www.fortinet.com
Caution: If you install a battery that is not the correct type, it could
explode. Dispose of used batteries according to local regulations.
Contents
Introduction
  About FortiGate VLANs and VDOMs
  About this document
    Document conventions
      Typographic conventions
    FortiGate documentation
    Related documentation
      FortiManager documentation
      FortiClient documentation
      FortiMail documentation
      FortiAnalyzer documentation
      Fortinet Knowledge Center
      Comments on Fortinet technical documentation
Introduction
This chapter introduces you to FortiGate VLANs and VDOMs and the following
topics:
  FortiGate documentation
  Related documentation
  Inter-VDOM routing
The following document conventions are used in this guide:
In the examples, private IP addresses are used for both private and public IP
addresses.
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Typographic conventions
FortiGate documentation uses the following typographical conventions:
  Keyboard input. Example: In the Gateway Name field, type a name for the remote
  VPN peer or client (for example, Central_Office_1).
  Code examples
  Document names
  File content. Example:
    <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
    <BODY><H4>You must authenticate to use this service.</H4>
  Menu commands
  Program output. Example: Welcome!
  Variables. Example: <address_ipv4>
FortiGate documentation
Information about FortiGate products is available from the following guides:
Related documentation
Additional information about Fortinet products is available from the following
related documentation:
  FortiManager documentation
  FortiClient documentation
  FortiMail documentation
  FortiAnalyzer documentation
For information about our priority support hotline (live support), see
http://support.fortinet.com.
When requesting technical support, please provide the following information:
your name
Virtual LANs (VLANs) use ID tags to logically separate devices on a LAN into
smaller broadcast domains. Each VLAN is its own broadcast domain. Smaller
broadcast domains reduce traffic and increase network security. The IEEE 802.1Q
standard defines VLANs. Layer 2 and layer 3 devices must be 802.1Q-compliant
to support VLANs. For more information see VLAN layer-2 switching on page 16
and VLAN layer-3 routing on page 18.
VLANs reduce the size of the broadcast domains by only forwarding packets to
ports that are part of that VLAN, or part of a trunk link. Trunk links form
switch-to-switch or switch-to-router connections and forward the traffic of all
VLANs, each frame carrying its VLAN tag. This enables a VLAN to include devices
that are on the network but physically distant.
A good example of when to use VLANs is an accounting department within a
company. The accounting computers can be located in different buildings (main
and branch offices). However, accounting computers need to communicate with
each other frequently and require increased security. VLANs allow the accounting
data to be sent only to accounting computers and connect accounting
computers in different locations as if they were on the same physical subnet.
The VLAN ID tags used to define VLANs are a 4-byte frame extension that is
applied by switches and routers to every packet sent and received by the devices
in the VLAN. Workstations and desktop computers are not an active part of the
VLAN process - all the VLAN tagging and tag removal is done after the packet has
left the computer. For more information see Rules for VLAN IDs on page 19.
[Figure: example VLAN layer-2 topology. Switch A: ports 1 to 4 in VLAN 100,
ports 5 to 7 in VLAN 200, port 8 is the 802.1Q trunk. Switch B: ports 4 and 5 in
VLAN 100, port 6 in VLAN 200, port 8 is the 802.1Q trunk. The two switches serve
the Main Office and the Branch Office.]
Let's follow a data frame sent from a computer on subnet 1 that is part of VLAN
100.
A computer on port 1 of switch A sends a data frame over the network. Switch A
tags the data frame with a VLAN 100 ID tag upon arrival because port 1 is part of
VLAN 100. Switch A forwards the tagged data frame to the other VLAN 100 ports
- ports 2 through 4. Switch A also forwards the data frame to the 802.1Q trunk link
(port 8) so other parts of the network that may contain VLAN 100 groups will
receive VLAN 100 traffic.
This data frame is not forwarded to the other ports on switch A because they are
not part of VLAN 100. This increases security and decreases network traffic.
Switch B receives the data frame over the trunk link (port 8). There are VLAN 100
ports on switch B (ports 4 and 5) and the data frame is forwarded to those ports.
As with switch A, the data frame is not delivered to the VLAN 200 ports.
If there were no VLAN 100 ports on switch B, the switch would not forward the
data frame and it would stop there.
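The tagging and forwarding described in the walk-through above, as an added example that is not part of the Fortinet guide. It builds the 4-byte 802.1Q tag (TPID 0x8100 followed by the tag control information), rejects VLAN IDs outside 1 to 4094, and models Switch A and Switch B with the port-to-VLAN map from the figure: an access port tags on ingress, the tag is stripped before a frame reaches a host, and the trunk carries every VLAN tagged. The frame bytes are constructed for the example.

```python
"""802.1Q tagging and layer-2 VLAN forwarding, following the Switch A /
Switch B walk-through in the guide. Added illustration, not Fortinet code;
the port-to-VLAN map is the one in the figure and the frame is made up."""
import struct

TPID_8021Q = 0x8100          # tag protocol identifier that marks a tagged frame


def vlan_tag(vid, pcp=0, dei=0):
    """Build the 4-byte 802.1Q tag: 2-byte TPID followed by the 2-byte TCI
    (3-bit priority, 1-bit DEI, 12-bit VLAN ID)."""
    if not 1 <= vid <= 4094:  # VID 0 and 4095 are reserved by the standard
        raise ValueError("VLAN ID %d outside 1-4094" % vid)
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def tag_frame(frame, vid):
    """Insert the tag after the 12-byte destination/source MAC header."""
    return frame[:12] + vlan_tag(vid) + frame[12:]


def parse_frame(frame):
    """Return (vid, untagged frame); vid is None if the frame carries no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


class Switch:
    """A minimal 802.1Q switch: access ports belong to one VLAN and hand
    untagged frames to hosts; trunk ports carry every VLAN, tagged."""

    def __init__(self, access, trunks):
        self.access = access   # {port: vid}
        self.trunks = trunks   # set of trunk port numbers

    def forward(self, in_port, frame):
        """Flood one ingress frame within its VLAN; returns {port: frame}.
        No MAC learning, so every member port of the VLAN receives a copy."""
        vid, untagged = parse_frame(frame)
        if in_port in self.access:
            vid = self.access[in_port]   # the access port decides the VLAN
        elif vid is None:
            return {}                    # untagged frame on a trunk: dropped here
        out = {}
        for port, member_vid in self.access.items():
            if port != in_port and member_vid == vid:
                out[port] = untagged     # tag stripped before a host sees it
        for port in self.trunks:
            if port != in_port:
                out[port] = tag_frame(untagged, vid)
        return out


# Topology from the figure: Switch A ports 1-4 VLAN 100, ports 5-7 VLAN 200,
# port 8 trunk; Switch B ports 4 and 5 VLAN 100, port 6 VLAN 200, port 8 trunk.
SWITCH_A = Switch({1: 100, 2: 100, 3: 100, 4: 100, 5: 200, 6: 200, 7: 200}, {8})
SWITCH_B = Switch({4: 100, 5: 100, 6: 200}, {8})

# Constructed broadcast frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
FRAME = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"payload"


def follow_frame(switch_a_port, frame=FRAME):
    """Send a frame into Switch A and report which host ports receive it on
    each switch, plus the VLAN tag carried across the trunk in between."""
    from_a = SWITCH_A.forward(switch_a_port, frame)
    trunk_vid, _ = parse_frame(from_a.get(8, frame))
    from_b = SWITCH_B.forward(8, from_a[8]) if 8 in from_a else {}
    return {
        "switch_a_ports": sorted(p for p in from_a if p != 8),
        "trunk_vid": trunk_vid,
        "switch_b_ports": sorted(from_b),
    }


if __name__ == "__main__":
    print(follow_frame(1))   # VLAN 100 from port 1: A ports 2-4, B ports 4-5
    print(follow_frame(5))   # VLAN 200 from port 5: A ports 6-7, B port 6
```

The check worth running is the last one in the `__main__` block: a frame entering on a VLAN 200 port never reaches ports 1 to 4 on either switch, which is the isolation the guide attributes to VLANs. An untagged frame arriving on the trunk is dropped by this model; a real switch would place it in the trunk's native VLAN, which is exactly why native-VLAN settings deserve attention in a security review.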
[Figure 2: Example VLAN Layer-2 packet delivery. The frame leaves the host on
Switch A port 1 untagged, crosses the trunk (port 8) with a VLAN 100 ID tag, and
is delivered untagged to the VLAN 100 ports on Switch B.]
Before a switch forwards the data frame to an end destination, it removes the
VLAN 100 ID tag. The sending computer and the receiving computers are not
aware of any VLAN tagging on the data frame. When any computer receives that
data frame, it appears as a normal data frame.
The FortiGate unit selects a firewall policy using the content of the data frame,
such as its protocol and port number.
The data frame may be forwarded to another VLAN, sent to a regular non-VLAN-tagged
network or just forwarded to the same VLAN as a layer-2 switch would do.
It may be discarded if that is the proper firewall policy action.
This example explains how traffic originating on VLAN 100 arrives at a destination
on VLAN 300. Layer-2 switches alone cannot accomplish this, but a layer-3 router
can. Let's follow a data frame going from VLAN 100 at the Branch Office to
VLAN 300 at the Main Office.
As in the layer-2 example, the VLAN 100 computer sends the data frame to switch
A and a VLAN 100 tag is added. Switch A forwards the tagged data frame to the
FortiGate unit over the 802.1Q trunk link. The FortiGate unit removes the VLAN
100 tag and uses the content of the data frame to select the correct firewall policy.
In this case, the FortiGate unit's firewall policy allows the data frame to go to
VLAN 300. It goes to all VLAN 300 interfaces, but in the example there is only one
- port 1 on the FortiGate unit. Before the data frame leaves the FortiGate unit, the
VLAN subinterface adds a VLAN ID 300 tag.
The FortiGate unit then forwards the data frame to switch B. Switch B removes
the VLAN ID 300 tag because this is the last hop and forwards the data frame to
the computer on port 5.
In this example a data frame arrives at the FortiGate unit tagged as VLAN 100 and,
after checking its content, the FortiGate unit retags the data frame for VLAN 300.
It is this change from VLAN 100 to VLAN 300 that requires a layer-3 routing
device, in this case the FortiGate unit. Layer-2 switches cannot perform this
change.
One application of this capability is to use a single FortiGate unit to provide routing
and network protection for several organizations. Each organization has its own
network interfaces (physical or virtual), routing requirements and network
protection rules. By default, communication between organizations is possible
only if both allow access to an external network such as the internet. The chapter,
Using VDOMs in NAT/Route mode on page 53 provides two examples of this
application.
When a packet enters a virtual domain, it is confined to that virtual domain. In a
given domain, you can only create firewall policies for connections between VLAN
subinterfaces or zones in the virtual domain. The packet never crosses virtual
domain borders.
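The layer-3 walk-through (untag, match a firewall policy, retag for the egress VLAN) and the confinement rule just stated (a packet never crosses a VDOM border), as one added example that is not part of the Fortinet guide. Interface, VDOM and network names are taken from the guide's examples; the host addresses, the policy order and the placement of VLAN 300 on port1 are assumed. Routing and policy lookup are restricted to the VDOM the packet entered, so a destination that is directly connected in another VDOM is unreachable, and two VDOMs can carry the same 192.168.10.0/24 subnet on different VLANs without conflict.

```python
"""Layer-3 VLAN routing with VDOM confinement, following the VLAN 100 to
VLAN 300 walk-through and the rule that a packet never crosses a VDOM
border. Added illustration, not Fortinet code; interface, VDOM and network
names come from the guide's examples, host addresses are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Intf:
    name: str            # FortiGate interface or VLAN subinterface name
    vdom: str            # virtual domain the interface belongs to
    physical: str        # parent port the frame arrives on or leaves by
    vid: Optional[int]   # 802.1Q VID; None for untagged traffic on the port
    network: IPNet       # address/netmask configured on the (sub)interface


@dataclass(frozen=True)
class Policy:            # one firewall policy; the first match wins
    srcintf: str
    dstintf: str
    srcaddr: IPNet
    dstaddr: IPNet
    action: str          # "accept" or "deny"


class FortiGateModel:
    def __init__(self, intfs, policies, static_routes):
        self.intfs = {i.name: i for i in intfs}
        self.policies = policies            # {vdom: [Policy, ...] in list order}
        self.static_routes = static_routes  # {vdom: [(IPNet, egress interface name)]}

    def ingress(self, physical, vid):
        """The subinterface whose VID matches the tag on this port, if any.
        A tag with no matching subinterface is not received, as the guide says."""
        for i in self.intfs.values():
            if i.physical == physical and i.vid == vid:
                return i
        return None

    def route(self, vdom, dst):
        """Longest-prefix match over connected networks and static routes,
        restricted to the VDOM the packet entered: other VDOMs' interfaces
        and routes are invisible, even for a directly connected subnet."""
        cands = [(i.network, i.name) for i in self.intfs.values() if i.vdom == vdom]
        cands += self.static_routes.get(vdom, [])
        hits = [(net.prefixlen, name) for net, name in cands if dst in net]
        return max(hits)[1] if hits else None

    def forward(self, physical, vid, src, dst):
        """Untag, route inside the VDOM, apply its policies, retag on egress."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        inn = self.ingress(physical, vid)
        if inn is None:
            return {"result": "drop: no subinterface for VLAN tag"}
        out_name = self.route(inn.vdom, dst)
        if out_name is None:
            return {"result": "drop: no route in VDOM " + inn.vdom}
        out = self.intfs[out_name]
        for p in self.policies.get(inn.vdom, []):
            if (p.srcintf, p.dstintf) == (inn.name, out.name) \
                    and src in p.srcaddr and dst in p.dstaddr:
                if p.action != "accept":
                    return {"result": "drop: policy deny"}
                return {"result": "accept", "vdom": inn.vdom, "in": inn.name,
                        "out": out.name, "egress_port": out.physical,
                        "egress_vid": out.vid}
        return {"result": "drop: implicit deny"}   # no policy matched


def build_example():
    """root: VLAN 100 to VLAN 300 routing. ABCdomain and DEFdomain: the same
    192.168.10.0/24 subnet behind different VLANs, each with its own ISP."""
    any4 = IPNet("0.0.0.0/0")
    intfs = [
        Intf("VLAN_100", "root", "internal", 100, IPNet("10.1.1.0/24")),
        Intf("VLAN_300", "root", "port1", 300, IPNet("10.1.3.0/24")),
        Intf("students", "ABCdomain", "internal", 10, IPNet("192.168.10.0/24")),
        Intf("ATT-ISP", "ABCdomain", "external", 30, IPNet("30.1.1.0/24")),
        Intf("Development", "DEFdomain", "internal", 90, IPNet("192.168.10.0/24")),
        Intf("XO-ISP", "DEFdomain", "external", 40, IPNet("40.1.1.0/24")),
    ]
    policies = {
        "root": [Policy("VLAN_100", "VLAN_300", IPNet("10.1.1.0/24"), IPNet("10.1.3.0/24"), "accept")],
        "ABCdomain": [Policy("students", "ATT-ISP", IPNet("192.168.10.0/24"), any4, "accept")],
        "DEFdomain": [Policy("Development", "XO-ISP", IPNet("192.168.10.0/24"), any4, "accept")],
    }
    static_routes = {"ABCdomain": [(any4, "ATT-ISP")], "DEFdomain": [(any4, "XO-ISP")]}
    return FortiGateModel(intfs, policies, static_routes)


if __name__ == "__main__":
    fg = build_example()
    print(fg.forward("internal", 100, "10.1.1.5", "10.1.3.5"))    # retagged to VLAN 300
    print(fg.forward("internal", 100, "10.1.1.5", "30.1.1.1"))    # no route: 30.1.1.0/24 is in ABCdomain
    print(fg.forward("internal", 10, "192.168.10.5", "8.8.8.8"))   # ABCdomain leaves on VLAN 30
    print(fg.forward("internal", 90, "192.168.10.5", "8.8.8.8"))   # DEFdomain leaves on VLAN 40
```

The second call is the confinement point: 30.1.1.0/24 is a connected network of the ATT-ISP subinterface, but that subinterface lives in ABCdomain, so a packet that entered the root VDOM has no route to it. The only way such traffic can reach another VDOM is the inter-VDOM link described in the next section, and it then passes through firewall policies on both sides.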
Inter-VDOM routing
FortiOS v3.0 MR1 introduced a new feature called inter-VDOM routing. When
configured, this feature allows traffic to pass between VDOMs without having to
leave the FortiGate unit on a physical interface and return on a different physical
interface. This feature also allows you to determine the level of inter-VDOM
routing varying from having only 2 VDOMs with limited interaction to having all
VDOMs fully inter-connected. All traffic between VDOMs must pass through
firewall policies as it does with all external interface connections.
The command to configure this feature, called vdom-link, is only available in the
CLI. Inter-VDOM routing is not available from the web-based manager. This topic is
dealt with in Inter-VDOM routing on page 125 and the VDOM-admin chapter in
the FortiOS CLI Reference.
Management VDOM
All management traffic leaves the FortiGate unit through the management VDOM.
This includes all external logging, remote management and other Fortinet
services. By default the management VDOM is the root VDOM. You can change
this to another VDOM so management traffic will originate from the new VDOM.
For more information see Changing the management VDOM on page 56.
You can use the admin administration account to create regular administrator
accounts and assign them to VDOMs. Each regular administrator account can
only configure its own VDOM. Global properties affect all VDOMs. Access to
global properties is available only through the admin administration account.
Access profiles configure read-only or read/write access for all administrators.
Administrators can have access to:
system configuration
security policy
user authorization
administrator configuration
FortiGuard Update
configuration backup/restore
This makes it possible for you to have administrators for different services on
each VDOM. For example you can have one administrator responsible for logs
and reporting on a VDOM, while another administrator is responsible for security
policies on that same VDOM. For more information on access profiles, see the
FortiOS Administration Guide.
When you are configuring VDOMs using the admin administration account, the
web-based manager shows which VDOM you are editing in the center of the
status line at the bottom of the page. If you are configuring global properties, there
is no virtual domain indicator.
[Figure 4: Status line virtual domain indicator]
Settings configured separately for each VDOM:
  Router configuration
  Zones
  DHCP services
  Firewall settings: Policies, Addresses, Schedules, Virtual IPs, IP pools
  User settings: Users, User groups
  VPN settings: IPSec, PPTP, SSL, L2TP
  IM settings: Policy Download, Statistics
Global settings that affect all VDOMs:
  DNS settings
  Host name
  System time
  Firmware version
  HA configuration
  SNMP configuration
  Replacement messages
  Administrators
  Access profiles
  FortiManager configuration
  Bug reporting
  Predefined services
  Protection Profiles (all)
  IPS settings (all)
  Antivirus settings (all)
  Logging configuration and log reports (all)
Each VLAN subinterface must be configured with its own IP address and
netmask. The subinterface VLAN ID can be any number between 1 and 4094 (the
802.1Q VLAN ID is a 12-bit field; 0 and 4095 are reserved). The VLAN ID of each
VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant
switch or router. If the IDs do not match, the subinterface will not receive
the VLAN tagged traffic.
To add a VLAN subinterface in NAT/Route mode
1  From the Interface list, select the physical interface that receives the VLAN
   packets intended for this VLAN subinterface.
2  Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
   VLAN subinterface.
3  Configure the VLAN subinterface settings as you would for any FortiGate
   interface.
Firewall policies control the traffic that flows:
  from the VLAN to another VLAN in the same virtual domain on the FortiGate
  unit
  to the VLAN from another VLAN in the same virtual domain on the FortiGate
  unit
The packets on each VLAN are subject to antivirus and antispam scans as they
pass through the FortiGate unit.
To add firewall policies for VLAN subinterfaces
1  Select Create New to add firewall addresses that match the source and
   destination IP addresses of VLAN packets.
Configuring routing
In the simplest case, you need to configure a default route for packets with
external destinations to the gateway of an external network. In more complex
cases, you might have to configure different routes based on packet source and
destination addresses. Routing is explained in the FortiGate Administration Guide
and the CLI Reference documentation.
As with firewall policies, you need to configure routes for VLANs. VLANs need
routing and a gateway configured to send and receive packets outside their local
subnet. Depending on the network you are connecting to, it can be static or
dynamic routing. Dynamic routing can be Routing Information Protocol (RIP),
Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), or multicast
routing.
If you enable protocols like SSH, PING, TELNET and HTTP on the VLAN you can
use them to confirm that routing is properly configured. Enable only what the
test needs, prefer SSH and HTTPS over Telnet and HTTP (which send credentials
in the clear), and remove the administrative access again once routing is
confirmed. Enabling logging on the interfaces can also help locate any possible
issues.
[Figure: example VLAN network. The FortiGate unit's external port (172.16.21.2)
faces the Internet and carries untagged packets; its internal port
(192.168.110.126) connects over an 802.1Q trunk to port Fa 0/24 of the VLAN
switch. VLAN 100 is on switch port Fa 0/3 and VLAN 200 (network 10.1.2.0) is on
port Fa 0/9.]
When the Cisco switch receives packets from VLAN 100 and VLAN 200, it applies
VLAN ID tags and forwards the packets to local ports and across the trunk to the
FortiGate unit. The FortiGate unit has policies that allow traffic to flow between the
VLANs and from the VLANs to the external network.
This section describes how to configure a FortiGate 800 unit and a Cisco Catalyst
2950 switch for this example network topology. Cisco configuration commands
used in this section are IOS commands. It is assumed that both the FortiGate 800
and the Cisco 2950 switch are installed, connected and basic configuration has
been completed. On the switch you will need to be able to access the CLI to enter
commands. Refer to the manuals for each unit for more information.
Add Firewall addresses and address ranges for the internal and external
networks.
Enter the following information for the external interface and select OK:
  Addressing mode        Manual
  IP/Netmask             172.16.21.2/255.255.255.0

Enter the following information for the VLAN 100 subinterface and select OK:
  Name                   VLAN_100
  Interface              internal
  VLAN ID                100
  Addressing mode        Manual
  IP/Netmask             10.1.1.1/255.255.255.0
  Administrative Access

Enter the following information for the VLAN 200 subinterface and select OK:
  Name                   VLAN_200
  Interface              internal
  VLAN ID                200
  Addressing mode        Manual
  IP/Netmask             10.1.2.1/255.255.255.0
  Administrative Access

Add the following firewall addresses:
  Address Name           VLAN_100_Net
  Type                   Subnet/IP Range
  Subnet / IP Range      10.1.1.0/255.255.255.0

  Address Name           VLAN_200_Net
  Type                   Subnet/IP Range
  Subnet / IP Range      10.1.2.0/255.255.255.0
If you do not wish to allow all services on a VLAN, you can create a firewall policy
for each service you want to allow. This example allows all services.
To add the firewall policies - web-based manager
1  Add a policy from VLAN 100 to VLAN 200:
  Source Interface/Zone        VLAN_100
  Source Address Name          VLAN_100_Net
  Destination Interface/Zone   VLAN_200
  Destination Address Name     VLAN_200_Net
  Schedule                     Always
  Service                      ANY
  Action                       ACCEPT
  NAT                          Select

2  Add a policy from VLAN 200 to VLAN 100:
  Source Interface/Zone        VLAN_200
  Source Address Name          VLAN_200_Net
  Destination Interface/Zone   VLAN_100
  Destination Address Name     VLAN_100_Net
  Schedule                     Always
  Service                      ANY
  Action                       ACCEPT
  NAT                          Select

3  Add a policy from VLAN 100 to the external network:
  Source Interface/Zone        VLAN_100
  Source Address Name          VLAN_100_Net
  Destination Interface/Zone   external
  Destination Address Name     all
  Schedule                     Always
  Service                      ANY
  Action                       ACCEPT
  NAT                          Select

4  Add a policy from VLAN 200 to the external network:
  Source Interface/Zone        VLAN_200
  Source Address Name          VLAN_200_Net
  Destination Interface/Zone   external
  Destination Address Name     all
  Schedule                     Always
  Service                      ANY
  Action                       ACCEPT
  NAT                          Select
The switch has the following configuration:
  Port 0/3     VLAN ID 100
  Port 0/9     VLAN ID 200
  Port 0/24    802.1Q trunk
Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default
gateways. The default gateway for VLAN 100 is the FortiGate VLAN 100 subinterface. The
default gateway for VLAN 200 is the FortiGate VLAN 200 subinterface.
[Figure: example trace route from the VLAN 100 network (host 10.1.1.2) to the
VLAN 200 network (host 10.1.2.2) through the switch and the FortiGate VLAN 200
subinterface 10.1.2.1.]
  C:\>tracert 172.16.21.2
  Tracing route to 172.16.21.2 over a maximum of 30 hops:
    1   <10 ms   <10 ms   <10 ms   10.1.1.1
    2   <10 ms   <10 ms   <10 ms   172.16.21.2
  Trace complete.
[Figure 9: Example trace route from VLAN 100 to the external network. The
tracert runs from the VLAN 100 network through the switch to the FortiGate-800
VLAN 100 subinterface (10.1.1.1) and out of the external interface towards the
Internet.]
The internal interface is configured with two VLAN subinterfaces: VLAN 10 for
the Local users network and VLAN 20 for the Finance network. The internal
interface connects to a Cisco 2950 switch using an 802.1Q trunk.
The external interface is configured with two VLAN subinterfaces: VLAN 30 for
the ATT ISP network and VLAN 40 for the XO ISP network. The external
interface connects to a second Cisco 2950 switch using an 802.1Q trunk.
The FortiGate-800 is configured with firewall policies that control the flow of traffic
between networks. The Finance network is the most secure network. It allows
outbound traffic to all other networks, but it does not allow inbound traffic. The
Local users network allows outbound traffic to the external networks (ATT ISP and
XO ISP), inbound traffic from the Finance network and a single inbound
connection from a VPN client on the ATT ISP network.
This section describes how to configure a FortiGate-800 unit and two 802.1Q-compliant
switches for the example network topology shown in Figure 10.
[Figure 10: example network topology. The FortiGate-800 internal interface
carries VLAN 10 (Local users) and VLAN 20 (Finance network, 192.168.20.0) over an
802.1Q trunk to port Fa 0/24 of the internal Cisco 2950 switch (access ports
Fa 0/3 and Fa 0/9). The external interface carries VLAN 30 (ATT ISP) and VLAN 40
(XO ISP) over an 802.1Q trunk to port Fa 0/24 of a second switch (access ports
Fa 0/3 and Fa 0/9). A VPN client is located on the ATT ISP network, which
connects to the Internet.]
Enter the following information for the Local users network and select OK:
  Name                   Local-LAN
  Interface              internal
  VLAN ID                10
  Addressing mode        Manual
  IP/Netmask             192.168.10.1/255.255.255.0
  Administrative Access

Enter the following information for the Finance network and select OK:
  Name                   Finance
  Interface              internal
  VLAN ID                20
  Addressing mode        Manual
  IP/Netmask             192.168.20.1/255.255.255.0
  Administrative Access

Enter the following information for the ATT ISP network and select OK:
  Name                   ATT-ISP
  Interface              external
  VLAN ID                30
  Addressing mode        Manual
  IP/Netmask             30.1.1.1/255.255.255.0
  Administrative Access

Enter the following information for the XO ISP network and select OK:
  Name                   XO-ISP
  Interface              external
  VLAN ID                40
  Addressing mode        Manual
  IP/Netmask             40.1.1.1/255.255.255.0
  Administrative Access
Select either the web-based manager or the CLI to add a default route.
Enter the following information to add a default route to ATT-ISP for network traffic
leaving the external interface and select OK:
  Destination IP/Mask    0.0.0.0/0.0.0.0
  Gateway                30.1.1.2
  Device                 ATT-ISP
  Distance               10

Enter the following information to add a secondary default route to XO-ISP for
network traffic leaving the external interface and select OK:
  Destination IP/Mask    0.0.0.0/0.0.0.0
  Gateway                40.1.1.2
  Device                 XO-ISP
  Distance               20
Add the following firewall addresses:
  Address Name           Local_users
  Type                   Subnet/IP Range
  IP Range/Subnet        192.168.10.0/255.255.255.0

  Address Name           Finance_users
  Type                   Subnet/IP Range
  IP Range/Subnet        192.168.20.0/255.255.255.0
Add the following firewall policies (Finance is outbound-only, Local users may
reach both ISPs):
  Source Interface/Zone        Finance
  Source Address Name          Finance_users
  Destination Interface/Zone   ATT-ISP
  Destination Address Name     all
  Schedule                     Always
  Service                      ANY
  Action                       ACCEPT
  NAT                          Select

  Source Interface/Zone        Finance
  Source Address Name          Finance_users
  Destination Interface/Zone   XO-ISP
  Destination Address Name     all
  Schedule                     Always
  Service                      ANY
  Action                       ACCEPT
  NAT                          Select

  Source Interface/Zone        Finance
  Source Address Name          Finance_users
  Destination Interface/Zone   Local-LAN
  Destination Address Name     Local_users
  Schedule                     Always
  Service                      ANY
  Action                       ACCEPT
  NAT                          Select

  Source Interface/Zone        Local-LAN
  Source Address Name          Local_users
  Destination Interface/Zone   ATT-ISP
  Destination Address Name     all
  Schedule                     Always
  Service                      ANY
  Action                       ACCEPT
  NAT                          Select

  Source Interface/Zone        Local-LAN
  Source Address Name          Local_users
  Destination Interface/Zone   XO-ISP
  Destination Address Name     all
  Schedule                     Always
  Service                      ANY
  Action                       ACCEPT
  NAT                          Select
Define the IP address for the VPN user on the Local users network.
Configure the IPSec phase 1 settings:
  Name                       Dialup_tunnel
  Remote Gateway             Dialup User
  Local Interface            ATT-ISP
  Mode                       Aggressive
  Authentication Method      Preshared key
  Pre-shared key
  Advanced
    P1 Proposal
    DH Group
    Keylife                  28800 (seconds)

Configure the IPSec phase 2 settings:
  Name                       Dialup-client
  Phase 1                    Dialup_tunnel
  Advanced
    P2 Proposal
    Enable replay detection  Select
    Enable perfect forward secrecy  Select
    DH Group
    Keylife                  1800 seconds, Select
    DHCP-IPsec               Clear
Add a firewall address for the ATT network:
  Address Name           ATT-net
  Type                   Subnet/IP Range
  IP Range/Subnet        30.1.1.0/255.255.255.0

Add the encrypt policy:
  Source Interface/Zone        Local-LAN
  Source Address Name          Local_users
  Destination Interface/Zone   ATT-ISP
  Destination Address Name     ATT-net
  Schedule                     Always
  Service                      ANY
  Action                       IPSEC
  VPN Tunnel
    Allow inbound              Select
    Allow outbound             Clear
    Inbound NAT                Select
    Outbound NAT               Clear
Place the policy in the policy list above non-encrypt policies. If there is more than
one encrypt policy in the list, place the more specific ones above the more general
ones with similar source and destination addresses.
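The ordering rule above matters because FortiOS matches the first policy that fits: if the plain ACCEPT policy from Local-LAN to ATT-ISP (destination "all") sits above the encrypt policy, traffic for 30.1.1.0/24 matches the ACCEPT policy and leaves in the clear, and the tunnel is never used. The following added check (not part of the Fortinet guide) walks an ordered policy list and reports an encrypt policy that an earlier overlapping non-encrypt policy would shadow, and an encrypt policy that a more general encrypt policy above it would shadow. Policy IDs and the use of destination "all" on the non-encrypt policy are taken from this example; the IDs 4 and 7 are assumed.

```python
"""Policy-order check for policy-based IPsec: an encrypt policy must sit above
any overlapping non-encrypt policy, and more specific encrypt policies above
more general ones. Added illustration, not Fortinet code; policy IDs assumed."""
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    srcaddr: IPNet
    dstaddr: IPNet
    action: str          # "accept", "deny" or "ipsec" (encrypt policy)


def overlaps(a, b):
    """Two policies can match the same packet only when the interface pair is
    identical and both the source and the destination address sets intersect."""
    return ((a.srcintf, a.dstintf) == (b.srcintf, b.dstintf)
            and a.srcaddr.overlaps(b.srcaddr) and a.dstaddr.overlaps(b.dstaddr))


def covers(a, b):
    """True when a is at least as general as b (b's addresses lie inside a's)."""
    return b.srcaddr.subnet_of(a.srcaddr) and b.dstaddr.subnet_of(a.dstaddr)


def check_order(policies):
    """Walk the list top-down (first match wins) and report every encrypt
    policy that an earlier policy would catch the traffic for."""
    problems = []
    for i, later in enumerate(policies):
        if later.action != "ipsec":
            continue
        for earlier in policies[:i]:
            if not overlaps(earlier, later):
                continue
            if earlier.action != "ipsec":
                problems.append((earlier.policyid, later.policyid,
                                 "non-encrypt policy above encrypt policy"))
            elif covers(earlier, later) and not covers(later, earlier):
                problems.append((earlier.policyid, later.policyid,
                                 "general encrypt policy above more specific one"))
    return problems


def example():
    """The Local-LAN to ATT-ISP policies from this example, in three orders."""
    any4 = IPNet("0.0.0.0/0")
    local_users = IPNet("192.168.10.0/24")
    att_net = IPNet("30.1.1.0/24")
    encrypt = Policy(6, "Local-LAN", "ATT-ISP", local_users, att_net, "ipsec")
    outbound = Policy(4, "Local-LAN", "ATT-ISP", local_users, any4, "accept")
    encrypt_any = Policy(7, "Local-LAN", "ATT-ISP", local_users, any4, "ipsec")
    wrong = check_order([outbound, encrypt])        # tunnel traffic goes out in the clear
    right = check_order([encrypt, outbound])        # encrypt policy first, as the guide says
    too_general = check_order([encrypt_any, encrypt])  # general encrypt policy shadows the specific one
    return wrong, right, too_general


if __name__ == "__main__":
    for label, result in zip(("wrong", "right", "too_general"), example()):
        print(label, result)
```

The same check applies unchanged to the VDOM examples later in this guide, since each VDOM keeps its own ordered policy list; run it per VDOM.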
To add the encrypt policy - CLI
  config firewall policy
    edit 6
      set srcintf Local-LAN
      set dstintf ATT-ISP
      set srcaddr Local_users
      set dstaddr ATT-net
      set schedule always
      set service ANY
      set action ipsec
      set vpntunnel Dialup_tunnel
      set inbound enable
      set outbound disable
      set natinbound enable
      set natoutbound disable
      set status enable
  end
Start FortiClient.
Select Advanced.
Enter the following network information:
  IP                     30.1.1.0
  Subnet mask            255.255.255.0
The internal switch has the following configuration:
  Port 0/3     VLAN ID 10
  Port 0/9     VLAN ID 20
  Port 0/24    802.1Q trunk
Note: To complete the setup, configure devices on VLAN 10 and VLAN 20 with default
gateways. The default gateway for VLAN 10 is the FortiGate VLAN 10 subinterface. The
default gateway for VLAN 20 is the FortiGate VLAN 20 subinterface.

The external switch has the following configuration:
  Port 0/3     VLAN ID 30
  Port 0/9     VLAN ID 40
  Port 0/24    802.1Q trunk
Note: To complete the setup, configure devices on VLAN 30 and VLAN 40 with default
gateways. The default gateway for VLAN 30 is the FortiGate VLAN 30 subinterface. The
default gateway for VLAN 40 is the FortiGate VLAN 40 subinterface.
  C:\>tracert 192.168.10.2
  Tracing route to 192.168.10.2 over a maximum of 30 hops:
    1   <10 ms   <10 ms   <10 ms   192.168.20.1
    2   <10 ms   <10 ms   <10 ms   192.168.10.2
  Trace complete.
[Figure 15: Example trace route from VLAN 20 to VLAN 10. The tracert runs from
the Finance network on VLAN 20 through the switch to the FortiGate-800 VLAN 20
subinterface (192.168.20.1) and out of the VLAN 10 subinterface (192.168.10.1).]

  C:\>tracert 172.16.21.2
  Tracing route to 172.16.21.2 over a maximum of 30 hops:
    1   <10 ms   <10 ms   <10 ms   192.168.10.1
    2   <10 ms   <10 ms   <10 ms   172.16.21.2
  Trace complete.
[Figure 16: Example trace route from VLAN 10 to the external network. The
tracert runs from VLAN 10 through the switch to the FortiGate-800 VLAN 10
subinterface (192.168.10.1) and out of the external interface (172.16.21.1)
towards the Internet.]
Select Apply.
The FortiGate unit logs you off. You can now log in again as admin.
When Virtual Domain Configuration is enabled, the web-based manager and the
CLI are changed as follows:
Regular administrators can configure only the VDOM to which they are
assigned.
By default, there is no password for admin. To improve security, you should set a
password. Optionally, you can also rename the admin account. For more
information on this see the user sections of FortiGate Administration Guide.
Log in as admin.
The web-based manager Virtual Domain Configuration page opens.
Enter the name for your new virtual domain and select OK. The name must not
exceed 11 characters.
You can verify the new VDOM was created by selecting << Main Menu and
confirming it is in the list of virtual domains. You can repeat Steps 2 and 3 for each
VDOM that you want to create.
By default, your FortiGate unit supports a maximum of 10 VDOMs in any
combination of NAT/Route and Transparent modes. For FortiGate models
numbered 3000 and higher, you can purchase a license key to increase the
maximum number to 25, 50, 100 or 250 VDOMs.
To obtain a VDOM license key
1  Record your FortiGate unit serial number. You can find the serial number in the
   web-based manager on the System Status page.
2  Send the serial number to Fortinet customer support and request a license key for
   25, 50, 100 or 250 VDOMs.
3  When you receive your license key, in the web-based manager, go to System >
   Maintenance > License.
4  In the License Key field, enter the 32-character license key you received from
   Fortinet.
5  Select Apply.
You can verify the new VDOM license by going to System Status under Global
Configuration. There under License Information, Virtual Domains shows the new
maximum number of VDOMs allowed.
Log in as admin.
The web-based manager Virtual Domain Configuration page opens.
From the Virtual Domain list, select the VDOM that this administrator will control.
Configure the remaining settings of the administrator account. See the System
Admin chapter of the FortiGate Administration Guide for detailed information.
Select OK.
The newly-created administrator can access the FortiGate unit only through a
network interface that belongs to the assigned VDOM or through the Console
interface. The network interface must be configured to allow management access,
such as HTTPS and SSH.
Log in as admin.
The web-based manager Virtual Domain Configuration page opens. From here
you can access global settings using the Global Settings button or select a
specific VDOM to configure.
Figure 17: List of virtual domains
Select the name of the virtual domain that you want to configure.
The main web-based manager page opens.
The footer of the web-based manager page displays the currently selected virtual
domain name, unless only the root domain exists.
Select << Main Menu to return to the Virtual Domain Configuration page.
Log out.
Connect to a FortiGate unit interface that belongs to the VDOM that you want to
configure.
To configure the root VDOM using the CLI, you can also connect to the Console
connector.
Management traffic that originates from the management VDOM includes:
  DNS lookups
  FortiGuard service
Before you change the management VDOM, ensure that virtual domain
configuration is selected.
1  Select the physical interface that receives the VLAN packets intended for this
   VLAN subinterface. The interface can be in a different VDOM from the VLAN.
2  Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
   VLAN subinterface.
3  Configure the VLAN subinterface settings as you would for any FortiGate
   interface.
4  From the Virtual Domain list, select the new VDOM of the interface.
Select OK.
The interface moves to the selected virtual domain. Firewall IP pools and virtual
IPs added for this interface are deleted. You should manually delete any routes
that include this interface.
To add zones to a virtual domain
Select Change following the current virtual domain name above the table.
Select OK.
Log in as admin.
Go to Router.
Log in as admin.
Add new firewall addresses, address ranges and address groups to the current
virtual domain.
To configure firewall policies for a virtual domain
Log in as admin.
Select Create new to add firewall policies to the current virtual domain.
Your firewall policies can involve only the interfaces, zones and firewall addresses
that are in the current virtual domain. The firewall policies that you add are only
visible when you are viewing the current virtual domain. Network traffic accepted
by the interfaces and VLAN subinterfaces in this virtual domain is controlled by
the firewall policies in this virtual domain
Log in as admin.
Go to VPN.
[Figure: example VDOM topology. The VLAN switch connects the ABC Inc. network
(10.1.1.0) to the FortiGate unit.]
When the switch receives packets from VLAN 100 and VLAN 200, it applies the
proper VLAN ID tags and forwards the packets across the trunk link to the
FortiGate unit. The FortiGate unit is a layer-3 device - it has policies that allow
traffic to flow from VLAN 100 to the external network and from VLAN 200 to the
DMZ network.
This section describes how to configure a FortiGate-800 unit and a Cisco 2950
switch for this example network topology.
Add Firewall addresses and address ranges for the internal and external
networks.
Add a firewall policy to allow the VLAN to access the external network.
Log in as admin.
Now you will configure the external interface using either the web-based manager, or
through the CLI.
Log in as admin.
Enter the following information for the external interface and select OK:
  Virtual domain         ABCdomain
  Addressing mode        Manual
  IP/Netmask             30.1.1.21/255.255.255.0

Log in as admin.
Enter the following information for the dmz/ha interface, the DEFdomain interface
that the route and policy for VLAN 200 below use, and select OK:
  Virtual domain         DEFdomain
  Addressing mode        Manual
  IP/Netmask             40.1.1.32/255.255.255.0
Adding the VLAN interface provides a way to send and receive packets to and
from the VDOM. Interfaces are part of the global configuration.
Adding the firewall policy allows connections to the external interface and
limits unwanted traffic. Firewall policies apply to each VDOM separately.
Log in as admin.
Enter the following information for the VLAN 100 subinterface and select OK:
  Name                   VLAN_100
  Interface              internal
  VLAN ID                100
  Virtual Domain         ABCdomain
  Addressing mode        Manual
  IP/Netmask             10.1.1.1/255.255.255.0
  Administrative Access
Log in as admin.
Select ABCdomain.
To select the ABCdomain VDOM - CLI
  config vdom
    edit ABCdomain
Add the following firewall address:
  Address Name           VLAN_100_Net
  Type                   Subnet/IP Range
  IP Range/Subnet        10.1.1.0/255.255.255.0
Add the following firewall policy:
  Source Interface/Zone        VLAN_100
  Source Address Name          VLAN_100_Net
  Destination Interface/Zone   External
  Destination Address Name     all
  Schedule                     Always
  Service                      ANY
  Action                       ACCEPT
  NAT                          Select

Enter the following information to add a default route to ISP1 for network traffic
leaving the external interface and select OK:
  Destination IP/Mask    0.0.0.0/0.0.0.0
  Gateway                30.1.1.2
  Device                 external
  Distance               10
Log in as admin.
Enter the following information for the VLAN 200 subinterface and select OK:
  Name                   VLAN_200
  Interface              internal
  VLAN ID                200
  Virtual Domain         DEFdomain
  Addressing mode        Manual
  IP/Netmask             10.1.2.1/255.255.255.0
  Administrative Access
Log in as admin.
Select DEFdomain.
To select the DEFdomain VDOM - CLI
  config vdom
    edit DEFdomain
Add the following firewall addresses:
  Address Name           all
  Type                   Subnet/IP Range
  IP Range/Subnet        0.0.0.0/0.0.0.0

  Address Name           VLAN_200_Net
  Type                   Subnet/IP Range
  IP Range/Subnet        10.1.2.0/255.255.255.0
Add the following firewall policy:
  Source Interface/Zone        VLAN_200
  Source Address Name          VLAN_200_Net
  Destination Interface/Zone   dmz/ha
  Destination Address Name     all
  Schedule                     Always
  Service                      ANY
  Action                       ACCEPT
  NAT                          Select

Enter the following information to add a default route to ISP2 for network traffic
leaving the dmz/ha interface and select OK:
  Destination IP/Mask    0.0.0.0/0.0.0.0
  Gateway                40.1.1.2
  Device                 dmz/ha
  Distance               10
The switch has the following configuration:
  Port 0/3     VLAN ID 100
  Port 0/9     VLAN ID 200
  Port 0/24    802.1Q trunk
Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default
gateways. The default gateway for VLAN 100 is the FortiGate VLAN 100 subinterface. The
default gateway for VLAN 200 is the FortiGate VLAN 200 subinterface.
  C:\>tracert 30.1.1.21
  Tracing route to 30.1.1.21 over a maximum of 30 hops:
    1   <10 ms   <10 ms   <10 ms   10.1.1.1
    2   <10 ms   <10 ms   <10 ms   30.1.1.21
  Trace complete.
[Figure 28: Example trace route from VLAN 100 to the external network. The
tracert runs from the VLAN 100 network through the switch to the FortiGate-800
VLAN 100 subinterface (10.1.1.1) and out of the external interface (30.1.1.21)
towards the Internet.]

  C:\>tracert 40.1.1.32
  Tracing route to 40.1.1.32 over a maximum of 30 hops:
    1   <10 ms   <10 ms   <10 ms   10.1.2.1
    2   <10 ms   <10 ms   <10 ms   40.1.1.32
  Trace complete.
[Figure 29: Example trace route from VLAN 200 to the DMZ network. The tracert
runs from the VLAN 200 network through the switch to the FortiGate-800 VLAN 200
subinterface (10.1.2.1) and out of the DMZ interface (40.1.1.32).]
The internal interface is configured with two VLAN subinterfaces: VLAN 10 for
the students network and VLAN 20 for the instructors network.
The external interface is configured with a VLAN subinterface, VLAN 30, for
the ATT-ISP network.
Firewall policies allow both the instructors and students networks to access the
Internet through the ATT-ISP network. A stricter protection profile governs the
students' online activities.
The internal interface is configured with two VLAN subinterfaces: VLAN 80 for
the Sales network and VLAN 90 for the Development network.
Firewall policies allow access to the Internet through the XO-ISP and XS-ISP
networks from both Sales and Development networks.
Firewall policies allow access from the Sales network to the Development
network and from the Development network to the Sales network.
You might have noticed that the Student network and the Development network
have the same network address ranges. This does not cause a problem because
the two address ranges reside in different virtual domains.
[Diagram: the Student network and the Development network both use the address range 192.168.10.0.]
Log in as admin.
Enter the following information for the students network and select OK:
  Name             students
  Interface        internal
  VLAN ID          10
  Virtual Domain   ABCdomain
  Addressing mode  Manual
  IP/Netmask       192.168.10.1/255.255.255.0
Enter the following information for the instructors network and select OK:
  Name             instructors
  Interface        internal
  VLAN ID          20
  Virtual Domain   ABCdomain
  Addressing mode  Manual
  IP/Netmask       192.168.20.1/255.255.255.0
Enter the following information for the ATT ISP network and select OK:
  Name             ATT-ISP
  Interface        external
  VLAN ID          30
  Virtual Domain   ABCdomain
  Addressing mode  Manual
  IP/Netmask       30.1.1.1/255.255.255.0
Enter the following information to add a default route to ATT-ISP for network traffic
leaving the external interface from the ABCdomain domain and select OK:
  Destination IP/Mask  0.0.0.0/0.0.0.0
  Gateway              30.1.1.2
  Device               ATT-ISP
  Distance             10
Firewall address:
  Address Name     student_net
  Type             Subnet/IP Range
  IP Range/Subnet  (value not captured)
Firewall policy from students to ATT-ISP:
  Source Interface/Zone       students
  Source Address Name         student_net
  Destination Interface/Zone  ATT-ISP
  Destination Address Name    all
  Schedule                    Always
  Service                     ANY
  Action                      ACCEPT
  NAT                         Select
  Protection profile          strict
Firewall policy from instructors to ATT-ISP:
  Source Interface/Zone       instructors
  Source Address Name         instructor_net
  Destination Interface/Zone  ATT-ISP
  Destination Address Name    all
  Schedule                    Always
  Service                     ANY
  Action                      ACCEPT
  NAT                         Select
  Protection profile          scan
Firewall policy from instructors to students:
  Source Interface/Zone       instructors
  Source Address Name         instructor_net
  Destination Interface/Zone  students
  Destination Address Name    student_net
  Schedule                    Always
  Service                     ANY
  Action                      ACCEPT
  NAT                         Select
Log in as admin.
Enter the following information for the Sales network and select OK:
  Name             Sales
  Interface        internal
  VLAN ID          80
  Virtual Domain   Commercial
  Addressing mode  Manual
  IP/Netmask       192.168.15.1/255.255.255.0
Enter the following information for the Development network and select OK:
  Name             Development
  Interface        internal
  VLAN ID          90
  Virtual Domain   Commercial
  Addressing mode  Manual
  IP/Netmask       192.168.10.1/255.255.255.0
Enter the following information for the XO ISP network and select OK:
  Name             XO-ISP
  Interface        external
  VLAN ID          40
  Virtual Domain   Commercial
  Addressing mode  Manual
  IP/Netmask       40.1.1.1/255.255.255.0
Enter the following information for the XS ISP network and select OK:
  Name             XS-ISP
  Interface        external
  VLAN ID          50
  Virtual Domain   Commercial
  Addressing mode  Manual
  IP/Netmask       145.1.1.1/255.255.255.0
Enter the following information to add a default route to XO-ISP for network traffic
leaving the external interface from the Commercial domain and select OK:
  Destination IP/Mask  0.0.0.0/0.0.0.0
  Gateway              40.1.1.2
  Device               XO-ISP
  Distance             10
Enter the following information to add a secondary default route to XS-ISP for
network traffic leaving the external interface from the Commercial domain and
select OK:
  Destination IP/Mask  0.0.0.0/0.0.0.0
  Gateway              145.1.1.2
  Device               XS-ISP
  Distance             20
Firewall addresses:
  Address Name     all
  Type             Subnet/IP Range
  IP Range/Subnet  0.0.0.0/0.0.0.0

  Address Name     development_net
  Type             Subnet/IP Range
  IP Range/Subnet  192.168.10.0/255.255.255.0

  Address Name     sales_net
  Type             Subnet/IP Range
  IP Range/Subnet  192.168.15.0/255.255.255.0
Firewall policy from Sales to XO-ISP:
  Source Interface/Zone       Sales
  Source Address Name         sales_net
  Destination Interface/Zone  XO-ISP
  Destination Address Name    all
  Schedule                    Always
  Service                     ANY
  Action                      ACCEPT
  NAT                         Select
  Protection profile          scan
Firewall policy from Sales to XS-ISP:
  Source Interface/Zone       Sales
  Source Address Name         sales_net
  Destination Interface/Zone  XS-ISP
  Destination Address Name    all
  Schedule                    Always
  Service                     ANY
  Action                      ACCEPT
  NAT                         Select
  Protection profile          scan
Firewall policy from Development to XO-ISP:
  Source Interface/Zone       Development
  Source Address Name         development_net
  Destination Interface/Zone  XO-ISP
  Destination Address Name    all
  Schedule                    Always
  Service                     ANY
  Action                      ACCEPT
  NAT                         Select
  Protection profile          scan
Firewall policy from Development to XS-ISP:
  Source Interface/Zone       Development
  Source Address Name         development_net
  Destination Interface/Zone  XS-ISP
  Destination Address Name    all
  Schedule                    Always
  Service                     ANY
  Action                      ACCEPT
  NAT                         Select
  Protection profile          scan
Firewall policy from Sales to Development:
  Source Interface/Zone       Sales
  Source Address Name         sales_net
  Destination Interface/Zone  Development
  Destination Address Name    development_net
  Schedule                    Always
  Service                     ANY
  Action                      ACCEPT
  NAT                         Select
Firewall policy from Development to Sales:
  Source Interface/Zone       Development
  Source Address Name         development_net
  Destination Interface/Zone  Sales
  Destination Address Name    sales_net
  Schedule                    Always
  Service                     ANY
  Action                      ACCEPT
  NAT                         Select
Note: To complete the setup, configure devices on the VLANs with default gateways. The
default gateway for VLAN 10 is the FortiGate VLAN 10 subinterface. The default gateway
for VLAN 20 is the FortiGate VLAN 20 subinterface and so on.
Switch port assignments:
  Port            VLAN ID
  (not captured)  10
  0/4             20
  0/14            80
  0/16            90
  0/24            802.1Q trunk
Add this file to the Cisco switch connected to the FortiGate-800 external interface:
!
interface FastEthernet0/3
switchport access vlan 30
!
interface FastEthernet0/9
switchport access vlan 40
!
interface FastEthernet0/19
switchport access vlan 50
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
The switch has the following configuration:
  Port  VLAN ID
  0/3   30
  0/9   40
  0/19  50
  0/24  802.1Q trunk
  <10 ms   <10 ms   <10 ms   192.168.20.1
  <10 ms   <10 ms   <10 ms   192.168.10.2
Trace complete.
[Diagram: example trace route from the VLAN 20 Instructors network to the VLAN 10 Student network host 192.168.10.2, through the switch and the FortiGate VLAN 10 subinterface 192.168.10.1.]
Other tests
Using the preceding method, you can also test traffic from the Development
network to the Sales network and vice-versa, as well as traffic from each of the
internal networks to locations on the Internet.
Overview
You can also configure the protection profiles that govern virus scanning, web
filtering and spam filtering. Protection profiles are covered in the documentation
for your FortiGate unit.
In Transparent mode, you can access the FortiGate unit web-based manager by
connecting to an interface configured for administrative access and using HTTPS
to access the management IP address. On the FortiGate-800 used as an example
in this document, administrative access is enabled by default on the Internal
interface and the default management IP address is 10.10.10.1. If you need more
information, see the Quick Start Guide or Installation Guide for your unit.
The procedures in this section assume that you have not enabled VDOM
configuration. If VDOM configuration is enabled, you need to navigate to the
global or VDOM configuration as needed before following each procedure.
Select the physical interface that receives the VLAN packets intended for this
VLAN subinterface.
Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
VLAN subinterface.
01-30002-0091-20060718
Repeat Step 2 through Step 8, but choose the physical interface through which
the VLAN packets exit the FortiGate unit. Use the same VLAN ID and VDOM as
before.
For each of the VLAN subinterfaces you added, select Bring Up to start the
interface.
Select Create New to add firewall addresses that match the source and
destination IP addresses of VLAN packets.
From the Source Interface/Zone list, select the VLAN interface where packets
enter the unit.
From the Destination Interface/Zone list, select the VLAN interface where packets
exit the unit.
Select Protection Profile and select the profile from the list.
Select OK.
[Diagram: Transparent mode topology. A VLAN router (10.1.1.1 and 10.1.2.1) connects to the Internet and, through a VLAN switch and an 802.1Q trunk carrying VLAN 1 and VLAN 2, to the External interface of a FortiGate-300 unit in Transparent mode. The Internal interface connects over an 802.1Q trunk to a second VLAN switch (trunk on Fa0/24) with VLAN 100 on Fa0/3 (10.1.1.2) and VLAN 200 on Fa0/9 (10.1.2.2).]
VLAN subinterface settings:
  Name       VLAN_100_int
  Interface  internal
  VLAN ID    100

  Name       VLAN_100_ext
  Interface  external
  VLAN ID    100

  Name       VLAN_200_int
  Interface  internal
  VLAN ID    200

  Name       VLAN_200_ext
  Interface  external
  VLAN ID    200
Firewall policy from VLAN_100_int to VLAN_100_ext:
  Source Interface/Zone       VLAN_100_int
  Source Address Name         all
  Destination Interface/Zone  VLAN_100_ext
  Destination Address Name    all
  Schedule                    Always
  Service                     ANY
  Action                      ACCEPT
Firewall policy from VLAN_100_ext to VLAN_100_int:
  Source Interface/Zone       VLAN_100_ext
  Source Address Name         all
  Destination Interface/Zone  VLAN_100_int
  Destination Address Name    all
  Schedule                    Always
  Service                     ANY
  Action                      ACCEPT
Firewall policy from VLAN_200_int to VLAN_200_ext:
  Source Interface/Zone       VLAN_200_int
  Source Address Name         all
  Destination Interface/Zone  VLAN_200_ext
  Destination Address Name    all
  Schedule                    Always
  Service                     ANY
  Action                      ACCEPT
Firewall policy from VLAN_200_ext to VLAN_200_int:
  Source Interface/Zone       VLAN_200_ext
  Source Address Name         all
  Destination Interface/Zone  VLAN_200_int
  Destination Address Name    all
  Schedule                    Always
  Service                     ANY
  Action                      ACCEPT
Switch port assignments:
  Port            VLAN ID
  (not captured)  100
  0/9             200
  0/24            802.1Q trunk
The router has the following configuration:
Table 10:
  Port   VLAN ID
  0/0.1  100
  0/0.2  200
  0/0    802.1Q trunk
Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default
gateways. The default gateway for VLAN 100 is the Cisco router VLAN 100 subinterface.
The default gateway for VLAN 200 is the Cisco router VLAN 200 subinterface.
  <10 ms   <10 ms   <10 ms   10.1.1.1
  <10 ms   <10 ms   <10 ms   10.1.2.2
Trace complete.
Figure 41: Example trace route from VLAN 100 to VLAN 200
[Diagram: a host on VLAN 100 (10.1.1.2) runs tracert through the switch and the FortiGate-300 unit (Internal to External) to the router (10.1.1.1), which forwards to the VLAN 200 host 10.1.2.2.]
[Diagram: multiple-VDOM Transparent mode topology. A router sends untagged packets to Fa0/3 of VLAN Switch 2, whose Fa0/6 VLAN trunk carries VLAN_100_ext, VLAN_200_ext and VLAN_300_ext to the External interface of a FortiGate unit in Transparent mode. The Internal interface's VLAN trunk (VLAN_100_int, VLAN_200_int, VLAN_300_int) reaches VLAN Switch 1, which connects ABC Inc (VLAN ID 100) on Fa0/1, DEF Inc (VLAN ID 200) on Fa0/2 and XYZ Inc. (VLAN ID 300) on Fa0/5; Fa0/8 is also labelled.]
Creating schedules
The FortiGate-800 unit in this example serves organizations that are all
businesses that vary their policies according to the time of day. For simplicity, this
example assumes that they all have the same lunch hours. It would be possible to
accommodate different definitions of lunchtime by creating multiple schedules
tailored to the needs of each organization.
Set the Start time as 11:45 and set the Stop time as 14:00.
Select OK.
To create a recurring schedule for lunchtime - CLI
config firewall schedule recurring
edit Lunch
set day monday tuesday wednesday thursday friday saturday
set start 11:45
set end 14:00
end
Select Anti-Virus and enable Virus Scan for HTTP, FTP, IMAP, POP3 and SMTP.
[Web category filtering table: five categories (names not captured) set to Block, Business Oriented set to Allow, Other set to Block.]
Select Spam Filtering and enable RBL & ORDBL check for IMAP, POP3 and
SMTP.
For Spam action, select tagged for IMAP and POP3, discard for SMTP.
Select OK.
To create the BusinessOnly protection profile - CLI
config firewall profile
edit BusinessOnly
set ftp scan
set http scan catblock
set imap scan fragmail spamrbl bannedword
set pop3 scan fragmail spamrbl bannedword
set smtp scan fragmail spamrbl bannedword
set ips signature anomaly
set cat_allow 49-50-51-52-53
set cat_deny g01-g02-g03-g04-g05-g06-g08
end
To create the Relaxed protection profile - web-based manager
Select Anti-Virus and enable Virus Scan for HTTP, FTP, IMAP, POP3 and SMTP.
[Web category filtering table: five categories (names not captured) set to Block, Block, Monitor, Block and Allow; Business Oriented set to Allow; Others set to Allow.]
Select Spam Filtering and enable RBL & ORDBL check for IMAP, POP3 and
SMTP.
For Spam action, select tagged for IMAP and POP3, discard for SMTP.
Select OK.
To create the Relaxed protection profile - CLI
config firewall profile
edit Relaxed
set ftp scan
set http scan catblock
set imap scan
set pop3 scan
set smtp scan spamrbl
set ips anomaly
set ips signature
set cat_allow g06-g07-g08
set cat_deny g01-g02-g05
set cat_monitor g03-g04
end
Log in as admin.
Virtual domains (system vdom): ABCdomain, DEFdomain, XYZdomain
VLAN subinterface settings for ABCdomain:
  Name            VLAN_100_int
  Interface       internal
  VLAN ID         100
  Virtual Domain  ABCdomain

  Name            VLAN_100_ext
  Interface       external
  VLAN ID         100
  Virtual Domain  ABCdomain
Select OK.
To configure ABCdomain firewall addresses - CLI
config firewall address
edit all
set type ipmask
set subnet 0.0.0.0 0.0.0.0
end
Firewall policy (VLAN_100_int to VLAN_100_ext):
  Source Interface/Zone       VLAN_100_int
  Destination Interface/Zone  VLAN_100_ext
  Address                     all
  Schedule                    BusinessDay
  Service                     games-chat
  Action                      DENY
This policy prevents the use of network games or chat programs during business
hours.
Firewall policy (VLAN_100_int to VLAN_100_ext):
  Source Interface/Zone       VLAN_100_int
  Destination Interface/Zone  VLAN_100_ext
  Address                     all
  Schedule                    Lunch
  Service                     HTTP
  Action                      ACCEPT
  Protection Profile          Relaxed
This policy relaxes the web category filtering during lunch hour.
Firewall policy (VLAN_100_int to VLAN_100_ext):
  Source Interface/Zone       VLAN_100_int
  Destination Interface/Zone  VLAN_100_ext
  Address                     all
  Schedule                    BusinessDay
  Service                     HTTP
  Action                      ACCEPT
  Protection Profile          BusinessOnly
This policy provides rather strict web category filtering during business hours.
Figure 44: ABCdomain firewall policies
VLAN subinterface settings for DEFdomain:
  Name            VLAN_200_int
  Interface       internal
  VLAN ID         200
  Virtual Domain  DEFdomain

  Name            VLAN_200_ext
  Interface       external
  VLAN ID         200
  Virtual Domain  DEFdomain
Select Change following the current virtual domain name above the table.
For each of AOL, IRC, Quake, SIP-MSNmessenger and Talk, select the service in
the Available Services list and select the right arrow to add it to the Members list.
Select OK.
To create a games and chat service group - CLI
config firewall service group
edit Games
set member IRC QUAKE SIP-MSNmessenger AOL TALK
end
Select OK.
To configure DEFdomain firewall addresses - CLI
config firewall address
edit all
set type ipmask
set subnet 0.0.0.0 0.0.0.0
end
Firewall policy (VLAN_200_int to VLAN_200_ext):
  Source Interface/Zone       VLAN_200_int
  Destination Interface/Zone  VLAN_200_ext
  Address                     all
  Schedule                    BusinessDay
  Service                     games-chat
  Action                      DENY
This policy prevents the use of network games or chat programs (except
NetMeeting) during business hours.
Firewall policy (VLAN_200_int to VLAN_200_ext):
  Source Interface/Zone       VLAN_200_int
  Destination Interface/Zone  VLAN_200_ext
  Address                     all
  Schedule                    Lunch
  Service                     HTTP
  Action                      ACCEPT
  Protection Profile          Relaxed
This policy relaxes the web category filtering during lunch hour.
Firewall policy (VLAN_200_int to VLAN_200_ext):
  Source Interface/Zone       VLAN_200_int
  Destination Interface/Zone  VLAN_200_ext
  Address                     all
  Schedule                    BusinessDay
  Service                     HTTP
  Action                      ACCEPT
  Protection Profile          BusinessOnly
This policy provides rather strict web category filtering during business hours.
Firewall policy (VLAN_200_int to VLAN_200_ext):
  Source Interface/Zone       VLAN_200_int
  Destination Interface/Zone  VLAN_200_ext
  Address                     all
  Schedule                    always
  Service                     ANY
  Action                      ACCEPT
  Protection Profile          Relaxed
Because it is last in the list, this policy applies to the times and services not
covered in preceding policies. This means that outside of regular business hours
the Relaxed protection profile applies to email and web browsing and that online
chat and games are permitted. DEF Inc. needs this policy because its employees
sometimes work overtime. The other companies in this example maintain fixed
hours and don't want any after-hours internet access.
Figure 46: DEFdomain firewall policies
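The ordering rule just described (the catch-all policy only covers what earlier policies leave unmatched) is easy to get wrong when policies are reordered. The following is an added example, not code from the guide or from Fortinet: a small Python model of the four DEFdomain policies with first-match lookup. The BusinessDay hours (09:00 to 17:00, Monday to Friday) and the port numbers behind the HTTP and games-chat services are assumptions made for this example; the Lunch schedule follows the CLI example on this page.

```python
"""First-match evaluation of an ordered policy list with recurring schedules.

Added example, not code from the FortiGate guide. It models the four
DEFdomain policies above and shows why their order matters: the final
catch-all policy only covers the times and services the earlier policies
leave unmatched. BusinessDay hours and the port numbers behind the HTTP
and games-chat services are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Schedule:
    """Recurring schedule: active on the listed weekdays (Mon=0 .. Sun=6) from start to end."""
    name: str
    days: frozenset
    start: time
    end: time

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


# Lunch follows the guide's CLI example (11:45-14:00, Monday-Saturday).
# BusinessDay is not defined on the page; 09:00-17:00 Monday-Friday is assumed.
SCHEDULES = {
    "always": Schedule("always", frozenset(range(7)), time.min, time.max),
    "Lunch": Schedule("Lunch", frozenset(range(6)), time(11, 45), time(14, 0)),
    "BusinessDay": Schedule("BusinessDay", frozenset(range(5)), time(9, 0), time(17, 0)),
}

# Services as sets of (protocol, destination port). Port numbers are assumed;
# None means the service matches any protocol and port (the guide's ANY).
SERVICES = {
    "ANY": None,
    "HTTP": {("tcp", 80)},
    "games-chat": {("tcp", 6667), ("tcp", 5190), ("tcp", 1863),
                   ("udp", 517), ("udp", 5060), ("udp", 27960)},
}


@dataclass(frozen=True)
class Policy:
    src_intf: str
    dst_intf: str
    schedule: str
    service: str
    action: str
    profile: Optional[str] = None


# The DEFdomain policies in the order the guide lists them.
DEF_POLICIES = [
    Policy("VLAN_200_int", "VLAN_200_ext", "BusinessDay", "games-chat", "DENY"),
    Policy("VLAN_200_int", "VLAN_200_ext", "Lunch", "HTTP", "ACCEPT", "Relaxed"),
    Policy("VLAN_200_int", "VLAN_200_ext", "BusinessDay", "HTTP", "ACCEPT", "BusinessOnly"),
    Policy("VLAN_200_int", "VLAN_200_ext", "always", "ANY", "ACCEPT", "Relaxed"),
]


def lookup(policies, src_intf, dst_intf, proto, dport, when):
    """Return (index, action, profile) of the first policy that matches.

    Interfaces, schedule and service are all checked; the first hit wins and
    later policies are never consulted. Traffic that matches nothing falls to
    the implicit deny, reported as (None, "DENY", None). `when` may be a
    datetime or an ISO 8601 string such as "2024-01-10T12:00".
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for index, policy in enumerate(policies):
        if (policy.src_intf, policy.dst_intf) != (src_intf, dst_intf):
            continue
        if not SCHEDULES[policy.schedule].active(when):
            continue
        ports = SERVICES[policy.service]
        if ports is not None and (proto, dport) not in ports:
            continue
        return index, policy.action, policy.profile
    return None, "DENY", None


def def_lookup(proto, dport, when, policies=DEF_POLICIES):
    """Shortcut for DEF Inc. traffic leaving VLAN_200_int towards VLAN_200_ext."""
    return lookup(policies, "VLAN_200_int", "VLAN_200_ext", proto, dport, when)


if __name__ == "__main__":
    # 2024-01-10 is a Wednesday; the same IRC and HTTP traffic hits a different
    # policy depending on the hour, and the reversed list lets everything through.
    for stamp, proto, port in [("2024-01-10T10:00", "tcp", 6667), ("2024-01-10T12:00", "tcp", 80),
                               ("2024-01-10T15:00", "tcp", 80), ("2024-01-10T20:00", "tcp", 6667)]:
        print(stamp, proto, port, def_lookup(proto, port, stamp))
    print("catch-all moved first:", def_lookup("tcp", 6667, "2024-01-10T10:00", DEF_POLICIES[::-1]))
```

Running it shows IRC denied at 10:00, HTTP getting the Relaxed profile at 12:00 (the Lunch policy is checked before the BusinessDay one, and both schedules are active then) but BusinessOnly at 15:00, and IRC accepted at 20:00 by the catch-all. With the list reversed, the catch-all swallows the games-chat traffic during business hours, which is exactly the mistake the ordering rule on this page guards against.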
VLAN subinterface settings for XYZdomain:
  Name            VLAN_300_int
  Interface       internal
  VLAN ID         300
  Virtual Domain  XYZdomain

  Name            VLAN_300_ext
  Interface       external
  VLAN ID         300
  Virtual Domain  XYZdomain
Select Change following the current virtual domain name above the table.
For each of POP3, IMAP and SMTP, select the service in the Available Services
list and select the right arrow to add it to the Members list.
Select OK.
To create an email service group - CLI
config firewall service group
edit Email
set member POP3 IMAP SMTP
end
To create a web service group - web-based manager
For each of HTTP, HTTPS and FTP, select the service in the Available Services
list and select the right arrow to add it to the Members list.
Select OK.
To create a web service group - CLI
config firewall service group
edit Web
set member HTTP HTTPS FTP
end
Select OK.
To configure XYZdomain firewall addresses - CLI
config firewall address
edit all
set type ipmask
set subnet 0.0.0.0 0.0.0.0
end
Table 25:
  Interface/Zone Source       VLAN_300_int
  Interface/Zone Destination  VLAN_300_ext
  Address                     all
  Schedule                    always
  Service                     (value not captured)
  Action                      ACCEPT
  Protection Profile          strict
This policy provides network protection for email using the default strict protection
profile. The administrator must also set up the antivirus, web filter and spam filter
settings. These procedures are not described in this document.
Table 26:
  Interface/Zone Source       VLAN_300_int
  Interface/Zone Destination  VLAN_300_ext
  Address                     all
  Schedule                    always
  Service                     Web
  Action                      ACCEPT
  Protection Profile          web
This policy provides network protection for HTTP, HTTPS and FTP using the
default web protection profile. The administrator must also set up the antivirus and
web filter settings. These procedures are not described in this document.
Figure 48: XYZdomain firewall policies
Configuring switch 1
Add this file to Cisco VLAN switch 1:
!
interface FastEthernet0/1
switchport access vlan 100
!
interface FastEthernet0/2
switchport access vlan 200
!
interface FastEthernet0/5
switchport access vlan 300
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
Switch 1 has the following configuration:
Table 27:
  Port  VLAN ID
  0/1   100
  0/2   200
  0/3   300
  0/6   802.1Q trunk
Configuring switch 2
Add this file to Cisco VLAN switch 2:
interface FastEthernet0/3
switchport
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
Switch port assignments:
  Port            VLAN ID
  (not captured)  100
  0/2             200
  0/3             300
  0/6             802.1Q trunk
From a host on VLAN 100, access a command prompt and enter this command:
C:\>tracert www.fortinet.com
Tracing route to www.fortinet.com [128.242.109.135]
over a maximum of 30 hops:
  1    <10 ms   <10 ms   <10 ms  172.20.120.2
  ...
 14   172 ms   141 ms   140 ms  128.242.109.135
Trace complete.
Inter-VDOM routing
Overview
In the past, VDOMs have been completely separate from each other: there has
been no internal communication between virtual domains on a FortiGate unit. Any
communication between VDOMs had to leave on a physical interface and re-enter
the FortiGate unit on another physical interface.
Inter-VDOM routing changes this. With the introduction of inter-VDOM routing in
FortiOS v3.0 MR1, VDOMs can communicate internally without using additional
physical interfaces. FortiManager units support inter-VDOM routing on managed
FortiGate units starting with FortiManager v3.0 MR1.
This chapter contains the following sections:
Inter-VDOM planning
With the introduction of inter-VDOM routing, traffic can travel between VDOMs
internally, freeing up physical interfaces for external traffic. Using the example
above, the four-VDOM configuration can be used and all the interfaces keep
their full bandwidth.
These point-to-point interfaces are now treated like normal FortiGate interfaces
and need to be configured as regular interfaces would. This includes IP address
and netmask and what administrative access is allowed.
Stand-alone VDOM
Independent VDOMs
Management VDOM
Meshed VDOMs
Stand-alone VDOM
Stand-alone VDOM uses a single VDOM - the root VDOM that all FortiGate units
have by default. This is the VDOM configuration you are likely familiar with.
This configuration has no VDOM inter-connections and requires no special
configurations or settings.
The stand-alone VDOM configuration can be used for simple network
configurations that only have one department or one company administering the
connections, firewalls and other VDOM dependent settings.
Independent VDOMs
Independent VDOMs use multiple VDOMs that are completely separate from each
other. This is likely another VDOM configuration you are familiar with.
This configuration has no communication between VDOMs and, apart from initially
setting up each VDOM, requires no special configurations or settings. Any
communication between VDOMs is treated as if it were with a separate physical
device.
The independent VDOMs configuration can be used where more than one
department or one company is sharing the FortiGate unit. They can each
administer the connections, firewalls and other VDOM dependent settings of only
their own VDOM. To each company or department it appears as if they have their
own FortiGate unit.
Management VDOM
In the management VDOM configuration, the root VDOM is the management
VDOM and the other VDOMs are connected to the management VDOM with
inter-VDOM links. There are no other inter-VDOM connections.
Only the management VDOM is connected to the Internet. The other VDOMs are
connected to internal networks and possibly to very small secure external
networks, say a VPN dialup connection. All external traffic is routed through the
management VDOM using inter-VDOM links between the VDOMs. This ensures
the management VDOM has full control over access to the Internet including what
types of traffic are allowed in both directions. Security is greatly increased with
only one point of entry and exit. Only the management VDOM needs to be
professionally managed to ensure network security in this case.
The management VDOM configuration is ideally suited for a service provider
business. The service provider is the management VDOM and the other VDOMs
are customers. These customers do not require a dedicated IT person to manage
their network. The service provider controls the traffic and can prevent the
customers from using banned services and prevent Internet connections from
initiating those same banned services. One example of a banned service might be
Meshed VDOMs
Meshed VDOMs, including partial and full mesh, have VDOMs inter-connected with
other VDOMs. Partial mesh means only some VDOMs are inter-connected. In a
full mesh configuration, all VDOMs are inter-connected to all other VDOMs. This
can be useful when you want to provide full access between VDOMs but handle
traffic differently depending on which VDOM it originates from or is going to.
With full access to all VDOMs being possible, it is important to ensure proper
security. This can be accomplished through proper firewall policies and secure
account access for admins and users.
Meshed VDOM configurations can become complex very quickly, with full mesh
VDOMs being the most complex. Ensure this is the proper solution for your
situation before using this configuration.
you must have at least two virtual domains configured on the FortiGate device
Select the checkbox next to the VDOM to be linked to the current VDOM (the one
selected in step 1).
Enter a name for the inter-VDOM link. Both virtual interfaces will use this name.
For example if the link is my_vlink, the virtual interfaces will be my_vlink0 and
my_vlink1.
Enter the IP address and netmask for the virtual interface for this link on the
current VDOM and the peer VDOM. For example if the current VDOM is vdom1,
root could be the peer VDOM.
Once the inter-VDOM link is created, these IP addresses cannot be changed
without deleting the link.
Inter-VDOM planning
Inter-VDOM routing enables more FortiGate unit configurations than were
previously possible. This additional flexibility has benefits, but also has potential
difficulties.
Complexity
With more connections possible in inter-VDOM configurations, complexity quickly
becomes an issue. VDOMs are not trivial to understand and with additional
settings and issues to consider things can easily get out of hand.
To prevent this, you should carefully plan your move to the inter-VDOM
configuration to ensure you are aware of the differences between your new and
old setups as well as how these changes affect the interaction between the
VDOMs.
Making changes
Once configured, this new complex configuration means that any changes you
make to the system have a greater chance of introducing problems into the
system. Extra care should be taken to make sure any changes do not negatively
affect your existing FortiGate unit configuration.
For example, using the old method to change communication between VDOMs,
cable connections had to be physically changed. Compared with inter-VDOM
routing, where all the changes are internal, there is generally more checking built
into the physical process than there is for simple CLI commands. This lowered level
of checking may allow unintended changes in VDOM interactions to slip into the
configuration undetected.
Asymmetric routing
Layer 2 traffic
NetBIOS
STP forwarding
Asymmetric routing
You might discover, unexpectedly, that hosts on some networks are unable to
reach certain other networks. This occurs when request and response packets
follow different paths. If the FortiGate unit sees the response packets, but not the
requests, it blocks them as invalid. Also, if the FortiGate unit sees the same
packets repeated on multiple interfaces, it blocks the session as a potential attack.
These are instances of asymmetric routing. By default, FortiGate units block
packets or drop the session when this happens. Using the Command Line
Interface (CLI), you can configure the FortiGate unit to permit asymmetric routing:
config system global
set asymroute enable
end
If this solves your blocked traffic problem, you know that asymmetric routing is the
cause. But allowing asymmetric routing is not the best solution because it can
reduce the security of your system. It is better to change routing or change how
the FortiGate unit connects into your network. The Asymmetric Routing and Other
FortiGate Layer-2 Installation Issues technical note provides detailed examples of
asymmetric routing situations and possible solutions.
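The two symptoms described above (a reply with no matching request, and one session showing up on more than one interface) can be reproduced with a minimal session table. The following is an added example, not code from the guide or from Fortinet; the flow record format, the interface names and the addresses are constructed for it, and `asymroute=True` stands in for the effect of `set asymroute enable`.

```python
"""Stateful session check that flags the two asymmetric-routing symptoms.

Added example, not code from the FortiGate guide. Constructed flow records
are replayed through a minimal session table: a reply that arrives with no
matching request is blocked as invalid, and a session whose packets show up
on a second ingress interface is blocked as a potential attack. Setting
asymroute=True mirrors `set asymroute enable`: both cases are then accepted,
which is why the text calls it a diagnostic rather than a fix.
"""
import re
from dataclasses import dataclass

# Constructed flow records: ingress interface, src:port, dst:port, protocol, TCP flags.
SAMPLE_RECORDS = [
    "intf=internal src=10.1.1.5:40000 dst=30.1.1.50:80 proto=tcp flags=S",    # request out
    "intf=external src=30.1.1.50:80 dst=10.1.1.5:40000 proto=tcp flags=SA",   # its reply
    "intf=external src=30.1.1.50:80 dst=10.1.2.9:40001 proto=tcp flags=SA",   # reply, no request seen
    "intf=dmz src=10.1.1.5:40000 dst=30.1.1.50:80 proto=tcp flags=A",         # same session, other interface
]

RECORD_RE = re.compile(
    r"intf=(?P<intf>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+) flags=(?P<flags>\w*)"
)


@dataclass
class Session:
    originator: tuple  # (ip, port) that opened the session
    ingress: str       # interface the opening packet arrived on


def parse_record(line):
    """Return (intf, (src_ip, sport), (dst_ip, dport), proto, flags) for one record."""
    m = RECORD_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    d = m.groupdict()
    return d["intf"], (d["src"], int(d["sport"])), (d["dst"], int(d["dport"])), d["proto"], d["flags"]


def session_key(a, b, proto):
    """Direction-independent key so a request and its reply hit the same entry."""
    return (proto, frozenset((a, b)))


def evaluate(records, asymroute=False):
    """Return one (index, verdict, reason) tuple per record, in order."""
    table = {}
    results = []
    for i, line in enumerate(records):
        intf, src, dst, proto, flags = parse_record(line)
        key = session_key(src, dst, proto)
        sess = table.get(key)
        if sess is None:
            # Only a TCP SYN (or any non-TCP packet) may open a session.
            opens = proto != "tcp" or ("S" in flags and "A" not in flags)
            if opens:
                table[key] = Session(src, intf)
                results.append((i, "ACCEPT", "new session"))
            elif asymroute:
                table[key] = Session(dst, intf)
                results.append((i, "ACCEPT", "reply without request, allowed by asymroute"))
            else:
                results.append((i, "DROP", "reply without matching request (invalid)"))
            continue
        if src == sess.originator and intf != sess.ingress:
            if asymroute:
                results.append((i, "ACCEPT", "session on second interface, allowed by asymroute"))
            else:
                results.append((i, "DROP", "same session seen on multiple interfaces (potential attack)"))
            continue
        results.append((i, "ACCEPT", "matches existing session"))
    return results


def verdicts(records=SAMPLE_RECORDS, asymroute=False):
    """Just the verdict strings, in record order."""
    return [v for _, v, _ in evaluate(records, asymroute)]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_RECORDS):
        print(row)
    print("with asymroute:", verdicts(asymroute=True))
```

The third and fourth records are dropped by default for the two reasons the text gives; with `asymroute=True` every record is accepted, which illustrates the trade-off: the check that catches the unexplained reply is the same check that catches a spoofed one.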
Layer 2 traffic
By default, FortiGate units do not pass Layer-2 traffic. If there are Layer-2
protocols such as IPX, PPTP or L2TP in use on your network, you need to
configure FortiGate interfaces to pass them. You can do this using the CLI:
config system interface
edit <name_str>
set l2forward enable
end
where <name_str> is the name of an interface.
ARP traffic
Address Resolution Protocol (ARP) traffic is vital to communication on a network
and is enabled on FortiGate interfaces by default. Normally you want ARP packets
to pass through the FortiGate unit, especially if it is sitting between a client and a
server or between a client and a router.
ARP traffic can cause problems, especially in Transparent mode where ARP
packets arriving on one interface are sent to all other interfaces, including VLAN
subinterfaces. Some Layer 2 switches become unstable when they detect the
same MAC address originating on more than one switch interface or from more
than one VLAN. This instability can occur if the Layer 2 switch does not maintain
separate MAC address tables for each VLAN. Unstable switches may reset
causing network traffic to slow down.
Forward-domain solution
You may run into problems using the multiple VDOMs solution to solve the same
MAC address seeming to originate on multiple interfaces. It is possible that you
have more VLANs than licensed VDOMs, not enough physical interfaces or your
configuration may work better by grouping some VLANs together. In these
situations the separate VDOMs solution may not work for you.
In these situations, the solution is to use the forward-domain
<collision_group> CLI command. This command tags VLAN traffic as
belonging to a particular forward-domain collision group, and only VLANs tagged
as part of that collision group receive that traffic. By default, interfaces and VLANs
are part of forward-domain collision group 0.
This solution has many benefits, from reduced administration and fewer physical
interfaces to more flexible network designs.
In the following example, forward-domain collision group 340 includes VLAN 340
traffic on Port1 and untagged traffic on Port2. Forward-domain collision group 341
includes VLAN 341 traffic on Port1 and untagged traffic on Port3. All other
interfaces are part of forward-domain collision group 0 by default.
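To make the forward-domain example concrete, and to show the VLAN ID matching rule that Transparent-mode subinterfaces rely on, here is an added example that is not code from the guide or from Fortinet. It parses the 802.1Q tag out of a frame to find the receiving subinterface, then computes where a broadcast such as an ARP request is flooded with and without forward-domain groups. The interface names, the interface table and the frame contents are constructed for this example; the group assignments follow the text (group 340: VLAN 340 on Port1 plus untagged Port2; group 341: VLAN 341 on Port1 plus untagged Port3; all else group 0).

```python
"""802.1Q tag parsing and forward-domain scoping of broadcasts.

Added example, not code from the FortiGate guide. The VLAN ID is read from a
frame's 802.1Q tag to find the subinterface that receives it (a subinterface's
VLAN ID must match the tag of the packets it receives), then a forward-domain
collision group limits where a broadcast is flooded. Interface names and frame
contents are constructed for this example.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6
SAMPLE_SRC_MAC = b"\x02\x00\x00\x00\x00\x01"  # constructed locally-administered MAC


@dataclass(frozen=True)
class Interface:
    name: str
    port: str               # physical port the frame arrives on
    vlan_id: Optional[int]  # None: untagged frames on that port
    forward_domain: int = 0


# Constructed interface table following the forward-domain example in the text.
INTERFACES = [
    Interface("port1", "port1", None, 0),
    Interface("port1_vlan340", "port1", 340, 340),
    Interface("port1_vlan341", "port1", 341, 341),
    Interface("port2", "port2", None, 340),
    Interface("port3", "port3", None, 341),
    Interface("port4", "port4", None, 0),
]


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet frame, inserting an 802.1Q tag when vlan_id is given."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)  # TCI = PCP(3) DEI(1) VID(12)
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id, ethertype, payload); vlan_id is None when untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF
        offset = 18
    return dst, src, vlan_id, ethertype, frame[offset:]


def ingress_interface(port, frame):
    """Map (physical port, VLAN ID in the tag) to the receiving interface, or None."""
    vlan_id = parse_frame(frame)[2]
    for intf in INTERFACES:
        if intf.port == port and intf.vlan_id == vlan_id:
            return intf
    return None  # no subinterface carries that tag on this port: the frame is dropped


def flood_targets(ingress, use_forward_domain=True):
    """Names of the interfaces a broadcast received on `ingress` is flooded to."""
    return sorted(
        intf.name for intf in INTERFACES
        if intf.name != ingress.name
        and (not use_forward_domain or intf.forward_domain == ingress.forward_domain)
    )


def arp_broadcast_demo(port="port1", vlan_id=340):
    """Where an ARP request tagged `vlan_id` arriving on `port` is flooded."""
    frame = build_frame(BROADCAST_MAC, SAMPLE_SRC_MAC, ETHERTYPE_ARP,
                        b"constructed-arp-request", vlan_id=vlan_id)
    ingress = ingress_interface(port, frame)
    if ingress is None:
        return None
    return {
        "ingress": ingress.name,
        "with_forward_domain": flood_targets(ingress),
        "without_forward_domain": flood_targets(ingress, use_forward_domain=False),
    }


if __name__ == "__main__":
    print(arp_broadcast_demo("port1", 340))
```

Without forward-domains the ARP request tagged 340 on Port1 is repeated on every other interface, which is the source MAC appearing on several switch ports and VLANs that the text warns can destabilise a Layer 2 switch; with the groups in place it reaches only Port2.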
NetBIOS
Networked computers running Microsoft Windows operating systems rely on a
WINS server to resolve host names to IP addresses. The hosts communicate with
the WINS server using NetBIOS protocol. To support this type of network you
need to enable the forwarding of NetBIOS requests to a WINS server. Enter the
following CLI commands:
config system interface
edit <interface>
set netbios_forward enable
set wins-ip <wins_server_ip>
end
where <interface> is the name of the interface and <wins_server_ip> is
the IP address of the WINS server. These commands apply only in NAT/Route
mode.
STP forwarding
The FortiGate unit does not participate in the Spanning Tree protocol (STP). STP
is an IEEE 802.1 protocol to ensure there are no Layer-2 loops on the network.
Loops happen when there is more than one route for traffic to take and that traffic
is broadcast back to the original switch, creating a loop that floods the network
with never-ending traffic.
If you use the FortiGate unit in a network topology that relies on STP for network
loop protection, you need to make changes to the FortiGate configuration.
Otherwise, STP sees the FortiGate unit as a blocked link and forwards the data to
another path. By default, the FortiGate unit blocks STP as well as other non-IP
protocol traffic.
Using the CLI, you can enable forwarding of STP and other Layer 2 protocols
through the interface:
config system interface
edit <name_str>
set l2forward enable
set stpforward enable
end
where <name_str> is the name of the interface. This configuration will also allow
Layer-2 protocols such as IPX, PPTP or L2TP to be used on the network. For
more information see Layer 2 traffic on page 131.
Index
Numerics
external logging 20
firewall address
complex VDOM NAT/Route mode example 77, 83
complex VLAN NAT/Route example 40
multiple VDOM example 121
multiple VDOM Transparent example 115
policy 27
simple VDOM NAT/Route example 64, 67
simple VDOM NAT/Route example 64
simple VLAN NAT/Route example 31
Transparent multiple VDOM example 111
firewall policy
complex VDOM NAT/Route example 78, 84
complex VLAN NAT/Route example 41
multiple VDOM example 111, 116, 121
simple Transparent VDOM example 99
simple VDOM NAT/Route example 68
simple VDOM NAT/Route example 64, 68
simple VLAN NAT/Route example 31, 32
Transparent mode 95
VDOM 58
VLAN subinterface 26
firewall schedule
multiple VDOM example 105
Firewall settings 22, 23
FortiClient 48
FortiGate
CLI 28, 37, 126
IP address 26
NAT/Route 25
web-based manager 37
FortiManager v3.0 MR1 125, 129
Fortinet customer service 12
Fortinet services 20
FortiOS v3.0 MR1 125
administrators
access profiles 21
common 20
multiple 21
VDOM 55
Antivirus settings 23
asymmetric routing 131
B
border gateway protocol (BGP) 27
C
Cisco router configuration
IOS commands 28
simple Transparent VDOM example 102
Cisco switch
simple VLAN NAT/Route example 34
Cisco switch configuration
complex VDOM NAT/Route example 89
complex VLAN NAT/Route example 49
IOS commands 28
multiple VDOM Transparent example 123
simple Transparent VDOM example 102
simple VDOM NAT/Route example 70
CLI 28, 37, 126
customer service 12
D
default route 27, 58
complex VDOM NAT/Route example 76
complex VLAN NAT/Route example 39, 40
simple VDOM NAT/Route example 65, 69
default route, setting
complex VDOM example 83
diagnostics
ping 27, 35
tracert 35
E
example
complex VDOM NAT/Route 72
complex VLAN NAT/Route 36
complex VLAN NAT/Route mode VLAN 36
multiple VDOM Transparent 105
simple VLAN NAT/Route 27
simple VLAN NAT/Route topology 59
simple VLAN Transparent 96
FortiGate VLANs and VDOMs Version 3.0 User Guide
G
gateway, VPN 44, 45
H
HTTP 27
I
ID tag 18
ID tags 19
IEEE 802.1Q 15, 16, 18, 26
IM settings 22
independent VDOM 128
interfaces
L
L2TP, layer-2 forwarding 131
layer-2 16
forwarding 131
layer-3 18
license 20
M
management traffic 20
management VDOM 20
multicast 27
N
NAT/Route
complex VLAN example 36
VLAN 25
NetBIOS, for Windows networks 133
O
open shortest path first (OSPF) 27
P
packets
handling 20
VLAN-tagged 26
physical interfaces 125
ping 27, 35
PPTP, layer-2 forwarding 131
protection profile
Transparent VDOM example 106
R
remote management 20
Router settings 21
routing
BGP 27
multicast 27
OSPF 27
RIP 27
STP 134
S
schedule, firewall
multiple VDOM example 105
secure data handling 126
security 126
service group
multiple VDOM Transparent example 115, 120
Transparent mode multiple VDOM example 110
settings shared by VDOMs 23
Spanning Tree Protocol, see STP.
SSH 27
stand-alone VDOM 128
STP, forwarding 134
subinterface 25
VDOM 57
VLAN NAT/Route 26
System settings 21, 23
T
tag 18
technical support 12
TELNET 27
testing
complex VDOM NAT/Route mode example 90
complex VLAN NAT/Route example 50
simple VDOM NAT/Route example 70
simple VLAN NAT/Route example 35
testing configuration
simple Transparent VDOM example 104
tracert 35
Transparent mode 93
firewall policy 95
VLAN subinterface 94
trunk interface 25, 34
tunnel 45
U
User settings 22
V
VDOM 19
administration 55
administrators 20
complex VDOM NAT/Route example 74
firewall policy 58
independent VDOM 128
license 20
multiple VDOMs example 108
packet handling 20
routing 58
settings, common 23
settings, exclusive 21
simple VDOM NAT/Route example 61, 62
simple VDOM NAT/Route VDOM example 66
stand-alone 128
Transparent mode 93
VLAN subinterface 57
VPN settings 59
VDOM exclusive settings 21, 22
VDOM shared settings 23
Virtual 53
virtual domain, see VDOM.
virtual interfaces 126
Virtual Private Network, see VPN.
VLAN
Cisco switch 49
complex VLAN NAT/Route 49
NAT/Route 25
packets, VLAN-tagged 26
subinterface 25
Transparent mode 93
VLAN ID
layer-3 18
rules 19
VLAN subinterface
complex VDOM NAT/Route example 75, 81
complex VLAN NAT/Route example 38
firewall policy 26
multiple VDOM example 109, 113, 118
simple VDOM NAT/Route example 63
simple VDOM Transparent example 97
simple VLAN NAT/Route example 29
Transparent mode 94
VDOM NAT/Route 57
VPN
client 48
encrypt policy 47
firewall policy 47
FortiClient 48
gateway 44, 45
tunnel 45
user IP address 46
VDOM 59
W
web-based manager 21, 37
Windows networks
enabling NetBIOS 133
WINS 133