Friday, September 12, 2014

A meshed routed-vdom concept with fortigate

In this post we will look at a stacked (meshed) routed VDOM concept: separate VDOMs for departmental isolation, plus one shared VDOM that routes everyone's traffic to the public WAN.

This design lets you isolate roles and firewall functions per department while still keeping one gatekeeper firewall in front of all of them. Each departmental firewall VDOM is autonomous (sovereign) in its own policies, routing and administration.
The VDOMs can be fully or partially meshed. This post demonstrates a partial mesh: each customer VDOM links only to the root VDOM, not to the other customer VDOM.

 
First, what is a VDOM?

VDOM is the Fortinet term for "virtual domain", or simply put, firewall virtualization. Think of it the same way as Cisco ASA security contexts or Juniper SRX virtual routers. Each VDOM is its own community of policies, administrators, resource limits and interfaces, isolated from the others.

Here's the topology:

[topology drawing]

VDOM root (RED in the drawing) is our public-facing virtual firewall; it owns the uplink to the Internet backbone.

VDOMs custA and custB are stacked behind the root VDOM and rely on it for all Internet access. You can look at this as a firewall behind another firewall. In the drawing I placed one physical interface for the local LAN subnet in each customer-side VDOM.

This concept is used in a lot of hosted and enterprise environments. The number of possible VDOMs is determined by the chassis type (and VDOM license) and, in practice, by how many physical interfaces you are willing to consume per VDOM. We will use both real and virtual interfaces in this example for the 3 VDOMs shown.

root  = WAN uplink (virtual-wan-link), root2custA0 and root2custB0 (the root ends of the two inter-VDOM links)
custA = internal1, root2custA1
custB = internal2, root2custB1

custA and custB use these virtual links as their gateway to the Internet. The LAN-side interfaces could just as well have been EtherChannels (aggregate interfaces), Wi-Fi interfaces, or 802.1q tagged sub-interfaces. Each customer VDOM also runs a DHCP server on its LAN interface for dynamic address allocation (that part is not shown below).

I like to call this vdom setup a "stacked" approach.

Okay, now let's build this out. The setup is quite simple, but the first time you stumble into the Fortinet VDOM world you will want a checklist of things to look at and do before you start.

NOTE: organizing your design and thoughts up front saves a lot of time, creates less confusion, and reduces errors and mistakes.

So plan ahead for the proposed design.

Okay, let's put /30 addresses on the vlinks that we will use for the 2 customer VDOMs (custA, custB):

root2custA   192.168.10.0/30  (.1 on the root end, .2 on the custA end)
root2custB   192.168.10.4/30  (.5 on the root end, .6 on the custB end)

Step 1. Enable VDOM mode. This assumes you are logged in as an administrator with the rights to do so.

NOTE: all FortiGate appliances except the smaller SOHO models support up to 10 VDOMs out of the box. On the bigger chassis you can install a VDOM license for more than 10.

config sys global
  set vdom-admin enable
end

We first build the two additional VDOMs, custA and custB (root already exists):

config vdom
    edit custA
    next
    edit custB
    next
end

Step 2

We assign the LAN-side interfaces internal1 and internal2 to custA and custB respectively. Interfaces are global objects, so this is done from the global context:

config global
    config system interface
        edit internal1
            set vdom custA
        next
        edit internal2
            set vdom custB
        next
    end
end

NOTE: the VDOM has to exist before you can place an interface into it. Each interface also needs its LAN address from the customer subnet (10.100.10.0/24 for custA, 10.200.10.0/24 for custB); that configuration is not shown here.

Step 3

Now we create the virtual links (vlinks). These are the virtual WAN uplinks of the customer VDOMs and carry the inter-VDOM traffic. A vlink can be treated like a real interface even though it is virtual; your clients would not know the difference. For all purposes it is an interface: you can run packet captures on it, set allowaccess, build firewall policies against it, and so on.

Creating one vdom-link produces a pair of interfaces whose names end in 0 and 1. Each vlink has one end addressed in the root VDOM and the other end in the customer VDOM. Pay very close attention to which end goes where and which address you give it. In this post the 0 end lives in root and the 1 end lives in the customer VDOM.

( vdom interlink creation, from the global context )

config global
    config system vdom-link
        edit "root2custA"
        next
        edit "root2custB"
        next
    end
end


( vdom interlink addressing, config system interface in the global context; the snmp-index values from the show output are omitted, the box assigns them )

config global
    config system interface
        edit "root2custA0"
            set vdom "root"
            set ip 192.168.10.1 255.255.255.252
            set allowaccess ping
            set type vdom-link
        next
        edit "root2custA1"
            set vdom "custA"
            set ip 192.168.10.2 255.255.255.252
            set allowaccess ping
            set type vdom-link
        next
        edit "root2custB0"
            set vdom "root"
            set ip 192.168.10.5 255.255.255.252
            set allowaccess ping
            set type vdom-link
        next
        edit "root2custB1"
            set vdom "custB"
            set ip 192.168.10.6 255.255.255.252
            set allowaccess ping
            set type vdom-link
        next
    end
end


Step 4. After the vlinks are installed and addressed, we build the firewall policies. They are simple to configure, but you need policies in ALL VDOMs along the path to allow the traffic flow: the customer VDOM must allow LAN to vlink, and root must allow vlink to WAN.

( root VDOM address objects + policies, entered from config vdom, edit root; the uuid lines from the show output are omitted )

config vdom
    edit root
        config firewall address
            edit "custA"
                set subnet 10.100.10.0 255.255.255.0
            next
            edit "custB"
                set subnet 10.200.10.0 255.255.255.0
            next
        end
        config firewall policy
            edit 0
                set srcintf "root2custA0"
                set dstintf "virtual-wan-link"
                set srcaddr "custA"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic disable
                set nat enable
            next
            edit 0
                set srcintf "root2custB0"
                set dstintf "virtual-wan-link"
                set srcaddr "custB"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic disable
                set nat enable
            next
        end
    next
end

NOTE: "edit 0" lets the FortiGate assign the next free policy ID. Source NAT is enabled here because root owns the WAN interface. These policies run with logging disabled; I would set logtraffic all on them at least while testing, since they are the only place the customers' Internet traffic is visible on the root side.

( custA policy, entered from config vdom, edit custA )

config vdom
    edit custA
        config firewall policy
            edit 1
                set srcintf "internal1"
                set dstintf "root2custA1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic disable
                set comments "custA-outbound"
            next
        end
    next
end

( and finally custB )

config vdom
    edit custB
        config firewall policy
            edit 1
                set srcintf "internal2"
                set dstintf "root2custB1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic disable
                set comments "custB-outbound"
            next
        end
    next
end

NOTE: the customer VDOM policies allow all traffic and do not NAT. Source NAT (overload to the WAN address) is done once, in the root VDOM policies above, which is why root needs routes back to the customer subnets in the next step.


Step 5. You need routing for traffic entering and exiting the customer VDOMs, and the root VDOM needs routes back to the customer subnets: the vlinks are point-to-point /30s, so root knows nothing about 10.100.10.0/24 or 10.200.10.0/24 until you tell it.

( custA default route; the gateway is the root end of the /30. The original ran this route with the device only, giving the gateway explicitly is the unambiguous form )

config vdom
    edit custA
        config router static
            edit 1
                set gateway 192.168.10.1
                set device "root2custA1"
                set comment "default custA"
            next
        end
    next
end

( custB default route )

config vdom
    edit custB
        config router static
            edit 1
                set gateway 192.168.10.5
                set device "root2custB1"
                set comment "default custB"
            next
        end
    next
end


( root VDOM static routes to the customer subnets over the inter-VDOM links; the gateway is the customer end of each /30 )

config vdom
    edit root
        config router static
            edit 1001
                set dst 10.100.10.0 255.255.255.0
                set gateway 192.168.10.2
                set device "root2custA0"
            next
            edit 1002
                set dst 10.200.10.0 255.255.255.0
                set gateway 192.168.10.6
                set device "root2custB0"
            next
        end
    next
end
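Once all five steps are in, it is easy to forget one leg of the flow (the return route in root is the classic miss). The script below is an added example for this post, not FortiOS code and not the author's: it parses the config/edit/set/next/end nesting that a FortiGate `show` prints into nested dicts, then audits one customer VDOM against the rules laid out above: 0 end of the vlink in root and 1 end in the customer VDOM, both ends addressed in one subnet, an accept policy and a default route in the customer VDOM, and an accept+NAT policy plus a return route in root. SAMPLE_CONFIG is a constructed, trimmed copy of the custA configuration from this post; the LAN interface name, the customer subnet and the WAN interface name (virtual-wan-link by default) are assumptions passed in as parameters.

```python
"""Audit one customer VDOM of the post's stacked design from FortiGate CLI text.
Added example, not FortiOS or the author's code; SAMPLE_CONFIG is a constructed, trimmed custA config."""
import ipaddress
import shlex

SAMPLE_CONFIG = """\
config global
  config system interface
    edit "root2custA0"
      set vdom "root"
      set ip 192.168.10.1 255.255.255.252
    next
    edit "root2custA1"
      set vdom "custA"
      set ip 192.168.10.2 255.255.255.252
    next
  end
end
config vdom
  edit root
    config firewall policy
      edit 1
        set srcintf "root2custA0"
        set dstintf "virtual-wan-link"
        set action accept
        set nat enable
      next
    end
    config router static
      edit 1001
        set dst 10.100.10.0 255.255.255.0
        set gateway 192.168.10.2
        set device "root2custA0"
      next
    end
  next
  edit custA
    config firewall policy
      edit 1
        set srcintf "internal1"
        set dstintf "root2custA1"
        set action accept
      next
    end
    config router static
      edit 1
        set gateway 192.168.10.1
        set device "root2custA1"
      next
    end
  next
end
"""

def parse_fortios(text):
    """Turn config/edit/set/next/end nesting into nested dicts (set values stay lists)."""
    stack = [{}]                                   # stack[-1] is the currently open table/entry
    for line in text.splitlines():
        words = shlex.split(line)                  # handles the quoted names `show` prints
        if not words:
            continue
        if words[0] in ("config", "edit"):         # open a table or an entry
            stack.append(stack[-1].setdefault(" ".join(words[1:]), {}))
        elif words[0] == "set":                    # "set ip a m" -> {"ip": ["a", "m"]}
            stack[-1][words[1]] = words[2:]
        elif words[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def _has(table, **wanted):
    """True if some entry in `table` carries every wanted `set key value`."""
    return any(all(e.get(k) == v.split() for k, v in wanted.items()) for e in table.values())

def _route_nets(vdom_cfg, device):
    """Destinations of static routes out of `device`; a route with no dst is the default route."""
    return {ipaddress.ip_network("/".join(r.get("dst", ["0.0.0.0/0"])))
            for r in vdom_cfg.get("router static", {}).values() if r.get("device") == [device]}

def audit(cfg, cust, vlink, lan_if, lan_subnet, wan_if="virtual-wan-link"):
    """Return findings for one customer VDOM; an empty list means the flow is complete."""
    findings = []
    side0, side1 = (cfg["global"]["system interface"].get(vlink + n, {}) for n in "01")
    # numbering rule from the post: the 0 end belongs to root, the 1 end to the customer VDOM
    if side0.get("vdom") != ["root"] or side1.get("vdom") != [cust]:
        findings.append(f"{vlink}: 0 end must be in root and 1 end in {cust}")
    ips = [ipaddress.ip_interface("/".join(s["ip"])) for s in (side0, side1) if "ip" in s]
    if len(ips) != 2 or ips[0].network != ips[1].network:
        findings.append(f"{vlink}: both ends must be addressed in the same subnet")
    ccfg, rcfg = cfg["vdom"].get(cust, {}), cfg["vdom"]["root"]
    lan, default = ipaddress.ip_network(lan_subnet), ipaddress.ip_network("0.0.0.0/0")
    # customer VDOM: accept LAN -> vlink (no NAT here) and a default route out of the vlink
    if not _has(ccfg.get("firewall policy", {}), srcintf=lan_if, dstintf=vlink + "1", action="accept"):
        findings.append(f"{cust}: no accept policy {lan_if} -> {vlink}1")
    if default not in _route_nets(ccfg, vlink + "1"):
        findings.append(f"{cust}: no default route via {vlink}1")
    # root VDOM: accept vlink -> WAN with source NAT, plus a route back to the customer subnet
    if not _has(rcfg.get("firewall policy", {}), srcintf=vlink + "0", dstintf=wan_if, action="accept", nat="enable"):
        findings.append(f"root: no accept+NAT policy {vlink}0 -> {wan_if}")
    if lan not in _route_nets(rcfg, vlink + "0"):
        findings.append(f"root: no return route to {lan} via {vlink}0")
    return findings
```

Feed it the text of `show` from a real box (indentation is ignored) and call audit() once per customer VDOM with that VDOM's vlink base name, LAN interface and subnet; every string it returns is a leg of the flow you still have to build in that VDOM.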

Finally, some traceroute output to show that this all works:

( custA vdom )

[traceroute capture]

( custB vdom )

[traceroute capture]

VDOMs and inter-VDOM links can be fun and challenging. Departmentalizing the FortiGate is a feature you can use to dedicate resources to a department and to hand operations and control of that department's firewall to a sub-administrator.

Key points

  • be careful with the inter-VDOM link numbering (which end is 0, which end is 1, and which VDOM each lives in)
  • ensure static routing or a routing protocol is in place in every VDOM on the path
  • firewall policies for all traffic flows need to be built across VDOMs, not just in the edge VDOM
  • SNAT and DNAT can get complex (stay focused on which VDOM you are in)
  • look at each VDOM as a unique firewall that happens to sit on the same physical hardware
  • leverage 802.1q tagging to avoid physical port exhaustion
  • HA clustering and VDOM balancing can be a plus for active-passive operations
  • all interfaces, vlinks included, support packet captures, allowaccess, if-index, netflow/sflow, etc.
NOTE: VIPs can be created on any of these segments, but the public-facing firewall (root here) will house any public address that we map to our customer servers, or possibly map it to an inside VIP.

Ken Felix
NSE (Network Security Expert) and Routing/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

7 comments:

  1. Taking your example as a starting point, if customer A wanted a static NAT, would this be done on the root VDOM?

  2. It depends, but to simplify the answer: the static NAT could be done at the edge (the top VDOM that has uplink access), or, if the custA interface was publicly routed, it could be done at that point.

    It will basically be determined by the routing and address topology, but keep in mind all firewall policies have to allow the traffic through.


    So in this example vdom custA will have a policy allowing its internal out over the inter-VDOM link, and the root VDOM would have a policy allowing the traffic in over the inter-VDOM link and then out whatever interface the traffic was destined for.

  3. Nice doc Ken. We have a similar setup:

    Internet ---- vdom-WAN ----- vdom-SVR ---- [SERVER-LAN]

    Incoming traffic is NATed to VIPs on vdom-WAN as it needs to hit servers on the SERVER-LAN.

    Inter-VDOM connectivity is via an unnumbered 0.0.0.0 link on both ends.

    The problem is we can't see traffic hitting the servers.

    Rules are fine and so is routing on both VDOMs.

    Are we missing something glaringly obvious?

    PS. Outbound traffic from the servers to the Internet works fine.

  5. Hi, how do I link vdomA and vdomB so that they can communicate with each other?
