This design is beneficial in that you can isolate roles and firewall functions, yet still have a gatekeeper firewall, per se, for that department. Each firewall vdom would be autonomous or sovereign. The vdoms can be fully or partially meshed. This post will demonstrate a partial mesh.
1st, what is a vdom?
This feature is a fortinet term for "virtual domain", or simply put, a firewall virtualization technology. Think of it in the same way as cisco ASA contexts or Juniper SRX virtual routers. We define a domain with its own set of policies, admins, resource limits and interfaces that are isolated from the others.
1st, here's the topology:
Vdom ROOT (RED) is our public-facing virtual firewall that has access to the internet backbone.
Vdoms custA & custB are stacked behind the root vdom and rely on the root vdom for all internet access. You can look at this as a firewall behind another firewall. In the above drawing, I placed one physical interface for the local LAN subnets in each customer-side vdom.
This concept is used in a lot of hosted or enterprise communities. The number of possible vdoms is determined by the chassis type and possibly by the number of physical interfaces you consume per vdom. We will use both real and virtual interfaces in this example for the 3 vdoms shown.
Root = WAN virtual-link, vlinkcustA2root and vlinkcustB2root
custA = PORT1, vlinkcustA2root
custB = PORT2, vlinkcustB2root
custA & custB will use these virtual links as their gateways to the internet. These interfaces could have been etherchannels, wifi interfaces, or 802.1q tagged subinterfaces. Each vdom (custA & custB) has a system DHCP service installed for dynamic address allocation.
I like to call this vdom setup a "stacked" approach.
Okay, now let's build this out. The setup is quite simple, but the 1st time you stumble into the fortinet vdom world you might want to build a checklist of things to look at and do before you start.
NOTE: organizing your design & thoughts can save a lot of time, create less confusion, and reduce errors/mistakes.
So plan ahead for the proposed design.
Okay, let's put some /30 addresses on the vlinks that we will use for the 2 customer vdoms (custA and custB):
vlinkcustA2root 192.168.10.0/30 ( .1 + .2 )
vlinkcustB2root 192.168.10.4/30 ( .5 + .6 )
1st step: assuming you're already in vdom cfg mode and have set the firewall up with vdom enabled.
note: All fortigate appliances, minus the smaller SOHO models, have the capability to run up to 10 vdoms each. With the bigger chassis you can install a vdom license for more than 10 vdoms.
config sys global
set vdom-admin enable
end
We 1st build the additional vdoms, named custA and custB:
config vdom
edit custA
next
edit custB
end
2nd step
We define the interfaces (port1 and port2, which appear as internal1 and internal2 in the config) for vdoms custA and custB respectively:
config global
config sys interface
edit internal1
set vdom custA
next
edit internal2
set vdom custB
end
end
NOTE: You have to have the vdom created before you can place an interface into it.
3rd step
Okay now, we will apply our virtual-link cfgs. These are our virtual WAN uplinks. They are used for inter-vdom traffic (traffic between vdoms) and can be looked at as a real interface, except it's really virtual. Your clients would not know the difference, btw. For all purposes it's an interface, so you can do packet captures, allowaccess, build firewall rules, etc.
Each vlink will have one side addressed in the root vdom and the other side in the customer vdom. The sub numbers will end in 0 and 1, as shown in the system interfaces. Make sure you pay very good attention to the numbers, where you assign them, and the addresses. In this post the zero (0) side will be in root and the one (1) side will be in the customer vdom.
( vdom interlink creation )
config system vdom-link
edit "root2custA"
next
edit "root2custB"
next
end
( vdom interlink address, config sys interfaces )
config system interface
edit "root2custA0"
set vdom "root"
set ip 192.168.10.1 255.255.255.252
set allowaccess ping
set type vdom-link
set snmp-index 22
next
edit "root2custA1"
set vdom "custA"
set ip 192.168.10.2 255.255.255.252
set allowaccess ping
set type vdom-link
set snmp-index 25
next
edit "root2custB0"
set vdom "root"
set ip 192.168.10.5 255.255.255.252
set allowaccess ping
set type vdom-link
set snmp-index 27
next
edit "root2custB1"
set vdom "custB"
set ip 192.168.10.6 255.255.255.252
set allowaccess ping
set type vdom-link
set snmp-index 28
next
end
4th step, after you have the vlinks installed and configured, we will start the vdom policy configuration. These are simple to configure, and you will need policies in ALL vdoms to allow the traffic flows.
( root firewall address + policies )
config firewall address
edit "custA"
set uuid a435f472-39f9-51e4-3f01-2f63d976cc44
set subnet 10.100.10.0 255.255.255.0
next
edit "custB"
set uuid ad656096-39f9-51e4-0d06-ee9f8c992982
set subnet 10.200.10.0 255.255.255.0
next
end
config firewall policy
edit 0
set srcintf "root2custA0"
set dstintf "virtual-wan-link"
set srcaddr "custA"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic disable
set nat enable
next
edit 0
set srcintf "root2custB0"
set dstintf "virtual-wan-link"
set srcaddr "custB"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic disable
set nat enable
next
end
( custA firewall address and policies )
config firewall policy
edit 1
set srcintf "internal1"
set dstintf "root2custA1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic disable
set comments "custA-outbound"
next
end
( and finally custB )
config firewall policy
edit 1
set srcintf "internal2"
set dstintf "root2custB1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic disable
set comments "custB-outbound"
next
end
NOTE: in the customer vdoms we are allowing all traffic with no NAT enabled; NAT overload is configured in the root vdom policies above.
5th step, you need routing for traffic entering and exiting the vdoms, and for the root vdom to route traffic back to the local subnets.
( custA static route )
config router static
edit 1
set device "root2custA1"
set comment "default custA"
next
end
(custB static route )
config router static
edit 1
set device "root2custB1"
set comment "default custB"
next
end
( root vdom static route to the customer vdom subnets using the inter-vdom-links )
config router static
edit 1002
set dst 10.200.10.0 255.255.255.0
set gateway 192.168.10.6
set device "root2custB0"
next
edit 1001
set dst 10.100.10.0 255.255.255.0
set gateway 192.168.10.2
set device "root2custA0"
next
end
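The vlink, policy and routing steps above are easy to get crossed up (which side is 0 and which is 1, and whether root has the route back). As an added example, not from the original post, here is a small Python checker that reads a FortiOS-style CLI fragment in the same flat config/edit/set/next/end shape used above and flags those mistakes; the embedded sample is constructed from the post's names and /30 addresses with one deliberate error on the custB link, and the names parse, check_vdom_links and iface are my own, not a Fortinet API.

```python
# Added checker (not from the post): parses a flat FortiOS-style CLI fragment and
# verifies the stacked-vdom rules: the "0" side of a vdom-link sits in root, the "1"
# side in the customer vdom, both ends share one /30, and root routes back via side 0.
import ipaddress

def parse(cli):
    """Tiny reader for config/edit/set/next/end text: {table: {entry: {key: [vals]}}}."""
    db, table, cur = {}, None, None
    for raw in cli.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":                 # e.g. "config system interface"
            table = " ".join(tok[1:])
        elif tok[0] == "edit":                 # new entry in the current table
            cur = db.setdefault(table, {}).setdefault(tok[1].strip('"'), {})
        elif tok[0] == "set":                  # attribute of the current entry
            cur[tok[1]] = [t.strip('"') for t in tok[2:]]
    return db                                  # "next"/"end" need no state here

def check_vdom_links(db, root="root"):
    """Return a list of problems; an empty list means the design is consistent."""
    probs, ifs = [], db.get("system interface", {})
    routes = db.get("router static", {}).values()   # assumed to be root's routes
    for link in db.get("system vdom-link", {}):
        a, b = ifs.get(link + "0", {}), ifs.get(link + "1", {})
        va, vb = a.get("vdom", ["?"])[0], b.get("vdom", ["?"])[0]
        if va != root or vb == root:
            probs.append(f"{link}: side 0 is in {va} and side 1 in {vb}; expected root / customer")
        na, nb = (ipaddress.ip_interface("/".join(x.get("ip", ["0.0.0.0", "0.0.0.0"])))
                  for x in (a, b))
        if na.network != nb.network or na.network.prefixlen != 30 or na.ip == nb.ip:
            probs.append(f"{link}: {na} and {nb} are not the two ends of one /30")
        if not any(r.get("device") == [link + "0"] and r.get("gateway") == [str(nb.ip)]
                   for r in routes):
            probs.append(f"{link}: {root} has no static route back to {vb} via {link}0")
    return probs

def iface(name, vdom, ip):   # helper that keeps the constructed sample short
    return f"edit {name}\nset vdom {vdom}\nset ip {ip} 255.255.255.252\nnext\n"

# Constructed sample: the post's names and /30s, with the custB sides deliberately swapped.
SAMPLE = ("config system vdom-link\nedit root2custA\nnext\nedit root2custB\nnext\nend\n"
          "config system interface\n"
          + iface("root2custA0", "root", "192.168.10.1") + iface("root2custA1", "custA", "192.168.10.2")
          + iface("root2custB0", "custB", "192.168.10.5") + iface("root2custB1", "root", "192.168.10.6")
          + "end\nconfig router static\nedit 1001\nset dst 10.100.10.0 255.255.255.0\n"
          "set gateway 192.168.10.2\nset device root2custA0\nnext\nend\n")
```

Running check_vdom_links(parse(SAMPLE)) reports two problems, both on root2custB (sides swapped, and no root route back), and nothing for root2custA.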
Finally, some traceroute output to show that this all works:
( custA vdom )
( custB vdom )
Vdoms & inter-vdom links can be fun and challenging. Departmentalizing the fortigate firewall is a feature that can be used for dedicating resources and relinquishing operations and control to a sub-administration.
key points
- be careful of the inter-vdom link numbering
- ensure routing or a routing protocol is used
- firewall policies for all traffic flows need to be built across vdoms
- SNAT and DNAT can be complex ( stay focused on which vdom you're in )
- look at each vdom as a unique firewall that happens to sit on the same physical hardware
- leverage 802.1q tagging to avoid port exhaustion
- HA clustering and vdom balancing can be a plus for A-P operations
- all interfaces have the ability for packet dump, allowaccess, if-index, netflow/sflow, etc.
Ken Felix
NSE (Network Security Expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
very understandable document
Taking your example as a starting point, if customer A wanted a static NAT, would this be done on the root VDOM?
It depends, but to answer it simply, the STATIC nat could be done at the EDGE / top vdom that has uplink access, or if the custA interface was public-routed it could be done at that point.
It basically will be determined by the routing and address topology, but keep in mind all fw policies have to allow the traffic thru.
So in this example vdom-custA will have a policy allowing its internal out over the inter-vdom-link, and root-vdom would have a policy allowing the traffic in over the inter-vdom-link and then out whatever interface the traffic was destined for.
Nice doc Ken. We have similar setup:
Internet ---- vdom-WAN ----- vdom-SVR ---- [SERVER-LAN]
incoming traffic is natted to VIPs on vdom-WAN as it needs to hit servers on the SERVER-LAN.
inter-vdom connectivity is via an unnumbered 0.0.0.0 link both ends.
Problem is we can't see traffic hitting the servers.
Rules are fine and so is routing on both vdoms.
Are we missing something glaringly obvious?
PS. Outbound traffic from the servers to internet works fine.
hi, how to link between vdomA and vdomB so that they can communicate with each other?