient for this purpose.

Creating a new VPN connection
1  Start FortiClient.
2  Go to VPN > Connections and select Add.
   Figure 13: New VPN Connection
3  Type a name for the connection in the Connection Name field.
4  In the Remote Gateway IP address box, enter 30.1.1.1.
5  In the Remote Network address box, enter 192.168.10.0/255.255.255.0.
6  From the Authentication Method box select Preshared Key.
7  Type the pre-shared key in the Pre-Shared Key field.
8  Select Advanced.
   Figure 14: Advanced Settings
9  Select Acquire virtual IP address and then select Config.
   The Virtual IP Acquisition dialog box opens.
10 Select Manually Set.
11 Enter the following information and select OK.
   IP             30.1.1.0
   Subnet mask    255.255.255.0
12 Select OK and then select OK again to complete configuration of the VPN
   connection.

Configuring the internal Cisco switch


On the Cisco Catalyst 2950 ethernet switch connected to the internal interface,
you need to define VLANs 10 and 20 in the VLAN database and then add a
configuration file to define the VLAN subinterfaces and the 802.1Q trunk interface.
This example uses Cisco IOS commands.

Configuring the VLAN subinterfaces and the trunk interfaces


Add this file to the Cisco switch connected to the internal interface:
    !
    interface FastEthernet0/3
     switchport access vlan 10
    !
    interface FastEthernet0/9
     switchport access vlan 20
    !
    interface FastEthernet0/24
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !
The switch has the following configuration:
   Port 0/3     VLAN ID 10
   Port 0/9     VLAN ID 20
   Port 0/24    802.1Q trunk

Note: To complete the setup, configure devices on VLAN 10 and VLAN 20 with default
gateways. The default gateway for VLAN 10 is the FortiGate VLAN 10 subinterface. The
default gateway for VLAN 20 is the FortiGate VLAN 20 subinterface.

Configuring the external Cisco switch


On the Cisco Catalyst 2950 ethernet switch connected to the external interface,
you need to define VLANs 30 and 40 in the VLAN database and then add a
configuration file to define the VLAN subinterfaces and the 802.1Q trunk interface.
This example uses Cisco IOS commands.

Configuring the VLAN subinterfaces and the trunk interfaces


Add this file to the Cisco switch connected to the external interface:
    !
    interface FastEthernet0/3
     switchport access vlan 30
    !
    interface FastEthernet0/9
     switchport access vlan 40
    !
    interface FastEthernet0/24
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !
The switch has the following configuration:
   Port 0/3     VLAN ID 30
   Port 0/9     VLAN ID 40
   Port 0/24    802.1Q trunk

Note: To complete the setup, configure devices on VLAN 30 and VLAN 40 with default
gateways. The default gateway for VLAN 30 is the FortiGate VLAN 30 subinterface. The
default gateway for VLAN 40 is the FortiGate VLAN 40 subinterface.
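What the access ports and the 802.1Q trunk in the three Cisco switch configurations of this chapter (the simple example's switch and the internal and external switches above) actually do to a frame, shown as an added Python example that is not Fortinet or Cisco code. It builds and parses 802.1Q-tagged Ethernet frames and models a switch that puts untagged traffic from an access port into that port's VLAN, carries every VLAN tagged on the trunk, and never bridges between VLANs. The port map is taken from the internal switch configuration; the MAC addresses, the `forward` function and its simplifications (tagged frames arriving on an access port and untagged frames arriving on the trunk are dropped) are this example's own assumptions.

```python
"""802.1Q tagging on the trunk between the FortiGate unit and the Cisco switches.

Added example, not Fortinet or Cisco code: it builds and parses tagged
Ethernet frames and models the access/trunk port behaviour configured on the
internal switch in this example. Port names and the VLAN map come from the page."""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed from the internal switch configuration on the page.
SWITCH_PORTS = {
    "FastEthernet0/3": {"mode": "access", "vlan": 10},
    "FastEthernet0/9": {"mode": "access", "vlan": 20},
    "FastEthernet0/24": {"mode": "trunk"},
}


def build_frame(dst_mac, src_mac, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame; with vlan_id a 4-byte 802.1Q tag (TPID
    0x8100 + TCI = 3-bit priority, 1-bit DEI, 12-bit VLAN ID) is inserted."""
    header = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1-4094")
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan_id)  # DEI left clear
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload) for an Ethernet II frame."""
    offset = 12  # destination and source MAC addresses
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    vlan_id = None
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_id = tci & 0x0FFF
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return vlan_id, ethertype, frame[offset + 2:]


def forward(ports, in_port, frame, out_port):
    """Model how the switch carries a frame from in_port to out_port. Returns
    the frame as transmitted, or None if the switch drops it. Assumed model:
    an access port classifies untagged frames into its VLAN and drops tagged
    ones; a trunk takes the VLAN from the tag; a VLAN leaves an access port
    untagged and only if it is that port's VLAN; a trunk sends it tagged."""
    vlan_id, ethertype, payload = parse_frame(frame)
    ingress, egress = ports[in_port], ports[out_port]
    if ingress["mode"] == "access":
        if vlan_id is not None:
            return None
        vlan_id = ingress["vlan"]
    elif vlan_id is None:
        return None  # untagged frames on the trunk (native VLAN) are not modelled
    dst, src = frame[:6], frame[6:12]
    if egress["mode"] == "access":
        if egress["vlan"] != vlan_id:
            return None  # VLAN isolation: the switch never bridges across VLANs
        return dst + src + struct.pack("!H", ethertype) + payload
    return build_frame(dst.hex(":"), src.hex(":"), ethertype, payload, vlan_id)
```

A frame from a host on Fa0/3 reaches the FortiGate unit over Fa0/24 carrying VLAN tag 10, but is never delivered to Fa0/9, which is why the only path between the Local users network and the Finance network is through the FortiGate VLAN subinterfaces and the firewall policies configured on them.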

Testing the configuration


Use diagnostic commands (tracert, ping) to test traffic routed through the
FortiGate unit and the Cisco switch.
The traffic route tests include:
•  testing traffic from VLAN 20 to VLAN 10
•  testing traffic from VLAN 20 to the external network

Testing traffic from VLAN 20 to VLAN 10


In this example, a route is traced between the two internal networks. The route
target is a host on the Local users network (VLAN 10).
From the Finance network, access a command prompt and enter this command:
    C:\>tracert 192.168.10.2
    Tracing route to 192.168.10.2 over a maximum of 30 hops:
      1   <10 ms   <10 ms   <10 ms  192.168.20.1
      2   <10 ms   <10 ms   <10 ms  192.168.10.2
    Trace complete.
Figure 15: Example trace route from VLAN 20 to VLAN 10
[Figure: the FortiGate-800 unit's VLAN 10 subinterface (192.168.10.1) and VLAN 20 subinterface (192.168.20.1) connect through the switch to the Finance network (VLAN 20) and the Local users network (VLAN 10, host 192.168.10.2); tracert runs from the Finance network.]

Testing traffic from VLAN 10 to the external network


In this example, a route is traced from VLAN 10 on an internal network to the
external network. The route target is the external network interface of the
FortiGate-800 unit.
From the Local users network (VLAN 10), access a command prompt and enter
this command:
    C:\>tracert 172.16.21.2
    Tracing route to 172.16.21.2 over a maximum of 30 hops:
      1   <10 ms   <10 ms   <10 ms  192.168.10.1
      2   <10 ms   <10 ms   <10 ms  172.16.21.2
    Trace complete.


Figure 16: Example trace route from VLAN 10 to the external network
[Figure: the FortiGate-800 unit's external interface (172.16.21.1) faces the Internet; its VLAN 10 subinterface (192.168.10.1) connects through the switch to the Local users network (VLAN 10), from which tracert runs.]


Using VDOMs in NAT/Route mode


Overview
Virtual Domains split your FortiGate unit into multiple separate units so that it can
serve multiple organizations. Each VDOM has separate routing and firewall
policies. Each interface, physical or VLAN, belongs exclusively to one virtual
domain. This simplifies administration because you can see only the interfaces,
routing tables and firewall policies for the VDOM you are configuring.
This chapter contains the following sections:
•  Getting started with VDOMs
•  Configuring virtual domains
•  Example VDOM configuration in NAT/Route mode (simple)
•  Example VDOM configuration in NAT/Route mode (complex)

Getting started with VDOMs


To configure your FortiGate unit for operation with multiple virtual domains, you
will be:
•  Enabling virtual domain configuration
•  Creating virtual domains
•  Creating administrators for virtual domains
•  Accessing virtual domains to configure them

Enabling virtual domain configuration


Using the default admin administration account, you can enable multiple VDOM
operation on the FortiGate unit.
To enable virtual domain configuration
1  Log in to the web-based manager as admin.
2  Go to System > Admin > Settings.
3  Select Enable under Virtual Domain Configuration.
4  Select Apply.
   The FortiGate unit logs you off. You can now log in again as admin.
When Virtual Domain Configuration is enabled, the web-based manager and the
CLI are changed as follows:
•  Global and per-VDOM configurations are separated.
•  Only the admin account can view or configure global options.
•  The admin account can configure all VDOM configurations.
•  Regular administrators can configure only the VDOM to which they are
   assigned.

By default, there is no password for admin. To improve security, you should set a
password. Optionally, you can also rename the admin account. For more
information on this see the user sections of FortiGate Administration Guide.

Creating virtual domains


Only the default admin administrator account can create VDOMs. By default, the
FortiGate unit has one fixed virtual domain named root, which you cannot delete
or rename. You can create additional virtual domains and name them as you like.
To create virtual domains
1  Log in as admin.
   The web-based manager Virtual Domain Configuration page opens.
2  Select Create New.
3  Enter the name for your new virtual domain and select OK. The name must not
   exceed 11 characters.
You can verify the new VDOM was created by selecting << Main Menu and
confirming it is in the list of virtual domains. You can repeat Steps 2 and 3 for each
VDOM that you want to create.
By default, your FortiGate unit supports a maximum of 10 VDOMs in any
combination of NAT/Route and Transparent modes. For FortiGate models
numbered 3000 and higher, you can purchase a license key to increase the
maximum number to 25, 50, 100 or 250 VDOMs.
To obtain a VDOM license key
1  Record your FortiGate unit serial number. You can find the serial number in the
   web-based manager on the System Status page.
2  Send the serial number to Fortinet customer support and request a license key for
   25, 50, 100 or 250 VDOMs.
3  When you receive your license key, in the web-based manager, go to System >
   Maintenance > License.
4  In the License Key field, enter the 32-character license key you received from
   Fortinet.
5  Select Apply.
You can verify the new VDOM license by going to System Status under Global
Configuration. There under License Information, Virtual Domains shows the new
maximum number of VDOMs allowed.

Creating administrators for virtual domains


Only the admin administrator account can create regular administrator accounts
and assign each of them to a VDOM.
To create administrators for virtual domains
1  Log in as admin.
   The web-based manager Virtual Domain Configuration page opens.
2  Select Global Configuration.
   The main web-based manager page opens.
3  Go to System > Admin > Administrators.
4  Select Create New.
   The New Administrator dialog box opens.
5  From the Virtual Domain list, select the VDOM that this administrator will control.
6  Configure the remaining settings of the administrator account. See the System
   Admin chapter of the FortiGate Administration Guide for detailed information.
7  Select OK.
The newly-created administrator can access the FortiGate unit only through a
network interface that belongs to the assigned VDOM or through the Console
interface. The network interface must be configured to allow management access,
such as HTTPS and SSH.

Accessing virtual domains to configure them


Only the admin administrator account can access all of the virtual domains on the
FortiGate unit. A regular administrator account can access and configure only its
own VDOM and must connect to an interface in that VDOM.
Management systems such as SNMP, logging, alert email, updates using the FDN
and setting system time using NTP all use addresses and routing in the root
virtual domain to communicate with the network. They can only connect to
network resources that can communicate with the root virtual domain.
To access a virtual domain as admin
1  Log in as admin.
   The web-based manager Virtual Domain Configuration page opens. From here
   you can access global settings using the Global Settings button or select a
   specific VDOM to configure.
   Figure 17: List of virtual domains
2  Select the name of the virtual domain that you want to configure.
   The main web-based manager page opens.
   The footer of the web-based manager page displays the currently selected virtual
   domain name, unless only the root domain exists.


Figure 18: Status line virtual domain indicator

When you are finished configuring the VDOM, you can:
• Select << Main Menu to return to the Virtual Domain Configuration page.
• Log out.

To access a virtual domain as a regular administrator
1. Connect to a FortiGate unit interface that belongs to the VDOM that you want to
   configure.
   To configure the root VDOM using the CLI, you can also connect to the Console
   connector.
2. Log in using an administrator account that belongs to the VDOM.
   The main web-based manager page opens. From here you can access VDOM-specific
   settings.

Configuring virtual domains


To configure VDOMs on your FortiGate unit, you may be:
• Changing the management VDOM
• Adding interfaces and VLAN subinterfaces to a virtual domain
• Configuring routing for a virtual domain
• Configuring firewall policies for a virtual domain
• Configuring VPNs for a virtual domain

Changing the management VDOM


By default the management VDOM is root. When other VDOMs are configured on
your FortiGate unit, management traffic can be moved to them. Management
traffic is generally any traffic that originates from the FortiGate unit. This includes:
• DNS lookups
• logging to FortiAnalyzer, syslog or webtrend
• FortiGuard service
• sending alert emails
• network time protocol traffic (ntpd)
• sending SNMP traps
• quarantining suspicious files and email
Before you change the management VDOM, ensure that virtual domain
configuration is selected.


To change the management VDOM from the web-based manager
1. Select Global Configuration.
2. Select the VDOM that will be the new management VDOM.
3. Select Set Management to apply the changes.
   Management traffic will now originate from the new management VDOM.
To change the management VDOM from the CLI
config global
config system global
set management-vdom <new_mgmt_vdom>
end
end
Management traffic will now originate from the new management VDOM
<new_mgmt_vdom>.

Adding interfaces and VLAN subinterfaces to a virtual domain


A virtual domain must contain at least two interfaces. These can be physical
interfaces or VLAN interfaces. By default all physical interfaces are in the root
virtual domain and when you create a new VLAN, the default virtual domain is
root.
To add a VLAN subinterface to a virtual domain
1. Select Global Configuration.
2. Go to System > Network > Interface.
3. Select Create New to add a VLAN subinterface.
4. Enter a Name to identify the VLAN subinterface.
5. Select the physical interface that receives the VLAN packets intended for this
   VLAN subinterface. The interface can be on a different VDOM from the VLAN.
6. Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
   VLAN subinterface.
7. Select the virtual domain to add this VLAN subinterface to.
8. Configure the VLAN subinterface settings as you would for any FortiGate
   interface.
9. Select OK to save your changes.
   The FortiGate unit adds the new VLAN subinterface to the interface that you
   selected in step 5.
To move an existing interface to another virtual domain
1. Select Global Configuration.
2. Go to System > Network > Interface.
3. Select Edit for the physical interface you want to move.
4. From the Virtual Domain list, select the new VDOM of the interface.


5. Select OK.
   The interface moves to the selected virtual domain. Firewall IP pools and virtual
   IPs added for this interface are deleted. You should manually delete any routes
   that include this interface.
To add zones to a virtual domain
1. Go to System > Virtual domain > Virtual domains.
2. Select Change following the current virtual domain name above the table.
3. Choose the virtual domain to add zones to.
4. Select OK.
5. Go to System > Network > Zone.
6. Select Create new.

Configuring routing for a virtual domain


Routing is VDOM-specific. Each VDOM should have at least the default route
configured.
To configure routing for a virtual domain
1. Log in as admin.
2. Select the VDOM.
3. Go to Router.
4. Configure routing for the current virtual domain as required.
   The routing you define applies only to network traffic entering interfaces belonging
   to this virtual domain.

Configuring firewall policies for a virtual domain


Firewall policies are VDOM-specific. This includes adding firewall addresses and
configuring firewall policies.
To add firewall addresses to a virtual domain
1. Log in as admin.
2. Select the VDOM for which to configure firewall addresses.
3. Go to Firewall > Address.
4. Add new firewall addresses, address ranges and address groups to the current
   virtual domain.
To configure firewall policies for a virtual domain
1. Log in as admin.
2. Choose the VDOM for which to configure firewall policies.
3. Go to Firewall > Policy.


4. Select Create new to add firewall policies to the current virtual domain.
   Your firewall policies can involve only the interfaces, zones and firewall addresses
   that are in the current virtual domain. The firewall policies that you add are only
   visible when you are viewing the current virtual domain. Network traffic accepted
   by the interfaces and VLAN subinterfaces in this virtual domain is controlled by
   the firewall policies in this virtual domain.

Configuring VPNs for a virtual domain


Configurations for IPSec Tunnel, IPSec Interface, PPTP and SSL are VDOM-specific.
Certificates are shared by all virtual domains.
To configure VPN for a virtual domain
1. Log in as admin.
2. Select the VDOM for which to configure VPN.
3. Go to VPN.
4. Configure IPSec Tunnel, IPSec Interface, PPTP and SSL as required.
   For more information on VPN, see the FortiGate Administration Guide.

Example VDOM configuration in NAT/Route mode (simple)


Figure 19 shows a simplified NAT/Route mode VLAN configuration in which a
FortiGate unit provides Internet access with real time network protection for two
organizations. Inside the FortiGate unit, each organization has its own virtual
domain, enabling separate configuration of network protection profiles.
A Cisco 2950 VLAN switch combines the LANs of the two organizations into an
802.1Q trunk that connects to the Internal interface of the FortiGate-800 unit.
There are two VLAN subinterfaces on the Internal interface, VLAN 100 and VLAN
200.
The external and DMZ interfaces of the FortiGate unit connect to the Internet
through different ISPs, one for each organization. These interfaces are not
configured with VLAN subinterfaces.


Figure 19: FortiGate unit in NAT/Route mode (figure labels: VLAN switch; ABC Inc. 10.1.1.0)

When the switch receives packets from VLAN 100 and VLAN 200, it applies the
proper VLAN ID tags and forwards the packets across the trunk link to the
FortiGate unit. The FortiGate unit is a layer-3 device - it has policies that allow
traffic to flow from VLAN 100 to the external network and from VLAN 200 to the
DMZ network.
This section describes how to configure a FortiGate-800 unit and a Cisco 2950
switch for this example network topology.

General configuration steps


While this example may not be labelled complex, it is not trivial. This section
lists the steps in brief; the following sections cover each of them in detail.
To configure the FortiGate-800 unit and the Cisco switch
1. Create virtual domains.
2. Configure the FortiGate-800 external and DMZ interfaces.
3. Configure each virtual domain on the FortiGate-800 unit:
   • Add a VLAN subinterface to the Internal network interface.
   • Add firewall addresses and address ranges for the internal and external
     networks.
   • Add a firewall policy to allow the VLAN to access the external network.
   • Configure the default route to the ISP.
4. Configure the Cisco switch to support VLAN tags.
5. Test the implementation.

Creating the virtual domains


In this example, two new virtual domains are created: ABCdomain for company
ABC and DEFdomain for company DEF. You can create them either with the
web-based manager or through the CLI.
To create the virtual domains - web-based manager
1. Log in as admin.
2. Select Create New.
3. Type ABCdomain and select OK.
4. Select Create New.
5. Type DEFdomain and select OK.
To create the virtual domains - CLI
config vdom
edit ABCdomain
next
edit DEFdomain
end

Configuring the FortiGate-800 external and DMZ interfaces


Start the FortiGate web-based manager to configure the FortiGate-800 unit.
Select Global Configuration. This section configures the interfaces for each
company and their connections to the Internet.

Configuring the external interface

Now you will configure the external interface using either the web-based manager or
the CLI.

To configure the external interface - web-based manager
1. Log in as admin.
2. Select Global Configuration.
3. Go to System > Network > Interface.
4. Select Edit on the external interface.
5. Enter the following information for the external interface and select OK:
   Virtual domain     ABCdomain
   Addressing mode    Manual
   IP/Netmask         30.1.1.21/255.255.255.0
6. Configure other fields as required.


To configure the external interface - CLI


config global
config system interface
edit external
set vdom ABCdomain
set mode static
set ip 30.1.1.21 255.255.255.0
end
end

Configuring the DMZ interface


Next, you will configure the DMZ interface either with the web-based manager or
the CLI.
To configure the DMZ interface - web-based manager
1. Log in as admin.
2. Select Global Configuration.
3. Go to System > Network > Interface.
4. Select Edit on the DMZ interface.
5. Enter the following information for the DMZ interface and select OK:
   Virtual domain     DEFdomain
   Addressing mode    Manual
   IP/Netmask         40.1.1.32/255.255.255.0
6. Configure other fields as required.

To configure the DMZ interface - CLI


config global
config system interface
edit dmz/ha
set vdom DEFdomain
set mode static
set ip 40.1.1.32 255.255.255.0
end
end

Configuring the ABCdomain VDOM


In this example, the ABCdomain VDOM is used for company ABC. You configure
it with a VLAN subinterface for VLAN_100 and a firewall policy to allow connection
to the External interface.
• Adding the VLAN interface will provide a way to send and receive packets to
  the VDOM. Interfaces are part of the global configuration.
• Adding the firewall policy will allow connection to the external interface and
  limit unwanted traffic. Firewall policies apply to each VDOM.


Adding the VLAN subinterface


VLAN 100 is how ABC Inc. communicates with the outside world. Ensure that
access protocols are added or ABC Inc. will not be able to manage their VDOM.
To add the VLAN 100 subinterface
1. Log in as admin.
2. Select Global Configuration.
3. Go to System > Network > Interface.
4. Select Create New.
5. Enter the following information for VLAN_100 and select OK:
   Name                    VLAN_100
   Interface               internal
   VLAN ID                 100
   Virtual Domain          ABCdomain
   Addressing mode         Manual
   IP/Netmask              10.1.1.1/255.255.255.0
   Administrative Access   HTTPS, PING, TELNET
6. Configure other fields as required.


Figure 20: ABCdomain VDOM interfaces and subinterfaces

To add the VLAN 100 subinterface - CLI


config global
config system interface
edit VLAN_100
set interface internal
set vlanid 100
set vdom ABCdomain
set mode static
set ip 10.1.1.1 255.255.255.0
set allowaccess https ping telnet
end
end

Selecting the ABCdomain VDOM


Before you follow the rest of the procedure for configuring VLAN 100, you must
ensure that ABCdomain is the current domain.
To select the ABCdomain VDOM - web-based manager
1. Log in as admin.
2. Select ABCdomain.
To select the ABCdomain VDOM - CLI
config vdom
edit ABCdomain

Adding ABCdomain firewall addresses


You need to define the addresses of the VLAN subnets for use in firewall policies.
The FortiGate unit provides one default address, all, that you can use when a
firewall policy applies to all addresses as a source or destination of a packet.
To add ABCdomain firewall addresses - web-based manager
1. Go to Firewall > Address.
2. Select Create New.
3. Enter the following information and select OK:
   Address Name       VLAN_100_Net
   Type               Subnet/IP Range
   IP Range/Subnet    10.1.1.0/255.255.255.0

Figure 21: ABCdomain VDOM firewall addresses

To add the ABCdomain VDOM firewall addresses - CLI


config firewall address
edit VLAN_100_Net
set type ipmask
set subnet 10.1.1.0 255.255.255.0
end

Adding the ABCdomain firewall policy


Next you will add the ABCdomain firewall policy using either the web-based
manager or the CLI.
To add the ABCdomain firewall policy - web-based manager
1. Go to Firewall > Policy.
2. Select Create New.
3. Enter the following information and select OK:
   Source Interface/Zone         VLAN_100
   Source Address Name           VLAN_100_Net
   Destination Interface/Zone    External
   Destination Address Name      all
   Schedule                      Always
   Service                       ANY
   Action                        ACCEPT
   NAT                           Select
4. Configure other fields as required.


Figure 22: ABCdomain VDOM firewall policy

To add the firewall policy - CLI


config firewall policy
edit 1
set srcintf VLAN_100
set dstintf external
set srcaddr VLAN_100_Net
set dstaddr all
set schedule always
set service ANY
set action accept
set nat enable
set status enable
end

Adding a default route


You need to define a default route to direct packets to the ISP if their destination is
outside of the VLAN 100 subnet.
To add a default route - web-based manager
1. Go to Router > Static.
2. Select Create New to add a new route.
3. Enter the following information to add a default route to ISP1 for network traffic
   leaving the external interface and select OK:
   Destination IP/Mask    0.0.0.0/0.0.0.0
   Gateway                30.1.1.2
   Device                 external
   Distance               10


Figure 23: ABCdomain VDOM routing table

To add a default route - CLI


config router static
edit 1
set device external
set gateway 30.1.1.2
end

Configuring the DEFdomain VDOM


In this example, the DEFdomain VDOM is used for company DEF. You configure it
with a VLAN subinterface for VLAN_200 and a firewall policy to allow connection
to the External interface. Interfaces are part of the global configuration. Firewall
policies apply to each VDOM.

Adding the VLAN 200 subinterface


VLAN 200 is how DEF Inc. communicates with the outside world. Ensure that
access protocols are added or DEF Inc. will not be able to manage their VDOM.
To add the VLAN 200 subinterface - web-based manager
1. Log in as admin.
2. Select Global Configuration.
3. Go to System > Network > Interface.
4. Select Create New.
5. Enter the following information for VLAN_200 and select OK:
   Name                    VLAN_200
   Interface               internal
   VLAN ID                 200
   Virtual Domain          DEFdomain
   Addressing mode         Manual
   IP/Netmask              10.1.2.1/255.255.255.0
   Administrative Access   HTTPS, PING, TELNET
6. Configure other fields as required.


Figure 24: DEFdomain interfaces and subinterfaces


To add VLAN 200 subinterface - CLI


config global
config system interface
edit VLAN_200
set interface internal
set vlanid 200
set vdom DEFdomain
set mode static
set ip 10.1.2.1 255.255.255.0
set allowaccess https ping telnet
end
end

Selecting the DEFdomain VDOM


Before you follow the rest of the procedure for configuring VLAN 200, you must
ensure that the current domain is DEFdomain.
To select the DEFdomain VDOM - web-based manager
1. Log in as admin.
2. Select DEFdomain.
To select the DEFdomain VDOM - CLI
config vdom
edit DEFdomain

Adding the DEFdomain firewall address


You need to define addresses for use in firewall policies. In this example, the
DEFdomain VDOM needs an address for the VLAN 200 subnet and the all
address.
To add the DEFdomain firewall address - web-based manager
1. Go to Firewall > Address.
2. Select Create New.
3. Enter the following information and select OK:
   Address Name       all
   Type               Subnet/IP Range
   IP Range/Subnet    0.0.0.0/0.0.0.0
4. Select Create New.
5. Enter the following information and select OK:
   Address Name       VLAN_200_Net
   Type               Subnet/IP Range
   IP Range/Subnet    10.1.2.0/255.255.255.0


Figure 25: Firewall addresses for DEFdomain

To add the DEFdomain firewall address - CLI


config firewall address
edit all
set type ipmask
set subnet 0.0.0.0 0.0.0.0
next
edit VLAN_200_Net
set type ipmask
set subnet 10.1.2.0 255.255.255.0
end

Adding the DEFdomain firewall policy


The DEFdomain firewall policy allows all traffic. This configuration is an example.
To add the DEFdomain firewall policy - web-based manager
1. Go to Firewall > Policy.
2. Select Create New.
3. Enter the following information and select OK:
   Source Interface/Zone         VLAN_200
   Source Address Name           VLAN_200_Net
   Destination Interface/Zone    dmz/ha
   Destination Address Name      all
   Schedule                      Always
   Service                       ANY
   Action                        ACCEPT
   NAT                           Select
4. Configure other fields as required.


Figure 26: DEFdomain firewall policy


To add the DEFdomain firewall policy - CLI


config firewall policy
edit 1
set srcintf VLAN_200
set dstintf dmz/ha
set srcaddr VLAN_200_Net
set dstaddr all
set schedule always
set service ANY
set action accept
set nat enable
set status enable
end

Adding a default route


You need to define a default route to direct packets to the ISP if their destination is
outside of the VLAN 200 subnet.
To add a default route - web-based manager
1. Go to Router > Static.
2. Select Create New to add a new route.
3. Enter the following information to add a default route to ISP2 for network traffic
   leaving the DMZ interface and select OK:
   Destination IP/Mask    0.0.0.0/0.0.0.0
   Gateway                40.1.1.2
   Device                 dmz/ha
   Distance               10

Figure 27: DEFdomain routing table

To add a default route - CLI


config router static
edit 1
set device dmz/ha
set gateway 40.1.1.2
end
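The scoping rules described under "Configuring virtual domains" (every interface belongs to exactly one VDOM, a VDOM needs at least two interfaces and a default route, and a VDOM's firewall policies may reference only that VDOM's own interfaces and addresses) can be checked mechanically before a configuration is applied. The Python script below is an added example and is not part of this guide or of FortiOS: it parses snippets written in the config/edit/set/next/end form used throughout this chapter and reports violations of those rules. The sample configuration inside it is constructed to mirror the simple example above; its DEFdomain default route deliberately names external, which is an ABCdomain interface, so the checker has something to report.

```python
"""VDOM scoping checks over FortiOS-style CLI snippets (added example, not Fortinet code).
Assumes the snippet grammar the guide uses (config / edit / set / next / end) and, as in
the guide's CLI examples, that a static route with no 'set dst' is a default route."""
import shlex

def parse_cli(text):
    """Parse a CLI snippet into nested dicts: table -> entry -> setting -> values."""
    root = {}
    stack = [("config", root)]          # (frame kind, dict being filled)
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":             # open a table such as "system interface"
            stack.append(("config", stack[-1][1].setdefault(" ".join(args), {})))
        elif cmd == "edit":             # open an entry inside the current table
            stack.append(("edit", stack[-1][1].setdefault(args[0], {})))
        elif cmd == "set":              # keyword -> list of values
            stack[-1][1][args[0]] = args[1:]
        elif cmd == "next":             # close the entry
            stack.pop()
        elif cmd == "end":              # close the table, and an entry still open
            if stack[-1][0] == "edit":
                stack.pop()
            stack.pop()
    return root

def check_vdoms(cfg):
    """Apply the guide's VDOM rules; return a list of problems (empty when clean)."""
    problems = []
    owner = {name: attrs.get("vdom", ["root"])[0]          # interface -> owning VDOM
             for name, attrs in cfg["global"]["system interface"].items()}
    for vd, body in cfg.get("vdom", {}).items():
        mine = {n for n, o in owner.items() if o == vd}
        if len(mine) < 2:
            problems.append(f"{vd}: only {len(mine)} interface(s), a VDOM needs at least two")
        addrs = set(body.get("firewall address", {}))        # 'all' must be defined too
        for pid, pol in body.get("firewall policy", {}).items():
            for key, pool in (("srcintf", mine), ("dstintf", mine),
                              ("srcaddr", addrs), ("dstaddr", addrs)):
                if pol[key][0] not in pool:
                    problems.append(f"{vd}: policy {pid} {key} {pol[key][0]} is not in this VDOM")
        routes = body.get("router static", {})
        if not any(r.get("dst", ["0.0.0.0"])[0] == "0.0.0.0" for r in routes.values()):
            problems.append(f"{vd}: no default route")
        for rid, r in routes.items():
            if r["device"][0] not in mine:
                problems.append(f"{vd}: route {rid} device {r['device'][0]} is not in this VDOM")
    return problems

def vdom_snippet(name, vlan_if, net, subnet, egress_if, route_dev):
    """Per-VDOM part of the constructed sample, shaped like the guide's simple example."""
    return f"""
    edit {name}
        config firewall address
            edit all
                set subnet 0.0.0.0 0.0.0.0
            next
            edit {net}
                set subnet {subnet}
            next
        end
        config firewall policy
            edit 1
                set srcintf {vlan_if}
                set dstintf {egress_if}
                set srcaddr {net}
                set dstaddr all
            next
        end
        config router static
            edit 1
                set device {route_dev}
            next
        end
    next"""

def build_sample(def_route_dev="external"):
    """Constructed sample; by default DEFdomain's route uses 'external', an ABCdomain interface."""
    global_part = """config global
    config system interface
        edit external
            set vdom ABCdomain
        next
        edit dmz/ha
            set vdom DEFdomain
        next
        edit VLAN_100
            set vdom ABCdomain
        next
        edit VLAN_200
            set vdom DEFdomain
        next
    end
end
config vdom"""
    abc = vdom_snippet("ABCdomain", "VLAN_100", "VLAN_100_Net", "10.1.1.0 255.255.255.0", "external", "external")
    deff = vdom_snippet("DEFdomain", "VLAN_200", "VLAN_200_Net", "10.1.2.0 255.255.255.0", "dmz/ha", def_route_dev)
    return global_part + abc + deff + "\nend\n"
```

Call check_vdoms(parse_cli(build_sample())) to see the single report for the mis-homed DEFdomain route, and build_sample("dmz/ha") for the corrected configuration, which reports nothing. The parser handles only the keywords that appear in this guide; it is a checking aid for snippets, not a general FortiOS configuration parser.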


Configuring the Cisco switch


On the Cisco Catalyst 2950 ethernet switch, you need to define VLANs 100 and
200 in the VLAN database and then add a configuration file to define the VLAN
subinterfaces and the 802.1Q trunk interface.

Configuring the VLAN subinterfaces and the trunk interfaces


Add this file to the Cisco switch:
!
interface FastEthernet0/3
switchport access vlan 100
!
interface FastEthernet0/9
switchport access vlan 200
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
The switch has the following configuration:
Port 0/3     VLAN ID 100
Port 0/9     VLAN ID 200
Port 0/24    802.1Q trunk

Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default
gateways. The default gateway for VLAN 100 is the FortiGate VLAN 100 subinterface. The
default gateway for VLAN 200 is the FortiGate VLAN 200 subinterface.

Testing the configuration


Use diagnostic commands (tracert, ping) to test traffic routed through the
FortiGate unit and the Cisco switch.

Testing traffic from VLAN 100 to the external network


In this example, a route is traced from an internal network to the external network.
The route target is the external network interface of the FortiGate-800 unit.
From VLAN 100, access a command prompt and enter this command:
C:\>tracert 30.1.1.21
Tracing route to 30.1.1.21 over a maximum of 30 hops:
  1    <10 ms    <10 ms    <10 ms  10.1.1.1
  2    <10 ms    <10 ms    <10 ms  30.1.1.21
Trace complete.


Figure 28: Example trace route from VLAN 100 to the external network (figure labels: VLAN 100 network; switch; tracert; FortiGate-800 unit with VLAN 100 subinterface 10.1.1.1 and External interface 30.1.1.21; Internet)

Testing traffic from VLAN 200 to the DMZ network


In this example, a route is traced from an internal network to the DMZ network.
The route target is the DMZ network interface of the FortiGate-800 unit.
From VLAN 200, access a command prompt and enter this command:
C:\>tracert 40.1.1.32
Tracing route to 40.1.1.32 over a maximum of 30 hops:
  1    <10 ms    <10 ms    <10 ms  10.1.2.1
  2    <10 ms    <10 ms    <10 ms  40.1.1.32
Trace complete.
Figure 29: Example trace route from VLAN 200 to the DMZ network (figure labels: VLAN 200 network; switch; tracert; FortiGate-300 unit with VLAN 200 subinterface 10.1.2.1 and DMZ interface 40.1.1.32; Internet)


Example VDOM configuration in NAT/Route mode (complex)


In this example, a FortiGate-800 unit operates in NAT/Route mode, serving two
organizations. Two virtual domains are used. The ABCdomain domain serves a
school with student and instructor networks. The second domain, Commercial,
serves a business with product development and sales networks. The internal and
external interfaces of the FortiGate unit are connected to Cisco switches through
802.1Q trunks that carry the traffic for both virtual domains.
Figure 30 illustrates this network topology, with the Commercial domain network
connections in red. The remainder of the chapter describes how to configure a
FortiGate-800 unit and Cisco Catalyst 2950 ethernet switches for this topology.
The ABCdomain domain is configured as follows:
• The internal interface is configured with two VLAN subinterfaces: VLAN 10 for
  the students network and VLAN 20 for the instructors network.
• The external interface is configured with a VLAN subinterface, VLAN 30, for
  the ATT-ISP network.
• Firewall policies allow both the instructors and students networks to access the
  Internet through the ATT-ISP network. For students there is a stricter
  protection profile governing their online activities.
• A firewall policy allows instructors access to the students network.
The Commercial domain is configured as follows:
• The internal interface is configured with two VLAN subinterfaces: VLAN 80 for
  the Sales network and VLAN 90 for the Development network.
• The external interface is configured with two VLAN subinterfaces, VLAN 40
  and VLAN 50, for access to the Internet via the redundant XO-ISP and XS-ISP
  networks.
• Firewall policies allow access to the Internet through the XO-ISP and XS-ISP
  networks from both the Sales and Development networks.
• Firewall policies allow access from the Sales network to the Development
  network and from the Development network to the Sales network.
You might have noticed that the Student network and the Development network
have the same network address range. This does not cause a problem because
the two address ranges reside in different virtual domains.
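The reason the overlap is harmless is that routing is VDOM-specific: each virtual domain keeps its own routing table, so the same destination address resolves to a different interface depending on which VDOM the packet belongs to. The Python model below is an added example, not code from this guide or from FortiOS. It builds a per-VDOM routing table from connected and static routes, resolves destinations by longest prefix and then lowest administrative distance, and shows the secondary default route of the Commercial domain taking over when the primary ISP interface goes down. The ABCdomain addresses and the 192.168.10.0 Development network come from the guide; the Commercial VDOM's interface addresses, the XO-ISP and XS-ISP gateways and the secondary route's distance are assumed values chosen for the illustration.

```python
"""Per-VDOM route lookup (added example, not Fortinet code).
Interface addresses for the Commercial VDOM, the XO/XS gateways and the secondary
route's distance are assumed; the guide only states that Development is 192.168.10.0."""
import ipaddress

class VdomRouter:
    """Routing table of one virtual domain: longest prefix wins, then lowest distance."""

    def __init__(self, name):
        self.name = name
        self.routes = []          # (network, device, gateway or None, distance)

    def connected(self, device, ip_with_prefix):
        """Connected route created by an interface address such as 192.168.10.1/24."""
        net = ipaddress.ip_interface(ip_with_prefix).network
        self.routes.append((net, device, None, 0))

    def static(self, device, gateway, distance=10, dst="0.0.0.0/0"):
        """Static route; with no dst it is a default route, as in the guide's CLI."""
        self.routes.append((ipaddress.ip_network(dst), device, gateway, distance))

    def set_down(self, device):
        """Withdraw every route over an interface whose link went down."""
        self.routes = [r for r in self.routes if r[1] != device]

    def lookup(self, dst):
        """Return (device, gateway) for dst, or None when nothing matches."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        best = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
        return best[1], best[2]

def build_example():
    """The two VDOMs of the complex example; Commercial values are assumed."""
    abc = VdomRouter("ABCdomain")
    abc.connected("students", "192.168.10.1/24")      # VLAN 10, from the guide
    abc.connected("instructors", "192.168.20.1/24")   # VLAN 20, from the guide
    abc.connected("ATT-ISP", "30.1.1.1/24")           # VLAN 30, from the guide
    abc.static("ATT-ISP", "30.1.1.2", distance=10)    # default route, from the guide

    com = VdomRouter("Commercial")
    com.connected("sales", "192.168.80.1/24")         # VLAN 80, address assumed
    com.connected("development", "192.168.10.1/24")   # VLAN 90, same net as students
    com.connected("XO-ISP", "40.1.1.1/24")            # VLAN 40, address assumed
    com.connected("XS-ISP", "50.1.1.1/24")            # VLAN 50, address assumed
    com.static("XO-ISP", "40.1.1.2", distance=10)     # primary default, assumed
    com.static("XS-ISP", "50.1.1.2", distance=20)     # secondary default, assumed
    return abc, com

if __name__ == "__main__":
    abc, com = build_example()
    for dst in ("192.168.10.7", "8.8.8.8"):
        print(abc.name, dst, "->", abc.lookup(dst))
        print(com.name, dst, "->", com.lookup(dst))
    com.set_down("XO-ISP")
    print(com.name, "8.8.8.8 after XO-ISP down ->", com.lookup("8.8.8.8"))
```

A host address such as 192.168.10.7 is delivered to the students interface when the lookup runs in ABCdomain and to the development interface when it runs in Commercial; neither table ever sees the other's entry. For Internet destinations the Commercial table prefers the distance-10 default through XO-ISP and falls back to the distance-20 route through XS-ISP only after the XO-ISP routes are withdrawn, which is the behaviour the "secondary default route" step later in this example relies on.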


Figure 30: Example VLAN/VDOM topology (FortiGate unit in NAT/Route mode) (figure labels: Student network 192.168.10.0; Development network 192.168.10.0)


General configuration steps


This example has many parts that need to be configured. This is a brief overview
of the steps involved. These steps are covered in more detail in the following
sections.
1. Create the Commercial domain.
2. Configure the ABCdomain domain:
   • Add the VLAN subinterfaces.
   • Configure a default route.
   • Add firewall addresses for the networks connected to the VLANs.
   • Add firewall policies to allow:
     - the instructors network to access the students network
     - the instructors network to access the external network
     - the students network to access the external network with a strict protection
       profile
3. Configure the Commercial domain:
   • Add the VLAN subinterfaces.
   • Configure a default route and a secondary default route.
   • Add firewall addresses for the VLANs.
   • Add firewall policies to allow:
     - the development network to access the sales network
     - the sales network to access the development network
     - the sales network to access the external network
     - the development network to access the external network
4. Configure the Cisco switches.
5. Test the implementation.

Creating the virtual domains


In this example, two virtual domains are created: ABCdomain for the school and
Commercial for the business.
To create the virtual domains - web-based manager
1. Log in as admin.
2. Select Create New.
3. Type ABCdomain and select OK.
4. Select Create New.
5. Type Commercial and select OK.
To create the virtual domains - CLI
config vdom
edit ABCdomain
next
edit Commercial
end


Configuring the ABCdomain VDOM


In this example, the ABCdomain VDOM is used to serve a school. You configure
two VLAN subinterfaces on the Internal interface and one on the External
interface. A firewall policy allows connections from the internal VLANs to the
VLAN on the External interface.

Selecting the ABCdomain virtual domain


Before you follow the rest of the procedures for configuring the ABCdomain
VDOM, you must ensure that the current domain is ABCdomain.
To select the ABCdomain virtual domain - web-based manager
1. Log in as admin.
2. Select the ABCdomain VDOM.
To select the ABCdomain virtual domain - CLI
config vdom
edit ABCdomain

Adding the VLAN subinterfaces


In the ABCdomain VDOM, you need two VLAN subinterfaces on the internal
physical interface to receive the VLAN 10 and VLAN 20 packets from the students
and instructors networks. You need a VLAN subinterface on the external interface
to send packets to the ATT-ISP network on VLAN 30.
To add the VLAN subinterfaces - web-based manager
1. Go to System > Network > Interface.
2. Select Create New.
3. Enter the following information for the students network and select OK:
   Name               students
   Interface          internal
   VLAN ID            10
   Virtual Domain     ABCdomain
   Addressing mode    Manual
   IP/Netmask         192.168.10.1/255.255.255.0
   Configure other fields as required.
4. Select Create New.
5. Enter the following information for the instructors network and select OK:
   Name               instructors
   Interface          internal
   VLAN ID            20
   Virtual Domain     ABCdomain
   Addressing mode    Manual
   IP/Netmask         192.168.20.1/255.255.255.0
   Configure other fields as required.
6. Select Create New.
7. Enter the following information for the ATT ISP network and select OK:
   Name               ATT-ISP
   Interface          external
   VLAN ID            30
   Virtual Domain     ABCdomain
   Addressing mode    Manual
   IP/Netmask         30.1.1.1/255.255.255.0
   Configure other fields as required.


Figure 31: VLAN subinterfaces for ABCdomain VDOM

To add the VLAN subinterfaces - CLI


config system interface
edit students
set interface internal
set vlanid 10
set vdom ABCdomain
set mode static
set ip 192.168.10.1 255.255.255.0
next
edit instructors
set interface internal
set vlanid 20
set vdom ABCdomain
set mode static
set ip 192.168.20.1 255.255.255.0
next
edit ATT-ISP
set interface external
set vlanid 30
set vdom ABCdomain
set mode static
set ip 30.1.1.1 255.255.255.0
end

Adding a default route


You need to define a default route for packets with destinations that are not on the
FortiGate unit networks connected to the ABCdomain VDOM. The simplest way to
do this is to set the ISP gateway address as the route for all packets leaving the
VLAN subinterface that is connected to the ISP.


To add a default route - web-based manager
1. Go to Router > Static.
2. Select Create New to add a new route.
3. Enter the following information to add a default route to ATT-ISP for network traffic
   leaving the external interface from the ABCdomain domain and select OK:
   Destination IP/Mask    0.0.0.0/0.0.0.0
   Gateway                30.1.1.2
   Device                 ATT-ISP
   Distance               10

To add a default route - CLI


config router static
edit 1
set device ATT-ISP
set gateway 30.1.1.2
next
end

Adding the firewall addresses


You need to define the addresses of the ABCdomain VDOM subnets for use in
firewall policies. In the ABCdomain VDOM, the FortiGate unit provides one default
address, all, that you can use when a firewall policy applies to all addresses as a
source or destination of a packet. In other VDOMs, you have to create this
address.
To add firewall addresses - web-based manager
1. Go to Firewall > Address.
2. Select Create New.
3. Enter the following information and select OK:
   Address Name       student_net
   Type               Subnet/IP Range
   IP Range/Subnet    192.168.10.0/255.255.255.0
4. Select Create New.
5. Enter the following information and select OK:
   Address Name       instructor_net
   Type               Subnet/IP Range
   IP Range/Subnet    192.168.20.0/255.255.255.0

Figure 32: Firewall addresses for ABCdomain domain


To add firewall addresses - CLI


config firewall address
edit all
set subnet 0.0.0.0 0.0.0.0
next
edit student_net
set subnet 192.168.10.0 255.255.255.0
next
edit instructor_net
set subnet 192.168.20.0 255.255.255.0
end

Adding the firewall policies


Each internal network needs a policy to permit it to access the ATT-ISP network
for connection to the Internet. By choosing different protection profiles in each
policy, the two groups of users can be subject to different levels of web filtering,
web category filtering and content logging. For simplicity, this example uses the
pre-configured protection profiles strict and scan. You can modify these or
create custom protection profiles as needed.
To add firewall policies - web-based manager
1. Go to Firewall > Policy.
2. Select Create New.
3. Enter the following information and select OK:
   Source Interface/Zone         students
   Source Address Name           student_net
   Destination Interface/Zone    ATT-ISP
   Destination Address Name      all
   Schedule                      Always
   Service                       ANY
   Action                        ACCEPT
   NAT                           Select
   Protection profile            strict
   Configure other fields as required.
4. Select Create New.
5. Enter the following information and select OK:
   Source Interface/Zone         instructors
   Source Address Name           instructor_net
   Destination Interface/Zone    ATT-ISP
   Destination Address Name      all
   Schedule                      Always
   Service                       ANY
   Action                        ACCEPT
   NAT                           Select
   Protection profile            scan
   Configure other fields as required.
6. Select Create New.
7. Enter the following information and select OK:
   Source Interface/Zone         instructors
   Source Address Name           instructor_net
   Destination Interface/Zone    students
   Destination Address Name      student_net
   Schedule                      Always
   Service                       ANY
   Action                        ACCEPT
   NAT                           Select
   Configure other fields as required.

The list of firewall policies looks like this:


Figure 33: Firewall policies for ABCdomain VDOM


To add firewall policies - CLI

config firewall policy
edit 1
set srcintf students
set dstintf ATT-ISP
set srcaddr student_net
set dstaddr all
set action accept
set schedule always
set service ANY
set profile_status enable
set profile strict
set nat enable
next
edit 2
set srcintf instructors
set dstintf ATT-ISP
set srcaddr instructor_net
set dstaddr all
set action accept
set schedule always
set service ANY
set profile_status enable
set profile scan
set nat enable
next
edit 3
set srcintf instructors
set dstintf students
set srcaddr instructor_net
set dstaddr student_net
set action accept
set schedule always
set service ANY
set nat enable
next
end

Configuring the Commercial VDOM


The Commercial VDOM serves a company with development and sales networks.
Start the web-based manager to configure the FortiGate-800 unit.

Selecting the Commercial VDOM


Before you follow the rest of the procedure for configuring the Commercial
domain, you must ensure that the current domain is Commercial.
To select the Commercial VDOM - web-based manager
1  Log in as admin.
2  Select the Commercial virtual domain.

To select the Commercial VDOM - CLI
config vdom
edit Commercial


Adding the VLAN subinterfaces


In the Commercial VDOM, you need two VLAN subinterfaces on the internal
physical interface to receive the VLAN 80 and VLAN 90 packets from the Sales
and Development networks. You need a VLAN subinterface on the external
interface to send packets to the XO-ISP network on VLAN 40.
To add the VLAN subinterfaces - web-based manager
1  Go to System > Network > Interface.
2  Select Create New.
3  Enter the following information for the Sales network and select OK:
       Name             Sales
       Interface        internal
       VLAN ID          80
       Virtual Domain   Commercial
       Addressing mode  Manual
       IP/Netmask       192.168.15.1/255.255.255.0
   Configure other fields as required.
4  Select Create New.
5  Enter the following information for the Development network and select OK:
       Name             Development
       Interface        internal
       VLAN ID          90
       Virtual Domain   Commercial
       Addressing mode  Manual
       IP/Netmask       192.168.10.1/255.255.255.0
   Configure other fields as required.
6  Select Create New.
7  Enter the following information for the XO ISP network and select OK:
       Name             XO-ISP
       Interface        external
       VLAN ID          40
       Virtual Domain   Commercial
       Addressing mode  Manual
       IP/Netmask       40.1.1.1/255.255.255.0
   Configure other fields as required.
8  Select Create New.
9  Enter the following information for the XS ISP network and select OK:
       Name             XS-ISP
       Interface        external
       VLAN ID          50
       Virtual Domain   Commercial
       Addressing mode  Manual
       IP/Netmask       145.1.1.1/255.255.255.0
   Configure other fields as required.


Figure 34: VLAN subinterfaces for Commercial VDOM

To add the VLAN subinterfaces - CLI


config system interface
edit Sales
set interface internal
set vlanid 80
set vdom Commercial
set mode static
set ip 192.168.15.1 255.255.255.0
next
edit Development
set interface internal
set vlanid 90
set vdom Commercial
set mode static
set ip 192.168.10.1 255.255.255.0
next
edit XO-ISP
set interface external
set vlanid 40
set vdom Commercial
set mode static
set ip 40.1.1.1 255.255.255.0
next
edit XS-ISP
set interface external
set vlanid 50
set vdom Commercial
set mode static
set ip 145.1.1.1 255.255.255.0
end


Adding a default route


You need to define a default route for packets with destinations that are not on the
FortiGate unit's networks. The simplest way to do this is to set the ISP gateway
address as the route for all packets leaving the VLAN subinterface that is
connected to the ISP. As this example includes redundant ISPs, you also define a
route to the secondary ISP with a greater distance.
To add a default route - web-based manager
1  Go to Router > Static.
2  Select Create New to add a new route.
3  Enter the following information to add a default route to XO-ISP for network traffic
   leaving the external interface from the Commercial domain and select OK:
       Destination IP/Mask  0.0.0.0/0.0.0.0
       Gateway              40.1.1.2
       Device               XO-ISP
       Distance             10
4  Select Create New to add a new route.
5  Enter the following information to add a secondary default route to XS-ISP for
   network traffic leaving the external interface from the Commercial domain and
   select OK:
       Destination IP/Mask  0.0.0.0/0.0.0.0
       Gateway              145.1.1.2
       Device               XS-ISP
       Distance             20

To add a default route - CLI


config router static
edit 1
set device XO-ISP
set gateway 40.1.1.2
set distance 10
next
edit 2
set device XS-ISP
set gateway 145.1.1.2
set distance 20
end

Adding the firewall addresses


You need to define the addresses of the Commercial VDOM subnets for use in
firewall policies. In the ABCdomain VDOM, the FortiGate unit provides one default
address, all, that you can use when a firewall policy applies to all addresses as a
source or destination of a packet. In other VDOMs, you have to create this
address.


To add the firewall addresses - web-based manager
1  Go to Firewall > Address.
2  Select Create New.
3  Enter the following information and select OK:
       Address Name     all
       Type             Subnet/IP Range
       IP Range/Subnet  0.0.0.0/0.0.0.0
4  Select Create New.
5  Enter the following information and select OK:
       Address Name     development_net
       Type             Subnet/IP Range
       IP Range/Subnet  192.168.10.0/255.255.255.0
6  Select Create New.
7  Enter the following information and select OK:
       Address Name     sales_net
       Type             Subnet/IP Range
       IP Range/Subnet  192.168.15.0/255.255.255.0

Figure 35: Firewall addresses for Commercial domain

To add the firewall addresses - CLI


config firewall address
edit all
set subnet 0.0.0.0 0.0.0.0
next
edit development_net
set subnet 192.168.10.0 255.255.255.0
next
edit sales_net
set subnet 192.168.15.0 255.255.255.0
next
end

Adding the firewall policies


Each internal network needs a policy to permit it to access the XO-ISP and XS-ISP
networks for connection to the Internet. Also, each internal network needs a
policy to allow it to connect to the other internal network.


To add the firewall policies - web-based manager
1  Go to Firewall > Policy.
2  Select Create New.
3  Enter the following information and select OK:
       Source Interface/Zone       Sales
       Source Address Name         sales_net
       Destination Interface/Zone  XO-ISP
       Destination Address Name    all
       Schedule                    Always
       Service                     ANY
       Action                      ACCEPT
       NAT                         Select
       Protection profile          scan
   Configure other fields as required.
4  Select Create New.
5  Enter the following information and select OK:
       Source Interface/Zone       Sales
       Source Address Name         sales_net
       Destination Interface/Zone  XS-ISP
       Destination Address Name    all
       Schedule                    Always
       Service                     ANY
       Action                      ACCEPT
       NAT                         Select
       Protection profile          scan
   Configure other fields as required.
6  Select Create New.
7  Enter the following information and select OK:
       Source Interface/Zone       Development
       Source Address Name         development_net
       Destination Interface/Zone  XO-ISP
       Destination Address Name    all
       Schedule                    Always
       Service                     ANY
       Action                      ACCEPT
       NAT                         Select
       Protection profile          scan
   Configure other fields as required.
8  Select Create New.
9  Enter the following information and select OK:
       Source Interface/Zone       Development
       Source Address Name         development_net
       Destination Interface/Zone  XS-ISP
       Destination Address Name    all
       Schedule                    Always
       Service                     ANY
       Action                      ACCEPT
       NAT                         Select
       Protection profile          scan
   Configure other fields as required.
10 Select Create New.
11 Enter the following information and select OK:
       Source Interface/Zone       Sales
       Source Address Name         sales_net
       Destination Interface/Zone  Development
       Destination Address Name    development_net
       Schedule                    Always
       Service                     ANY
       Action                      ACCEPT
       NAT                         Select
   Configure other fields as required.
12 Select Create New.
13 Enter the following information and select OK:
       Source Interface/Zone       Development
       Source Address Name         development_net
       Destination Interface/Zone  Sales
       Destination Address Name    sales_net
       Schedule                    Always
       Service                     ANY
       Action                      ACCEPT
       NAT                         Select
   Configure other fields as required.

The list of firewall policies looks like this:


Figure 36: Firewall policies for Commercial VDOM

To add the firewall policies - CLI


config firewall policy
edit 1
set srcintf Sales
set dstintf XO-ISP
set srcaddr sales_net
set dstaddr all
set action accept
set schedule always
set service ANY
set profile_status enable
set profile scan
set nat enable
next
edit 2
set srcintf Sales
set dstintf XS-ISP
set srcaddr sales_net
set dstaddr all
set action accept
set schedule always
set service ANY
set profile_status enable
set profile scan
set nat enable
next
edit 3
set srcintf Development
set dstintf XO-ISP
set srcaddr development_net
set dstaddr all
set action accept
set schedule always
set service ANY
set profile_status enable
set profile scan
set nat enable
next
edit 4
set srcintf Development
set dstintf XS-ISP
set srcaddr development_net
set dstaddr all
set action accept
set schedule always
set service ANY
set profile_status enable
set profile scan
set nat enable
next
edit 5
set srcintf Sales
set dstintf Development
set srcaddr sales_net
set dstaddr development_net
set action accept
set schedule always
set service ANY
set nat enable
next
edit 6
set srcintf Development
set dstintf Sales
set srcaddr development_net
set dstaddr sales_net
set action accept
set schedule always
set service ANY
set nat enable
end
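The CLI procedures for the ABCdomain and Commercial VDOMs above are easy to mistype: a policy can name a source address that is not on its source interface, or an Internet-bound policy can be saved without a protection profile. The following script is an added example (not Fortinet's code) that parses the config/edit/set/next/end syntax used in those procedures and reports such inconsistencies before the configuration is applied. SAMPLE_CONFIG is constructed for the example: it mirrors the ABCdomain VDOM, but policy 2 lacks a profile and policy 3 uses student_net as its source address; the ATT-ISP interface address 192.0.2.1 is a placeholder, as the page does not give it here.

```python
# Added example, not Fortinet's code: consistency checks over the FortiOS
# config/edit/set/next/end syntax used in the CLI procedures above.  It parses
# the interface, address and policy tables and reports policies that reference
# unknown objects, policies whose source address is not on the source
# interface's subnet, and Internet-bound policies without a protection profile.
# SAMPLE_CONFIG is constructed (ATT-ISP address 192.0.2.1 is a placeholder).
import ipaddress
from typing import Dict, List, Set

SAMPLE_CONFIG = """
config system interface
edit students
set ip 192.168.10.1 255.255.255.0
next
edit instructors
set ip 192.168.20.1 255.255.255.0
next
edit ATT-ISP
set ip 192.0.2.1 255.255.255.0
end
config firewall address
edit all
set subnet 0.0.0.0 0.0.0.0
next
edit student_net
set subnet 192.168.10.0 255.255.255.0
next
edit instructor_net
set subnet 192.168.20.0 255.255.255.0
end
config firewall policy
edit 1
set srcintf students
set dstintf ATT-ISP
set srcaddr student_net
set dstaddr all
set profile_status enable
set profile strict
next
edit 2
set srcintf instructors
set dstintf ATT-ISP
set srcaddr instructor_net
set dstaddr all
next
edit 3
set srcintf instructors
set dstintf students
set srcaddr student_net
set dstaddr student_net
end
"""

def parse_fortios(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Return {table: {entry: {setting: value}}}; multi-word values stay whole."""
    tables: Dict[str, Dict[str, Dict[str, str]]] = {}
    table = entry = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "config":
            table = " ".join(words[1:])
            tables.setdefault(table, {})
        elif words[0] == "edit":
            entry = " ".join(words[1:])
            tables[table][entry] = {}
        elif words[0] == "set":
            tables[table][entry][words[1]] = " ".join(words[2:])
        elif words[0] == "next":
            entry = None
        elif words[0] == "end":
            table = entry = None
    return tables

def to_network(value: str) -> ipaddress.IPv4Network:
    """Convert the FortiOS 'address mask' pair into an IPv4Network."""
    addr, mask = value.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def check_policies(conf: dict, internet_ifaces: Set[str]) -> List[str]:
    ifaces, addrs = conf.get("system interface", {}), conf.get("firewall address", {})
    findings: List[str] = []
    for pid, pol in conf.get("firewall policy", {}).items():
        for key, table in (("srcintf", ifaces), ("dstintf", ifaces), ("srcaddr", addrs), ("dstaddr", addrs)):
            if pol.get(key) not in table:   # every referenced object must exist in this VDOM
                findings.append(f"policy {pid}: unknown object {pol.get(key)!r} in {key}")
        src_if, src_ad = ifaces.get(pol.get("srcintf")), addrs.get(pol.get("srcaddr"))
        if src_if and src_ad and "ip" in src_if and "subnet" in src_ad:
            if_net, ad_net = to_network(src_if["ip"]), to_network(src_ad["subnet"])
            if ad_net.prefixlen and not ad_net.subnet_of(if_net):   # source must sit on the ingress subnet
                findings.append(f"policy {pid}: srcaddr {pol['srcaddr']} ({ad_net}) is not on srcintf {pol['srcintf']} ({if_net})")
        if pol.get("dstintf") in internet_ifaces and pol.get("profile_status") != "enable":
            findings.append(f"policy {pid}: Internet-bound policy has no protection profile")
    return findings

if __name__ == "__main__":
    print("\n".join(check_policies(parse_fortios(SAMPLE_CONFIG), {"ATT-ISP"})))
```

Run against the sample, the script reports policy 2 (no protection profile towards ATT-ISP) and policy 3 (student_net is not on the instructors subinterface); the same checks apply unchanged to the Commercial VDOM by passing XO-ISP and XS-ISP as the Internet-facing interfaces.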


Note: To complete the setup, configure devices on the VLANs with default gateways. The
default gateway for VLAN 10 is the FortiGate VLAN 10 subinterface. The default gateway
for VLAN 20 is the FortiGate VLAN 20 subinterface and so on.

Configuring the Cisco switch


Add a configuration file to each of the Cisco Catalyst 2950 Ethernet switches. The
configuration file defines the VLAN subinterfaces and the 802.1Q trunk interface
on the switch.

Configuring the VLAN subinterfaces and the trunk interfaces


Add this file to the Cisco switch connected to the FortiGate-800 internal interface:
!
interface FastEthernet0/3
switchport access vlan 10
!
interface FastEthernet0/4
switchport access vlan 20
!
interface FastEthernet0/14
switchport access vlan 80
!
interface FastEthernet0/16
switchport access vlan 90
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
The switch has the following configuration:
    Port 0/3   VLAN ID 10
    Port 0/4   VLAN ID 20
    Port 0/14  VLAN ID 80
    Port 0/16  VLAN ID 90
    Port 0/24  802.1Q trunk


Add this file to the Cisco switch connected to the FortiGate-800 external interface:
!
interface FastEthernet0/3
switchport access vlan 30
!
interface FastEthernet0/9
switchport access vlan 40
!
interface FastEthernet0/19
switchport access vlan 50
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
The switch has the following configuration:
    Port 0/3   VLAN ID 30
    Port 0/9   VLAN ID 40
    Port 0/19  VLAN ID 50
    Port 0/24  802.1Q trunk
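The port/VLAN tables above are derived by hand from the two switch files. The script below is an added example (not Cisco's or Fortinet's code) that derives the same table from the IOS stanzas and then checks that every access VLAN on the switch has a matching VLAN subinterface on the FortiGate, and vice versa, which is the check to run whenever either side is changed. INTERNAL_SWITCH is the first switch file above; DRIFTED_SWITCH is a constructed variant in which port 0/16 has been moved to VLAN 95, a VLAN the FortiGate does not know; FORTIGATE_INTERNAL_VLANS lists the VLAN IDs of the subinterfaces on the FortiGate internal interface in this example.

```python
# Added example, not Cisco's or Fortinet's code: parses the minimal IOS
# interface stanzas shown above ("switchport access vlan N", "switchport mode
# trunk"), rebuilds the port/VLAN table that the text lists by hand, and checks
# the access VLANs against the VLAN IDs the FortiGate expects on the trunk.
# INTERNAL_SWITCH is the first switch file above; DRIFTED_SWITCH is constructed.
from typing import Dict, List, Set

INTERNAL_SWITCH = """
!
interface FastEthernet0/3
switchport access vlan 10
!
interface FastEthernet0/4
switchport access vlan 20
!
interface FastEthernet0/14
switchport access vlan 80
!
interface FastEthernet0/16
switchport access vlan 90
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
"""

# constructed drift: port 0/16 moved to a VLAN the FortiGate has no subinterface for
DRIFTED_SWITCH = INTERNAL_SWITCH.replace("switchport access vlan 90", "switchport access vlan 95")

# VLAN IDs of the subinterfaces on the FortiGate internal interface in this example
FORTIGATE_INTERNAL_VLANS: Set[int] = {10, 20, 80, 90}


def parse_ios_switchports(text: str) -> Dict[str, Dict[str, object]]:
    """Return {interface name: {"mode": "access" or "trunk", "vlan": access VLAN or None}}."""
    ports: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue                      # "!" separates IOS stanzas
        words = line.split()
        if words[0] == "interface":
            current = words[1]
            ports[current] = {"mode": "access", "vlan": None}   # IOS ports default to access mode
        elif current is not None and line.startswith("switchport access vlan "):
            ports[current]["vlan"] = int(words[3])
        elif current is not None and line == "switchport mode trunk":
            ports[current]["mode"] = "trunk"
    return ports


def port_table(ports: Dict[str, Dict[str, object]]) -> List[str]:
    """Render the summary used in the text: 'Port 0/3  VLAN ID 10', 'Port 0/24  802.1Q trunk'."""
    rows = []
    for name, port in ports.items():
        label = "802.1Q trunk" if port["mode"] == "trunk" else f"VLAN ID {port['vlan']}"
        rows.append(f"Port {name.replace('FastEthernet', '')}  {label}")
    return rows


def vlan_mismatches(ports: Dict[str, Dict[str, object]], fortigate_vlans: Set[int]) -> Dict[str, Set[int]]:
    """VLANs with access ports but no FortiGate subinterface, and subinterfaces with no access port."""
    switch_vlans = {p["vlan"] for p in ports.values() if p["mode"] == "access" and p["vlan"] is not None}
    return {"switch_only": switch_vlans - fortigate_vlans,
            "fortigate_only": fortigate_vlans - switch_vlans}


if __name__ == "__main__":
    for label, cfg in (("as documented", INTERNAL_SWITCH), ("drifted", DRIFTED_SWITCH)):
        ports = parse_ios_switchports(cfg)
        print(label + "\n  " + "\n  ".join(port_table(ports)))
        print("  mismatches:", vlan_mismatches(ports, FORTIGATE_INTERNAL_VLANS))
```

For the documented file both mismatch sets are empty; for the drifted file the script reports VLAN 95 as switch-only and VLAN 90 as FortiGate-only, which is exactly the situation in which hosts on port 0/16 silently lose their path through the firewall. The external switch is checked the same way with its VLAN set (30, 40 and 50).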

Testing the configuration


Use diagnostic commands (tracert, ping) to test traffic routed through the
FortiGate unit and the Cisco switch.

Testing traffic from instructors network to student network


In this example, a route is traced from the instructors network to the student
network. The route target is a host on the student network.
From the instructors network, access a command prompt and enter this
command:
C:\>tracert 192.168.10.2
Tracing route to 192.168.10.2 over a maximum of 30 hops:
  1   <10 ms   <10 ms   <10 ms  192.168.20.1
  2   <10 ms   <10 ms   <10 ms  192.168.10.2
Trace complete.


Figure 37: Example trace route from VLAN 20 to VLAN 10
[Figure: tracert from the Instructors network on VLAN 20, through the switch to the FortiGate VLAN 20 subinterface 192.168.20.1 and VLAN 10 subinterface 192.168.10.1, to the student network host 192.168.10.2.]

Other tests

Using the preceding method, you can also test traffic from the Development
network to the Sales network and vice versa, as well as traffic from each of the
internal networks to locations on the Internet.

Using VLANs and VDOMs in Transparent mode

Overview
In Transparent mode, the FortiGate unit can provide services such as antivirus
scanning, web filtering, spam filtering and intrusion protection to traffic on an IEEE
802.1Q VLAN trunk. You can insert the FortiGate unit operating in Transparent
mode into the trunk without making changes to your network. In a typical
configuration, the FortiGate internal interface accepts VLAN packets on a VLAN
trunk from a VLAN switch or router connected to internal VLANs. The FortiGate
external interface forwards tagged packets through another trunk to an external
VLAN switch or router connected to external networks or the Internet. You can
configure the FortiGate unit to apply different policies for traffic on each VLAN in
the trunk.
To pass VLAN traffic through the FortiGate unit, you add two VLAN subinterfaces
with the same VLAN ID, one to the internal interface and the other to the external
interface. You then create a firewall policy to permit packets to flow from the
internal VLAN interface to the external VLAN interface. If required, you create
another firewall policy to permit packets to flow from the external VLAN interface
to the internal VLAN interface. Network protection, such as spam filtering, web
filtering and antivirus scanning, is applied through the protection profile
specified in each firewall policy.
For each VLAN you are protecting with the FortiGate unit, you need to define a
pair of VLAN subinterfaces and the necessary firewall policies. Usually in
Transparent mode you do not permit packets to move between VLANs.
When the FortiGate unit receives a VLAN tagged packet at a physical interface,
the packet is directed to the VLAN subinterface with the matching VLAN ID. The
VLAN tag is removed from the packet and the FortiGate unit then applies firewall
policies in the same way as it does for non-VLAN packets. If the packet exits the
FortiGate unit through a VLAN subinterface, the VLAN ID for that subinterface is
added to the packet and the packet is sent to the corresponding physical
interface.
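The tag handling described above (match the VLAN ID to a subinterface, strip the tag, apply the policy for the ingress/egress subinterface pair, re-tag on exit) can be followed in code. The model below is an added example, not FortiOS code: it parses the 802.1Q header of an Ethernet frame, looks up the subinterface with the matching VLAN ID on the ingress physical interface, consults a set of (source interface, destination interface) policies, and re-tags the frame with the egress subinterface's VLAN ID. The subinterface names, the policies and the sample frames are constructed for the example; VLAN 100 is permitted in both directions while VLAN 200 has only the internal-to-external policy, so the reverse direction is dropped, as the overview says happens without the second policy.

```python
# Added example, not FortiOS code: a small model of the Transparent-mode flow
# described above.  A tagged frame arrives on a physical interface, the VLAN ID
# in the 802.1Q header selects the VLAN subinterface, the tag is stripped, the
# policy table is checked for the (ingress, egress) subinterface pair, and on
# exit the egress subinterface's VLAN ID is tagged back on.  Subinterface names,
# policies and frames are constructed for this example.
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag


@dataclass(frozen=True)
class Subinterface:
    name: str
    physical: str            # "internal" or "external"
    vlan_id: int


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], bytes]:
    """Split a frame into (dst MAC, src MAC, VLAN ID or None, rest starting at the EtherType)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci = struct.unpack("!H", frame[14:16])[0]
        return dst, src, tci & 0x0FFF, frame[16:]   # VLAN ID is the low 12 bits of the TCI
    return dst, src, None, frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q header; the inner EtherType becomes the frame's EtherType."""
    dst, src, _, rest = parse_frame(frame)
    return dst + src + rest


def add_tag(frame: bytes, vlan_id: int) -> bytes:
    """Insert an 802.1Q header carrying vlan_id (priority bits left at zero)."""
    dst, src, existing, rest = parse_frame(frame)
    if existing is not None:
        raise ValueError("frame is already tagged")
    return dst + src + struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF) + rest


class TransparentVlanFirewall:
    """Same-VLAN-ID subinterface pairs plus the policies that permit traffic between them."""

    def __init__(self, subifs: List[Subinterface], policies: Set[Tuple[str, str]]):
        self.by_phys_vlan: Dict[Tuple[str, int], Subinterface] = {
            (s.physical, s.vlan_id): s for s in subifs}
        self.policies = policies      # allowed (srcintf, dstintf) pairs

    def forward(self, ingress: str, frame: bytes) -> Optional[Tuple[str, bytes]]:
        """Return (egress physical interface, re-tagged frame), or None if the frame is dropped."""
        _, _, vlan_id, _ = parse_frame(frame)
        if vlan_id is None:
            return None               # only tagged traffic is modelled here
        src_if = self.by_phys_vlan.get((ingress, vlan_id))
        if src_if is None:
            return None               # no subinterface with a matching VLAN ID
        egress = "external" if ingress == "internal" else "internal"
        dst_if = self.by_phys_vlan.get((egress, vlan_id))
        if dst_if is None or (src_if.name, dst_if.name) not in self.policies:
            return None               # no firewall policy permits this direction
        untagged = strip_tag(frame)   # policies and scanning see the untagged packet
        return egress, add_tag(untagged, dst_if.vlan_id)


def make_frame(vlan_id: Optional[int]) -> bytes:
    """Constructed sample frame: two made-up MACs and a minimal IPv4 EtherType payload."""
    untagged = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00\x45" + b"\x00" * 19
    return untagged if vlan_id is None else add_tag(untagged, vlan_id)


def build_example_firewall() -> TransparentVlanFirewall:
    """VLAN 100 is permitted in both directions, VLAN 200 only from internal to external."""
    subifs = [Subinterface("VLAN_100_int", "internal", 100), Subinterface("VLAN_100_ext", "external", 100),
              Subinterface("VLAN_200_int", "internal", 200), Subinterface("VLAN_200_ext", "external", 200)]
    policies = {("VLAN_100_int", "VLAN_100_ext"), ("VLAN_100_ext", "VLAN_100_int"),
                ("VLAN_200_int", "VLAN_200_ext")}
    return TransparentVlanFirewall(subifs, policies)


if __name__ == "__main__":
    fw = build_example_firewall()
    for ingress, vid in (("internal", 100), ("external", 100), ("external", 200), ("internal", 300)):
        result = fw.forward(ingress, make_frame(vid))
        print(f"VLAN {vid} from {ingress}: " + (f"forwarded to {result[0]}" if result else "dropped"))
```

Because the egress subinterface carries the same VLAN ID as the ingress one, the frame leaves with the tag it arrived with; a frame for a VLAN ID that has no subinterface (300 here) is dropped before any policy is consulted, which is why every VLAN to be passed through needs its own pair of subinterfaces.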

VLANs and virtual domains


When you add each VLAN subinterface, you associate it with a virtual domain. By
default the FortiGate configuration includes one virtual domain, named root, and
you can add as many VLAN subinterfaces as you require to this virtual domain.
You can add more virtual domains if you want to separate groups of VLAN
subinterfaces into virtual domains. When using a FortiGate unit to serve multiple
organizations, this simplifies administration because you see only the firewall
policies for the VDOM you are configuring. For information on adding and
configuring virtual domains, see Getting started with VDOMs on page 53.

One essential application of virtual domains is to prevent problems caused when a
FortiGate unit is connected to a layer-2 switch that has a global MAC table.
FortiGate units normally forward ARP requests to all interfaces, including VLAN
subinterfaces. It is then possible for the switch to receive duplicate ARP packets
on different VLANs. Some layer-2 switches reset when this happens. As ARP
requests are only forwarded to interfaces in the same virtual domain, you can
solve this problem by creating a virtual domain for each VLAN. For an example of
this type of configuration, see Example configuration Transparent mode (multiple
virtual domains) on page 105.

Configuring the FortiGate unit in Transparent mode


There are two essential steps to configure your FortiGate unit to work with
VLANs:

Add VLAN subinterfaces

Create firewall policies

You can also configure the protection profiles that govern virus scanning, web
filtering and spam filtering. Protection profiles are covered in the documentation
for your FortiGate unit.
In Transparent mode, you can access the FortiGate unit web-based manager by
connecting to an interface configured for administrative access and using HTTPS
to access the management IP address. On the FortiGate-800 used as an example
in this document, administrative access is enabled by default on the Internal
interface and the default management IP address is 10.10.10.1. If you need more
information, see the Quick Start Guide or Installation Guide for your unit.
The procedures in this section assume that you have not enabled VDOM
configuration. If VDOM configuration is enabled, you need to navigate to the
global or VDOM configuration as needed before following each procedure.

Adding VLAN subinterfaces


The VLAN ID of each VLAN subinterface must match the VLAN ID added by the
IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number
between 1 and 4096. You add VLAN subinterfaces to the physical interface that
receives VLAN-tagged packets.
To add VLAN subinterfaces in Transparent mode
1  Go to System > Network > Interface.
2  Select Create New to add a VLAN subinterface.
3  Enter a Name to identify the VLAN subinterface.
4  Select the physical interface that receives the VLAN packets intended for this
   VLAN subinterface.
5  Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
   VLAN subinterface.
6  Select the virtual domain to which to add this VLAN subinterface.
7  Configure other settings as required.
8  Select OK to save your changes.
   The FortiGate unit adds the new subinterface to the interface that you selected.
9  Repeat Step 2 through Step 8, but choose the physical interface through which
   the VLAN packets exit the FortiGate unit. Use the same VLAN ID and VDOM as
   before.
10 For each of the VLAN subinterfaces you added, select Bring Up to start the
   interface.

Creating firewall policies


Firewall policies permit communication between the FortiGate unit network
interfaces based on source and destination IP addresses. Optionally, you can limit
communication to particular times and services.
In Transparent mode, the FortiGate unit subjects the packets on each VLAN to
antivirus and antispam scanning as they pass through the unit. You need firewall
policies to permit packets to pass from the VLAN interface where they enter the
unit to the VLAN interface where they exit the unit. If there are no firewall policies
configured, no packets will be allowed to pass from one interface to another.
To add firewall policies for VLAN subinterfaces
1  Go to Firewall > Address.
2  Select Create New to add firewall addresses that match the source and
   destination IP addresses of VLAN packets.
3  Go to Firewall > Policy.
4  Select Create New.
5  From the Source Interface/Zone list, select the VLAN interface where packets
   enter the unit.
6  From the Destination Interface/Zone list, select the VLAN interface where packets
   exit the unit.
7  Select the Source and Destination Address names.
8  Select Protection Profile and select the profile from the list.
9  Configure other settings as required.
10 Select OK.

Example configuration Transparent mode (simple)


In this example, the FortiGate-800 unit is operating in Transparent mode. The
FortiGate-800 unit is configured with two VLANs, one with an ID of 100 and the
other with ID 200. The Internal and External physical interfaces each have two
VLAN subinterfaces, one for VLAN 100 and one for VLAN 200.
The FortiGate unit is connected to a Cisco 2900 switch on its internal network
interface and to a Cisco 2620 router on its external network interface. The switch
and the router add VLAN IDs to packets and then forward the packets to the
FortiGate unit. When the FortiGate unit receives a tagged packet, it directs it from
one VLAN subinterface to another.
For example, when the switch receives a packet from VLAN 100, it adds VLAN ID
100 and forwards the packet to VLAN subinterface 100 on the internal network
interface on the FortiGate unit. The FortiGate unit directs the packet to VLAN
subinterface 100 on the external network interface. From here the packet is
forwarded to the router.
This section describes how to configure a FortiGate-800 unit, a Cisco switch and a
Cisco router for the example network topology shown in Figure 38.
Figure 38: Example VLAN topology (FortiGate unit in Transparent mode)
[Figure: Internet - VLAN router (10.1.1.1 on VLAN 100, 10.1.2.1 on VLAN 200) - 802.1Q trunk - FortiGate unit in Transparent mode (External and Internal interfaces) - 802.1Q trunk - VLAN switch (Fa0/24 trunk; Fa0/3 VLAN 100, host 10.1.1.2; Fa0/9 VLAN 200, host 10.1.2.2).]


General configuration steps

1  Configure the FortiGate-800 unit.
   Add four VLAN subinterfaces:
       VLAN ID 100 added to internal and external network interfaces
       VLAN ID 200 added to internal and external network interfaces
   Add firewall policies to allow:
       the VLAN networks to access the external network.
       the external network to access the VLAN networks.
2  Configure the Cisco switch to support VLAN tags.
3  Configure the Cisco router to support VLAN tags.
4  Test the implementation.

Configuring the FortiGate-800 unit


Start the FortiGate web-based manager to configure the FortiGate-800 unit.

Adding VLAN subinterfaces


For each VLAN, you need to create a VLAN subinterface on the internal interface
and another one on the external interface, both with the same VLAN ID.
To add VLAN subinterfaces - web-based manager
1  Go to System > Network > Interface.
2  Select Create New.
3  Enter the following information and select OK:
   Table 1:
       Name       VLAN_100_int
       Interface  internal
       VLAN ID    100
   Configure other settings as required.
4  Select Create New.
5  Enter the following information and select OK:
   Table 2:
       Name       VLAN_100_ext
       Interface  external
       VLAN ID    100
   Configure other settings as required.
6  Select Create New.
7  Enter the following information and select OK:
   Table 3:
       Name       VLAN_200_int
       Interface  internal
       VLAN ID    200
   Configure other settings as required.
8  Select Create New.
9  Enter the following information and select OK:
   Table 4:
       Name       VLAN_200_ext
       Interface  external
       VLAN ID    200
   Configure other settings as required.


Figure 39: VLAN subinterfaces

To add VLAN subinterfaces - CLI


config system interface
edit VLAN_100_int
set status down
set interface internal
set vlanid 100
next
edit VLAN_100_ext
set status down
set interface external
set vlanid 100
next
edit VLAN_200_int
set status down
set interface internal
set vlanid 200
next
edit VLAN_200_ext
set status down
set interface external
set vlanid 200
end


Adding the firewall policies


Firewall policies allow packets to travel from the VLAN_100_int interface to the
VLAN_100_ext interface and from the VLAN_200_int interface to the
VLAN_200_ext interface.
To add the firewall policies - web-based manager
1  Go to Firewall > Policy.
2  Select Create New.
3  Enter the following information and select OK:
   Table 5:
       Source Interface/Zone       VLAN_100_int
       Source Address Name         all
       Destination Interface/Zone  VLAN_100_ext
       Destination Address Name    all
       Schedule                    Always
       Service                     ANY
       Action                      ACCEPT
   Configure other fields as required.
4  Select Create New.
5  Enter the following information and select OK:
   Table 6:
       Source Interface/Zone       VLAN_100_ext
       Source Address Name         all
       Destination Interface/Zone  VLAN_100_int
       Destination Address Name    all
       Schedule                    Always
       Service                     ANY
       Action                      ACCEPT
   Configure other fields as required.
6  Go to Firewall > Policy.
7  Select Create New.
8  Enter the following information and select OK:
   Table 7:
       Source Interface/Zone       VLAN_200_int
       Source Address Name         all
       Destination Interface/Zone  VLAN_200_ext
       Destination Address Name    all
       Schedule                    Always
       Service                     ANY
       Action                      ACCEPT
   Configure other fields as required.
9  Select Create New.
10 Enter the following information and select OK:
   Table 8:
       Source Interface/Zone       VLAN_200_ext
       Source Address Name         all
       Destination Interface/Zone  VLAN_200_int
       Destination Address Name    all
       Schedule                    Always
       Service                     ANY
       Action                      ACCEPT
   Configure other fields as required.

Figure 40: Firewall policies for VLANs


To add the firewall policies - CLI


config firewall policy
edit 1
set srcintf VLAN_100_int
set dstintf VLAN_100_ext
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 2
set srcintf VLAN_100_ext
set dstintf VLAN_100_int
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 3
set srcintf VLAN_200_int
set dstintf VLAN_200_ext
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 4
set srcintf VLAN_200_ext
set dstintf VLAN_200_int
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
end


Configuring the Cisco switch


On the Cisco Catalyst 2900 Ethernet switch, you need to define VLANs 100 and
200 in the VLAN database and then add a configuration file to define the VLAN
subinterfaces and the 802.1Q trunk interface.

Configuring the VLAN subinterfaces and the trunk interfaces


Add this file to the Cisco switch:
interface FastEthernet0/3
switchport access vlan 100
!
interface FastEthernet0/9
switchport access vlan 200
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
The switch has the following configuration:
Table 9:
    Port 0/3   VLAN ID 100
    Port 0/9   VLAN ID 200
    Port 0/24  802.1Q trunk

Configuring the Cisco router


Add a configuration file to the Cisco Multiservice 2620 Ethernet router. The file
defines the VLAN subinterfaces and the 802.1Q trunk interface on the router. (The
802.1Q trunk is the physical interface on the router.)

Configuring the VLAN subinterfaces and the trunk interfaces


Add this file to the Cisco router:
!
interface FastEthernet0/0
!
interface FastEthernet0/0.1
encapsulation dot1Q 100
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 200
ip address 10.1.2.1 255.255.255.0

!
The router has the following configuration:
Table 10:
    Port 0/0.1  VLAN ID 100
    Port 0/0.2  VLAN ID 200
    Port 0/0    802.1Q trunk

Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default
gateways. The default gateway for VLAN 100 is the Cisco router VLAN 100 subinterface.
The default gateway for VLAN 200 is the Cisco router VLAN 200 subinterface.


Testing the configuration


Use diagnostic commands (tracert, ping) to test traffic routed through the
network.

Testing traffic from VLAN 100 to VLAN 200


In this example, a route is traced between the two internal networks. The route
target is a host on VLAN 200.
From VLAN 100, access a command prompt and enter this command:
C:\>tracert 10.1.2.2
Tracing route to 10.1.2.2 over a maximum of 30 hops:
  1   <10 ms   <10 ms   <10 ms  10.1.1.1
  2   <10 ms   <10 ms   <10 ms  10.1.2.2
Trace complete.
Figure 41: Example trace route from VLAN 100 to VLAN 200
[Figure: tracert from host 10.1.1.2 on VLAN 100, through the switch and the FortiGate unit (Internal and External interfaces) to the router's VLAN 100 subinterface 10.1.1.1, and on to host 10.1.2.2 on VLAN 200.]

Example configuration Transparent mode (multiple virtual domains)

In this example, the FortiGate-800 unit provides network protection to three
organizations that have quite different policies for incoming and outgoing traffic.
This requires that they have different firewall policies and protection profiles.
Although this might be achieved without using virtual domains, the administration
is simpler using virtual domains to view and configure only one organization's
policies at a time.
The procedures in this section assume that you have enabled virtual domain
configuration on your FortiGate unit. For more information, see Getting started
with VDOMs on page 53.
Figure 42: Transparent mode operation with multiple domains
[Figure: Internet - Router (untagged packets) - Fa0/3 on VLAN Switch 2 - Fa0/6 VLAN trunk - FortiGate unit in Transparent mode, External (VLAN_100_ext, VLAN_200_ext, VLAN_300_ext) and Internal (VLAN_100_int, VLAN_200_int, VLAN_300_int) - VLAN trunk Fa0/1 on VLAN Switch 1 - access ports Fa0/2, Fa0/5 and Fa0/8 serving ABC Inc (VLAN ID 100), DEF Inc (VLAN ID 200) and XYZ Inc. (VLAN ID 300).]

Configuring global items


Some components of the protection profiles that you create are global, rather than
per-domain.

Creating schedules
The FortiGate-800 unit in this example serves organizations that are all
businesses that vary their policies according to the time of day. For simplicity, this
example assumes that they all have the same lunch hours. It would be possible to
accommodate different definitions of lunchtime by creating multiple schedules
tailored to the needs of each organization.


To create a recurring schedule for lunchtime - web-based manager
1 Go to Firewall > Schedule > Recurring.
2 Select Create New.
3 Enter Lunch as the name for the schedule.
4 Select Monday, Tuesday, Wednesday, Thursday and Friday.
5 Set the Start time as 11:45 and set the Stop time as 14:00.
6 Select OK.
To create a recurring schedule for lunchtime - CLI
config firewall schedule recurring
    edit Lunch
        set day monday tuesday wednesday thursday friday
        set start 11:45
        set end 14:00
    end

Creating protection profiles


The FortiGate-800 provides pre-configured protection profiles: strict, scan, web
and unfiltered. This example also requires custom protection profiles to take
advantage of the FortiGate content blocking features. Protection profiles are
global, but you can create as many as you need to cover the requirements of
different organizations.
This example creates the following protection profiles:
Table 11: Protection profiles (columns: Profile name, Description, Used by)


To create the BusinessOnly protection profile - web-based manager
1 Go to Firewall > Protection Profile.
2 Select Create New.
3 Enter BusinessOnly as the Profile Name.
4 Select Anti-Virus and enable Virus Scan for HTTP, FTP, IMAP, POP3 and SMTP.
5 Select Web Category Filtering and enable category block. Configure categories as
  follows:
    Potentially Liable (group)               Block
    Objectionable or Controversial (group)   Block
    Potentially Non-productive (group)       Block
    Potentially Bandwidth Consuming (group)  Block
    Potentially Security Violating (group)   Block
    General Interest (group)                 Block
    Business Oriented                        Allow
    Other                                    Block
6 Select Spam Filtering and enable RBL & ORDBL check for IMAP, POP3 and SMTP.
7 Select Banned word check for IMAP, POP3 and SMTP.
8 For Spam action, select tagged for IMAP and POP3, discard for SMTP.
9 Select IPS and enable IPS Signature and IPS Anomaly.
10 Select OK.
To create the BusinessOnly protection profile - CLI
config firewall profile
    edit BusinessOnly
        set ftp scan
        set http scan catblock
        set imap scan fragmail spamrbl bannedword
        set pop3 scan fragmail spamrbl bannedword
        set smtp scan fragmail spamrbl bannedword
        set ips signature anomaly
        set cat_allow 49-50-51-52-53
        set cat_deny g01-g02-g03-g04-g05-g06-g08
    end
To create the Relaxed protection profile - web-based manager
1 Go to Firewall > Protection Profile.
2 Select Create New.
3 Enter Relaxed as the Profile Name.
4 Select Anti-Virus and enable Virus Scan for HTTP, FTP, IMAP, POP3 and SMTP.
5 Select Web Category Filtering and enable category block. Configure categories as
  follows:
    Potentially Liable (group)               Block
    Objectionable or Controversial (group)   Block
    Potentially Non-productive (group)       Monitor
    Potentially Bandwidth Consuming (group)  Monitor
    Potentially Security Violating (group)   Block
    General Interest (group)                 Allow
    Business Oriented                        Allow
    Others                                   Allow
6 Select Spam Filtering and enable RBL & ORDBL check for IMAP, POP3 and SMTP.
7 Select Banned word check for IMAP, POP3 and SMTP.
8 For Spam action, select tagged for IMAP and POP3, discard for SMTP.
9 Select IPS and enable IPS Signature and IPS Anomaly.
10 Select OK.
To create the Relaxed protection profile - CLI
config firewall profile
    edit Relaxed
        set ftp scan
        set http scan catblock
        set imap scan
        set pop3 scan
        set smtp scan spamrbl
        set ips anomaly
        set ips signature
        set cat_allow g06-g07-g08
        set cat_deny g01-g02-g05
        set cat_monitor g03-g04
    end

Creating virtual domains


The FortiGate-800 supports 10 virtual domains. The root domain is the default
domain. It cannot be deleted or renamed. In this example, the root domain is not
used. New virtual domains are created for company ABC, company DEF and
company XYZ.
To create the virtual domains - web-based manager
1 Log in as admin.
2 Select Create New.
3 Type ABCdomain and select OK.
4 Select Create New.
5 Type DEFdomain and select OK.
6 Select Create New.
7 Type XYZdomain and select OK.
To create the virtual domains - CLI
config system vdom
    edit ABCdomain
    next
    edit DEFdomain
    next
    edit XYZdomain
    end

Configuring the ABCdomain


This section describes how to add VLAN subinterfaces and configure firewall
policies for the ABCdomain VDOM.

Adding VLAN subinterfaces


You need to create a VLAN subinterface on the internal interface and another one
on the external interface, both with the same VLAN ID.
To add VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK:
  Table 12:
    Name            VLAN_100_int
    Interface       internal
    VLAN ID         100
    Virtual Domain  ABCdomain
4 Configure other settings as required.
5 Select Create New.
6 Enter the following information and select OK:
  Table 13:
    Name            VLAN_100_ext
    Interface       external
    VLAN ID         100
    Virtual Domain  ABCdomain
7 Configure other settings as required.
Figure 43: Interfaces for ABCdomain


Configuring ABCdomain firewall addresses


The all address is present by default in the root domain. In other domains, you
must create it.
To configure ABCdomain firewall addresses - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New.
3 Type all in the Address Name field.
4 Type 0.0.0.0/0.0.0.0 in the IP Range/Subnet field.
5 Select OK.
To configure ABCdomain firewall addresses - CLI
config firewall address
    edit all
        set type ipmask
        set subnet 0.0.0.0 0.0.0.0
    end

Configuring ABCdomain firewall policies


Firewall policies allow packets to travel from the VLAN 100 interface to the
external interface subject to the restrictions of the protection profile.
To configure ABCdomain firewall policies - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New.
3 Enter the following information and select OK:
  Table 14:
    Interface/Zone Source         VLAN_100_int
    Interface/Zone Destination    VLAN_100_ext
    Address Name Source           all
    Address Name Destination      all
    Schedule                      BusinessDay
    Service                       games-chat
    Action                        DENY
  Configure other fields as required.
  This policy prevents the use of network games or chat programs during business
  hours.


4 Enter the following information and select OK:
  Table 15:
    Interface/Zone Source         VLAN_100_int
    Interface/Zone Destination    VLAN_100_ext
    Address Name Source           all
    Address Name Destination      all
    Schedule                      Lunch
    Service                       HTTP
    Action                        ACCEPT
    Protection Profile            Relaxed
  Configure other fields as required.
  This policy relaxes the web category filtering during lunch hour.
5 Enter the following information and select OK:
  Table 16:
    Interface/Zone Source         VLAN_100_int
    Interface/Zone Destination    VLAN_100_ext
    Address Name Source           all
    Address Name Destination      all
    Schedule                      BusinessDay
    Service                       HTTP
    Action                        ACCEPT
    Protection Profile            BusinessOnly
  Configure other fields as required.
  This policy provides rather strict web category filtering during business hours.
Figure 44: ABCdomain firewall policies


To configure ABCdomain firewall policies - CLI
config firewall policy
    edit 1
        set srcintf VLAN_100_int
        set dstintf VLAN_100_ext
        set srcaddr all
        set dstaddr all
        set schedule BusinessDay
        set service games-chat
        set action deny
    next
    edit 2
        set srcintf VLAN_100_int
        set dstintf VLAN_100_ext
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule Lunch
        set service HTTP
        set profile_status enable
        set profile Relaxed
    next
    edit 3
        set srcintf VLAN_100_int
        set dstintf VLAN_100_ext
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule BusinessDay
        set service HTTP
        set profile_status enable
        set profile BusinessOnly
    end

Configuring the DEFdomain


This section describes how to add VLAN subinterfaces and configure firewall
policies for the DEFdomain VDOM.

Adding VLAN subinterfaces


You need to create a VLAN subinterface on the internal interface and another one
on the external interface, both with the same VLAN ID.
To add VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK:
  Table 17:
    Name            VLAN_200_int
    Interface       internal
    VLAN ID         200
    Virtual Domain  DEFdomain
4 Configure other settings as required.
5 Select Create New.
6 Enter the following information and select OK:
  Table 18:
    Name            VLAN_200_ext
    Interface       external
    VLAN ID         200
    Virtual Domain  DEFdomain
7 Configure other settings as required.
Figure 45: Interfaces for DEFdomain
To add the VLAN subinterfaces - CLI
config system interface
    edit VLAN_200_int
        set interface internal
        set vlanid 200
        set vdom DEFdomain
    next
    edit VLAN_200_ext
        set interface external
        set vlanid 200
        set vdom DEFdomain
    end

Selecting the DEFdomain VDOM


Before you follow the rest of the procedure for configuring VLAN 200, you must
ensure that the current domain is DEFdomain.
To select the DEFdomain VDOM - web-based manager
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the DEFdomain VDOM.
To select the DEFdomain VDOM - CLI
config vdom
    edit DEFdomain

Creating service groups


DEF Inc. does not want their employees to use online gaming software or any
online chat software except NetMeeting, which they use for net conferencing. To
simplify the creation of a firewall policy for this purpose, you create a service
group that contains all of the services you want to restrict. A firewall policy can
manage only one service or one group. The administrator decided to simply name
this group Games although it also restricts chat software.
To create a games service group - web-based manager
1 Go to Firewall > Service > Group.
2 Select Create New.
3 Type Games in the Group Name field.
4 For each of AOL, IRC, Quake, SIP-MSNmessenger and Talk, select the service in
  the Available Services list and select the right arrow to add it to the Members list.
5 Select OK.
To create a games and chat service group - CLI
config firewall service group
    edit Games
        set member IRC QUAKE SIP-MSNmessenger AOL TALK
    end

Configuring DEFdomain firewall addresses


The all address is present by default in the root domain. In other domains, you
must create it.
To configure DEFdomain firewall addresses - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New.
3 Type all in the Address Name field.
4 Type 0.0.0.0/0.0.0.0 in the IP Range/Subnet field.
5 Select OK.
To configure DEFdomain firewall addresses - CLI
config firewall address
    edit all
        set type ipmask
        set subnet 0.0.0.0 0.0.0.0
    end

FortiGate VLANs and VDOMs


01-30002-0091-20060718

115

Example configuration Transparent mode (multiple virtual domains)

Using VLANs and VDOMs in Transparent mode

Configuring DEFdomain firewall policies


Firewall policies allow packets to travel from the VLAN 200 interface to the
external interface subject to the restrictions of the protection profile.
To configure DEFdomain firewall policies - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New.
3 Enter the following information and select OK:
  Table 19:
    Interface/Zone Source         VLAN_200_int
    Interface/Zone Destination    VLAN_200_ext
    Address Name Source           all
    Address Name Destination      all
    Schedule                      BusinessDay
    Service                       games-chat
    Action                        DENY
  Configure other fields as required.
  This policy prevents the use of network games or chat programs (except
  NetMeeting) during business hours.
4 Enter the following information and select OK:
  Table 20:
    Interface/Zone Source         VLAN_200_int
    Interface/Zone Destination    VLAN_200_ext
    Address Name Source           all
    Address Name Destination      all
    Schedule                      Lunch
    Service                       HTTP
    Action                        ACCEPT
    Protection Profile            Relaxed
  Configure other fields as required.
  This policy relaxes the web category filtering during lunch hour.


5 Enter the following information and select OK:
  Table 21:
    Interface/Zone Source         VLAN_200_int
    Interface/Zone Destination    VLAN_200_ext
    Address Name Source           all
    Address Name Destination      all
    Schedule                      BusinessDay
    Service                       HTTP
    Action                        ACCEPT
    Protection Profile            BusinessOnly
  Configure other fields as required.
  This policy provides rather strict web category filtering during business hours.
6 Enter the following information and select OK:
  Table 22:
    Interface/Zone Source         VLAN_200_int
    Interface/Zone Destination    VLAN_200_ext
    Address Name Source           all
    Address Name Destination      all
    Schedule                      always
    Service                       ANY
    Action                        ACCEPT
    Protection Profile            Relaxed
  Configure other fields as required.
  Because it is last in the list, this policy applies to the times and services not
  covered by the preceding policies. This means that outside of regular business
  hours the Relaxed protection profile applies to email and web browsing and that
  online chat and games are permitted. DEF Inc. needs this policy because its
  employees sometimes work overtime. The other companies in this example maintain
  fixed hours and don't want any after-hours internet access.
Figure 46: DEFdomain firewall policies


To configure DEFdomain firewall policies - CLI
config firewall policy
    edit 1
        set srcintf VLAN_200_int
        set dstintf VLAN_200_ext
        set srcaddr all
        set dstaddr all
        set schedule BusinessDay
        set service Games
        set action deny
    next
    edit 2
        set srcintf VLAN_200_int
        set dstintf VLAN_200_ext
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule Lunch
        set service HTTP
        set profile_status enable
        set profile Relaxed
    next
    edit 3
        set srcintf VLAN_200_int
        set dstintf VLAN_200_ext
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule BusinessDay
        set service HTTP
        set profile_status enable
        set profile BusinessOnly
    next
    edit 4
        set srcintf VLAN_200_int
        set dstintf VLAN_200_ext
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set profile_status enable
        set profile Relaxed
    end
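The DEFdomain policy list only behaves as described because of its order: the Lunch policy sits above the BusinessDay HTTP policy, and the catch-all policy 4 sits last. The following Python model, added here as an illustration and not code from this guide or from FortiOS, evaluates a policy list top-down and first-match the way the FortiGate does and reports which policy and protection profile apply to a given service at a given time. The page never defines the BusinessDay schedule, so the model assumes Monday to Friday 09:00 to 17:00 for it; Lunch is the schedule created earlier in this example.

```python
"""First-match evaluation of the DEFdomain firewall policies (added model)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple

# Assumption: BusinessDay is not defined on this page; taken here as
# Monday to Friday, 09:00 to 17:00. Lunch is 11:45 to 14:00, Monday to Friday,
# exactly as the recurring schedule created earlier in this example.
WEEKDAYS = frozenset({0, 1, 2, 3, 4})  # datetime.weekday(): 0 = Monday


@dataclass(frozen=True)
class Schedule:
    name: str
    days: frozenset                 # empty set means every day of the week
    start: Optional[time] = None    # None means all day ("always")
    end: Optional[time] = None

    def active(self, when: datetime) -> bool:
        if self.days and when.weekday() not in self.days:
            return False
        if self.start is None:
            return True
        return self.start <= when.time() < self.end


SCHEDULES = {
    "always": Schedule("always", frozenset()),
    "BusinessDay": Schedule("BusinessDay", WEEKDAYS, time(9, 0), time(17, 0)),
    "Lunch": Schedule("Lunch", WEEKDAYS, time(11, 45), time(14, 0)),
}

# The Games service group from the DEFdomain procedure; ANY is the wildcard.
SERVICE_GROUPS = {"Games": {"IRC", "QUAKE", "SIP-MSNmessenger", "AOL", "TALK"}}


def service_matches(policy_service: str, service: str) -> bool:
    """A policy service matches directly, via group membership, or as ANY."""
    if policy_service == "ANY":
        return True
    return service in SERVICE_GROUPS.get(policy_service, {policy_service})


@dataclass(frozen=True)
class Policy:
    id: int
    srcintf: str
    dstintf: str
    schedule: str
    service: str
    action: str                     # "accept" or "deny"
    profile: Optional[str] = None   # protection profile applied on accept


def first_match(policies: List[Policy], srcintf: str, dstintf: str,
                service: str, when: datetime) -> Optional[Policy]:
    """Walk the list top-down; return the first policy whose interface pair,
    service and schedule all match. None is the implicit deny at the end."""
    for p in policies:
        if (p.srcintf, p.dstintf) != (srcintf, dstintf):
            continue
        if not service_matches(p.service, service):
            continue
        if not SCHEDULES[p.schedule].active(when):
            continue
        return p
    return None


def decide(policies: List[Policy], service: str,
           stamp: str) -> Tuple[str, Optional[str], Optional[int]]:
    """(action, protection profile, policy id) for VLAN_200_int -> VLAN_200_ext
    at the ISO timestamp `stamp`, e.g. "2006-07-18 12:30"."""
    when = datetime.fromisoformat(stamp)
    p = first_match(policies, "VLAN_200_int", "VLAN_200_ext", service, when)
    if p is None:
        return ("deny", None, None)
    return (p.action, p.profile, p.id)


# The four DEFdomain policies, in the order the CLI above creates them.
DEF_POLICIES = [
    Policy(1, "VLAN_200_int", "VLAN_200_ext", "BusinessDay", "Games", "deny"),
    Policy(2, "VLAN_200_int", "VLAN_200_ext", "Lunch", "HTTP", "accept", "Relaxed"),
    Policy(3, "VLAN_200_int", "VLAN_200_ext", "BusinessDay", "HTTP", "accept",
           "BusinessOnly"),
    Policy(4, "VLAN_200_int", "VLAN_200_ext", "always", "ANY", "accept", "Relaxed"),
]

if __name__ == "__main__":
    # Constructed sample times: 2006-07-18 is a Tuesday, 2006-07-22 a Saturday.
    for svc, stamp in [("IRC", "2006-07-18 10:00"), ("HTTP", "2006-07-18 12:30"),
                       ("HTTP", "2006-07-18 10:00"), ("IRC", "2006-07-18 20:00"),
                       ("HTTP", "2006-07-22 10:00")]:
        print(svc, stamp, "->", decide(DEF_POLICIES, svc, stamp))
```

Swapping policies 2 and 3 silently changes lunchtime browsing to the BusinessOnly profile, and dropping policy 4 (as ABCdomain does) turns every after-hours request into an implicit deny, which the two final checks in the script make visible.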

Configuring the XYZdomain


This section describes how to add VLAN subinterfaces and configure firewall
policies for the XYZdomain VDOM.

Adding VLAN subinterfaces


You need to create a VLAN subinterface on the internal interface and another one
on the external interface, both with the same VLAN ID.
To add VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK:
  Table 23:
    Name            VLAN_300_int
    Interface       internal
    VLAN ID         300
    Virtual Domain  XYZdomain
4 Configure other settings as required.
5 Select Create New.
6 Enter the following information and select OK:
  Table 24:
    Name            VLAN_300_ext
    Interface       external
    VLAN ID         300
    Virtual Domain  XYZdomain
7 Configure other settings as required.
Figure 47: Interfaces for XYZdomain
To add the VLAN subinterfaces - CLI
config system interface
    edit VLAN_300_int
        set interface internal
        set vlanid 300
        set vdom XYZdomain
    next
    edit VLAN_300_ext
        set interface external
        set vlanid 300
        set vdom XYZdomain
    end


Selecting the XYZdomain VDOM


Before you follow the rest of the procedure for configuring VLAN 300, you must
ensure that the current domain is XYZdomain.
To select the XYZdomain VDOM - web-based manager
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the XYZdomain VDOM.
To select the XYZdomain VDOM - CLI
config vdom
    edit XYZdomain

Creating service groups


XYZ Inc. wants network protection for email and web services. To simplify creation
of firewall policies, you can create an email service group for POP3, IMAP and
SMTP and a web service group for HTTP, HTTPS and FTP.
To create an email service group - web-based manager
1 Go to Firewall > Service > Group.
2 Select Create New.
3 Type Email in the Group Name field.
4 For each of POP3, IMAP and SMTP, select the service in the Available Services
  list and select the right arrow to add it to the Members list.
5 Select OK.
To create an email service group - CLI
config firewall service group
    edit Email
        set member POP3 IMAP SMTP
    end
To create a web service group - web-based manager
1 Go to Firewall > Service > Group.
2 Select Create New.
3 Type Web in the Group Name field.
4 For each of HTTP, HTTPS and FTP, select the service in the Available Services
  list and select the right arrow to add it to the Members list.
5 Select OK.
To create a web service group - CLI
config firewall service group
    edit Web
        set member HTTP HTTPS FTP
    end


Configuring XYZdomain firewall addresses


The all address is present by default in the root domain. In other domains, you
must create it.
To configure XYZdomain firewall addresses - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New.
3 Type all in the Address Name field.
4 Type 0.0.0.0/0.0.0.0 in the IP Range/Subnet field.
5 Select OK.
To configure XYZdomain firewall addresses - CLI
config firewall address
    edit all
        set type ipmask
        set subnet 0.0.0.0 0.0.0.0
    end

Configuring XYZdomain firewall policies


Firewall policies allow packets to travel from the VLAN 300 interface to the
external interface subject to the restrictions of the protection profile.
To configure XYZdomain firewall policies - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New.
3 Enter the following information and select OK:
  Table 25:
    Interface/Zone Source         VLAN_300_int
    Interface/Zone Destination    VLAN_300_ext
    Address Name Source           all
    Address Name Destination      all
    Schedule                      always
    Service                       Email
    Action                        ACCEPT
    Protection Profile            strict
  Configure other fields as required.
  This policy provides network protection for email using the default strict
  protection profile. The administrator must also set up the antivirus, web filter
  and spam filter settings. These procedures are not described in this document.
4 Enter the following information and select OK:
  Table 26:
    Interface/Zone Source         VLAN_300_int
    Interface/Zone Destination    VLAN_300_ext
    Address Name Source           all
    Address Name Destination      all
    Schedule                      always
    Service                       Web
    Action                        ACCEPT
    Protection Profile            web
  Configure other fields as required.
  This policy provides network protection for HTTP, HTTPS and FTP using the
  default web protection profile. The administrator must also set up the antivirus
  and web filter settings. These procedures are not described in this document.
Figure 48: XYZdomain firewall policies
To configure XYZdomain firewall policies - CLI
config firewall policy
    edit 1
        set srcintf VLAN_300_int
        set dstintf VLAN_300_ext
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service Email
        set profile_status enable
        set profile strict
    next
    edit 2
        set srcintf VLAN_300_int
        set dstintf VLAN_300_ext
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service Web
        set profile_status enable
        set profile web
    end

Configuring the Cisco switch


On the Cisco Catalyst 2900 Ethernet switches, you need to define VLANs 100, 200
and 300 in the VLAN database and then add configuration files that define the
VLAN access ports and the 802.1Q trunk interface.

Configuring switch 1
Add this file to Cisco VLAN switch 1:
!
interface FastEthernet0/1
 switchport access vlan 100
!
interface FastEthernet0/2
 switchport access vlan 200
!
interface FastEthernet0/5
 switchport access vlan 300
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
Switch 1 has the following configuration:
Table 27:
    Port 0/1    VLAN ID 100
    Port 0/2    VLAN ID 200
    Port 0/3    VLAN ID 300
    Port 0/6    802.1Q trunk
Configuring switch 2
Add this file to Cisco VLAN switch 2:
interface FastEthernet0/3
 switchport
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
Switch 1 has the following configuration:
Table 28:
    Port 0/1    VLAN ID 100
    Port 0/2    VLAN ID 200
    Port 0/3    VLAN ID 300
    Port 0/6    802.1Q trunk

Testing the configuration


Use diagnostic commands (tracert, ping) to test traffic routed through the
network.

Testing traffic from VLAN 100 to the Internet


In this example, a route is traced from the VLANs to a host on the Internet. The
route target is www.fortinet.com.
1 From a host on VLAN 100, access a command prompt and enter this command:
C:\>tracert www.fortinet.com
Tracing route to www.fortinet.com [128.242.109.135]
over a maximum of 30 hops:
  1   <10 ms   <10 ms   <10 ms   172.20.120.2
  ...
 14   172 ms   141 ms   140 ms   128.242.109.135
Trace complete.
2 Repeat for VLAN 200 and VLAN 300.

Inter-VDOM routing
Overview
In the past, VDOMs have been completely separate from each other: there has been
no internal communication between virtual domains on a FortiGate unit. Any
communication between VDOMs had to leave on a physical interface and re-enter
the FortiGate unit on another physical interface.
Inter-VDOM routing changes this. With the introduction of inter-VDOM routing in
FortiOS v3.0 MR1, VDOMs can communicate internally without using additional
physical interfaces. FortiManager units support inter-VDOM routing on managed
FortiGate units starting with FortiManager v3.0 MR1.
This chapter contains the following sections:

Benefits of inter-VDOM routing

Getting started with inter-VDOM routing

Available inter-VDOM configurations

FortiManager and inter-VDOMs

Inter-VDOM planning

Benefits of inter-VDOM routing


Inter-VDOM routing has a number of benefits over independent VDOM routing.
These benefits include:

Freeing up physical interfaces

Continuing to use secure firewall policies

More flexible configurations

With the introduction of inter-VDOM routing, traffic can travel between VDOMs
internally, freeing up physical interfaces for external traffic. Using the above
example we can use the 4 VDOM configuration and all the interfaces will have
their full bandwidth.

Continuing to use secure firewall policies


VDOMs help to separate traffic based on your needs. This is an important step in
satisfying regulations that require proof of secure data handling. This is especially
important to health, law and accounting industries and the sensitive data they
handle every day.
By keeping things separate, traffic has to leave the FortiGate and re-enter to
change VDOMs. This forces traffic to go through the firewall when leaving and
enter through another firewall, keeping traffic secure.
The need for the physical interfaces is gone with inter-VDOM routing, but as with
all FortiGate interfaces, firewall policies need to be in place for traffic to be allowed
to pass through any interface, physical or virtual. This provides the same level of
security both internally and externally. In fact, you will be able to configure more
VDOMs, which gives you more flexibility.
Your data will continue to have the high level of security you have come to expect.

More flexible configurations


A typical VDOM uses at least two physical interfaces - one for internal and one for
external traffic. Depending on the configuration, more interfaces may be required.
As explained earlier, the maximum number of VDOMs configurable on a FortiGate
unit is the number of physical interfaces available divided by two. VLANs can be
an answer to this, but they have some limitations.
Using external interfaces for inter-VDOM communication severely limits the
number of possible configurations on your FortiGate unit, but inter-VDOM routing
allows these connections to be moved inside the FortiGate unit. Using internal
virtual interfaces for inter-VDOM communication frees up the physical interfaces
for external traffic. Using Inter-VDOM routing on a FortiGate unit with 8 interfaces,
you can have 4 VDOMs communicating with each other (full mesh) and continue
to have 2 physical interfaces each for internal and external connections. This
configuration would have required 20 physical interfaces without inter-VDOM
routing. With inter-VDOM routing it only requires 8 physical interfaces, with the
other 12 interfaces being internal virtual interfaces.
Inter-VDOM routing allows you the freedom to select Stand-alone VDOM,
Management VDOM and Meshed VDOMs configurations without being limited by
the number of physical interfaces on your FortiGate unit.

Getting started with inter-VDOM routing


There are very few extra steps to configure inter-VDOM routing once the VDOMs
themselves are configured. Inter-VDOM configuration can only be accomplished
through the CLI. For more information, see the FortiGate CLI Reference.
This example assumes that your FortiGate unit is set to multiple VDOM mode and
that you have two VDOMs called customer1 and customer2 already configured.

To configure an inter-VDOM routing connection
1 Create an internal point-to-point interface called vlink.
config global
    config system vdom-link
        edit vlink
        next
    end
In creating the point-to-point interface, you also created two additional interface
objects by default. They are called vlink0 and vlink1. These are the two ends
of the link that will be configured for each VDOM.
2 Bind the interface objects to the VDOMs.
config system interface
    edit vlink0
        set vdom customer1
    next
    edit vlink1
        set vdom customer2
    next
end
These point-to-point interfaces are now treated like normal FortiGate interfaces
and need to be configured as regular interfaces would. This includes IP address
and netmask and what administrative access is allowed.
3 Configure the appropriate firewalls and policies.


To remove an inter-VDOM routing connection
Delete the inter-VDOM link and the link objects will also be deleted.
Before deleting the inter-VDOM link, make sure that all policies, firewalls and
other configurations that include the link are deleted, removed or changed to no
longer include the inter-VDOM link.
The following are the commands to remove an inter-VDOM routing connection
called vlink. This will also remove its two link objects vlink0 and vlink1.
config global
    config system vdom-link
        delete vlink
    end

Available inter-VDOM configurations


By using fewer physical interfaces to inter-connect VDOMs, inter-VDOM routing
provides you with more configuration options.
The inter-VDOM configurations are:

Stand-alone VDOM

Independent VDOMs

Management VDOM

Meshed VDOMs

Stand-alone VDOM
Stand-alone VDOM uses a single VDOM - the root VDOM that all FortiGate units
have by default. This is the VDOM configuration you are likely familiar with.
This configuration has no VDOM inter-connections and requires no special
configurations or settings.
The stand-alone VDOM configuration can be used for simple network
configurations that only have one department or one company administering the
connections, firewalls and other VDOM-dependent settings.

Independent VDOMs
Independent VDOMs use multiple VDOMs that are completely separate from each
other. This is likely another VDOM configuration you are familiar with.
This configuration has no communication between VDOMs and apart from initially
setting up each VDOM this configuration requires no special configurations or
settings. Any communications between VDOMs is treated as if communication
was with a separate physical device.
The independent VDOMs configuration can be used where more than one
department or one company is sharing the FortiGate unit. They can each
administer the connections, firewalls and other VDOM-dependent settings of only
their own VDOM. To each company or department it appears as if they have their
own FortiGate unit.

Management VDOM
In the management VDOM configuration, the root VDOM is the management
VDOM and the other VDOMs are connected to the management VDOM with
inter-VDOM links. There are no other inter-VDOM connections.
Only the management VDOM is connected to the Internet. The other VDOMs are
connected to internal networks and possibly to very small secure external
networks, say a VPN dialup connection. All external traffic is routed through the
management VDOM using inter-VDOM links between the VDOMs. This ensures
the management VDOM has full control over access to the Internet including what
types of traffic are allowed in both directions. Security is greatly increased with
only one point of entry and exit. Only the management VDOM needs to be
professionally managed to ensure network security in this case.
The management VDOM configuration is ideally suited for a service provider
business. The service provider is the management VDOM and the other VDOMs
are customers. These customers do not require a dedicated IT person to manage
their network. The service provider controls the traffic and can prevent the
customers from using banned services and prevent Internet connections from
initiating those same banned services. One example of a banned service might be

128

FortiGate VLANs and VDOMs Version 3.0 User Guide


01-30002-0091-20060718

Inter-VDOM routing

FortiManager and inter-VDOMs

Instant Messaging (IM) at a company concerned about intellectual property.


Another example could be to limit bandwidth used by file sharing applications
without banning it completely. Firewall policies control the traffic between a
customer VDOM and the management VDOM and can be customized for each
customer.

Meshed VDOMs
Meshed VDOMs, including partial and full mesh, have VDOMs inter-connected with
other VDOMs. In a partial mesh only some VDOMs are inter-connected; in a full
mesh every VDOM is inter-connected with every other VDOM. This is useful when
you want to provide full access between VDOMs but handle traffic differently
depending on which VDOM it originates from or is destined for.
With full access between all VDOMs possible, proper security is essential. Achieve
it with explicit firewall policies on every inter-VDOM link and secure account
access for administrators and users.
Meshed VDOM configurations become complex very quickly, full mesh being the
most complex. Make sure this is the proper solution for your situation before
using it.

FortiManager and inter-VDOMs


FortiManager helps you manage FortiGate units with features such as monitoring
and multiple device configuration. Starting with v3.0 MR1, FortiManager supports
inter-VDOM routing.

Configuring inter-VDOMs with FortiManager


Before configuring inter-VDOM routing:
• you must have at least two virtual domains configured on the FortiGate device
• the virtual domains must all be in NAT/Route mode
• each virtual domain to be linked must have at least one interface or
subinterface assigned to it

To create an inter-VDOM link
1 In the Policy Manager, select a virtual domain in the navigation frame.
2 Select the blue arrow to expand Configure Inter-VDOM routing.
Note: If there is no blue arrow, there is only one virtual domain. You must create
at least one more virtual domain before continuing.
3 Select the checkbox next to the VDOM to be linked to the current VDOM (the
one selected in step 1).
4 Enter a name for the inter-VDOM link. Both virtual interfaces will use this name.
For example, if the link is my_vlink, the virtual interfaces will be my_vlink0 and
my_vlink1.
5 Enter the IP address and netmask for the virtual interface for this link on the
current VDOM and on the peer VDOM. For example, if the current VDOM is
vdom1, root could be the peer VDOM.
Once the inter-VDOM link is created, these IP addresses cannot be changed
without deleting the link.
6 Select Traffic Log to log the traffic on this inter-VDOM link.
7 Select Apply to save your settings.

You can repeat these steps to create other inter-VDOM links if you have more
than two VDOMs.
To remove an inter-VDOM link, clear the checkbox next to it and select Apply.
Both ends of the link will be removed.
For more information on using FortiManager, see the FortiManager Administration
Guide.
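To check a link plan against these preconditions before touching the unit, here is an added Python example; it is not FortiManager or Fortinet code. The VDOM names, modes and interface lists are constructed for the example, and which end of a link receives the 0 and the 1 suffix is an assumption, since the page only gives the my_vlink0/my_vlink1 naming pattern. The script also names the topology using the categories from the previous section (stand-alone, independent, management VDOM, partial or full mesh) and lists the virtual interfaces each VDOM will own, which is where that VDOM's inter-VDOM firewall policies have to go.

```python
"""Validate an inter-VDOM link plan and name the resulting topology.
Added example, not Fortinet or FortiManager code."""
from itertools import combinations

# Constructed plan (an assumption for the example): root is the management
# VDOM of a service-provider unit and each customer VDOM links only to root.
VDOMS = {
    "root":  {"mode": "nat", "interfaces": ["port1", "port2"]},
    "custA": {"mode": "nat", "interfaces": ["port3"]},
    "custB": {"mode": "nat", "interfaces": ["port4"]},
}
# (VDOM that creates the link, peer VDOM, link name)
LINKS = [("custA", "root", "custA_vlink"), ("custB", "root", "custB_vlink")]


def check_preconditions(vdoms, links):
    """Return the problems that would stop the links being configured:
    the three preconditions listed above plus two sanity checks."""
    problems = []
    if len(vdoms) < 2:
        problems.append("at least two virtual domains are required")
    for name, vdom in vdoms.items():
        if vdom["mode"] != "nat":
            problems.append(f"{name} is not in NAT/Route mode")
    for end in sorted({end for a, b, _ in links for end in (a, b)}):
        if end not in vdoms:
            problems.append(f"{end} is linked but does not exist")
        elif not vdoms[end]["interfaces"]:
            problems.append(f"{end} has no interface or subinterface assigned")
    names = [name for _, _, name in links]
    for name in sorted(set(names)):
        if names.count(name) > 1:
            problems.append(f"link name {name} is used more than once")
    for a, b, _ in links:
        if a == b:
            problems.append(f"{a} cannot be linked to itself")
    return problems


def link_interfaces(links):
    """Virtual interface names each link creates: <name>0 on the VDOM that
    created the link and <name>1 on the peer (my_vlink0 / my_vlink1 above).
    Which end gets 0 is an assumption; the page only gives the pattern."""
    return {name: {a: f"{name}0", b: f"{name}1"} for a, b, name in links}


def interfaces_per_vdom(links):
    """Virtual interfaces each VDOM owns once the links exist; every one of
    them needs firewall policies before traffic crosses the link."""
    owned = {}
    for ends in link_interfaces(links).values():
        for vdom, iface in ends.items():
            owned.setdefault(vdom, []).append(iface)
    return {v: sorted(i) for v, i in sorted(owned.items())}


def classify(vdoms, links, management="root"):
    """Map the plan onto the categories used in this chapter."""
    pairs = {frozenset((a, b)) for a, b, _ in links}
    if not pairs:
        return "stand-alone" if len(vdoms) == 1 else "independent"
    hub = {frozenset((management, v)) for v in vdoms if v != management}
    if pairs == hub:          # every other VDOM links to root, nothing else
        return "management VDOM"
    full = {frozenset(p) for p in combinations(vdoms, 2)}
    return "full mesh" if pairs == full else "partial mesh"


if __name__ == "__main__":
    for problem in check_preconditions(VDOMS, LINKS):
        print("problem:", problem)
    print("topology:", classify(VDOMS, LINKS))
    for vdom, ifaces in interfaces_per_vdom(LINKS).items():
        print(f"{vdom}: policies needed on {', '.join(ifaces)}")
```

Run it as a script to see the plan classified as a management VDOM topology; change LINKS to add a custA to custB link and it becomes a full mesh, which is the point at which the page advises checking that a mesh is really what you want.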

Inter-VDOM planning
Inter-VDOM routing enables more FortiGate unit configurations than were
previously possible. This additional flexibility has benefits, but also has potential
difficulties.

Complexity
With more connections possible in inter-VDOM configurations, complexity quickly
becomes an issue. VDOMs are not trivial to understand, and with the additional
settings and interactions to consider, things can easily get out of hand.
To prevent this, plan your move to the inter-VDOM configuration carefully so that
you understand the differences between the new and old setups and how those
changes affect the interaction between the VDOMs.

Making changes
Once configured, this more complex configuration means that any change you
make to the system has a greater chance of introducing problems. Take extra
care to make sure that changes do not negatively affect your existing FortiGate
unit configuration.
For example, with the old method of changing communication between VDOMs,
cable connections had to be physically changed, and a physical change tends to
get more scrutiny than a few CLI commands. With inter-VDOM links all the changes
are internal, so an unintended change in VDOM interactions can slip into the
configuration undetected. Review the firewall policies on the inter-VDOM links
after every change.

Avoiding Problems with VLANs


Overview
There are several issues that can cause problems with your VLANs:
• Asymmetric routing
• Layer 2 traffic
• NetBIOS
• STP forwarding

Asymmetric routing
You might discover, unexpectedly, that hosts on some networks are unable to
reach certain other networks. This occurs when request and response packets
follow different paths. If the FortiGate unit sees the response packets but not the
requests, it blocks them as invalid. Also, if the FortiGate unit sees the same
packets repeated on multiple interfaces, it blocks the session as a potential attack.
These are instances of asymmetric routing. By default, FortiGate units block the
packets or drop the session when this happens. Using the Command Line
Interface (CLI), you can configure the FortiGate unit to permit asymmetric routing:
config system global
set asymroute enable
end
If this solves your blocked traffic problem, you know that asymmetric routing is the
cause. But allowing asymmetric routing is not the best solution, because it
reduces the security of your system: the unit now accepts replies for which it
never saw a request. Treat the setting as a diagnostic. Then change the routing, or
change how the FortiGate unit connects to your network, so that both directions
of a session pass through the same interfaces, and disable asymroute again. The
Asymmetric Routing and Other FortiGate Layer-2 Installation Issues technical note
provides detailed examples of asymmetric routing situations and possible
solutions.

Layer 2 traffic
By default, FortiGate units do not pass non-IP Layer-2 traffic. If protocols such
as IPX, PPTP or L2TP are in use on your network, you need to configure the
FortiGate interfaces that carry them to pass them. You can do this using the CLI:
config system interface
edit <name_str>
set l2forward enable
end
where <name_str> is the name of an interface.

Enabling Layer 2 forwarding can cause a problem if packets can loop repeatedly
through the network. This occurs when there is more than one Layer 2 path from a
source to a destination; the resulting flood of repeated frames can impede all
traffic on the segment. One method of addressing the loop is to configure
Spanning Tree Protocol (STP) on the switches and routers in the network. Using
STP with FortiGate units is covered in STP forwarding on page 133.

ARP traffic
Address Resolution Protocol (ARP) traffic is vital to communication on a network
and is enabled on FortiGate interfaces by default. Normally you want ARP packets
to pass through the FortiGate unit, especially if it is sitting between a client and a
server or between a client and a router.
ARP traffic can cause problems, especially in Transparent mode where ARP
packets arriving on one interface are sent to all other interfaces, including VLAN
subinterfaces. Some Layer 2 switches become unstable when they detect the
same MAC address originating on more than one switch interface or from more
than one VLAN. This instability can occur if the Layer 2 switch does not maintain
separate MAC address tables for each VLAN. Unstable switches may reset
causing network traffic to slow down.

Multiple VDOMs solution


One solution is to configure multiple VDOMs on the FortiGate unit, one for each
VLAN, so that each virtual domain holds one inbound and one outbound VLAN
interface. ARP packets are not forwarded between VDOMs.
By default, physical interfaces are in the root VDOM. Do not configure any of your
VLANs in the root VDOM.
With this VDOM configuration the switches no longer receive multiple ARP
packets with the same source MAC but different VLAN IDs, and the instability
does not occur.

Forward-domain solution
The multiple VDOMs solution to the same MAC address appearing on multiple
interfaces is not always available. You may have more VLANs than licensed
VDOMs, too few physical interfaces, or a configuration that works better with
some VLANs grouped together. In these situations separate VDOMs may not
work for you.
Instead, use the forward_domain <collision_group> interface setting in the
CLI. It tags VLAN traffic as belonging to a particular forward-domain collision
group, and only interfaces and VLANs in that collision group receive the traffic.
By default, interfaces and VLANs are in forward-domain collision group 0.
This solution reduces administration, uses fewer physical interfaces and allows
more flexible network designs.
In the following example, forward-domain collision group 340 includes VLAN 340
traffic on Port1 and untagged traffic on Port2. Forward-domain collision group 341
includes VLAN 341 traffic on Port1 and untagged traffic on Port3. All other
interfaces, including untagged traffic on Port1, are in forward-domain collision
group 0 by default.

132

FortiGate VLANs and VDOMs Version 3.0 User Guide


01-30002-0091-20060718

Avoiding Problems with VLANs

NetBIOS

These are the CLI commands to accomplish this setup.


config system interface
edit port1
next
edit "port2"
set forward_domain 340
next
edit port3
set forward_domain 341
next
edit "port1-340"
set forward_domain 340
set interface "port1"
set vlanid 340
next
edit "port1-341"
set forward_domain 341
set interface "port1"
set vlanid 341
next
end
There is a more detailed discussion of this issue in the Asymmetric Routing and
Other FortiGate Layer-2 Installation Issues technical note.

NetBIOS
Networked computers running Microsoft Windows operating systems may rely on
a WINS server to resolve host names to IP addresses. The hosts communicate
with the WINS server using the NetBIOS protocol. To support this type of network,
you need to enable the forwarding of NetBIOS requests to a WINS server on the
interface that receives them. Enter the following CLI commands:
config system interface
edit <interface>
set netbios_forward enable
set wins-ip <wins_server_ip>
end
where <interface> is the name of the interface and <wins_server_ip> is
the IP address of the WINS server. These commands apply only in NAT/Route
mode.

STP forwarding
The FortiGate unit does not participate in the Spanning Tree Protocol (STP). STP
is an IEEE 802.1D protocol that ensures there are no Layer-2 loops in the network.
A loop forms when there is more than one Layer-2 path between two points, so
broadcast frames are forwarded back to the switch that originated them and
circulate endlessly, flooding the network with never-ending traffic.

If you use the FortiGate unit in a network topology that relies on STP for loop
protection, you need to change the FortiGate configuration. Otherwise the STP
frames are dropped at the unit, the switches on either side cannot see each other
through it, and STP treats the path through the FortiGate unit as a blocked link
and forwards the data along another path. By default, the FortiGate unit blocks
STP as well as other non-IP protocol traffic.
Using the CLI, you can enable forwarding of STP and other Layer 2 protocols
through the interface:
config system interface
edit <name_str>
set l2forward enable
set stpforward enable
end
where <name_str> is the name of the interface. This configuration also allows
non-IP protocols such as IPX, PPTP or L2TP through the interface, so apply it only
on the interfaces where those protocols and STP are expected. For more
information see Layer 2 traffic on page 131.
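The settings discussed in this chapter (asymroute, l2forward and stpforward, VLANs left in the root VDOM, and forward_domain membership) are easy to lose track of in a long configuration export. The following Python script is an added example, not Fortinet code: it parses the config/edit/set/next/end syntax used on this page, reports the forward-domain collision groups, shows which interfaces a Transparent-mode broadcast or ARP frame arriving on a given interface reaches, and flags the settings the asymmetric routing, Layer 2 traffic, multiple VDOMs and STP forwarding sections warn about. The embedded configuration is constructed for the example; it repeats the forward_domain configuration above and adds those settings so that every check has something to report.

```python
"""Audit a FortiOS 3.0-style configuration export for the VLAN and VDOM
pitfalls discussed in this chapter.  Added example, not Fortinet code."""
import re
from collections import defaultdict

# Constructed sample config (not taken from a real unit).  It reproduces the
# forward_domain example above and adds the settings the chapter warns about.
SAMPLE_CONFIG = """\
config system global
    set asymroute enable
end
config system interface
    edit "port1"
        set vdom "root"
        set l2forward enable
        set stpforward enable
    next
    edit "port2"
        set vdom "root"
        set forward_domain 340
    next
    edit "port3"
        set vdom "root"
        set forward_domain 341
    next
    edit "port1-340"
        set vdom "root"
        set interface "port1"
        set vlanid 340
        set forward_domain 340
    next
    edit "port1-341"
        set vdom "cust1"
        set interface "port1"
        set vlanid 341
        set forward_domain 341
    next
end
"""

TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_fortios(text):
    """Parse the config / edit / set / next / end grammar into
    {section: {entry: {key: value}}}.  Sections without edit entries
    (such as system global) keep their keys directly under the section."""
    sections = {}
    stack = []                      # [section_name, current_entry_or_None]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = [w.strip('"') for w in TOKEN.findall(line)]
        cmd, args = words[0], words[1:]
        if cmd == "config":
            name = " ".join(args)
            sections.setdefault(name, {})
            stack.append([name, None])
        elif cmd == "edit":
            stack[-1][1] = args[0]
            sections[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "set":
            section, entry = stack[-1]
            target = sections[section] if entry is None else sections[section][entry]
            target[args[0]] = " ".join(args[1:])
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return sections


def forward_domains(sections):
    """Map each forward_domain collision group to its member interfaces.
    Interfaces with no explicit setting belong to group 0, as on the page."""
    groups = defaultdict(list)
    for name, cfg in sections.get("system interface", {}).items():
        groups[int(cfg.get("forward_domain", 0))].append(name)
    return {g: sorted(m) for g, m in groups.items()}


def flood_targets(groups, iface):
    """Interfaces that receive a broadcast or ARP frame arriving on iface in
    Transparent mode: the other members of its collision group only."""
    for members in groups.values():
        if iface in members:
            return [m for m in members if m != iface]
    raise KeyError(iface)


def audit(sections):
    """Return (severity, message) findings for the settings this chapter covers."""
    findings = []
    if sections.get("system global", {}).get("asymroute") == "enable":
        findings.append(("warn", "asymroute enabled globally: replies without a "
                                 "matching request are accepted; fix the routing instead"))
    for name, cfg in sections.get("system interface", {}).items():
        for key in ("l2forward", "stpforward"):
            if cfg.get(key) == "enable":
                findings.append(("info", f"{name}: {key} enabled, non-IP frames pass; "
                                         "make sure STP breaks any Layer 2 loop"))
        if "vlanid" in cfg and cfg.get("vdom", "root") == "root":
            findings.append(("warn", f"{name}: VLAN {cfg['vlanid']} is in the root VDOM; "
                                     "the per-VLAN VDOM design keeps VLANs out of root"))
    for group, members in forward_domains(sections).items():
        if group != 0 and len(members) < 2:
            findings.append(("warn", f"forward_domain {group} has one member "
                                     f"({members[0]}); nothing receives its traffic"))
    return findings


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for group, members in sorted(forward_domains(cfg).items()):
        print(f"forward_domain {group}: {', '.join(members)}")
    for severity, msg in audit(cfg):
        print(f"[{severity}] {msg}")
```

Point parse_fortios at a saved `show full-configuration` export instead of SAMPLE_CONFIG to audit a real unit. The parser is deliberately minimal: a config block nested inside an edit entry (for example an interface's own sub-tables) is recorded as a separate top-level section rather than under its parent.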

Index

Index
Numerics
802.1Q 15, 16, 18, 26

A
administrators
access profiles 21
common 20
multiple 21
VDOM 55
Antivirus settings 23
asymmetric routing 131

B
border gateway protocol (BGP) 27

C
Cisco router configuration
IOS commands 28
simple Transparent VDOM example 102
Cisco switch
simple VLAN NAT/Route example 34
Cisco switch configuration
complex VDOM NAT/Route example 89
complex VLAN NAT/Route example 49
IOS commands 28
multiple VDOM Transparent example 123
simple Transparent VDOM example 102
simple VDOM NAT/Route example 70
CLI 28, 37, 126
customer service 12

D
default route 27, 58
complex VDOM NAT/Route example 76
complex VLAN NAT/Route example 39, 40
simple VDOM NAT/Route example 65, 69
default route, setting
complex VDOM example 83
diagnostics
ping 27, 35
tracert 35

E
example
complex VDOM NAT/Route 72
complex VLAN NAT/Route 36
complex VLAN NAT/Route mode VLAN 36
multiple VDOM Transparent 105
simple VLAN NAT/Route 27
simple VLAN NAT/Route topology 59
simple VLAN Transparent 96
external logging 20

F
firewall address
complex VDOM NAT/Route mode example 77, 83
complex VLAN NAT/Route example 40
multiple VDOM example 121
multiple VDOM Transparent example 115
policy 27
simple VDOM NAT/Route example 64, 67
simple VLAN NAT/Route example 31
Transparent multiple VDOM example 111
firewall policy
complex VDOM NAT/Route example 78, 84
complex VLAN NAT/Route example 41
multiple VDOM example 111, 116, 121
simple Transparent VDOM example 99
simple VDOM NAT/Route example 64, 68
simple VLAN NAT/Route example 31, 32
Transparent mode 95
VDOM 58
VLAN subinterface 26
firewall schedule
multiple VDOM example 105
Firewall settings 22, 23
FortiClient 48
FortiGate
CLI 28, 37, 126
IP address 26
NAT/Route 25
web-based manager 37
FortiManager v3.0 MR1 125, 129
Fortinet customer service 12
Fortinet services 20
FortiOS v3.0 MR1 125

G
gateway, VPN 44, 45

H
HTTP 27

I
ID tag 18
ID tags 19
IEEE 802.1Q 15, 16, 18, 26
IM settings 22
independent VDOM 128
interfaces
802.1Q trunk 25, 34


DMZ, simple VDOM NAT/Route example 62
external, simple VDOM NAT/Route example 61
external, simple VLAN NAT/Route 29
external, simple VLAN NAT/Route example 29
physical 125
subinterface 25
virtual 126
inter-VDOM
independent VDOM 128
physical interfaces 125
secure data handling 126
stand-alone VDOM 128
virtual interfaces 126
IP address 26
IPS settings 23
IPX, layer-2 forwarding 131

L
L2TP, layer-2 forwarding 131
layer-2 16
forwarding 131
layer-3 18
license 20

M
management traffic 20
management VDOM 20
multicast 27

N
NAT/Route
complex VLAN example 36
VLAN 25
NetBIOS, for Windows networks 133

O
open shortest path first (OSPF) 27

P
packets
handling 20
VLAN-tagged 26
physical interfaces 125
ping 27, 35
PPTP, layer-2 forwarding 131
protection profile
Transparent VDOM example 106

R
remote management 20
Router settings 21
routing
BGP 27
multicast 27
OSPF 27
RIP 27
STP 134

routing information protocol (RIP) 27
routing, default route 27
complex VDOM example 83
complex VDOM NAT/Route example 76
complex VLAN NAT/Route example 39, 40
NAT/Route 27
simple VDOM NAT/Route example 65, 69
VDOM 58
rules, VLAN ID 19

S
schedule, firewall
multiple VDOM example 105
secure data handling 126
security 126
service group
multiple VDOM Transparent example 115, 120
Transparent mode multiple VDOM example 110
settings shared by VDOMs 23
Spanning Tree Protocol, see STP.
SSH 27
stand-alone VDOM 128
STP, forwarding 134
subinterface 25
VDOM 57
VLAN NAT/Route 26
System settings 21, 23

T
tag 18
technical support 12
TELNET 27
testing
complex VDOM NAT/Route mode example 90
complex VLAN NAT/Route example 50
simple VDOM NAT/Route example 70
simple VLAN NAT/Route example 35
testing configuration
simple Transparent VDOM example 104
tracert 35
Transparent mode 93
firewall policy 95
VLAN subinterface 94
trunk interface 25, 34
tunnel 45

U
User settings 22

V
VDOM 19
administration 55
administrators 20
complex VDOM NAT/Route example 74
firewall policy 58
independent VDOM 128
license 20
multiple VDOMs example 108
packet handling 20

routing 58
settings, common 23
settings, exclusive 21
simple VDOM NAT/Route example 61, 62
simple VDOM NAT/Route VDOM example 66
stand-alone 128
Transparent mode 93
VLAN subinterface 57
VPN settings 59
VDOM exclusive settings 21, 22
VDOM shared settings 23
Virtual 53
virtual domain, See VDOM.
virtual interfaces 126
Virtual Private Network, see VPN.
VLAN
Cisco switch 49
complex VLAN NAT/Route 49
NAT/Route 25
packets, VLAN-tagged 26
subinterface 25
Transparent mode 93
VLAN ID
layer-3 18
rules 19

VLAN subinterface
complex VDOM NAT/Route example 75, 81
complex VLAN NAT/Route example 38
firewall policy 26
multiple VDOM example 109, 113, 118
simple VDOM NAT/Route example 63
simple VDOM Transparent example 97
simple VLAN NAT/Route example 29
Transparent mode 94
VDOM NAT/Route 57
VPN
client 48
encrypt policy 47
firewall policy 47
FortiClient 48
gateway 44, 45
tunnel 45
user IP address 46
VDOM 59

W
web-based manager 21, 37
Windows networks
enabling NetBIOS 133
WINS 133
