A meshed routed-vdom concept with fortigate

In this post we will look at a stacked ( meshed )  vdom routed concept. This is a means for the creation of vdoms for departmental isolation and with a share vdom that routes our traffic to the public wan.

This design is beneficial in that you can isolated roles and firewall function but yet have a gatekeeper-firewall  pe-se for that department. Each firewall vdom would  be Autonomous or
Sovereign. The vdoms can be full or partial meshed. This post will demonstrate a partial meshed.

 
1st what is a vdom ?

This feature is a fortinet term for " virtual domain " or simply put; "  a firewall Virtualization Technology" . Think of it in the same way of the cisco ASA contexts,  or  Juniper SRX virtual-routers. We defined  a community with a communities of policies, admin, resource-limits and interfaces that are isolated from each others.

1st here's the topology;

Vdom ROOT ( RED ) is our public facing virtual firewall that has access to the internet backbone.

Vdom custA & custB  are stacked behind the  Root-Vdom and relies on the root-vdom for all internet access. You can look at this as a firewall behind another firewall. In  the above drawing,  I placed one  physical interfaces for the local lan subnets in each  customer side vdom.

This concept is used in a lot  of hosted of enterprise communities. The number of possible vdoms would be determine by the chassis type and possible the number of physical interfaces you consume for a vdom. We will use  both real and virtual interfaces in this example for the 3 vdoms shown.

Root =   WAN virtual-link,  vlinkcustA2root and vlinkcustB2root,
custA = PORT1 , vlinkcustA2root
custB = PORT2 , vlinkcustB2root

The custA & custB will use these virtual-links as the gateways to internet. These interfaces could have been  etherchannels ,  Wifi-interfaces,  or 802.1q tagged subinterfaces. Each vdom custA&B have dhcp-sys-services installed for dynamic allocation.

I like to call this vdom setup a "stacked" approach.

Okay now  let's build this out. The setup is quite simple, but the 1st time you stumble into  the fortinet vdoms world you might want to  build a checklist of things to look at and do B4 you start.

NOTE: the organizing of your design & thoughts,  can save a lot of time, create less confusing, and reduce  errors/mistakes 

So plan ahead for the proposed design.

Okay let put some /30 address on the  vlinks that we will use for the 2 customer vdoms ( custA custB )

vlinkcustA2root   192.168.10.0/30 ( .1  + .2 )
vlinkcustB2root   192.168.10.4/30 ( .5  + .6 )

1step assuming your already in vdom cfg mode and have set the firewall up with vdom enabled.


note: All fortigate appliance minus the  smaller SOHO have the capability to install upto 10vdoms each. With the bigger chassis you can  install vdom license for 10< vdom

config sys global
  set vdom-admin enable
end

We  1st build  the additional  vdoms named ;  custA and custB

config vdom
    edit custA
     next
    edit custB
end

2nd step

We define these interfaces port1 and port2 for these vdoms custA and custB respectively

config global 
    config sys interface 
         edit interna1
             set vdom custA
         next 
         edit internal2
            set vdom  custB
end

NOTE: You have to have the vdom created before you can place a interface into it.

3rd

Okay now, we will apply our virtual-links cfgs. These are our virtual WAN-uplinks. This is used for inter-vdom traffic ( traffic between vdoms ) and can be looked at as a real interface except it's really virtual. Your clients would not know the difference btw. For all purpose it's a interface. So you can do packet captures, allowaccess, build firewall rules, etc....

Each vlink will have one side  addressed in the root-vdom and other side in the customer vdom.  The sub numbers will end in a  0 and 1 as shown in the system interfaces. make sure you pay very good attention to the numbers and where you assign them and the address. In this post the Zero ( 0 ) will be in  Root and One ( 1)  will be in the customer vdom.

( vdom interlink creation )

config system vdom-link
    edit "root2custA"
    next
    edit "root2custB"
    next
end

(  vdom interlink address   config sys interfaces  )

   edit "root2custA0"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.252
        set allowaccess ping
        set type vdom-link
        set snmp-index 22
    next
    edit "root2custA1"
        set vdom "custA"
        set ip 192.168.10.2 255.255.255.252
        set allowaccess ping
        set type vdom-link
        set snmp-index 25
    next
    edit "root2custB0"
        set vdom "root"
        set ip 192.168.10.5 255.255.255.252
        set allowaccess ping
        set type vdom-link
        set snmp-index 27
    next
    edit "root2custB1"
        set vdom "custB"
        set ip 192.168.10.6 255.255.255.252
        set allowaccess ping
        set type vdom-link
        set snmp-index 28
    next

4th, after you have the vlink installed and configured, we will start the vdom policy configurations. These are simple to configured and you will need policies in ALL vdoms for allowing the traffic flows.

( root firewall address + policies )

config firewall address

 edit "custA"
        set uuid a435f472-39f9-51e4-3f01-2f63d976cc44
        set subnet 10.100.10.0 255.255.255.0
    next
    edit "custB"
        set uuid ad656096-39f9-51e4-0d06-ee9f8c992982
        set subnet 10.200.10.0 255.255.255.0
    next
end


config firewall policy
    edit 0
        set srcintf "root2custA0"
        set dstintf "virtual-wan-link"
        set srcaddr "custA"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set nat enable
    next
    edit 0
        set srcintf "root2custB0"
        set dstintf "virtual-wan-link"
        set srcaddr "custB"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set nat enable
    next
end 

 ( custA firewall address and policies )

config firewall policy
    edit 1
        set srcintf "internal1"
        set dstintf "root2custA1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set comments "custA-outbound"
    next
end

( and finally custB )

config firewall policy
    edit 1
        set srcintf "internal2"
        set dstintf "root2custB1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set comments "custB-outbound"
    next
end

NOTE: we are allowing all traffic with no nat enabled, NAt overload will be configured in the  root vdom 


5th, you need routing for traffic entering and exiting the vdoms and for the root-vdom to route traffic to the local subnets

( custA  static route )

config router static
    edit 1
        set device "root2custA1"
        set comment "default custA"
    next
end

(custB  static route )

config router static
    edit 1
        set device "root2custB1"
        set comment "default custB"
    next
end

( root vdom static route to the  customer vdom  subnets  using the inter-vdom-links  )

config router static
    edit 1002
        set dst 10.200.10.0 255.255.255.0
        set gateway 192.168.10.6
        set device "root2custB0"
    next
    edit 1001
        set dst 10.100.10.0 255.255.255.0
        set gateway 192.168.10.2
        set device "root2custA0"
    next
end

Finally some traceroute output to show that this all works;

( custA vdom )

( custB vdom )

Vdoms  &  inter-vdom-links can be fun and challenging. Departmentalizing the fortigate firewall is a feature that can be used for dedication of resources and relinquishing  operations and controls to a sub administration. 

keep points

• be careful of the inter-vdom links numberings
• ensure routing or a routing protocol is used
• firewall for all traffic flows needs to be build across vdoms
• SNAT and DNAT can be complex ( stay focus on what vdom your in )
• look at each vdom as a firewall  that unique that happens to sit in the same physical hardware
• leverage  802.1q tagging to avoid port exhausting
• HA clustering and vdom balancing can be a plus for A-P  operations
• All interfaces have the ability for ; packet dump, allowaccess, if-index, netflow/sflow,etc......

note: VIPs can be created on any of these segments , but the public facing  firewall will house any public address  that we map to our  customer servers or possible to a inside VIP.

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \