This setup is used when you have a network segment that needs firewall protection but you do not want to make any layer 3 address changes on it. Please review the previous meshed-vdom post here;
http://socpuppet.blogspot.com/2014/09/a-stacked-vdom-concept-with-fortigate.html
1st here's the topology;
As you can see, the custC vdom is operating in transparent mode with just 2 interfaces. The vdom is tied to the root vdom using an inter-vdom link.
First let's build our vdom for custC and set its operation mode. The vdom is created (and entered) from the global context; set the opmode first, since manageip only applies once the vdom is transparent.
config vdom
edit "custC"
config system settings
set comments "L2-vdom SOCPUPPETS example "
set opmode transparent
set manageip 10.199.199.2/255.255.255.0
end
end
Next we place one physical port into this custC vdom (interfaces are assigned to vdoms from the global context). This could also have been a sub-interface (802.1q VLAN) on a trunk port.
config system interface
edit "internal3"
set vdom "custC"
set type physical
set alias "transparent interface inside"
next
end
Okay, now we need to define an inter-vdom link. Just like with the meshed routed vdoms, we place one side of the link into the root vdom and the other end into our L2 transparent vdom.
To keep this simple, I named this link transparent.
config system vdom-link
edit "transparent"
set type ethernet
next
end
Tip: set the type to "ethernet", since we are going to bridge the internal3 interface to it inside the transparent vdom; a PPP-type link carries no ethernet frames, so it cannot be a member of the transparent vdom's bridge. The FortiGate will also assign an ethernet MAC address to each end of the link, which you can customize if you so desire. The default type is PPP.
The inter-vdom link named transparent gives us two interfaces, transparent0 and transparent1;
In a true transparent installation with real interfaces, the interfaces typically will not have an address assignment. Since this firewall instance is stacked behind another layer 3 device (the root vdom firewall), the root side of the link, transparent0, is an addressed layer 3 interface, and its address is the gateway for the LAN 10.199.199.0/24. The custC side, transparent1, stays unaddressed and is simply bridged with internal3.
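The interface assignment behind that, written out as an added example (this is not copied from the original post): transparent0 goes into root and carries the LAN gateway address 10.199.199.1/24 that the dhcp server and the custC address objects below rely on; transparent1 goes into custC with no address, as a transparent vdom interface should. The allowaccess setting and the aliases are my assumptions for management and readability, not something the original post specifies.

```fortios
# global context: assign the two ends of the inter-vdom link to their vdoms
config system interface
    edit "transparent0"
        # root side: layer 3 gateway for the 10.199.199.0/24 segment behind custC
        set vdom "root"
        set ip 10.199.199.1 255.255.255.0
        set allowaccess ping
        set alias "L3 gateway for custC lan"
    next
    edit "transparent1"
        # custC side: no address, it is bridged with internal3 by the transparent vdom
        set vdom "custC"
        set alias "transparent interface outside"
    next
end
```

Because custC is already in transparent mode, the CLI will not accept a set ip on transparent1; if it does, you are still in the wrong vdom or the opmode change did not take.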
Now we can rock & roll.
1st we need to jump into the root vdom and build our policy. We are going to simply allow all traffic and SNAT it via an interface overload (source NAT to the outgoing interface address) on the WAN link. Logging is disabled here only to keep the example short; on a real allow-all policy you would want logtraffic enabled and a tighter service list than ALL.
( vdom root firewall policy )
config firewall policy
edit 0
set srcintf "transparent0"
set dstintf "virtual-wan-link"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic disable
set nat enable
end
Next, we will create a dhcp server within the root vdom to dynamically assign addresses to the hosts behind the layer 2 vdom (optional).
config sys dhcp server
edit 88
set dns-service default
set default-gateway 10.199.199.1
set netmask 255.255.255.0
set interface "transparent0"
config ip-range
edit 1
set start-ip 10.199.199.10
set end-ip 10.199.199.20
next
end
next
end
That pretty much takes care of our root vdom configuration. Now we will switch to the custC vdom and create address objects for the dhcp server and the local LAN, followed by the firewall policies.
( custC vdom address and firewall )
config firewall address
edit "dhcp-server"
set comment " transparent dhcp server "
set subnet 10.199.199.1 255.255.255.255
next
edit "10_199_199_0-NET"
set comment "my local lan within the l2 domain socpuppets http://socpuppet.blogspot.com "
set subnet 10.199.199.0 255.255.255.0
next
end
and our firewall policies;
config firewall policy
edit 1
set srcintf "internal3"
set dstintf "transparent1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic disable
next
edit 2
set srcintf "transparent1"
set dstintf "internal3"
set srcaddr "dhcp-server"
set dstaddr "all"
set action accept
set schedule "always"
set service "DHCP"
next
end
Ensure that you build and lock down the firewall policies you need for both directions; in transparent mode nothing passes between internal3 and transparent1 without a matching policy.
If your dhcp server is hosted on the outside, as it is here in the root vdom, make sure you create a policy allowing its traffic from outside to inside (policy 2 above). The clients' discover and request broadcasts travel inside to outside and are covered by policy 1.
And finally we execute a trace route to ensure that all works;
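Beyond the traceroute from a LAN host (whose first hop should be 10.199.199.1 on transparent0), here are the on-box checks I would run to prove each piece, as an added example that is not part of the original post. The client address 10.199.199.10 is assumed to be the first lease from the pool above; "show console enable" is the 5.x syntax for the flow trace.

```fortios
# global context: bridge table of the transparent vdom. The client's MAC should be
# learned on internal3 and transparent0's MAC (the gateway) on transparent1.
diagnose netlink brctl name host custC.b

# in custC: watch the DHCP exchange cross the inter-vdom link
# (verbosity 4 prints packet headers with the interface names)
config vdom
edit custC
diagnose sniffer packet transparent1 'udp and (port 67 or port 68)' 4
end

# in root: follow one client's flow through the policy lookup and SNAT
config vdom
edit root
diagnose debug flow filter addr 10.199.199.10
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 20
# ... run the traceroute from the client now, then turn the trace off
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
end
```

If the bridge table shows the client MAC but the flow trace in root never sees the packet, policy 1 in custC is the first place to look; if the flow trace shows a policy-id of 0, the root policy is not matching the transparent0 to virtual-wan-link pair.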
Vdoms & inter-vdom links can be fun and challenging. Departmentalizing the FortiGate firewall is a feature that can be used to dedicate resources to a segment and to hand its operations and controls over to a sub-administrator.
Key points
- be careful of the inter-vdom link numbering (which of transparent0 / transparent1 sits in which vdom)
- transparent operations are just that, "transparent": no layer 3 changes on the protected segment
- firewall policies for all traffic flows need to be built in every vdom the traffic crosses
- look at each vdom as a unique firewall that just happens to sit in the same physical hardware
- leverage 802.1q tagging to avoid port exhaustion
- HA clustering and vdom balancing can be a plus for A-P operations
- all interfaces, inter-vdom link ends included, support packet capture (sniffer), allowaccess, if-index, netflow/sflow, etc.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
Hi Ken,
Thank you very much for an informative tutorial. One question, how would the users on the transparent vdom be able to use resources (such as file servers and printers) on the CustA vdom?
Still a newbie at this kind of setup.
Thank you and blessings!