www.fortinet.com
FortiGate VLANs and VDOMs
Version 3.0
USER GUIDE
FortiGate VLANs and VDOMs User Guide
Version 3.0
6 February 2007
01-30004-0091-20070308
Copyright 2007 Fortinet, Inc. All rights reserved. No part of this
publication including text, examples, diagrams or illustrations may be
reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose,
without prior written permission of Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC,
FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat
Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-
Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer,
FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter,
FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of
Fortinet, Inc. in the United States and/or other countries. The names of
actual companies and products mentioned herein may be the trademarks
of their respective owners.
Contents
Introduction........................................................................................ 7
About FortiGate VLANs and VDOMs ............................................................... 7
About this document......................................................................................... 7
Document conventions.................................................................................. 7
FortiGate documentation.................................................................................. 8
Related documentation..................................................................................... 9
FortiManager documentation ........................................................................ 9
FortiClient documentation ........................................................................... 10
FortiMail documentation.............................................................................. 10
FortiAnalyzer documentation ...................................................................... 10
Fortinet Knowledge Center ......................................................................... 10
Comments on Fortinet technical documentation......................................... 10
Customer service and technical support ...................................................... 11
Introduction to VLANs and VDOMs................................................ 13
Overview of VLAN technology ....................................................................... 13
VLAN layer-2 switching............................................................................... 14
VLAN layer-3 routing................................................................................... 16
Rules for VLAN IDs ..................................................................................... 17
Overview of Virtual Domains.......................................................................... 18
Maximum number of VDOMs...................................................................... 18
Inter-VDOM routing..................................................................................... 18
Management VDOM ................................................................................... 19
Administration of virtual domains ................................................................ 19
Global and virtual domain settings .............................................................. 19
For more information................................................................................... 21
Using VLANs in NAT/Route mode.................................................. 23
Overview........................................................................................................... 23
Configuring FortiGate units in NAT/Route mode ......................................... 23
Adding VLAN subinterfaces ........................................................................ 24
Creating firewall policies ............................................................................. 25
Configuring routing...................................................................................... 25
Example configuration NAT/Route mode (simple) ....................................... 25
General configuration steps ........................................................................ 27
Configuring the FortiGate-800 unit .............................................................. 27
Configuring the Cisco switch to support VLAN tags.................................... 32
Testing the configuration............................................................................. 33
Example configuration NAT/Route mode (complex).................................... 35
General configuration steps ........................................................................ 36
Configuring the FortiGate-800 unit.............................................................. 36
Configuring the FortiGate-800 IPSec VPN tunnel and encrypt policy......... 44
Configuring the VPN client .......................................................................... 48
Configuring the internal Cisco switch.......................................................... 49
Configuring the external Cisco switch......................................................... 50
Testing the configuration............................................................................. 51
Using VDOMs in NAT/Route mode................................................. 53
Overview........................................................................................................... 53
Getting started with VDOMs........................................................................... 53
Enabling virtual domain configuration......................................................... 53
Creating virtual domains ............................................................................. 54
Creating administrators for virtual domains ................................................ 55
Accessing virtual domains to configure them.............................................. 55
Configuring virtual domains........................................................................... 56
Changing the management VDOM............................................................. 56
Adding interfaces and VLAN subinterfaces to a virtual domain.................. 57
Configuring routing for a virtual domain...................................................... 58
Configuring firewall policies for a virtual domain......................................... 58
Configuring VPNs for a virtual domain........................................................ 59
Example VDOM configuration in NAT/Route mode (simple)....................... 59
General configuration steps ........................................................................ 60
Creating the virtual domains ....................................................................... 61
Configuring the FortiGate-800 external and DMZ interfaces ...................... 61
Configuring the ABCdomain VDOM............................................................ 63
Configuring the DEFdomain VDOM............................................................ 66
Configuring the Cisco switch....................................................................... 70
Testing the configuration............................................................................. 71
Example VDOM configuration in NAT/Route mode (complex).................... 73
General configuration steps ........................................................................ 75
Creating the virtual domains ....................................................................... 75
Configuring the ABCdomain VDOM............................................................ 76
Configuring the Commercial VDOM............................................................ 82
Configuring the Cisco switch....................................................................... 92
Testing the configuration............................................................................. 93
Using VLANs and VDOMs in Transparent mode .......................... 95
Overview........................................................................................................... 95
VLANs and virtual domains......................................................................... 95
Configuring the FortiGate unit in Transparent mode................................... 96
Adding VLAN subinterfaces ........................................................................ 96
Creating firewall policies ............................................................................. 97
Example configuration Transparent mode (simple)..................................... 98
General configuration steps ........................................................................ 99
Configuring the FortiGate-800 unit .............................................................. 99
Configuring the Cisco switch..................................................................... 104
Configuring the Cisco router ..................................................................... 104
Testing the configuration........................................................................... 106
Example configuration Transparent mode (multiple virtual domains)..... 107
Configuring global items............................................................................ 107
Creating virtual domains ........................................................................... 110
Configuring the ABCdomain...................................................................... 111
Configuring the DEFdomain...................................................................... 115
Configuring the XYZdomain...................................................................... 120
Configuring the Cisco switch..................................................................... 124
Testing the configuration........................................................................... 125
Inter-VDOM routing........................................................................ 127
Overview......................................................................................................... 127
Benefits of inter-VDOM routing.................................................................... 127
Freeing up physical interfaces .................................................................. 127
Faster than physical interfaces ................................................................. 128
Continuing to use secure firewall policies ................................................. 128
More flexible configurations ...................................................................... 128
Getting started with inter-VDOM routing..................................................... 129
Advanced inter-VDOM issues....................................................................... 130
Advanced routing over inter-VDOM links .................................................. 130
HA virtual clusters and inter-VDOM links .................................................. 130
FortiManager and inter-VDOMs.................................................................... 131
Inter-VDOM Configurations .......................................................................... 132
Stand alone VDOM configuration.............................................................. 132
Independent VDOMs configuration........................................................... 132
Management VDOM configuration............................................................ 133
Meshed VDOM configuration.................................................................... 134
Inter-VDOM planning..................................................................................... 135
Avoiding Problems with VLANs ................................................... 137
Overview......................................................................................................... 137
Asymmetric routing....................................................................................... 137
Layer 2 traffic ................................................................................................. 138
ARP traffic ................................................................................................. 138
NetBIOS.......................................................................................................... 140
STP forwarding.............................................................................................. 140
Too many VLAN interfaces........................................................................... 141
Index................................................................................................ 143
Introduction
This chapter introduces you to FortiGate VLANs and VDOMs and the following
topics:
About FortiGate VLANs and VDOMs
About this document
FortiGate documentation
Related documentation
Customer service and technical support
About FortiGate VLANs and VDOMs
Virtual Local Area Networks (VLANs) and Virtual Domains (VDOMs) multiply the
capabilities of your FortiGate unit. VLANs increase the number of network
interfaces beyond the physical connections on the unit. VDOMs enable the unit to
function as multiple independent units with common administration.
About this document
This document describes how to implement IEEE 802.1Q VLAN technology on
FortiGate units operating in both NAT/Route and Transparent mode. It also
describes how to use FortiGate VDOMs to provide separate network protection,
routing and VPN configurations for multiple organizations.
This document contains the following chapters:
Introduction to VLANs and VDOMs
Using VLANs in NAT/Route mode
Using VDOMs in NAT/Route mode
Using VLANs and VDOMs in Transparent mode
Inter-VDOM routing
Avoiding Problems with VLANs
Each of the Using sections contains detailed example configurations.
Document conventions
The following document conventions are used in this guide:
In the examples, private IP addresses are used for both private and public IP
addresses.
Notes and Cautions are used to provide important information:
Note: Highlights useful additional information.
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Typographic conventions
FortiGate documentation uses the following typographical conventions:
Convention            Example
Keyboard input        In the Gateway Name field, type a name for the remote VPN
                      peer or client (for example, Central_Office_1).
Code examples         config sys global
                          set ips-open enable
                      end
CLI command syntax    config firewall policy
                          edit id_integer
                              set http_retry_count <retry_integer>
                              set natip <address_ipv4mask>
                      end
Document names        FortiGate Administration Guide
File content          <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
                      <BODY><H4>You must authenticate to use this service.</H4>
Menu commands         Go to VPN > IPSEC > Phase 1 and select Create New.
Program output        Welcome!
Variables             <address_ipv4>
FortiGate documentation
Information about FortiGate products is available from the following guides:
FortiGate QuickStart Guide
Provides basic information about connecting and installing a FortiGate unit.
FortiGate Installation Guide
Describes how to install a FortiGate unit. Includes a hardware reference,
default configuration information, installation procedures, connection
procedures, and basic configuration procedures. Choose the guide for your
product model number.
FortiGate Administration Guide
Provides basic information about how to configure a FortiGate unit, including
how to define FortiGate protection profiles and firewall policies; how to apply
intrusion prevention, antivirus protection, web content filtering, and spam
filtering; and how to configure a VPN.
FortiGate online help
Provides a context-sensitive and searchable version of the Administration
Guide in HTML format. You can access online help from the web-based
manager as you work.
FortiGate CLI Reference
Describes how to use the FortiGate CLI and contains a reference to all
FortiGate CLI commands.
FortiGate Log Message Reference
Available exclusively from the Fortinet Knowledge Center, the FortiGate Log
Message Reference describes the structure of FortiGate log messages and
provides information about the log messages that are generated by FortiGate
units.
FortiGate High Availability Overview and FortiGate High Availability User
Guide
These documents contain in-depth information about the FortiGate High
Availability (HA) feature and the FortiGate clustering protocol.
FortiGate IPS User Guide
Describes how to configure the FortiGate Intrusion Prevention System settings
and how the FortiGate IPS deals with some common attacks.
FortiGate IPSec VPN User Guide
Provides step-by-step instructions for configuring IPSec VPNs using the web-
based manager.
FortiGate SSL VPN User Guide
Compares FortiGate IPSec VPN and FortiGate SSL VPN technology, and
describes how to configure web-only mode and tunnel-mode SSL VPN access
for remote users through the web-based manager.
FortiGate PPTP VPN User Guide
Explains how to configure a PPTP VPN using the web-based manager.
FortiGate Certificate Management User Guide
Contains procedures for managing digital certificates including generating
certificate requests, installing signed certificates, importing CA root certificates
and certificate revocation lists, and backing up and restoring installed
certificates and private keys.
Related documentation
Additional information about Fortinet products is available from the following
related documentation.
FortiManager documentation
FortiManager QuickStart Guide
Explains how to install the FortiManager Console, set up the FortiManager
Server, and configure basic settings.
FortiManager System Administration Guide
Describes how to use the FortiManager System to manage FortiGate devices.
FortiManager System online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the FortiManager Console as you work.
FortiClient documentation
FortiClient Host Security User Guide
Describes how to use FortiClient Host Security software to set up a VPN
connection from your computer to remote networks, scan your computer for
viruses, and restrict access to your computer and applications by setting up
firewall policies.
FortiClient Host Security online help
Provides information and procedures for using and configuring the FortiClient
software.
FortiMail documentation
FortiMail Administration Guide
Describes how to install, configure, and manage a FortiMail unit in gateway
mode and server mode, including how to configure the unit; create profiles and
policies; configure antispam and antivirus filters; create user accounts; and set
up logging and reporting.
FortiMail online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.
FortiMail Web Mail Online Help
Describes how to use the FortiMail web-based email client, including how to
send and receive email; how to add, import, and export addresses; and how to
configure message display preferences.
FortiAnalyzer documentation
FortiAnalyzer Administration Guide
Describes how to install and configure a FortiLog unit to collect FortiGate and
FortiMail log files. It also describes how to view FortiGate and FortiMail log
files, generate and view log reports, and use the FortiLog unit as a NAS server.
FortiAnalyzer online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.
Fortinet Knowledge Center
The most recent Fortinet technical documentation is available from the Fortinet
Knowledge Center. The knowledge center contains short how-to articles, FAQs,
technical notes, product and feature guides, and much more. Visit the Fortinet
Knowledge Center at http://kc.forticare.com.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any
Fortinet technical documentation, to techdoc@fortinet.com.
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your
Fortinet systems install quickly, configure easily, and operate reliably in your
network.
Please visit the Fortinet Technical Support web site at http://support.fortinet.com
to learn about the technical support services that Fortinet provides.
Introduction to VLANs and VDOMs
Virtual Local Area Networks (VLANs) and Virtual Domains (VDOMs) multiply the
capabilities of your FortiGate unit. VLANs use ID tags added to network frames to
increase the number of network interfaces beyond the physical connections on
the FortiGate unit. VDOMs enable the unit to function as multiple independent
units with common administration. Both can provide added network security.
Using VLANs, a single FortiGate unit can provide security services and control
connections between multiple security domains. Using VDOMs, a single FortiGate
unit can serve multiple organizations. It can provide separate firewall policies and,
in NAT/Route mode, completely separate routing and VPN configurations for each
organization.
This document describes how to implement IEEE 802.1Q Virtual LAN (VLAN)
technology on FortiGate units operating in both NAT/Route and Transparent
mode. Example configurations illustrate how VLANs can be implemented
between FortiGate units and other 802.1Q-compliant devices, such as Cisco
switches and routers. This document also describes how to implement virtual
domains (VDOMs) and presents example configurations to illustrate how VDOMs
can be implemented on FortiGate units.
The information in this document applies to all FortiGate units. All FortiGate
models support VLANs and VDOMs.
This document contains the following sections:
Overview of VLAN technology
Overview of Virtual Domains
Using VLANs in NAT/Route mode
Using VDOMs in NAT/Route mode
Using VLANs and VDOMs in Transparent mode
Inter-VDOM routing
Avoiding Problems with VLANs
Each of the Using sections contains detailed example configurations.
Overview of VLAN technology
A LAN consists of one or more broadcast domains. A broadcast domain includes
every computer that receives a packet broadcast by any computer in that domain.
Switches forward broadcast packets to all of their ports, whereas routers by
default separate broadcast domains by not forwarding broadcast packets. A
network built only from switches, with no routers, is therefore a single
broadcast domain no matter how large it is.
Virtual LANs (VLANs) use ID tags to logically separate devices on a LAN into
smaller broadcast domains. Each VLAN is its own broadcast domain. Smaller
broadcast domains reduce traffic and increase network security. The IEEE
802.1Q standard defines VLANs. Layer 2 and layer 3 devices must be 802.1Q-
compliant to support VLANs. For more information see VLAN layer-2 switching
on page 14 and VLAN layer-3 routing on page 16.
VLANs reduce the size of the broadcast domains by only forwarding packets to
ports that are part of that VLAN, or part of a trunk link. Trunk links form switch-
switch or switch-router connections and forward all VLAN traffic. This enables a
VLAN to include devices that are on the network but physically distant from each
other.
Any virtual domain can have a maximum of 255 interfaces in NAT/Route or
Transparent mode. This count includes VLAN subinterfaces, other virtual
interfaces, and physical interfaces. To configure more than 255 interfaces in
total, you need multiple VDOMs, each with its own set of interfaces.
A good example of when to use VLANs is an accounting department within a
company. The accounting computers can be located in different buildings (main
and branch offices). However, accounting computers need to communicate with
each other frequently and require increased security. VLANs allow the accounting
data to be sent only to accounting computers, and connect accounting
computers in different locations as if they were on the same physical subnet.
The VLAN ID tags used to define VLANs are a 4-byte frame extension (the 802.1Q
header, which carries a 12-bit VLAN ID) that switches and routers insert into
every frame sent and received by the devices in the VLAN. Workstations and
desktop computers are not an active part of the VLAN process: all VLAN tagging
and tag removal is done after the frame has left the computer. For more
information see Rules for VLAN IDs on page 17.
VLAN layer-2 switching
Switches are generally 802.1Q compliant - they are layer-2 devices. Layer-2
refers to the second layer of the OSI networking model - the Data Link layer.
FortiGate units act as layer-2 switches when they are in Transparent Mode. They
simply tag and forward the VLAN traffic or receive and remove the tag from it.
A VLAN can have any number of physical interfaces assigned to it. Physical
interfaces can be assigned to multiple VLANs. Typically two or more physical
interfaces are assigned to a VLAN - at least one for incoming and one for outgoing
traffic. Multiple VLANs can be configured on the FortiGate unit, including trunk
links.
Trunk links are connections between switches or routers that pass all VLAN traffic
along so that it can reach other parts of the network. This does not flood the
network with traffic because switches and routers only deliver traffic to the VLAN it
is addressed to.
Layer-2 VLAN example
To better understand VLAN operation, let's look at what happens to a data frame
on a network that uses VLANs.
Note: This guide uses the term packet to refer to both layer-2 frames, and layer-3 packets.
Two 8-port switches are configured to support 2 VLANs on a network. Subnet 1 is
connected to switch A and subnet 2 is connected to switch B. On switch A, ports 1
through 4 are part of VLAN 100. Port 8 on both switches is connected to an
802.1Q trunk link. Switch A's other ports (ports 5 through 7) belong to VLAN 200.
On switch B, ports 4 and 5 are part of VLAN 100 and port 6 is part of VLAN 200.
There are unassigned ports on switch B.
Figure 1: Example VLAN layer-2 switching configuration
Let's follow a data frame sent from a computer on subnet 1 that is part of VLAN
100.
A computer on port 1 of switch A sends a data frame over the network. Switch A
tags the data frame with a VLAN 100 ID tag upon arrival because port 1 is part of
VLAN 100. Switch A forwards the tagged data frame to the other VLAN 100 ports
- ports 2 through 4. Switch A also forwards the data frame to the 802.1Q trunk link
(port 8) so other parts of the network that may contain VLAN 100 groups will
receive VLAN 100 traffic.
This data frame is not forwarded to the other ports on switch A because they are
not part of VLAN 100. This increases security and decreases network traffic.
Switch B receives the data frame over the trunk link (port 8). There are VLAN 100
ports on switch B (ports 4 and 5) and the data frame is forwarded to those ports.
As with switch A, the data frame is not delivered to the VLAN 200 ports.
If there were no VLAN 100 ports on switch B, the switch would not forward the
data frame and it would stop there.
Figure 2: Example VLAN Layer-2 packet delivery
[Figures 1 and 2 are diagrams. Recoverable labels: Switch A (Branch Office) has
VLAN 100 on ports 1 - 4, VLAN 200 on ports 5 - 7, and port 8 on the 802.1Q trunk
link. Switch B (Main Office) has VLAN 100 on ports 4 and 5, VLAN 200 on port 6,
and port 8 on the 802.1Q trunk link. In Figure 2 the frame enters switch A at
port 1 untagged, crosses the trunk link as a frame with a VLAN ID tag, and is
delivered untagged at the VLAN 100 ports of switch B.]
Before a switch forwards the data frame to an end destination, it removes the
VLAN 100 ID tag. The sending computer and the receiving computers are not
aware of any VLAN tagging on the data frame. When any computer receives that
data frame, it appears as a normal data frame.
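The forwarding rules this walkthrough describes, reduced to a small model that can be run and checked (added example; it is not from the Fortinet guide and is not FortiOS code). The port-to-VLAN assignments follow Figure 1. The switch names, the MAC addresses, the Frame fields, and the decision to reject an untagged frame arriving on the trunk port are assumptions made for the example.

```python
"""Layer-2 VLAN forwarding model for the two-switch example in Figure 1."""
from dataclasses import dataclass
from typing import Dict, Optional, Union

TRUNK = "trunk"  # an 802.1Q trunk port carries every VLAN, always tagged


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: Optional[int] = None  # None = untagged, as a host sends/receives it


@dataclass
class Switch:
    name: str
    # port number -> VLAN ID for an access port, or TRUNK for the trunk port
    ports: Dict[int, Union[int, str]]

    def forward(self, ingress_port: int, frame: Frame) -> Dict[int, Frame]:
        """Return {egress_port: Frame} for a broadcast / unknown-unicast frame.

        Arrival on an access port assigns that port's VLAN (any tag a host sent
        is ignored; assumption). Arrival on the trunk keeps the tag already on
        the frame. Egress to access ports of the same VLAN strips the tag;
        egress to the trunk keeps it tagged. Ports in other VLANs never see it.
        """
        role = self.ports[ingress_port]
        if role == TRUNK:
            if frame.vlan is None:
                raise ValueError("untagged frame on trunk port")  # assumption: reject
            vid = frame.vlan
        else:
            vid = role
        out: Dict[int, Frame] = {}
        for port, prole in self.ports.items():
            if port == ingress_port:
                continue
            if prole == TRUNK:
                out[port] = Frame(frame.src_mac, frame.dst_mac, vlan=vid)   # tagged copy
            elif prole == vid:
                out[port] = Frame(frame.src_mac, frame.dst_mac, vlan=None)  # tag removed
        return out


# Topology constructed to match Figure 1: A is the Branch Office, B the Main Office.
switch_a = Switch("A", {1: 100, 2: 100, 3: 100, 4: 100, 5: 200, 6: 200, 7: 200, 8: TRUNK})
switch_b = Switch("B", {4: 100, 5: 100, 6: 200, 8: TRUNK})


def deliver_from_a_port1(frame: Frame) -> Dict[str, Dict[int, Frame]]:
    """Follow a frame from switch A port 1 over the trunk into switch B.

    Returns {"A": {port: Frame}, "B": {port: Frame}} so the caller can see
    every port that receives a copy and which copies still carry the tag.
    """
    on_a = switch_a.forward(1, frame)
    on_b = switch_b.forward(8, on_a[8]) if 8 in on_a else {}
    return {"A": on_a, "B": on_b}


if __name__ == "__main__":
    host_frame = Frame("00:11:22:33:44:01", "ff:ff:ff:ff:ff:ff")  # untagged broadcast
    for sw, ports in deliver_from_a_port1(host_frame).items():
        for port, f in sorted(ports.items()):
            print(f"switch {sw} port {port}: vlan tag {f.vlan}")
```

Running it shows the frame reaching ports 2 to 4 of switch A untagged, port 8 tagged with VLAN 100, and ports 4 and 5 of switch B untagged; ports 5 to 7 of switch A and port 6 of switch B receive nothing.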
VLAN layer-3 routing
Routers are layer-3 devices. Layer-3 refers to the third layer of the OSI networking
model - the Network layer. FortiGate units act as layer-3 devices when they are in
NAT/Route mode. As with layer-2, FortiGate units acting as layer-3 devices are
802.1Q-compliant.
The main difference between layer-2 and layer-3 devices is how they process
VLAN tags. Layer-2 switches just add, read and remove the tags; they do not
alter the tags or perform any higher-level actions. Layer-3 routers not only add,
read and remove tags, but also analyze the data frame and its contents. This
analysis allows a layer-3 router to change the VLAN tag where appropriate and
send the data frame out on a different VLAN.
In a layer-3 environment, the 802.1Q-compliant router receives the data frame
and assigns a VLAN ID. The router then forwards the data frame to other
members of the same VLAN broadcast domain. The broadcast domain can
include local ports, layer-2 devices and layer-3 devices such as routers and
firewalls. When a layer-3 device receives the data frame, the device removes the
VLAN tag and examines its contents to decide what to do with the data frame. The
layer-3 device considers:
source and destination addresses
protocol
port number
The data frame may be forwarded to another VLAN, sent to a regular non-VLAN-
tagged network or just forwarded to the same VLAN as a layer-2 switch would do.
It may be discarded if that is the proper firewall policy action.
Layer-3 VLAN Example
In the configuration for this example, subnet 1 is the same as in the previous
layer-2 example. In subnet 2, VLAN 300 is on port 5 of switch B. The FortiGate
unit is connected to switch B on port 1, and the trunk link connects the
FortiGate unit's port 3 to switch A. The other ports on switch B are unassigned.
This configuration is shown in Figure 3 on page 17.
Figure 3: Example VLAN layer-3 routing
This example explains how traffic originating on VLAN 100 arrives at a destination
on VLAN 300. Layer-2 switches alone cannot accomplish this, but a layer-3 router
can do it. Let's follow a data frame going from VLAN 100 at the Branch Office to
VLAN 300 at the Main Office.
As in the layer-2 example, the VLAN 100 computer sends the data frame to switch
A and a VLAN 100 tag is added. Switch A forwards the tagged data frame to the
FortiGate unit over the 802.1Q trunk link. The FortiGate unit removes the VLAN
100 tag and uses the content of the data frame to select the correct firewall policy.
In this case, the FortiGate unit's firewall policy allows the data frame to go to
VLAN 300. It goes to all VLAN 300 interfaces, but in the example there is only one
- port 1 on the FortiGate unit. Before the data frame leaves the FortiGate unit, the
VLAN subinterface adds a VLAN ID 300 tag.
The FortiGate unit then forwards the data frame to switch B. Switch B removes
the VLAN ID 300 tag because this is the last hop and forwards the data frame to
the computer on port 5.
In this example a data frame arrives at the FortiGate unit tagged as VLAN 100
and after checking its content, the FortiGate unit retags the data frame for VLAN
300. It is this change from VLAN 100 to VLAN 300 that requires a layer-3 routing
device, in this case the FortiGate unit. Layer-2 switches cannot perform this
change.
Rules for VLAN IDs
Layer-2 switches and layer-3 devices add VLAN ID tags to the traffic as it arrives
and remove them before they deliver the traffic to its final destination. Devices like
PCs and servers on the network do not require any special configuration for
VLANs.
On a layer-2 switch, you can only have one VLAN subinterface per physical
interface, unless that interface is configured as a trunk link. Trunk links can
transport more than one VLAN's traffic to other parts of the network.
On a FortiGate unit, multiple VLANs can be added to the same physical interface.
However, VLAN subinterfaces added to the same physical interface cannot have
the same VLAN ID or IP addresses on the same subnet. You can add VLAN
subinterfaces with the same VLAN ID to different physical interfaces.
[Figure 3 diagram: Branch Office Switch A carrying VLAN 100 and VLAN 200 on ports 1 - 4 and 5 - 7, with an 802.1Q trunk link from Switch A port 8 to FortiGate unit port 3; FortiGate unit port 1 connects to Main Office Switch B port 1; VLAN 300 is on Switch B port 5]
Creating VLAN subinterfaces with the same VLAN ID does not create any internal
connection between them. For example, a VLAN ID of 300 on port1 and a VLAN ID
of 300 on port2 are allowed, but they are not connected. Their relationship is the
same as between any two FortiGate network interfaces.
Overview of Virtual Domains
Virtual Domains provide a way to divide your FortiGate unit and operate it as
multiple separate units. You can configure and manage interfaces, VLAN
subinterfaces, zones, firewall policies, routing and VPN configurations separately
for each virtual domain. This separation simplifies configuration because you do
not have to manage as many routes or firewall policies at one time.
One application of this capability is to use a single FortiGate unit to provide routing
and network protection for several organizations. Each organization has its own
network interfaces (physical or virtual), routing requirements and network
protection rules. By default, communication between organizations is possible
only if both allow access to an external network such as the Internet. The chapter
Using VDOMs in NAT/Route mode on page 53 provides two examples of this
application.
When a packet enters a virtual domain, it is confined to that virtual domain. In a
given domain, you can only create firewall policies for connections between VLAN
subinterfaces or zones in the virtual domain. The packet never crosses virtual
domain borders.
Maximum number of VDOMs
If virtual domain configuration is enabled on your FortiGate unit and you log on as
the default admin administrator, you can go to System > Status and look at Virtual
Domain in the License Information section to see the maximum number of virtual
domains supported on your FortiGate unit. By default, your FortiGate unit supports
a maximum of 10 VDOMs in any combination of NAT/Route and Transparent
modes. For FortiGate models numbered 3000 and higher, you can purchase a
license key to increase the maximum number to 25, 50, 100 or 250 VDOMs. For
more information see Creating virtual domains on page 54.
Inter-VDOM routing
FortiOS v3.0 MR1 introduced a new feature called inter-VDOM routing. When
configured, this feature allows traffic to pass between VDOMs without having to
leave the FortiGate unit on a physical interface and return on a different physical
interface. This feature also allows you to determine the level of inter-VDOM
routing varying from having only 2 VDOMs with limited interaction to having all
VDOMs fully inter-connected. All traffic between VDOMs must pass through
firewall policies as it does with all external interface connections.
The command to configure this feature, called vdom-link, is only available in the
CLI. Inter-VDOM routing is not available from the web-manager GUI. This topic is
dealt with in Inter-VDOM routing on page 127 and the VDOM-admin chapter in
the FortiOS CLI Reference.
Management VDOM
All management traffic leaves the FortiGate unit through the management VDOM.
This includes all external logging, remote management and other Fortinet
services. By default the management VDOM is the root VDOM. You can change
this to another VDOM so management traffic will originate from the new VDOM.
For more information see Changing the management VDOM on page 56.
Administration of virtual domains
You can manage virtual domains using either one common administrator or
multiple separate administrators for each VDOM.
The FortiGate default administrator account is the admin administration account.
It is a common administrator that can access all of the virtual domains on the
FortiGate unit. You cannot delete the admin administration account.
You can use the admin administration account to create regular administrator
accounts and assign them to VDOMs. Each regular administrator account can
only configure its own VDOM. Global properties affect all VDOMs. Access to
global properties is available only through the admin administration account.
Access profiles configure read-only or read/write access for all administrators.
Administrators can have access to:
system configuration
security policy
administrator configuration
configuration backup/restore
logs and reporting
user authorization
FortiGuard Update
This makes it possible for you to have administrators for different services on
each VDOM. For example, you can have one administrator responsible for logs
and reporting on a VDOM, while another administrator is responsible for security
policies on that same VDOM. For more information on access profiles, see the
FortiOS Administration Guide.
When you are configuring VDOMs using the admin administration account, the
web-based manager shows which VDOM you are editing at the bottom of the left
menu with the label Current VDOM:. If you are configuring global properties, there
is no virtual domain indicator.
Global and virtual domain settings
When working with virtual domains, it is important to remember which settings
belong exclusively to the virtual domain and which apply to the entire FortiGate
unit. The following lists of items are in the order they appear in the web-manager
interface.
Settings exclusive to virtual domains
The following configuration settings are exclusively part of a virtual domain and
are not shared between virtual domains:
System settings          Zones
                         DHCP services
                         Operation mode (NAT/Route or Transparent)
                         Management IP (Transparent mode)
Router configuration     all
Firewall settings        Policies
                         Addresses
                         Service groups and custom services
                         Schedules
                         Virtual IPs
                         IP pools
User settings            Users
                         User groups
                         RADIUS and LDAP servers
VPN settings             IPSec
                         PPTP
                         SSL
                         L2TP
Policy                   Download
IM settings              Statistics
                         User lists and policies
Settings shared by all virtual domains
Virtual domains share the following global settings with other processes on the
FortiGate unit:
System settings              Physical interfaces and VLAN subinterfaces
                             (Each physical interface or VLAN subinterface belongs to
                             only one VDOM. Each VDOM can use or configure only its
                             own interfaces.)
                             DNS settings
                             Host name
                             System time
                             Firmware version
                             Idle and authentication timeout
                             Web-based manager language
                             LCD panel PIN, where applicable
                             Dead gateway detection
                             HA configuration
                             SNMP configuration
                             Replacement messages
                             Administrators
                             Access profiles
                             FortiManager configuration
                             Configuration backup and restore
                             FDN update configuration
                             Bug reporting
Firewall settings            Predefined services
                             Protection Profiles
IPS settings                 all
Antivirus settings           all
Web filter configuration     all
Spam filter configuration    all
Logging configuration and    all
log reports
For more information
Detailed information and procedures involving virtual domains are provided in the
Using VDOMs in NAT/Route mode and Using VLANs and VDOMs in
Transparent mode chapters.
Using VLANs in NAT/Route mode
Overview
In NAT/Route mode the FortiGate unit functions as a layer-3 device. In this mode,
it controls the flow of packets between VLANs and can also remove VLAN tags
from incoming VLAN packets. The FortiGate unit can also forward untagged
packets to other networks, such as the Internet.
In NAT/Route mode, the FortiGate unit supports VLAN trunk links with IEEE
802.1Q-compliant switches (or routers). The trunk link transports VLAN tagged
packets between physical subnets or networks. When you add VLAN
subinterfaces to the FortiGate physical interfaces, the VLANs have IDs that match
the VLAN IDs of packets on the trunk link. The FortiGate unit directs packets with
VLAN IDs to subinterfaces with matching IDs.
Normally the FortiGate unit's internal interface is connected to a VLAN trunk and
the external interface connects to an untagged Internet router. In this
configuration the FortiGate unit can apply different policies for traffic on each
VLAN connected to the internal interface.
You can define VLAN subinterfaces on all FortiGate physical interfaces. However,
if multiple virtual domains are configured on the FortiGate unit, you will only have
access to the physical interfaces in your virtual domain. The FortiGate unit can
tag packets leaving on a VLAN subinterface. It can also remove VLAN tags from
incoming packets and add a different VLAN tag to outgoing packets.
Configuring FortiGate units in NAT/Route mode
You can access the FortiGate unit's web-based manager (GUI) with a supported web
browser that connects to a FortiGate interface. The interface must be configured
for administrative access. Use HTTPS to access the address of the interface. All
FortiGate units have administrative access enabled by default on the default
interface. On the FortiGate 800 the default interface is the Internal interface. For
the examples presented in this chapter, the default interface has an address of
192.168.1.99. If you need more information, refer to the Quick Start Guide or
Installation Guide that came with your FortiGate unit.
In this chapter, we assume you have not enabled VDOM configuration on your
FortiGate unit. If you have enabled it, you will need to navigate to the global or
VDOM configuration as needed before following each procedure.
This document does not explain how to configure the protection profiles for virus
scanning, web filtering and spam filtering. Your FortiGate unit documentation
explains Protection profiles.
There are several essential steps to configuring your FortiGate unit for VLANs:
Adding VLAN subinterfaces
Creating firewall policies
Configuring routing
Adding VLAN subinterfaces
You add VLAN subinterfaces to the physical interface that receives VLAN-tagged
packets.
FortiGate interfaces cannot have overlapping IP addresses. That is, the IP
addresses of all interfaces must be on different subnets. This rule applies to both
physical interfaces and to VLAN subinterfaces.
Each VLAN subinterface must be configured with its own IP address and
netmask. The subinterface VLAN ID can be any number between 1 and 4096. The
VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE
802.1Q-compliant router. If the IDs do not match, the subinterface will not receive
the VLAN tagged traffic.
To add a VLAN subinterface in NAT/Route mode
1 If VDOMs are enabled and you are not in the root VDOM, select << Global.
2 Go to System > Network > Interface.
3 Select Create New to add a VLAN subinterface.
4 Enter a Name to identify the VLAN subinterface.
5 From the Interface list, select the physical interface that receives the VLAN
packets intended for this VLAN subinterface.
6 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
VLAN subinterface.
7 Configure the VLAN subinterface settings as you would for any FortiGate
interface.
8 Select OK to save your changes.
The FortiGate unit adds the new VLAN subinterface to the interface that you
selected in step 5.
To view the new VLAN subinterface, select the blue arrow next to the parent
physical interface. This will expand to display all VLAN subinterfaces on this
physical interface. If there is no blue arrow displayed, there are no subinterfaces
on this physical interface.
Note: If you are unable to change your existing configurations to prevent IP overlap, enter
the CLI command config system global and set ip-overlap enable to allow IP
address overlap. If you enter this command, multiple VLAN interfaces can have an IP
address that is part of a subnet used by another interface. This command is recommended
for advanced users only.
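As an added example that is not part of this guide, the following Python script checks a planned set of VLAN subinterfaces against the rules stated in this section and in Rules for VLAN IDs (the VLAN ID range the guide gives, one VLAN ID per physical interface, no overlapping subnets unless ip-overlap is enabled, and a VLAN ID the trunk actually carries) and then renders the matching config system interface CLI. The interface names, addresses and the switch_tags map are constructed sample values taken from the simple example later in this chapter.

```python
"""Added example: validate planned FortiGate VLAN subinterfaces and emit the CLI.

Rules checked, as this guide states them:
  * the VLAN ID must be in the range the guide gives (1 to 4096) and match the
    tag the 802.1Q switch applies, or the subinterface receives no traffic;
  * two VLAN subinterfaces on the same physical interface cannot share a
    VLAN ID (the same ID on different physical interfaces is allowed and
    creates no internal connection between them);
  * interface IP addresses must not overlap: every interface, physical or
    VLAN, must be on a distinct subnet unless 'set ip-overlap enable' is set.
"""
from dataclasses import dataclass
from ipaddress import IPv4Interface


@dataclass(frozen=True)
class VlanSubinterface:
    name: str
    interface: str                      # parent physical interface
    vlanid: int
    ip: str                             # "10.1.1.1/255.255.255.0" or "/24"
    allowaccess: tuple = ("https", "ping", "telnet")


def check_subinterfaces(subifs, physical_ips=(), switch_tags=None,
                        ip_overlap=False):
    """Return a list of rule violations; an empty list means the plan is valid.

    physical_ips: addresses already on physical interfaces ("a.b.c.d/mask").
    switch_tags:  optional {parent interface: set of VLAN IDs the trunk carries}.
    ip_overlap:   True mirrors 'config system global' / 'set ip-overlap enable'.
    """
    problems = []
    seen = set()
    for s in subifs:
        if not 1 <= s.vlanid <= 4096:
            problems.append(f"{s.name}: VLAN ID {s.vlanid} is out of range")
        if (s.interface, s.vlanid) in seen:
            problems.append(f"{s.name}: VLAN ID {s.vlanid} is already used "
                            f"on {s.interface}")
        seen.add((s.interface, s.vlanid))
        if (switch_tags is not None
                and s.vlanid not in switch_tags.get(s.interface, set())):
            problems.append(f"{s.name}: the trunk on {s.interface} does not "
                            f"carry VLAN {s.vlanid}; it would receive nothing")
    # Every pair of subnets (VLAN or physical) must be disjoint unless the
    # administrator has explicitly allowed overlap.
    nets = [(s.name, IPv4Interface(s.ip).network) for s in subifs]
    nets += [(f"physical {ip}", IPv4Interface(ip).network)
             for ip in physical_ips]
    if not ip_overlap:
        for i, (n1, a) in enumerate(nets):
            for n2, b in nets[i + 1:]:
                if a.overlaps(b):
                    problems.append(f"{n1} and {n2} overlap ({a} vs {b})")
    return problems


def render_cli(subifs):
    """Render the 'config system interface' block in the form this guide uses."""
    lines = ["config system interface"]
    for i, s in enumerate(subifs):
        iface = IPv4Interface(s.ip)
        lines += [f"    edit {s.name}",
                  f"        set interface {s.interface}",
                  f"        set vlanid {s.vlanid}",
                  "        set mode static",
                  f"        set ip {iface.ip} {iface.netmask}",
                  f"        set allowaccess {' '.join(s.allowaccess)}",
                  "    next" if i < len(subifs) - 1 else "end"]
    return "\n".join(lines)


# Constructed sample: the two subinterfaces of the simple example, the
# physical addresses from Figure 4, and the VLANs the Cisco trunk carries.
GUIDE_PLAN = [
    VlanSubinterface("VLAN_100", "internal", 100, "10.1.1.1/255.255.255.0"),
    VlanSubinterface("VLAN_200", "internal", 200, "10.1.2.1/255.255.255.0"),
]
GUIDE_PHYSICAL = ["192.168.110.126/255.255.255.0", "172.16.21.2/255.255.255.0"]
GUIDE_TRUNK = {"internal": {100, 200}}

if __name__ == "__main__":
    for problem in check_subinterfaces(GUIDE_PLAN, GUIDE_PHYSICAL, GUIDE_TRUNK):
        print("PROBLEM:", problem)
    print(render_cli(GUIDE_PLAN))
```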
Creating firewall policies
Firewall policies permit communication between the FortiGate unit's network
interfaces based on source and destination IP addresses. Optionally, you can limit
communication to particular times and services.
You need firewall policies to permit packets to pass from the VLAN interface
where they enter the FortiGate unit to the interface where they exit. Each VLAN
requires you to create a firewall policy for each of the following permitted
connections the VLAN will be using:
from the VLAN to an external network
to the VLAN from an external network
from the VLAN to another VLAN in the same virtual domain on the FortiGate
unit
to the VLAN from another VLAN in the same virtual domain on the FortiGate
unit
The packets on each VLAN are subject to antivirus and antispam scans as they
pass through the FortiGate unit.
To add firewall policies for VLAN subinterfaces
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and
destination IP addresses of VLAN packets.
3 Go to Firewall > Policy.
4 Add firewall policies as required.
Configuring routing
In the simplest case, you need to configure a default route for packets with
external destinations to the gateway of an external network. In more complex
cases, you might have to configure different routes based on packet source and
destination addresses. Routing is explained in the FortiGate Administration Guide
and the CLI Reference documentation.
As with firewall policies, you need to configure routes for VLANs. VLANs need
routing and a gateway configured to send and receive packets outside their local
subnet. Depending on the network you are connecting to, the routing can be static
or dynamic. Dynamic routing can be routing information protocol (RIP), border
gateway protocol (BGP), open shortest path first (OSPF), or multicast.
If you enable protocols like SSH, PING, TELNET, HTTPS and HTTP on the VLAN
you can use them to confirm that routing is properly configured. Enabling logging
on the interfaces can also help locate any possible issues.
Example configuration NAT/Route mode (simple)
Figure 4 shows a simplified NAT/Route mode VLAN configuration. In this
example, the FortiGate internal interface connects to a Cisco 2950 VLAN switch using
an 802.1Q trunk and is configured with two VLAN subinterfaces (VLAN 100 and
VLAN 200). The external interface connects to the Internet and is not configured
with VLAN subinterfaces.
Figure 4: FortiGate unit in NAT/Route mode
When the Cisco switch receives packets from VLAN 100 and VLAN 200, it applies
VLAN ID tags and forwards the packets to local ports and across the trunk to the
FortiGate unit. The FortiGate unit has policies that allow traffic to flow between the
VLANs and from the VLANs to the external network.
This section describes how to configure a FortiGate 800 unit and a Cisco Catalyst
2950 switch for this example network topology. Cisco configuration commands
used in this section are IOS commands. It is assumed that both the FortiGate 800
and the Cisco 2950 switch are installed, connected and basic configuration has
been completed. On the switch you will need to be able to access the CLI to enter
commands. Refer to the manuals for each unit for more information.
[Figure 4 diagram: VLAN switch with the VLAN 100 network 10.1.1.0 on Fa 0/3 and the VLAN 200 network 10.1.2.0 on Fa 0/9, and an 802.1Q trunk from Fa 0/24 to the FortiGate unit internal port 192.168.110.126; untagged packets leave the FortiGate external port 172.16.21.2 for the Internet]
General configuration steps
The following steps provide an overview of configuring and testing the hardware
used in this example. The steps are explained in detail later in this section.
1 Configuring the FortiGate-800 unit
Configuring the external interface
Add two VLAN subinterfaces to the Internal network interface.
Add Firewall addresses and address ranges for the internal and external
networks.
Add firewall policies to allow:
the VLAN networks to access each other.
the VLAN networks to access the external network.
2 Configuring the Cisco switch to support VLAN tags
3 Testing the configuration.
Configuring the FortiGate-800 unit
Use the FortiGate web-based manager to configure the FortiGate-800 unit.
Alternately the CLI can be used.
Configuring the FortiGate unit includes:
Configuring the external interface
Adding VLAN subinterfaces
Adding the firewall addresses
Adding firewall policies
Configuring the external interface
The FortiGate unit's external interface will be the path to the Internet for our
network.
Configuring the external interface can be completed through the web-based
manager or the CLI.
To configure the external interface - web-based manager
1 If VDOMs are enabled and you are not in the root VDOM, select << Global.
2 Go to System > Network > Interface.
3 Select the Edit icon for the external interface.
4 Enter the following information for the external interface and select OK:
Addressing mode          Manual
IP/Netmask               172.16.21.2/255.255.255.0
Configure other fields as required.
To configure the external interface - CLI
config system interface
    edit external
        set mode static
        set ip 172.16.21.2 255.255.255.0
end
Adding VLAN subinterfaces
This step creates the VLANs on the FortiGate physical interfaces. The rest of this
example is configuring the VLAN behavior on the FortiGate unit, configuring the
switches to treat the VLANs the same way as the FortiGate unit and testing that all
of the settings are correct.
Adding VLAN subinterfaces can be completed through the web-based manager,
or the CLI.
To add VLAN subinterfaces - web-based manager
1 If VDOMs are enabled and you are not in the root VDOM, select << Global.
2 Go to System > Network > Interface.
3 Select Create New.
4 Enter the following information for VLAN_100 and select OK:
Name                     VLAN_100
Interface                internal
VLAN ID                  100
Addressing mode          Manual
IP/Netmask               10.1.1.1/255.255.255.0
Administrative Access    HTTPS, PING, TELNET
Configure other fields as required.
5 Select Create New.
6 Enter the following information for VLAN_200 and select OK:
Name                     VLAN_200
Interface                internal
VLAN ID                  200
Addressing mode          Manual
IP/Netmask               10.1.2.1/255.255.255.0
Administrative Access    HTTPS, PING, TELNET
Configure other fields as required.
Figure 5: VLAN subinterfaces
To add VLAN subinterfaces - CLI
config system interface
    edit VLAN_100
        set interface internal
        set vlanid 100
        set mode static
        set ip 10.1.1.1 255.255.255.0
        set allowaccess https ping telnet
    next
    edit VLAN_200
        set interface internal
        set vlanid 200
        set mode static
        set ip 10.1.2.1 255.255.255.0
        set allowaccess https ping telnet
end
Adding the firewall addresses
You need to define the addresses of the VLAN subnets for use in firewall policies.
The FortiGate unit provides one default address, all, that you can use when a
firewall policy applies to all addresses as a source or destination of a packet.
In this example, the _Net part of the address name indicates a range of
addresses instead of a unique address. When choosing firewall address names,
keep them informative and unique, but short. You can select the web-based
manager or the CLI to add firewall addresses.
To add the firewall addresses - web-based manager
1 Go to Firewall > Address.
2 Select Create New.
3 Enter the following information and select OK:
Address Name             VLAN_100_Net
Type                     Subnet/IP Range
Subnet / IP Range        10.1.1.0/255.255.255.0
4 Select Create New.
5 Enter the following information and select OK:
Address Name             VLAN_200_Net
Type                     Subnet/IP Range
Subnet / IP Range        10.1.2.0/255.255.255.0
Figure 6: Firewall addresses
To add the firewall addresses - CLI
config firewall address
    edit VLAN_100_Net
        set type ipmask
        set subnet 10.1.1.0 255.255.255.0
    next
    edit VLAN_200_Net
        set type ipmask
        set subnet 10.1.2.0 255.255.255.0
end
Adding the firewall policies
Once you have assigned addresses to the VLANs, you need to configure firewall
policies for them using either the web-based manager or the CLI. This will allow
packets to pass from one VLAN to another and to the Internet.
If you do not wish to allow all services on a VLAN, you can create a firewall policy
for each service you want to allow. This example allows all services.
To add the firewall policies - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:
Source
    Interface/Zone       VLAN_100
    Address Name         VLAN_100_Net
Destination
    Interface/Zone       VLAN_200
    Address Name         VLAN_200_Net
Schedule                 Always
Service                  ANY
Action                   ACCEPT
NAT                      Select
Configure other fields as required.
4 Select Create New.
5 Enter the following information and select OK:
Source
    Interface/Zone       VLAN_200
    Address Name         VLAN_200_Net
Destination
    Interface/Zone       VLAN_100
    Address Name         VLAN_100_Net
Schedule                 Always
Service                  ANY
Action                   ACCEPT
NAT                      Select
Configure other fields as required.
6 Select Create New.
7 Enter the following information and select OK:
Source
    Interface/Zone       VLAN_100
    Address Name         VLAN_100_Net
Destination
    Interface/Zone       external
    Address Name         all
Schedule                 Always
Service                  ANY
Action                   ACCEPT
NAT                      Select
Configure other fields as required.
8 Select Create New.
9 Enter the following information and select OK:
Source
    Interface/Zone       VLAN_200
    Address Name         VLAN_200_Net
Destination
    Interface/Zone       external
    Address Name         all
Schedule                 Always
Service                  ANY
Action                   ACCEPT
NAT                      Select
Configure other fields as required.
To add the firewall policies - CLI
config firewall policy
    edit 1
        set srcintf VLAN_100
        set dstintf VLAN_200
        set srcaddr VLAN_100_Net
        set dstaddr VLAN_200_Net
        set schedule always
        set service ANY
        set action accept
        set nat enable
        set status enable
    next
    edit 2
        set srcintf VLAN_200
        set dstintf VLAN_100
        set srcaddr VLAN_200_Net
        set dstaddr VLAN_100_Net
        set schedule always
        set service ANY
        set action accept
        set nat enable
        set status enable
    next
    edit 3
        set srcintf VLAN_100
        set dstintf external
        set srcaddr VLAN_100_Net
        set dstaddr all
        set schedule always
        set service ANY
        set action accept
        set nat enable
        set status enable
    next
    edit 4
        set srcintf VLAN_200
        set dstintf external
        set srcaddr VLAN_200_Net
        set dstaddr all
        set schedule always
        set service ANY
        set action accept
        set nat enable
        set status enable
end
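As an added example that is not part of this guide, the following Python script parses the config firewall address and config firewall policy CLI shown above into a small policy table and evaluates whether a session started on one interface would be accepted, which is a quick way to confirm that every direction a VLAN will use really has a policy of its own. The parser, the omission of policies 2 and 4, and the test flows are constructed for this example; the external host address is a documentation address, not one from the guide.

```python
"""Added example: parse the guide's firewall CLI and evaluate a flow against it.

Model, as this guide describes it: a packet entering on a source interface is
compared against the policies for its (source interface, destination interface)
pair in policy-ID order; the first enabled policy whose source and destination
addresses contain the packet decides. With no matching policy the FortiGate
unit drops the packet, which is why each direction needs its own policy.
"""
from ipaddress import IPv4Address, IPv4Network

# Constructed copy of the address CLI and of policies 1 and 3 from the simple
# example; policies 2 and 4 are left out on purpose to show what happens to a
# direction that has no policy of its own.
GUIDE_CONFIG = """\
config firewall address
    edit VLAN_100_Net
        set type ipmask
        set subnet 10.1.1.0 255.255.255.0
    next
    edit VLAN_200_Net
        set type ipmask
        set subnet 10.1.2.0 255.255.255.0
end
config firewall policy
    edit 1
        set srcintf VLAN_100
        set dstintf VLAN_200
        set srcaddr VLAN_100_Net
        set dstaddr VLAN_200_Net
        set schedule always
        set service ANY
        set action accept
        set nat enable
        set status enable
    next
    edit 3
        set srcintf VLAN_100
        set dstintf external
        set srcaddr VLAN_100_Net
        set dstaddr all
        set schedule always
        set service ANY
        set action accept
        set nat enable
        set status enable
end
"""


def parse_fortios(text):
    """Return (addresses, policies) from the address and policy config blocks.

    addresses: {name: IPv4Network}; the built-in 'all' address is pre-defined.
    policies:  list of {setting: value} dicts in the order they appear, with
               the policy ID stored under the key 'id'.
    """
    addresses = {"all": IPv4Network("0.0.0.0/0")}
    policies = []
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config firewall "):
            section = line.split()[2]            # 'address' or 'policy'
        elif line.startswith("edit "):
            entry = {"id": line[5:].strip()}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip()
        elif line in ("next", "end"):
            if entry is not None and section == "address":
                if entry.get("type") == "ipmask":   # only type used in the guide
                    ip, mask = entry["subnet"].split()
                    addresses[entry["id"]] = IPv4Network(f"{ip}/{mask}", strict=False)
            elif entry is not None and section == "policy":
                policies.append(entry)
            entry = None
            if line == "end":
                section = None
    return addresses, policies


def match_policy(addresses, policies, srcintf, src_ip, dstintf, dst_ip):
    """Return the first enabled policy matching a session initiated as given,
    or None when no policy matches (the FortiGate unit drops the packet)."""
    src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
    for p in policies:
        if p.get("status", "enable") != "enable":
            continue
        if (p["srcintf"], p["dstintf"]) != (srcintf, dstintf):
            continue
        if src in addresses[p["srcaddr"]] and dst in addresses[p["dstaddr"]]:
            return p
    return None


def is_allowed(addresses, policies, srcintf, src_ip, dstintf, dst_ip):
    """True only when a matching policy exists and its action is accept."""
    p = match_policy(addresses, policies, srcintf, src_ip, dstintf, dst_ip)
    return p is not None and p["action"] == "accept"
```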
Configuring the Cisco switch to support VLAN tags
On the Cisco Catalyst 2950 ethernet switch, you need to define VLANs 100 and
200 in the VLAN database and then add a configuration file to define the VLAN
subinterfaces and the 802.1Q trunk interface.
One method to configure a Cisco switch is to connect over a serial connection to
the console port and enter the commands at the CLI. Another method is to
designate one interface on the switch as the management interface and use a
web browser to connect to the switch's graphical interface. For details on
connecting and configuring your Cisco switch, refer to the installation and
configuration manuals for the switch.
The switch used in this example is a Cisco Catalyst 2950 switch. The commands
used are IOS commands. Refer to the switch manual for help with these
commands.
To configure the VLAN subinterfaces and the trunk interfaces
Add this file to the Cisco switch:
!
interface FastEthernet0/3
 switchport access vlan 100
!
interface FastEthernet0/9
 switchport access vlan 200
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
The switch has the following configuration:
Port 0/3       VLAN ID 100
Port 0/9       VLAN ID 200
Port 0/24      802.1Q trunk
Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default
gateways. The default gateway for VLAN 100 is the FortiGate VLAN 100 subinterface. The
default gateway for VLAN 200 is the FortiGate VLAN 200 subinterface.
Testing the configuration
Use diagnostic commands (tracert, ping) to test traffic routed through the
FortiGate unit and the Cisco switch. Testing includes:
Testing traffic from VLAN 100 to VLAN 200
Testing traffic from VLAN 100 to the external network
Testing traffic from VLAN 100 to VLAN 200
In this example, a route is traced between the two internal networks. The route
target is a host on VLAN 200.
From VLAN 100, access a command prompt and enter this command:
C:\>tracert 10.1.2.2
Tracing route to 10.1.2.2 over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms 10.1.1.1
2 <10 ms <10 ms <10 ms 10.1.2.2
Trace complete.
Figure 7: Example trace route from VLAN 100 to VLAN 200
[Figure 7 diagram: tracert from host 10.1.1.2 on the VLAN 100 network, through the switch, to the FortiGate-800 VLAN 100 subinterface 10.1.1.1 and out the VLAN 200 subinterface 10.1.2.1 to host 10.1.2.2 on the VLAN 200 network]
Testing traffic from VLAN 100 to the external network
In this example, a route is traced from an internal network to the external network.
The route target is the external network interface of the FortiGate-800 unit.
From VLAN 100, access a command prompt and enter this command:
C:\>tracert 172.16.21.2
Tracing route to 172.16.83.1 over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms 10.1.1.1
2 <10 ms <10 ms <10 ms 172.16.21.2
Trace complete.
Figure 8: Example trace route from VLAN 100 to the external network
[Figure 8 diagram: tracert from the VLAN 100 network, through the switch, to the FortiGate-800 VLAN 100 subinterface 10.1.1.1 and out the external interface (labelled 30.1.1.21 in the figure) to the Internet]
Example configuration NAT/Route mode (complex)
In this example, a FortiGate-800 unit operates in NAT/Route mode. Its network
interfaces are configured as follows:
The internal interface is configured with two VLAN subinterfaces: VLAN 10 for
the Local users network and VLAN 20 for the Finance network. The internal
interface connects to a Cisco 2950 switch using an 802.1Q trunk.
The external interface is configured with two VLAN subinterfaces: VLAN 30 for
the ATT ISP network and VLAN 40 for the XO ISP network. The external
interface connects to a second Cisco 2950 switch using an 802.1Q trunk.
The FortiGate-800 is configured with firewall policies that control the flow of traffic
between networks. The Finance network is the most secure network. It allows
outbound traffic to all other networks, but it does not allow inbound traffic. The
Local users network allows outbound traffic to the external networks (ATT ISP and
XO ISP), inbound traffic from the Finance network and a single inbound
connection from a VPN client on the ATT ISP network.
This section describes how to configure a FortiGate-800 unit and two 802.1Q-
compliant switches for the example network topology shown in Figure 9.
Figure 9: Example VLAN topology (FortiGate unit in NAT/Route mode)
[Figure 9 diagram: internal Cisco 2950 switch with the Local users network 192.168.10.0 (VLAN 10) and the Finance network 192.168.20.0 (VLAN 20) on Fa 0/9 and Fa 0/3, and an 802.1Q trunk from Fa 0/24 to the FortiGate-800 internal interface (VLAN 10, VLAN 20); the FortiGate-800 external interface (VLAN 30, VLAN 40) connects over an 802.1Q trunk to Fa 0/24 of the external Cisco 2950 switch, whose Fa 0/3 and Fa 0/9 carry the ATT ISP (VLAN 30) and XO ISP (VLAN 40) links to the Internet and a VPN client]
General configuration steps
The following steps break down the NAT/Route mode complex configuration
example into smaller sections, each with a number of smaller procedures.
1 Configuring the FortiGate-800 unit
2 Configuring the FortiGate-800 IPSec VPN tunnel and encrypt policy
3 Configuring the VPN client
4 Configuring the internal Cisco switch
5 Configuring the external Cisco switch
6 Testing the configuration
Configuring the FortiGate-800 unit
Start the web-based manager or use the CLI to configure the FortiGate-800 unit.
Configuring the FortiGate unit includes:
Adding the VLAN subinterfaces Local-LAN, Finance, ATT-ISP and XO-ISP
Adding a default route
Adding the firewall addresses
Adding the firewall policies
Adding the VLAN subinterfaces
Select either the web-based manager or the CLI to add VLAN subinterfaces.
To add the VLAN subinterfaces - web-based manager
1 If VDOMs are enabled and you are not in the root VDOM, select << Global.
2 Go to System > Network > Interface.
3 Select Create New.
4 Enter the following information for the Local users network and select OK:
Name                     Local-LAN
Interface                internal
VLAN ID                  10
Addressing mode          Manual
IP/Netmask               192.168.10.1/255.255.255.0
Administrative Access    HTTPS, PING, TELNET
5 Select Create New.
6 Enter the following information for the Finance network and select OK:
Name                     Finance
Interface                internal
VLAN ID                  20
Addressing mode          Manual
IP/Netmask               192.168.20.1/255.255.255.0
Administrative Access    HTTPS, PING, TELNET
7 Select Create New.
8 Enter the following information for the ATT ISP network and select OK:
Name                     ATT-ISP
Interface                external
VLAN ID                  30
Addressing mode          Manual
IP/Netmask               30.1.1.1/255.255.255.0
Administrative Access    HTTPS, PING, TELNET
9 Select Create New.
10 Enter the following information for the XO ISP network and select OK:
Name                     XO-ISP
Interface                external
VLAN ID                  40
Addressing mode          Manual
IP/Netmask               40.1.1.1/255.255.255.0
Administrative Access    HTTPS, PING, TELNET
Figure 10: VLAN subinterfaces
FortiGate VLANs and VDOMs Version 3.0 User Guide
38 01-30004-0091-20070308
Example configuration NAT/Route mode (complex) Using VLANs in NAT/Route mode
To add the VLAN subinterfaces - CLI
config system interface
edit Local-LAN
set interface internal
set vlanid 10
set mode static
set ip 192.168.10.1 255.255.255.0
set allowaccess https ping telnet
next
edit Finance
set interface internal
set vlanid 20
set mode static
set ip 192.168.20.1 255.255.255.0
set allowaccess https ping telnet
next
edit ATT-ISP
set interface external
set vlanid 30
set mode static
set ip 30.1.1.1 255.255.255.0
set allowaccess https ping telnet
next
edit XO-ISP
set interface external
set vlanid 40
set mode static
set ip 40.1.1.1 255.255.255.0
set allowaccess https ping telnet
end
Adding a default route
Default routes need to be added for both ISP connections. The two routes are
given different distance values: the route with the lower distance (ATT-ISP,
distance 10) is preferred, so traffic uses ATT-ISP by default, and the XO-ISP
route (distance 20) is used only when the ATT-ISP route is unavailable.
Select either the web-based manager or the CLI to add a default route.
To add a default route - web-based manager
1 Go to Router > Static > Static Route.
2 Select Create New to add a new route.
3 Enter the following information to add a default route to ATT-ISP for network traffic
leaving the external interface and select OK:
Destination IP/Mask 0.0.0.0/0.0.0.0
Gateway 30.1.1.2
Device ATT-ISP
Distance 10
4 Enter the following information to add a secondary default route to XO-ISP for
network traffic leaving the external interface and select OK:
Destination IP/Mask 0.0.0.0/0.0.0.0
Gateway 40.1.1.2
Device XO-ISP
Distance 20
Note: If you want both ISPs to be used interchangeably, that is, for load balancing by
session, three things have to be in place: their distances have to be equal, their priorities
have to be equal and load balancing must be turned on. This configuration is an equal cost
For more information on these settings, see the FortiGate CLI Reference.
To add a default route - CLI
config router static
edit 1
set device ATT-ISP
set gateway 30.1.1.2
set distance 10
next
edit 2
set device XO-ISP
set gateway 40.1.1.2
set distance 20
end
Adding the firewall addresses
Before you can configure firewall policies to control inter-VLAN and VLAN-internet
traffic, you need to assign firewall addresses. These define the subnets to which the
firewall policies are applied.
Select either the web-based manager or the CLI to add the firewall addresses.
To add the firewall addresses - web-based manager
1 Go to Firewall > Address.
2 Select Create New.
3 Enter the following information and select OK:
Address Name Local_users
Type Subnet/IP Range
IP Range/Subnet 192.168.10.0/255.255.255.0
4 Select Create New.
5 Enter the following information and select OK:
Address Name Finance_users
Type Subnet/IP Range
IP Range/Subnet 192.168.20.0/255.255.255.0
Figure 11: firewall addresses
To add the firewall addresses - CLI
config firewall address
edit Local_users
set type ipmask
set subnet 192.168.10.0 255.255.255.0
next
edit Finance_users
set type ipmask
set subnet 192.168.20.0 255.255.255.0
end
Adding the firewall policies
Firewall policies allow VLAN traffic to move to other VLANs and the internet.
Select either the web-based manager or the CLI to add the firewall policies.
To add the firewall policies - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:
Source
Interface/Zone Finance
Address Name Finance_users
Destination
Interface/Zone ATT-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
4 Go to Firewall > Policy.
5 Select Create New.
6 Enter the following information and select OK:
Source
Interface/Zone Finance
Address Name Finance_users
Destination
Interface/Zone XO-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
7 Go to Firewall > Policy.
8 Select Create New.
9 Enter the following information and select OK:
Source
Interface/Zone Finance
Address Name Finance_users
Destination
Interface/Zone Local-LAN
Address Name Local_users
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
10 Go to Firewall > Policy.
11 Select Create New.
12 Enter the following information and select OK:
Source
Interface/Zone Local-LAN
Address Name Local_users
Destination
Interface/Zone ATT-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
13 Go to Firewall > Policy.
14 Select Create New.
15 Enter the following information and select OK:
Source
Interface/Zone Local-LAN
Address Name Local_users
Destination
Interface/Zone XO-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
The list of firewall policies now contains these five policies.
To add the firewall policies - CLI
config firewall policy
edit 1
set srcintf Finance
set dstintf ATT-ISP
set srcaddr Finance_users
set dstaddr all
set schedule always
set service ANY
set action accept
set nat enable
set status enable
next
edit 2
set srcintf Finance
set dstintf XO-ISP
set srcaddr Finance_users
set dstaddr all
set schedule always
set service ANY
set action accept
set nat enable
set status enable
next
edit 3
set srcintf Finance
set dstintf Local-LAN
set srcaddr Finance_users
set dstaddr Local_users
set schedule always
set service ANY
set action accept
set nat enable
set status enable
next
edit 4
set srcintf Local-LAN
set dstintf ATT-ISP
set srcaddr Local_users
set dstaddr all
set schedule always
set service ANY
set action accept
set nat enable
set status enable
next
edit 5
set srcintf Local-LAN
set dstintf XO-ISP
set srcaddr Local_users
set dstaddr all
set schedule always
set service ANY
set action accept
set nat enable
set status enable
end
Configuring the FortiGate-800 IPSec VPN tunnel and encrypt policy
In this example, one user is allowed to connect to the Local user network through
a VPN tunnel from an external dial-up connection. To enable this, you need to do
the following:
Configure the VPN gateway.
Configure the VPN tunnel.
Define the IP address for the VPN user on the Local users network.
Add the encrypt firewall policy to enable the connection.
Configuring the VPN gateway
VPN IPSec tunnels are typically a two phase process. The VPN gateway is the
first phase.
Select either the web-based manager or the CLI to configure the VPN gateway.
To configure the VPN gateway - web-based manager
1 Go to VPN > IPSEC Tunnel > Auto Key.
2 Select Create Phase 1 and then select Advanced.
3 Enter the following information, then select OK:
Name Dialup_tunnel
Remote Gateway Dialup User
Local Interface ATT-ISP
Mode Aggressive
Authentication Method Preshared key
Pre-shared key The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters. The client must use the same pre-shared key.
Advanced Select Advanced to configure the following options. The values shown here are the defaults and should not need to be changed.
P1 Proposal 1-Encryption 3DES, Authentication SHA1
2-Encryption 3DES, Authentication MD5
DH Group 5
Keylife 28800 (seconds)
Configure other fields as required.
To configure the VPN gateway - CLI
config vpn ipsec phase1
edit Dialup_tunnel
set type dynamic
set mode aggressive
set authmethod psk
set psksecret <pre-shared key>
set proposal 3des-sha1 3des-md5
set dhgrp 5
set keylife 28800
end
Configuring the VPN tunnel
With the VPN gateway configured, the VPN tunnel can be configured. The VPN
tunnel is Phase 2.
Select either the web-based manager or the CLI to configure the VPN tunnel.
To configure the VPN tunnel - web-based manager
1 Go to VPN > IPSEC > Phase 2.
2 Select Create New and then select Advanced.
3 Enter the following information, then select OK:
Name Dialup-client
Phase 1 Dialup_tunnel
Advanced Select Advanced to configure the following options.
P2 Proposal 1-Encryption 3DES, Authentication SHA1
2-Encryption 3DES, Authentication MD5
Enable replay detection Select
Enable perfect forward secrecy Select
DH Group 5
Keylife 1800 seconds
Autokey Keep Alive Select
DHCP-IPsec Clear
Quick Mode Selector
Source address
Source port
Destination address
Destination port
Protocol
Configure other fields as required.
To configure the VPN tunnel - CLI
config vpn ipsec phase2
edit Dialup-client
set phase1name Dialup_tunnel
set proposal 3des-sha1 3des-md5
set replay enable
set pfs enable
set dhgrp 5
set keylife_type seconds
set keylifeseconds 1800
set keepalive enable
end
Defining the VPN user IP address
The destination address used in the firewall policy determines the acceptable
source address range for the remote VPN user. To allow the user to use the VPN
from any host, the firewall policy could specify the all firewall address. This
example requires that the remote user can only use the ATT-ISP network.
To define the VPN user IP address - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New.
3 Enter the following information and select OK:
Address Name ATT-net
Type Subnet/IP Range
IP Range/Subnet 30.1.1.0/255.255.255.0
To define the VPN user IP address - CLI
config firewall address
edit ATT-net
set type ipmask
set subnet 30.1.1.0 255.255.255.0
end
Adding the encrypt policy
Select either the web-based manager or the CLI to add the encrypt policy.
To add the encrypt policy - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information, then select OK:
Source
Interface/Zone Local-LAN
Address Name Local_users
Destination
Interface/Zone ATT-ISP
Address Name ATT-net
Schedule Always
Service ANY
Action IPSEC
VPN Tunnel Dialup-client
Allow inbound Select
Allow outbound Clear
Inbound NAT Select
Outbound NAT Clear
Configure other fields as required.
4 Place the policy in the policy list above non-encrypt policies. If there is more than
one encrypt policy in the list, place the more specific ones above the more general
ones with similar source and destination addresses.
To add the encrypt policy - CLI
config firewall policy
edit 6
set srcintf Local-LAN
set dstintf ATT-ISP
set srcaddr Local_users
set dstaddr ATT-net
set schedule always
set service ANY
set action ipsec
set vpntunnel Dialup-client
set inbound enable
set outbound disable
set natinbound enable
set natoutbound disable
set status enable
end
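To show what the ordering rule in step 4 of the web-based procedure protects against, here is an added Python example (not from this guide or from Fortinet) that parses policies 1, 3, 4 and 6 as entered above in FortiOS CLI form, checks them against the traffic rules stated at the start of this example, and reports an encrypt policy that sits below a general accept policy for the same interfaces and addresses, where the VPN client's traffic would match the accept policy first and leave in cleartext. The address book is taken from the config firewall address blocks above; the 203.0.113.5 test host, the omission of policies 2 and 5, and the simplified top-down matching (interface pair plus source and destination address only) are assumptions.

```python
"""Added example (not Fortinet code): parse FortiOS firewall policy CLI text and
check this example's policy list for intent and for encrypt-policy ordering."""
import ipaddress

# Constructed from the CLI blocks in this section, in the order they were
# entered; policies 2 and 5 (the XO-ISP variants) are left out for brevity.
POLICY_CLI = """
config firewall policy
    edit 1
        set srcintf Finance
        set dstintf ATT-ISP
        set srcaddr Finance_users
        set dstaddr all
        set action accept
    next
    edit 3
        set srcintf Finance
        set dstintf Local-LAN
        set srcaddr Finance_users
        set dstaddr Local_users
        set action accept
    next
    edit 4
        set srcintf Local-LAN
        set dstintf ATT-ISP
        set srcaddr Local_users
        set dstaddr all
        set action accept
    next
    edit 6
        set srcintf Local-LAN
        set dstintf ATT-ISP
        set srcaddr Local_users
        set dstaddr ATT-net
        set action ipsec
        set vpntunnel Dialup-client
    next
end
"""

ADDRESSES = {
    "all": ipaddress.ip_network("0.0.0.0/0"),
    "Local_users": ipaddress.ip_network("192.168.10.0/24"),
    "Finance_users": ipaddress.ip_network("192.168.20.0/24"),
    "ATT-net": ipaddress.ip_network("30.1.1.0/24"),
}

# Intended flows from the description of this example (203.0.113.5 is a
# constructed Internet host): (srcintf, dstintf, src_ip, dst_ip, allowed).
INTENT = [
    ("Finance", "ATT-ISP", "192.168.20.10", "203.0.113.5", True),
    ("Finance", "Local-LAN", "192.168.20.10", "192.168.10.2", True),
    ("Local-LAN", "Finance", "192.168.10.2", "192.168.20.10", False),
    ("ATT-ISP", "Finance", "203.0.113.5", "192.168.20.10", False),
]

def parse_policies(cli_text):
    """Turn 'edit N / set key value / next' blocks into an ordered list of dicts."""
    policies, current = [], None
    for line in (raw.strip() for raw in cli_text.splitlines()):
        if line.startswith("edit "):
            current = {"id": int(line.split()[1])}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value
        elif line in ("next", "end") and current is not None:
            policies.append(current)
            current = None
    return policies

def first_match(policies, srcintf, dstintf, src_ip, dst_ip):
    """Top-down lookup; returns the first matching policy or None (implicit deny)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if ((p["srcintf"], p["dstintf"]) == (srcintf, dstintf)
                and src in ADDRESSES[p["srcaddr"]] and dst in ADDRESSES[p["dstaddr"]]):
            return p
    return None

def intent_violations(policies):
    """Intent rows whose outcome (accepted vs. implicitly denied) disagrees with the list."""
    return [(s, d) for s, d, sip, dip, allowed in INTENT
            if (first_match(policies, s, d, sip, dip) is not None) != allowed]

def shadowed_encrypt_policies(policies):
    """(accept_id, ipsec_id) pairs where an earlier accept policy covers the same
    interfaces and addresses as a later ipsec policy (VPN traffic leaves in cleartext)."""
    found = []
    for i, ipsec in enumerate(policies):
        for gen in policies[:i]:
            if (ipsec["action"] == "ipsec" and gen["action"] == "accept"
                    and (gen["srcintf"], gen["dstintf"]) == (ipsec["srcintf"], ipsec["dstintf"])
                    and ADDRESSES[ipsec["srcaddr"]].subnet_of(ADDRESSES[gen["srcaddr"]])
                    and ADDRESSES[ipsec["dstaddr"]].subnet_of(ADDRESSES[gen["dstaddr"]])):
                found.append((gen["id"], ipsec["id"]))
    return found

def encrypt_policies_first(policies):
    """Step 4 of the web-based procedure: move encrypt policies above the others."""
    return sorted(policies, key=lambda p: p["action"] != "ipsec")
```

As entered, shadowed_encrypt_policies reports (4, 6): a Local users host sending to 30.1.1.0/24 matches policy 4 and is NATed out unencrypted; after encrypt_policies_first the same packet matches policy 6.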
Configuring the VPN client
The Local users network allows a single inbound connection from a VPN client on
the ATT ISP network.
This example shows how to configure FortiClient for this purpose.
Creating a new VPN connection
1 Start FortiClient.
2 Go to VPN > Connections and select Add.
Figure 12: New VPN Connection
3 Type a name for the connection in the Connection Name field.
4 In the Remote Gateway IP address box, enter 30.1.1.1.
5 In the Remote Network address box, enter 192.168.10.0/255.255.255.0.
6 From the Authentication Method box select Preshared Key.
7 Type the pre-shared key in the Pre-Shared Key field.
Note: The pre-shared key must match the FortiGate authentication key.
8 Select Advanced.
Figure 13: Advanced Settings
9 Select Acquire virtual IP address and then select Config.
The Virtual IP Acquisition dialog box opens.
10 Select Manually Set.
11 Enter the following information and select OK.
IP 30.1.1.0
Subnet mask 255.255.255.0
12 Select OK and then select OK again to complete configuration of the VPN
connection.
Configuring the internal Cisco switch
On the Cisco Catalyst 2950 ethernet switch connected to the internal interface,
you need to define VLANs 10 and 20 in the VLAN database and then add a
configuration file to define the VLAN subinterfaces and the 802.1Q trunk interface.
This example uses Cisco IOS commands.
Configuring the VLAN subinterfaces and the trunk interfaces
Add this file to the Cisco switch connected to the internal interface:
!
interface FastEthernet0/3
switchport access vlan 10
!
interface FastEthernet0/9
switchport access vlan 20
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
The switch has the following configuration:
Port 0/3 VLAN ID 10
Port 0/9 VLAN ID 20
Port 0/24 802.1Q trunk
Note: To complete the setup, configure devices on VLAN 10 and VLAN 20 with default
gateways. The default gateway for VLAN 10 is the FortiGate VLAN 10 subinterface. The
default gateway for VLAN 20 is the FortiGate VLAN 20 subinterface.
Configuring the external Cisco switch
On the Cisco Catalyst 2900 ethernet switch connected to the external interface,
you need to define VLANs 30 and 40 in the VLAN database and then add a
configuration file to define the VLAN subinterfaces and the 802.1Q trunk interface.
This example uses Cisco IOS commands.
Configuring the VLAN subinterfaces and the trunk interfaces
Add this file to the Cisco switch connected to the external interface:
!
interface FastEthernet0/3
switchport access vlan 30
!
interface FastEthernet0/9
switchport access vlan 40
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
The switch has the following configuration:
Port 0/3 VLAN ID 30
Port 0/9 VLAN ID 40
Port 0/24 802.1Q trunk
Note: To complete the setup, configure devices on VLAN 30 and VLAN 40 with default
gateways. The default gateway for VLAN 30 is the FortiGate VLAN 30 subinterface. The
default gateway for VLAN 40 is the FortiGate VLAN 40 subinterface.
Testing the configuration
Use diagnostic commands (tracert, ping) to test traffic routed through the
FortiGate unit and the Cisco switch.
The traffic route tests include:
testing traffic from VLAN 20 to VLAN 10
testing traffic from VLAN 10 to the external network
Testing traffic from VLAN 20 to VLAN 10
In this example, a route is traced between the two internal networks. The route
target is a host on the Local users network (VLAN 10).
From the Finance network, access a command prompt and enter this command:
C:\>tracert 192.168.10.2
Tracing route to 192.168.10.2 over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms 192.168.20.1
2 <10 ms <10 ms <10 ms 192.168.10.2
Trace complete.
Figure 14: Example trace route from VLAN 20 to VLAN 10
[Figure: tracert from the Finance network (VLAN 20) through the switch to the FortiGate-800 VLAN 20 subinterface (192.168.20.1), then out the VLAN 10 subinterface (192.168.10.1) to the host 192.168.10.2 on the Local users network.]
Testing traffic from VLAN 10 to the external network
In this example, a route is traced from VLAN 10 on an internal network to the
external network. The route target is the external network interface of the
FortiGate-800 unit.
From the Local users network (VLAN 10), access a command prompt and enter
this command:
C:\>tracert 172.16.21.2
Tracing route to 172.16.21.2 over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms 192.168.10.1
2 <10 ms <10 ms <10 ms 172.16.21.2
Trace complete.
Figure 15: Example trace route from VLAN 10 to the external network
[Figure: tracert from the Local users network (VLAN 10) through the switch to the FortiGate-800 VLAN 10 subinterface (192.168.10.1) and out the external interface (172.16.21.1) towards the Internet.]
Using VDOMs in NAT/Route mode
Overview
Virtual Domains (VDOMs) split your FortiGate unit into multiple separate units so
that it can serve multiple organizations. Each VDOM has separate routing and
firewall policies. Each interface, physical or virtual, belongs exclusively to one
virtual domain. This simplifies administration because you can see only the
interfaces, routing tables and firewall policies for the VDOM you are configuring.
This chapter contains the following sections:
Getting started with VDOMs
Configuring virtual domains
Example VDOM configuration in NAT/Route mode (simple)
Example VDOM configuration in NAT/Route mode (complex)
Getting started with VDOMs
To configure your FortiGate unit for operation with multiple virtual domains, you
will be:
Enabling virtual domain configuration
Creating virtual domains
Creating administrators for virtual domains
Accessing virtual domains to configure them
Enabling virtual domain configuration
Using the default admin administration account, you can enable multiple VDOM
operation on the FortiGate unit.
To enable virtual domain configuration
1 Log in to the web-based manager as admin.
2 Go to System > Status.
3 Under System Information, select Enable under Virtual Domain.
4 Confirm your selection when prompted.
The FortiGate unit logs off your session. You can now log in again as admin.
When Virtual Domain Configuration is enabled, the web-based manager and the
CLI are changed as follows:
Global and per-VDOM configurations are separated.
Only the admin account can view or configure global options.
The admin account can configure all VDOM configurations.
Regular administrators can configure only the VDOM to which they are
assigned.
By default, there is no password for admin. To improve security, you should set a
password. Optionally, you can also rename the admin account. For more
information on this see the user sections of FortiGate Administration Guide.
Creating virtual domains
Only the admin administrator account can create VDOMs. By default, the
FortiGate unit has one fixed virtual domain named root, which you cannot delete
or rename. You can create additional VDOMs and name them as you like.
To create virtual domains
1 Log in as admin.
2 Select System > VDOM.
3 Select Create New.
4 Enter the name for your new virtual domain and select OK. The name must not exceed
11 characters, and cannot contain spaces.
You can verify the new VDOM was created by refreshing the VDOM screen and
confirming it is in the list of virtual domains. You can repeat Steps 3 and 4 for each
VDOM that you want to create.
By default, your FortiGate unit supports a maximum of 10 VDOMs in any
combination of NAT/Route and Transparent modes. For FortiGate models
numbered 3000 and higher, you can purchase a license key to increase the
maximum number to 25, 50, 100 or 250 VDOMs.
To obtain a VDOM license key
1 Record your FortiGate unit serial number. You can find the serial number in the
web-based manager on the System > Status page under System Information.
2 Send the serial number to Fortinet customer support and request a license key for
25, 50, 100 or 250 VDOMs.
3 When you receive your license key, in the web-based manager, go to System >
Status under License and select License next to VDOMs Allowed.
4 In the License Key field, enter the 32-character license key you received from
Fortinet.
5 Select Apply.
You can verify the new VDOM license by going to System Status under Global
Configuration. There under License Information, Virtual Domains shows the new
maximum number of VDOMs allowed.
Creating administrators for virtual domains
Only the admin administrator account can create regular administrator accounts
and assign each of them to a VDOM.
To create administrators for virtual domains
1 Log in as admin.
2 Go to System > Admin > Administrators.
3 Select Create New.
The New Administrator dialog box opens.
4 From the Virtual Domain list, select the VDOM that this administrator will control.
5 Configure the remaining settings of the administrator account. See the System
Admin chapter of the FortiGate Administration Guide for detailed information.
6 Select OK.
The newly-created administrator can access the FortiGate unit only through a
network interface that belongs to the assigned VDOM or through the Console
interface. The network interface must be configured to allow management access,
such as HTTPS and SSH.
Accessing virtual domains to configure them
Only the admin administrator account can access all of the virtual domains on the
FortiGate unit. A regular administrator account can access and configure only its
own VDOM and must connect to an interface in that VDOM.
Management systems such as SNMP, logging, alert email, updates using the FDN
and setting system time using NTP all use addresses and routing in the root
virtual domain to communicate with the network. They can only connect to
network resources that can communicate with the root virtual domain.
To access a virtual domain as admin
1 Log in as admin.
2 Select System > VDOM.
From here you can select a specific VDOM to configure.
Figure 16: List of virtual domains
3 Select the name of the virtual domain that you want to configure and select
Switch.
The System Network page for that virtual domain opens.
The bottom of the left menu displays the currently selected virtual domain name,
unless only the root domain exists.
4 When you are finished configuring the VDOM, you can
Select << Global to return to the Virtual Domain Configuration page.
Log out.
To access a virtual domain as a regular administrator
1 Connect to a FortiGate unit interface that belongs to the VDOM that you want to
configure.
To configure the root VDOM using the CLI, you can also connect to the Console
connector.
2 Log in using an administrator account that belongs to the VDOM.
The main web-based manager page opens. From here you can access VDOM-
specific settings.
Configuring virtual domains
To configure VDOMs on your FortiGate unit, you may be:
Changing the management VDOM
Adding interfaces and VLAN subinterfaces to a virtual domain
Configuring routing for a virtual domain
Configuring firewall policies for a virtual domain
Configuring VPNs for a virtual domain
Changing the management VDOM
By default the management VDOM is the root domain. When other VDOMs are
configured on your FortiGate unit, management traffic can be moved to them.
Management traffic is generally any traffic that originates from the FortiGate unit.
This includes:
DNS lookups
logging to FortiAnalyzer, syslog or webtrend
FortiGuard service
sending alert emails
network time protocol traffic (ntpd)
sending SNMP traps
quarantining suspicious files and email
Before you change the management VDOM, ensure that virtual domain
configuration is selected. To be able to connect to remote services such as NTP
and FortiGuard services, the management domain requires an interface
connected to the Internet.
Note: You cannot change the management VDOM if any administrators are using RADIUS
authentication.
To change the management VDOM from the web based manager
These steps will change the management VDOM from root to a virtual domain
named mgmt_vdom.
1 Select System > VDOM.
2 Select mgmt_vdom - the VDOM that will be the new management VDOM.
3 Select Management to apply the change.
To change the management VDOM from the CLI
config global
config system global
set management-vdom mgmt_vdom
end
end
Management traffic will now originate from the new management VDOM
mgmt_vdom.
Adding interfaces and VLAN subinterfaces to a virtual domain
A virtual domain must contain at least two interfaces. These can be physical
interfaces or VLAN interfaces. By default all physical interfaces are in the root
virtual domain and when you create a new VLAN, the default virtual domain is
root.
To add a VLAN subinterface to a virtual domain
1 If you are not in the root virtual domain, select << Global.
2 Go to System > Network > Interface.
3 Select Create New to add a VLAN subinterface.
4 Enter a Name to identify the VLAN subinterface.
5 Select the physical interface that receives the VLAN packets intended for this
VLAN subinterface. The interface can be on a different VDOM from the VLAN.
6 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
VLAN subinterface.
7 Select the virtual domain to add this VLAN subinterface to.
8 Configure the VLAN subinterface settings as you would for any FortiGate unit
interface.
9 Select OK to save your changes.
You will see the new VLAN subinterface added to the interface that you selected in
step 5. It appears under a + icon that, when selected, expands to show all
subinterfaces on that interface.
To move an existing interface to another virtual domain
1 If you are not in the root virtual domain, select << Global.
2 Go to System > Network > Interface.
3 Select Edit for the physical interface you want to move.
4 From the Virtual Domain list, select the new VDOM of the interface.
5 Select OK.
The interface moves to the selected virtual domain. Firewall IP pools and virtual
IPs added for this interface are deleted. You should manually delete any routes
that include this interface.
To add a zone to a virtual domain
1 Go to System > VDOM.
2 Select the virtual domain to edit, and select Switch.
3 Go to System > Network > Zone.
4 Choose the virtual domain to add zones to.
5 Select Create new.
Configuring routing for a virtual domain
Routing is VDOM-specific. Each VDOM should have at least a default static route
configured. You can configure dynamic routing for each VDOM, with other VDOMs
as neighbors. For more information see the Dynamic Routing chapter of the
FortiOS Administration Guide.
To configure routing for a virtual domain
1 Log in as admin, and go to System > VDOM.
2 Select the VDOM to edit, and select Switch.
3 Go to System > Router.
4 Configure routing for the current virtual domain as required.
The routing you define applies only to network traffic entering interfaces belonging
to this virtual domain.
Configuring firewall policies for a virtual domain
Each VDOM must have its own firewall policies. This includes adding firewall
addresses and configuring firewall policies. For more information see the firewall
chapter of the FortiGate Administration Guide.
To add firewall addresses to a virtual domain
1 Log in as admin, and go to System > VDOM.
2 Select the VDOM to configure, and select Switch.
3 Go to Firewall > Address.
4 Add new firewall addresses, address ranges and address groups to the current
virtual domain.
To configure firewall policies for a virtual domain
1 Log in as admin, and go to System > VDOM.
2 Select the VDOM to configure, and select Switch.
3 Go to Firewall > Policy.
4 Select Create new to add firewall policies to the current virtual domain.
Your firewall policies can involve only the interfaces, zones and firewall addresses
that are in the current virtual domain. The firewall policies that you add are only
visible when you are viewing the current virtual domain. Network traffic accepted
by the interfaces and VLAN subinterfaces in this virtual domain is controlled by
the firewall policies in this virtual domain.
Configuring VPNs for a virtual domain
Configurations for IPSec Tunnel, IPSec Interface, PPTP and SSL are VDOM-specific.
However, certificates are shared by all virtual domains. For more
information see the VPN chapter of the FortiGate Administration Guide.
To configure VPN for a virtual domain
1 Log in as admin, and go to System > VDOM.
2 Select the VDOM to configure, and select Switch.
3 Go to VPN.
4 Configure IPSec Tunnel, IPSec Interface, PPTP and SSL as required.
Example VDOM configuration in NAT/Route mode (simple)
Figure 17 shows a simplified NAT/Route mode VLAN configuration in which a
FortiGate unit provides Internet access with real time network protection for two
organizations. Inside the FortiGate unit, each organization has its own virtual
domain, enabling separate configuration of network protection profiles.
A Cisco 2950 VLAN switch combines the LANs of the two organizations into an
802.1Q trunk that connects to the Internal interface of the FortiGate-800 unit.
There are two VLAN subinterfaces on the Internal interface, VLAN 100 and VLAN
200.
The external and DMZ interfaces of the FortiGate unit connect to the Internet
through different ISPs, one for each organization. These interfaces are not
configured with VLAN subinterfaces.
FortiGate VLANs and VDOMs Version 3.0 User Guide
60 01-30004-0091-20070308
Example VDOM configuration in NAT/Route mode (simple) Using VDOMs in NAT/Route mode
Figure 17: FortiGate unit in Nat/Route mode
When the switch receives packets from VLAN 100 and VLAN 200, it applies the
proper VLAN ID tags and forwards the packets across the trunk link to the
FortiGate unit. The FortiGate unit is a layer-3 device - it has policies that allow
traffic to flow from VLAN 100 to the external network and from VLAN 200 to the
DMZ network.
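The following Python script is an added example (not from the Fortinet guide) that makes the tagging concrete: it builds an 802.1Q-tagged Ethernet frame the way the switch does on the trunk port, parses the tag back out, and decides which VLAN subinterface, and therefore which VDOM, a frame arriving on the Internal interface is delivered to. The VLAN-to-VDOM table mirrors the example; the MAC addresses and payload are constructed, and two behaviours are assumptions rather than statements of this page: an untagged frame belongs to the physical internal interface, which the example leaves in the root VDOM, and a tagged frame whose VLAN ID matches no subinterface is not delivered to any VDOM.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800

# VLAN ID -> (subinterface, VDOM), as configured in the example above.
VLAN_SUBINTERFACES = {100: ("VLAN_100", "ABCdomain"), 200: ("VLAN_200", "DEFdomain")}
# Assumption: untagged frames belong to the physical interface, left in the root VDOM.
PHYSICAL_INTERFACE = ("internal", "root")


def tag_frame(dst_mac: bytes, src_mac: bytes, vlan_id: int,
              ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as the switch does on a trunk port."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)      # priority (3 bits), DEI=0, VLAN ID (12 bits)
    return (dst_mac + src_mac
            + struct.pack("!HH", ETHERTYPE_8021Q, tci)
            + struct.pack("!H", ethertype) + payload)


def parse_frame(frame: bytes):
    """Return (vlan_id or None, ethertype, payload); vlan_id is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]      # only the outer tag selects the subinterface


def receiving_interface(frame: bytes):
    """Which FortiGate interface and VDOM a frame arriving on 'internal' is delivered to.

    Returns None for a tagged frame whose VLAN ID has no subinterface
    (assumption: such frames are not delivered to any VDOM)."""
    vlan_id, _, _ = parse_frame(frame)
    if vlan_id is None:
        return PHYSICAL_INTERFACE
    return VLAN_SUBINTERFACES.get(vlan_id)


if __name__ == "__main__":
    # Constructed sample: a broadcast from the ABC Inc. LAN (MAC addresses invented).
    abc = tag_frame(b"\xff" * 6, bytes.fromhex("0011223344aa"), 100, ETHERTYPE_IPV4,
                    b"\x45" + b"\x00" * 19)
    print(parse_frame(abc)[0], receiving_interface(abc))      # 100 ('VLAN_100', 'ABCdomain')
```

The switch, not the host, decides the VLAN ID: a host on port Fa 0/3 cannot choose to be tagged 200, because the access port strips whatever tag it sends and the switch applies VLAN 100 on the trunk. The FortiGate then trusts the tag on its Internal interface, which is why the trunk port configuration on the switch is part of the security boundary between the two VDOMs.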
This section describes how to configure a FortiGate-800 unit and a Cisco 2950
switch for this example network topology.
General configuration steps
While this example is not complex, it is not trivial either. The following steps
give a brief overview; the sections that follow describe each step in detail.
To configure the FortiGate-800 unit and the Cisco switch:
1 Create virtual domains.
2 Configure the FortiGate-800 external and DMZ interfaces.
[Figure 17 shows the topology: ABC Inc. (10.1.1.0) on VLAN 100 at switch port Fa 0/3 and
DEF Inc. (10.1.2.0) on VLAN 200 at Fa 0/9, with addresses 10.1.1.2 and 10.1.2.2 shown on the
two LANs; Fa 0/24 carries both VLANs over an 802.1Q trunk to the FortiGate Internal interface,
which has VLAN 100 and VLAN 200 subinterfaces; the External interface (30.1.1.21) reaches the
Internet through ISP1 (gateway 30.1.1.2) and the DMZ interface (40.1.1.32) through ISP2
(gateway 40.1.1.2).]
3 Configure each virtual domain on the FortiGate-800 unit:
Add a VLAN subinterface to the Internal network interface.
Add Firewall addresses and address ranges for the internal and external
networks.
Add a firewall policy to allow the VLAN to access the external network.
Configure the default route to the ISP.
4 Configure the Cisco switch to support VLAN tags.
5 Test the implementation.
Creating the virtual domains
In this example, two new virtual domains are created: ABCdomain for company
ABC and DEFdomain for company DEF. You can create them either with the web-
based manager or through the CLI.
To create the virtual domains - web-based manager
1 Log in as admin.
2 Go to System > VDOM, and select Create New.
3 Enter ABCdomain and select OK.
4 Select Create New.
5 Enter DEFdomain and select OK.
To create the virtual domains - CLI
config vdom
edit ABCdomain
next
edit DEFdomain
end
Configuring the FortiGate-800 external and DMZ interfaces
Start the FortiGate web-based manager to configure the FortiGate-800 unit.
Select Global Configuration. This section configures the interfaces for each
company and their connections to the Internet.
Configuring the external interface
Now you will configure the external interface using either the web-based manager,
or through the CLI.
To configure the external interface - web-based manager
1 Log in as admin.
2 Go to System > Network > Interface.
3 Select Edit on the external interface.
Note: If you cannot change the VDOM of a network interface, it is because something still
refers to that interface. Delete those references and the interface can be moved to a
different VDOM. A common reference to the external interface is the default static route.
4 Enter the following information for the external interface and select OK:
Virtual domain      ABCdomain
Addressing mode     Manual
IP/Netmask          30.1.1.21/255.255.255.0
Configure other fields as required.
To configure the external interface - CLI
config global
config system interface
edit external
set vdom ABCdomain
set mode static
set ip 30.1.1.21 255.255.255.0
end
end
Configuring the DMZ interface
Next, configure the DMZ interface either with the web-based manager or the CLI.
To configure the DMZ interface - web-based manager
1 Log in as admin.
2 Go to System > Network > Interface.
3 Select Edit on the dmz/ha interface.
4 Enter the following information for the DMZ interface and select OK:
Virtual domain      DEFdomain
Addressing mode     Manual
IP/Netmask          40.1.1.32/255.255.255.0
Configure other fields as required.
To configure the DMZ interface - CLI
config global
config system interface
edit dmz/ha
set vdom DEFdomain
set mode static
set ip 40.1.1.32 255.255.255.0
end
end
Configuring the ABCdomain VDOM
In this example, the ABCdomain VDOM is used for company ABC. You configure
it with a VLAN subinterface for VLAN_100 and a firewall policy to allow connection
to the External interface.
Adding the VLAN subinterface gives the VDOM a way to send and receive packets.
Interfaces are part of the global configuration.
Adding the firewall policy allows connections to the external interface and
limits unwanted traffic. A firewall policy belongs to one VDOM only.
Adding the VLAN subinterface
VLAN 100 is how ABC Inc. communicates with the outside world. Make sure that
administrative access protocols such as HTTPS are enabled on it; otherwise ABC Inc.
will not be able to manage their VDOM. The example below also enables TELNET, which
sends administrator credentials in cleartext; in production, allow SSH instead of TELNET.
To add the VLAN 100 subinterface
1 Log in as admin.
2 Go to System > Network > Interface.
3 Select Create New.
4 Enter the following information for VLAN_100 and select OK:
Name                   VLAN_100
Interface              internal
VLAN ID                100
Virtual Domain         ABCdomain
Addressing mode        Manual
IP/Netmask             10.1.1.1/255.255.255.0
Administrative Access  HTTPS, PING, TELNET
Configure other fields as required.
Figure 18: ABCdomain VDOM interfaces and subinterfaces
To add the VLAN_100 subinterface - CLI
config global
config system interface
edit VLAN_100
set interface internal
set vlanid 100
set vdom ABCdomain
set mode static
set ip 10.1.1.1 255.255.255.0
set allowaccess https ping telnet
end
end
Adding ABCdomain firewall addresses
You need to define the addresses of the VLAN subnets for use in firewall policies.
The FortiGate unit provides one default address, all, that you can use when a
firewall policy applies to all addresses as a source or destination of a packet.
To add ABCdomain firewall addresses - web-based manager
1 Log in as admin.
2 Go to System > VDOM.
3 Select ABCdomain, and select Switch.
4 Go to Firewall > Address.
5 Select Create New.
6 Enter the following information and select OK:
Address Name       VLAN_100_Net
Type               Subnet/IP Range
IP Range/Subnet    10.1.1.0/255.255.255.0
Interface          VLAN_100
Figure 19: ABCdomain VDOM firewall addresses
To add the ABCdomain VDOM firewall addresses - CLI
config vdom
edit ABCdomain
config firewall address
edit VLAN_100_Net
set type ipmask
set subnet 10.1.1.0 255.255.255.0
end
Adding the ABCdomain firewall policy
Next you will add the ABCdomain firewall policy using either the web-based
manager or the CLI.
To add the ABCdomain firewall policy - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:
Source
Interface/Zone      VLAN_100
Address Name        VLAN_100_Net
Destination
Interface/Zone      External
Address Name        all
Schedule            Always
Service             ANY
Action              ACCEPT
NAT                 Select
Configure other fields as required.
Figure 20: ABCdomain VDOM firewall policy
To add the firewall policy - CLI
config firewall policy
edit 1
set srcintf VLAN_100
set dstintf external
set srcaddr VLAN_100_Net
set dstaddr all
set schedule always
set service ANY
set action accept
set nat enable
set status enable
end
Adding a default route
You need to define a default route to direct packets to the ISP if their destination is
outside of the VLAN 100 subnet.
To add a default route - web-based manager
1 Go to Router > Static.
2 Select Create New to add a new route.
3 Enter the following information to add a default route to ISP1 for network traffic
leaving the external interface and select OK:
Destination IP/Mask   0.0.0.0/0.0.0.0
Device                external
Gateway               30.1.1.2
Distance              10
Figure 21: ABCdomain VDOM routing table
To add a default route - CLI
config router static
edit 1
set device external
set gateway 30.1.1.2
end
Configuring the DEFdomain VDOM
In this example, the DEFdomain VDOM is used for company DEF. You configure it
with a VLAN subinterface for VLAN_200 and a firewall policy to allow connection
to the DMZ interface, which is DEF's connection to ISP2. Interfaces are part of the
global configuration. Firewall policies apply to each VDOM.
Adding the VLAN_200 subinterface
VLAN_200 is how DEF Inc. communicates with the outside world. Make sure that
administrative access protocols are enabled on it. Otherwise DEF Inc. will not be
able to manage their VDOM.
To add the VLAN_200 subinterface - web-based manager
1 Log in as admin.
2 Go to System > Network > Interface.
3 Select Create New.
4 Enter the following information for VLAN_200 and select OK:
Name                   VLAN_200
Interface              internal
VLAN ID                200
Virtual Domain         DEFdomain
Addressing mode        Manual
IP/Netmask             10.1.2.1/255.255.255.0
Administrative Access  HTTPS, PING, TELNET
Configure other fields as required.
Figure 22: DEFdomain interfaces and subinterfaces
Note that in the above figure VLAN_100 has no delete icon. That is because of
the firewall policy that was added to it. Before being able to delete VLAN_100 you
will have to first delete that firewall policy.
To add VLAN 200 subinterface - CLI
config global
config system interface
edit VLAN_200
set interface internal
set vlanid 200
set vdom DEFdomain
set mode static
set ip 10.1.2.1 255.255.255.0
set allowaccess https ping telnet
end
end
Adding the DEFdomain firewall address
You need to define addresses for use in firewall policies. In this example, the
DEFdomain VDOM needs an address for the VLAN 200 subnet and the all
address.
To add the DEFdomain firewall address - web-based manager
1 Log in as admin.
2 Go to System > VDOM.
3 Select DEFdomain, and select Switch.
4 Go to Firewall > Address.
5 Select Create New.
6 Enter the following information and select OK:
Address Name       VLAN_200_Net
Type               Subnet/IP Range
IP Range/Subnet    10.1.2.0/255.255.255.0
Interface          VLAN_200
Figure 23: Firewall addresses for DEFdomain
To add the DEFdomain firewall address - CLI
config vdom
edit DEFdomain
config firewall address
edit VLAN_200_Net
set type ipmask
set subnet 10.1.2.0 255.255.255.0
end
Adding the DEFdomain firewall policy
The DEFdomain firewall policy in this example accepts all services from the VLAN 200
subnet out through the DMZ interface. It is deliberately permissive to keep the example
short; in production, limit Service to what DEF Inc. actually needs.
To add the DEFdomain firewall policy - web-based manager
1 Log in as admin.
2 Go to System > VDOM.
3 Select DEFdomain, and select Switch.
4 Go to Firewall > Policy.
5 Select Create New.
6 Enter the following information and select OK:
Source
Interface/Zone      VLAN_200
Address Name        VLAN_200_Net
Destination
Interface/Zone      dmz/ha
Address Name        all
Schedule            Always
Service             ANY
Action              ACCEPT
NAT                 Select
Configure other fields as required.
Figure 24: DEFdomain firewall policy
To add the DEFdomain firewall policy - CLI
config firewall policy
edit 1
set srcintf VLAN_200
set dstintf dmz/ha
set srcaddr VLAN_200_Net
set dstaddr all
set schedule always
set service ANY
set action accept
set nat enable
set status enable
end
Adding a default route
You need to define a default route to direct packets to the ISP if their destination is
outside of the VLAN 200 subnet.
To add a default route - web-based manager
1 Log in as admin.
2 Go to System > VDOM.
3 Select DEFdomain, and select Switch.
4 Go to Router > Static.
5 Select Create New to add a new route.
6 Enter the following information to add a default route to ISP2 for network traffic
leaving the DMZ interface and select OK:
Destination IP/Mask   0.0.0.0/0.0.0.0
Gateway               40.1.1.2
Device                dmz/ha
Distance              10
Figure 25: DEFdomain routing table
To add a default route - CLI
config router static
edit 1
set device dmz/ha
set gateway 40.1.1.2
end
Configuring the Cisco switch
On the Cisco Catalyst 2950 ethernet switch, you need to define VLANs 100 and
200 in the VLAN database and then add a configuration file to define the VLAN
access ports and the 802.1Q trunk interface.
Configuring the VLAN access ports and the trunk interface
Add this file to the Cisco switch:
!
interface FastEthernet0/3
switchport access vlan 100
!
interface FastEthernet0/9
switchport access vlan 200
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
The switch has the following configuration:
Port 0/3     VLAN ID 100
Port 0/9     VLAN ID 200
Port 0/24    802.1Q trunk
In production, also restrict the trunk port so that it carries only VLANs 100 and 200;
the FortiGate unit trusts the VLAN tag it receives on the Internal interface, so the
trunk configuration is part of the boundary between the two VDOMs.
Testing the configuration
Use diagnostic commands (tracert, ping) to test traffic routed through the
FortiGate unit and the Cisco switch.
Testing traffic from VLAN 100 to the external network
In this example, a route is traced from an internal network to the external network.
The route target is the external network interface of the FortiGate-800 unit.
From VLAN 100, access a command prompt and enter this command:
C:\>tracert 30.1.1.21
Tracing route to 30.1.1.21 over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms 10.1.1.1
2 <10 ms <10 ms <10 ms 30.1.1.21
Trace complete.
Figure 26: Example trace route from VLAN 100 to the external network
Testing traffic from VLAN 200 to the DMZ network
In this example, a route is traced from an internal network to the DMZ network.
The route target is the DMZ network interface of the FortiGate-800 unit.
From a computer on VLAN 200, access an MS Windows command prompt and
enter the following command.
C:\>tracert 40.1.1.32
Tracing route to 40.1.1.32 over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms 10.1.2.1
2 <10 ms <10 ms <10 ms 40.1.1.32
Trace complete.
Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default
gateways. The default gateway for VLAN 100 is the FortiGate unit VLAN 100 subinterface.
The default gateway for VLAN 200 is the FortiGate unit VLAN 200 subinterface.
[Figure 26 shows the tracert path: VLAN 100 network, switch, FortiGate-800 VLAN 100
subinterface 10.1.1.1, External interface 30.1.1.21, Internet.]
Figure 27: Example trace route from VLAN 200 to the DMZ network
[The figure shows the tracert path: VLAN 200 network, switch, FortiGate-800 VLAN 200
subinterface 10.1.2.1, DMZ interface 40.1.1.32, Internet.]
Example VDOM configuration in NAT/Route mode (complex)
In this example, a FortiGate-800 unit operates in NAT/Route mode, serving two
organizations. Two virtual domains are used. The ABCdomain domain serves a
school with student and instructor networks. The second domain, Commercial,
serves a business that has product development and sales networks. The internal
and external interfaces of the FortiGate unit are connected to Cisco switches
through 802.1Q trunks that carry the traffic for both virtual domains.
Figure 28 illustrates this network topology, with the Commercial domain network
connections in red. The remainder of this chapter describes how to configure a
FortiGate-800 unit and Cisco Catalyst 2950 ethernet switches for this topology.
The ABCdomain domain is configured as follows:
The internal interface is configured with two VLAN subinterfaces: VLAN 10 for
the students network and VLAN 20 for the instructors network.
The external interface is configured with a VLAN subinterface, VLAN 30, for
the ATT-ISP network.
Firewall policies allow both the instructors and students networks to access the
internet through the ATT-ISP network. For students there is a more strict
protection profile governing their online activities.
A firewall policy allows instructors access to the students network.
The Commercial domain is configured as follows:
The internal interface is configured with two VLAN subinterfaces: VLAN 80 for
the Sales network and VLAN 90 for the Development network.
The external interface is configured with two VLAN subinterfaces, VLAN 40
and VLAN 50, for access to the Internet via the redundant XO-ISP and XS-ISP
networks.
Firewall policies allow access to the Internet through the XO-ISP and XS-ISP
networks from both Sales and Development networks.
Firewall policies allow access from the Sales network to the Development
network and from the Development network to the Sales network.
You might have noticed that the Student network and the Development network
have the same network address ranges. This does not cause a problem because
the two address ranges reside in different virtual domains.
Figure 28: Example VLAN/VDOM topology (FortiGate unit in NAT/Route mode)
[The figure shows, on the internal Cisco 2900 switch, the Student network (192.168.10.0,
VLAN 10), the Instructors network (192.168.20.0, VLAN 20), the Sales network (192.168.15.0,
VLAN 80) and the Development network (192.168.10.0, VLAN 90) on ports Fa 0/3, Fa 0/4, Fa 0/9
and Fa 0/14, with Fa 0/24 as the 802.1Q trunk (VLANs 10, 20, 80, 90) to the FortiGate Internal
interface. On the external Cisco 2900 switch, Fa 0/24 is the 802.1Q trunk (VLANs 30, 40, 50)
from the FortiGate External interface, and ports Fa 0/3, Fa 0/9 and Fa 0/19 carry VLANs 30, 40
and 50 to the ATT ISP, XO ISP and XS ISP connections to the Internet.]
General configuration steps
This example has many parts that need to be configured. This is a brief overview
of the steps involved. These steps are covered in more detail in the following
sections. Note that the procedures are intended to follow one another, and for that
reason do not repeat the login and go to steps each time.
1 Create the Commercial domain.
2 Configure the ABCdomain domain:
Add the VLAN subinterfaces.
Configure a default route.
Add firewall addresses for the networks connected to the VLANs.
Add firewall policies to allow:
the instructors network to access the students network
the instructors network to access the external network
the students network to access the external network with a strict protection
profile
3 Configure the Commercial domain:
Add the VLAN subinterfaces.
Configure a default route and a secondary default route.
Add firewall addresses for the VLANs.
Add firewall policies to allow:
the development network to access the sales network
the sales network to access the development network
the sales network to access the external network
the development network to access the external network
4 Configure the Cisco switches.
5 Test the implementation.
Creating the virtual domains
In this example, two virtual domains are created: ABCdomain for the school and
Commercial for the business.
To create the virtual domains - web-based manager
1 Log in as admin.
2 Go to System > VDOM and select Create New.
3 Enter ABCdomain and select OK.
4 Select Create New.
5 Enter Commercial and select OK.
To create the virtual domains - CLI
config vdom
edit ABCdomain
next
edit Commercial
end
Configuring the ABCdomain VDOM
In this example, the ABCdomain VDOM is used to serve a school. You configure
two VLAN subinterfaces on the Internal interface and one on the External
interface. A firewall policy allows connections from the internal VLANs to the
VLAN on the External interface.
Selecting the ABCdomain virtual domain
Before you follow the rest of the procedures for configuring the ABCdomain
VDOM, you must ensure that the current domain is ABCdomain.
To select the ABCdomain virtual domain - web-based manager
1 Go to System > VDOM.
2 Select the ABCdomain VDOM, and select Switch.
To select the ABCdomain virtual domain - CLI
config vdom
edit ABCdomain
Adding the VLAN subinterfaces
In the ABCdomain VDOM, you need two VLAN subinterfaces on the internal
physical interface to receive the VLAN 10 and VLAN 20 packets from the students
and instructors networks. You need a VLAN subinterface on the external interface
to send packets to the ATT-ISP network on VLAN 30.
To add the VLAN subinterfaces - web-based manager
1 Select << Global if you are not in the root domain.
2 Go to System > Network > Interface.
3 Select Create New.
4 Enter the following information for the students network and select OK:
Name               students
Type               VLAN
Interface          internal
VLAN ID            10
Virtual Domain     ABCdomain
Addressing mode    Manual
IP/Netmask         192.168.10.1/255.255.255.0
Configure other fields as required.
5 Select Create New.
6 Enter the following information for the instructors network and select OK:
Name               instructors
Type               VLAN
Interface          internal
VLAN ID            20
Virtual Domain     ABCdomain
Addressing mode    Manual
IP/Netmask         192.168.20.1/255.255.255.0
Configure other fields as required.
7 Select Create New.
8 Enter the following information for the ATT ISP network and select OK:
Name               ATT-ISP
Type               VLAN
Interface          external
VLAN ID            30
Virtual Domain     ABCdomain
Addressing mode    Manual
IP/Netmask         30.1.1.1/255.255.255.0
Configure other fields as required.
Figure 29: VLAN subinterfaces for ABCdomain VDOM
To add the VLAN subinterfaces - CLI
config global
config system interface
edit students
set interface internal
set vlanid 10
set vdom ABCdomain
set mode static
set ip 192.168.10.1 255.255.255.0
next
edit instructors
set interface internal
set vlanid 20
set vdom ABCdomain
set mode static
set ip 192.168.20.1 255.255.255.0
next
edit ATT-ISP
set interface external
set vlanid 30
set vdom ABCdomain
set mode static
set ip 30.1.1.1 255.255.255.0
end
end
Adding a default route
You need to define a default route for packets with destinations that are not on the
FortiGate unit networks connected to the ABCdomain VDOM. The simplest way to
do this is to set the ISP gateway address as the route for all packets leaving the
VLAN subinterface that is connected to the ISP.
To add a default route - web-based manager
1 Go to System > VDOM.
2 Select ABCdomain, and select Switch.
3 Go to Router > Static.
4 Select Create New to add a new route.
5 Enter the following information to add a default route to ATT-ISP for network traffic
leaving the external interface from the ABCdomain domain and select OK:
Destination IP/Mask   0.0.0.0/0.0.0.0
Device                ATT-ISP
Gateway               30.1.1.2
Distance              10
To add a default route - CLI
config router static
edit 1
set device ATT-ISP
set gateway 30.1.1.2
next
end
Adding the firewall addresses
You need to define the addresses of the ABCdomain VDOM subnets for use in
firewall policies. The address all, which matches any source or destination address,
is provided by default in some VDOMs but not in others; if Firewall > Address does not
already list it in ABCdomain, create it as the CLI procedure below does.
To add firewall addresses - web-based manager
1 Go to Firewall > Address.
2 Select Create New.
3 Enter the following information and select OK:
Address Name       student_net
Type               Subnet/IP Range
IP Range/Subnet    192.168.10.0/255.255.255.0
Interface          Any
4 Select Create New.
5 Enter the following information and select OK:
Address Name       instructor_net
Type               Subnet/IP Range
IP Range/Subnet    192.168.20.0/255.255.255.0
Interface          Any
Figure 30: Firewall addresses for ABCdomain domain
To add firewall addresses - CLI
config firewall address
edit all
set subnet 0.0.0.0 0.0.0.0
next
edit student_net
set subnet 192.168.10.0 255.255.255.0
next
edit instructor_net
set subnet 192.168.20.0 255.255.255.0
end
Adding the firewall policies
Each internal network needs a policy to permit it to access the ATT-ISP network
for connection to the Internet. By choosing different protection profiles in each
policy, the two groups of users can be subject to different levels of web filtering,
web category filtering and content logging. For simplicity, this example uses the
pre-configured protection profiles strict and scan. You can modify these or
create custom protection profiles as needed.
To add firewall policies - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:
Source
Interface/Zone      students
Address Name        student_net
Destination
Interface/Zone      ATT-ISP
Address Name        all
Schedule            Always
Service             ANY
Action              ACCEPT
NAT                 Select
Protection profile  strict
Configure other fields as required.
4 Select Create New.
5 Enter the following information and select OK:
Source
Interface/Zone      instructors
Address Name        instructor_net
Destination
Interface/Zone      ATT-ISP
Address Name        all
Schedule            Always
Service             ANY
Action              ACCEPT
NAT                 Select
Protection profile  scan
Configure other fields as required.
6 Select Create New.
7 Enter the following information and select OK:
Source
Interface/Zone      instructors
Address Name        instructor_net
Destination
Interface/Zone      students
Address Name        student_net
Schedule            Always
Service             ANY
Action              ACCEPT
NAT                 Select
Configure other fields as required.
The list of firewall policies looks like this:
Figure 31: Firewall policies for ABCdomain VDOM
To add firewall policies - CLI
config firewall policy
edit 1
set srcintf students
set dstintf ATT-ISP
set srcaddr student_net
set dstaddr all
set action accept
set schedule always
set service ANY
set profile_status enable
set profile strict
set nat enable
next
edit 2
set srcintf instructors
set dstintf ATT-ISP
set srcaddr instructor_net
set dstaddr all
set action accept
set schedule always
set service ANY
set nat enable
next
edit 3
set srcintf instructors
set dstintf students
set srcaddr instructor_net
set dstaddr student_net
set action accept
set schedule always
set service ANY
set nat enable
next
end
Configuring the Commercial VDOM
The Commercial VDOM serves a company with development and sales networks.
The VLANs in the Commercial VDOM keep each department's traffic separate, so that
only computers on that VLAN receive it. The two ISP VLANs provide a primary and a
backup Internet connection; because the static routes below use different distances,
this is failover rather than load balancing.
Start the web-based manager to configure the FortiGate-800 unit.
Selecting the Commercial VDOM
Before you follow the rest of the procedure for configuring the Commercial
domain, you must ensure that the current domain is Commercial.
To select the Commercial VDOM - web-based manager
1 Select << Global if you are not in the root domain.
2 Go to System > VDOM.
3 Select the Commercial virtual domain, and select Switch.
To select the Commercial VDOM - CLI
config vdom
edit Commercial
Adding the VLAN subinterfaces
In the Commercial VDOM, you need two VLAN subinterfaces on the internal
physical interface to receive VLAN 80 and VLAN 90 packets from the Sales and
Development networks. You need two VLAN subinterfaces on the external
interface to send packets to the XO-ISP network on VLAN 40, and to send
packets to the XS-ISP network on VLAN 50.
To add the VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information for the Sales network and select OK:
Name               Sales
Type               VLAN
Interface          internal
VLAN ID            80
Virtual Domain     Commercial
Addressing mode    Manual
IP/Netmask         192.168.15.1/255.255.255.0
Configure other fields as required.
4 Select Create New.
5 Enter the following information for the Development network and select OK:
Name               Development
Type               VLAN
Interface          internal
VLAN ID            90
Virtual Domain     Commercial
Addressing mode    Manual
IP/Netmask         192.168.10.1/255.255.255.0
Configure other fields as required.
6 Select Create New.
7 Enter the following information for the XO ISP network and select OK:
Name               XO-ISP
Type               VLAN
Interface          external
VLAN ID            40
Virtual Domain     Commercial
Addressing mode    Manual
IP/Netmask         40.1.1.1/255.255.255.0
Configure other fields as required.
8 Select Create New.
9 Enter the following information for the XS ISP network and select OK:
Name               XS-ISP
Type               VLAN
Interface          external
VLAN ID            50
Virtual Domain     Commercial
Addressing mode    Manual
IP/Netmask         145.1.1.1/255.255.255.0
Configure other fields as required.
Figure 32: 4 VLAN subinterfaces for Commercial VDOM
To add the VLAN subinterfaces - CLI
config global
config system interface
edit Sales
set interface internal
set vlanid 80
set vdom Commercial
set mode static
set ip 192.168.15.1 255.255.255.0
next
edit Development
set interface internal
set vlanid 90
set vdom Commercial
set mode static
set ip 192.168.10.1 255.255.255.0
next
edit XO-ISP
set interface external
set vlanid 40
set vdom Commercial
set mode static
set ip 40.1.1.1 255.255.255.0
next
edit XS-ISP
set interface external
set vlanid 50
set vdom Commercial
set mode static
set ip 145.1.1.1 255.255.255.0
end
end
Adding a default route
You need to define a default static route for packets with destinations that are not
on the FortiGate units networks. The simplest way to do this is to set the ISP
gateway address as the route for all packets leaving the VLAN subinterface
connected to the ISP. As this example includes redundant ISPs, you also define a
route to the secondary ISP with a greater distance. The FortiGate unit will send
packets over this route only if the default route is not available. This is the
behavior we want - a main and a backup connection to the Internet.
You can configure dynamic routing if you want to, but that is beyond the scope of
this example. For this example we will configure static routing.
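Before the procedure, an added Python example (not from the Fortinet guide) of the route selection this relies on: it models the Commercial VDOM routing table with the two default routes configured below and shows that the distance-20 route is used only while the XO-ISP interface is down, and that a more specific connected route is preferred whatever its distance. The connected routes with distance 0 and the destination address 198.51.100.10 are constructed for the example.

```python
import ipaddress
from typing import NamedTuple


class StaticRoute(NamedTuple):
    dst: ipaddress.IPv4Network
    device: str             # outgoing interface
    gateway: str            # next hop; "0.0.0.0" for a directly connected network
    distance: int = 10      # FortiOS default administrative distance for static routes


def select_route(routes, dst_ip, down_devices=frozenset()):
    """Choose a route the way the routing table does: the most specific prefix wins, and
    among equal prefixes the lowest distance wins. A route whose interface is down is
    simply absent from the table, which is what lets the distance-20 route take over."""
    dst = ipaddress.ip_address(dst_ip)
    usable = [r for r in routes if r.device not in down_devices and dst in r.dst]
    if not usable:
        return None
    return min(usable, key=lambda r: (-r.dst.prefixlen, r.distance))


def commercial_routes():
    """Routing table of the Commercial VDOM: connected routes for its four VLAN
    subinterfaces (distance 0 is an assumption of this example) plus the primary and
    backup default routes from the procedure below."""
    net = ipaddress.ip_network
    return [
        StaticRoute(net("192.168.15.0/24"), "Sales", "0.0.0.0", 0),
        StaticRoute(net("192.168.10.0/24"), "Development", "0.0.0.0", 0),
        StaticRoute(net("40.1.1.0/24"), "XO-ISP", "0.0.0.0", 0),
        StaticRoute(net("145.1.1.0/24"), "XS-ISP", "0.0.0.0", 0),
        StaticRoute(net("0.0.0.0/0"), "XO-ISP", "40.1.1.2", 10),   # primary default route
        StaticRoute(net("0.0.0.0/0"), "XS-ISP", "145.1.1.2", 20),  # backup default route
    ]


def next_hop(dst_ip, down_devices=frozenset()):
    """(device, gateway) the Commercial VDOM would use for dst_ip, or None if unroutable."""
    route = select_route(commercial_routes(), dst_ip, down_devices)
    return None if route is None else (route.device, route.gateway)


if __name__ == "__main__":
    print(next_hop("198.51.100.10"))                   # ('XO-ISP', '40.1.1.2')
    print(next_hop("198.51.100.10", {"XO-ISP"}))       # ('XS-ISP', '145.1.1.2')
    print(next_hop("192.168.15.7", {"XO-ISP"}))        # ('Sales', '0.0.0.0')
```

The only failure the model honours is the interface going down, and that is also the only failure a plain static route reacts to. If the XO-ISP link stays up but the provider stops forwarding, the FortiGate unit keeps using the distance-10 route; the backup takes over in that case only if dead gateway detection is configured for the interface, which the procedure below does not do.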
To add a default route - web-based manager
1 Go to System > VDOM.
2 Select the Commercial virtual domain, and select Switch.
3 Go to Router > Static.
4 Select Create New to add a new route.
5 Enter the following information to add a default route to XO-ISP for network traffic
leaving the external interface from the Commercial domain and select OK:
Destination IP/Mask   0.0.0.0/0.0.0.0
Gateway               40.1.1.2
Device                XO-ISP
Distance              10
6 Select Create New to add a new route.
7 Enter the following information to add a secondary default route to XS-ISP for
network traffic leaving the external interface from the Commercial domain and
select OK:
Destination IP/Mask   0.0.0.0/0.0.0.0
Gateway               145.1.1.2
Device                XS-ISP
Distance              20
To add a default route - CLI
config router static
edit 1
set device XO-ISP
set gateway 40.1.1.2
set distance 10
next
edit 2
set device XS-ISP
set gateway 145.1.1.2
set distance 20
end
Adding the firewall addresses
You need to define the addresses of the Commercial VDOM subnets for use in
firewall policies. As in the ABCdomain VDOM, the address all matches any source or
destination address; create it in the Commercial VDOM if it is not already listed under
Firewall > Address.
To add the firewall addresses - web-based manager
1 Go to Firewall > Address.
2 Select Create New.
3 Enter the following information and select OK:
Address Name       all
Type               Subnet/IP Range
IP Range/Subnet    0.0.0.0/0.0.0.0
4 Select Create New.
5 Enter the following information and select OK:
Address Name development_net
Type Subnet/IP Range
IP Range/Subnet 192.168.10.0/255.255.255.0
6 Select Create New.
7 Enter the following information and select OK:
Address Name sales_net
Type Subnet/IP Range
IP Range/Subnet 192.168.15.0/255.255.255.0
Figure 33: Firewall addresses for Commercial domain
To add the firewall addresses - CLI
config firewall address
edit all
set subnet 0.0.0.0 0.0.0.0
next
edit development_net
set subnet 192.168.10.0 255.255.255.0
next
edit sales_net
set subnet 192.168.15.0 255.255.255.0
end
Adding the firewall policies
Firewall policies control which traffic is allowed in one direction between two specific
networks. For example, you might allow instant messaging programs within the
company for collaboration, but not allow them over the Internet because of potential
time wasting and resource limitations, while allowing all HTTP traffic in both
directions between all the networks. Because different kinds of traffic need different
treatment, it is common to have more than one firewall policy between the same
pair of networks.
In this example the FortiGate unit is the only control point between the ISP links and
the internal networks. Traffic arriving from the ISPs is accepted only where a policy
permits it: no policy is defined from XO-ISP or XS-ISP to an internal network, so
unsolicited inbound connections are dropped, while replies to sessions opened from
the inside are matched to the existing session. Traffic from the internal networks
must match a policy before it leaves on the external interface, so no separate
outbound filter is needed.
Each internal network needs a policy to permit it to access the XO-ISP and XS-
ISP networks for connection to the Internet. Also, each internal network needs a
policy to allow it to connect to the other internal network.
To add the firewall policies - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:
Source
Interface/Zone Sales
Address Name sales_net
Destination
Interface/Zone XO-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Protection profile scan
Configure other fields as required.
4 Select Create New.
5 Enter the following information and select OK:
Source
Interface/Zone Sales
Address Name sales_net
Destination
Interface/Zone XS-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Protection profile scan
Configure other fields as required.
6 Select Create New.
7 Enter the following information and select OK:
Source
Interface/Zone Development
Address Name development_net
Destination
Interface/Zone XO-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Protection profile scan
Configure other fields as required.
8 Select Create New.
9 Enter the following information and select OK:
Source
Interface/Zone Development
Address Name development_net
Destination
Interface/Zone XS-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Protection profile scan
Configure other fields as required.
10 Select Create New.
11 Enter the following information and select OK:
Source
Interface/Zone Sales
Address Name sales_net
Destination
Interface/Zone Development
Address Name development_net
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
12 Select Create New.
13 Enter the following information and select OK:
Source
Interface/Zone Development
Address Name development_net
Destination
Interface/Zone Sales
Address Name sales_net
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
The list of firewall policies looks like this:
Figure 34: Firewall policies for Commercial VDOM
To add the firewall policies - CLI
config firewall policy
edit 1
set srcintf Sales
set dstintf XO-ISP
set srcaddr sales_net
set dstaddr all
set action accept
set schedule always
set service ANY
set profile_status enable
set profile scan
set nat enable
next
edit 2
set srcintf Sales
set dstintf XS-ISP
set srcaddr sales_net
set dstaddr all
set action accept
set schedule always
set service ANY
set profile_status enable
set profile scan
set nat enable
next
edit 3
set srcintf Development
set dstintf XO-ISP
set srcaddr development_net
set dstaddr all
set action accept
set schedule always
set service ANY
set profile_status enable
set profile scan
set nat enable
next
edit 4
set srcintf Development
set dstintf XS-ISP
set srcaddr development_net
set dstaddr all
set action accept
set schedule always
set service ANY
set profile_status enable
set profile scan
set nat enable
next
edit 5
set srcintf Sales
set dstintf Development
set srcaddr sales_net
set dstaddr development_net
set action accept
set schedule always
set service ANY
set nat enable
next
edit 6
set srcintf Development
set dstintf Sales
set srcaddr development_net
set dstaddr sales_net
set action accept
set schedule always
set service ANY
set nat enable
end
Note: To complete the setup, configure devices on the VLANs with default gateways. The
default gateway for VLAN 10 is the FortiGate VLAN 10 subinterface. The default gateway
for VLAN 20 is the FortiGate VLAN 20 subinterface and so on.
Configuring the Cisco switches
Next, add a configuration file to each of the Cisco Catalyst 2950 Ethernet switches.
The configuration file defines the VLAN access ports and the 802.1Q trunk
interface on the switch. If a switch is not properly configured, it will be the broken
link in the network and the VLANs will not pass any traffic.
For more information on configuring your Cisco switch, consult the manual
for your Cisco switch.
Configuring the VLAN subinterfaces and the trunk interfaces
You configure different interfaces on the Cisco switches to carry specific
VLAN traffic: an access port for each VLAN and one 802.1Q trunk port towards the
FortiGate unit. As shown, each trunk carries every VLAN defined on the switch; to
limit a trunk to the VLANs the FortiGate unit expects, add switchport trunk allowed
vlan 10,20,80,90 (internal switch) or switchport trunk allowed vlan 30,40,50
(external switch) under the trunk interface. If the switch is not properly configured,
there will be no traffic on the network.
Add this file to the Cisco switch connected to the FortiGate-800 internal interface:
!
interface FastEthernet0/3
switchport access vlan 10
!
interface FastEthernet0/4
switchport access vlan 20
!
interface FastEthernet0/14
switchport access vlan 80
!
interface FastEthernet0/16
switchport access vlan 90
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
The switch has the following configuration:
Port 0/3 VLAN ID 10
Port 0/4 VLAN ID 20
Port 0/14 VLAN ID 80
Port 0/16 VLAN ID 90
Port 0/24 802.1Q trunk
Add this file to the Cisco switch connected to the FortiGate-800 external interface:
!
interface FastEthernet0/3
switchport access vlan 30
!
interface FastEthernet0/9
switchport access vlan 40
!
interface FastEthernet0/19
switchport access vlan 50
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
The switch has the following configuration:
Port 0/3 VLAN ID 30
Port 0/9 VLAN ID 40
Port 0/19 VLAN ID 50
Port 0/24 802.1Q trunk
Testing the configuration
You can use simple diagnostic commands (tracert, ping) to test traffic routed
through the FortiGate unit and the Cisco switches.
Testing traffic from the instructors' network to the student network
In this example, a route is traced from the instructors' network (VLAN 20) to the
student network (VLAN 10). The route target is a host on the student network.
From the instructors' network, access an MS Windows command prompt and
enter this command:
C:\>tracert 192.168.10.2
Tracing route to 192.168.10.2 over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms 192.168.20.1
2 <10 ms <10 ms <10 ms 192.168.10.2
Trace complete.
Figure 35: Example trace route from VLAN 20 to VLAN 10
The figure shows the tracert from the Instructors Network on VLAN 20 through the
FortiGate-800 unit (VLAN 20 subinterface 192.168.20.1, VLAN 10 subinterface
192.168.10.1) and the switch to host 192.168.10.2 on the Student network, VLAN 10.
Other tests
Using the preceding method, you can also test traffic from the Development
network to the Sales network and vice versa, as well as traffic from each of the
internal networks to locations on the Internet.
Using VLANs and VDOMs in
Transparent mode
Overview
In Transparent mode, the FortiGate unit can provide services such as antivirus
scanning, web filtering, spam filtering and intrusion protection to traffic on an IEEE
802.1Q VLAN trunk. You can insert the FortiGate unit operating in Transparent
mode into the trunk without making changes to your network. In a typical
configuration, the FortiGate internal interface accepts VLAN packets on a VLAN
trunk from a VLAN switch or router connected to internal VLANs. The FortiGate
external interface forwards tagged packets through another trunk to an external
VLAN switch or router connected to external networks or the Internet. You can
configure the FortiGate unit to apply different policies for traffic on each VLAN in
the trunk.
To pass VLAN traffic through the FortiGate unit, you add two VLAN subinterfaces
with the same VLAN ID, one to the internal interface and the other to the external
interface. You then create a firewall policy to permit packets to flow from the
internal VLAN interface to the external VLAN interface. If required, you create
another firewall policy to permit packets to flow from the external VLAN interface
to the internal VLAN interface. Network protection, such as spam filtering, web
filtering and anti-virus scanning, is applied through the protection profile
specified in each firewall policy.
For each VLAN you are protecting with the FortiGate unit, you need to define a
pair of VLAN subinterfaces and the necessary firewall policies. Usually in
Transparent mode you do not permit packets to move between different VLANs.
When the FortiGate unit receives a VLAN tagged packet at a physical interface,
the packet is directed to the VLAN subinterface with the matching VLAN ID. The
VLAN tag is removed from the packet and the FortiGate unit then applies firewall
policies in the same way as it does for non-VLAN packets. If the packet exits the
FortiGate unit through a VLAN subinterface, the VLAN ID for that subinterface is
added to the packet and the packet is sent to the corresponding physical
interface.
VLANs and virtual domains
When you add each VLAN subinterface, you associate it with a virtual domain. By
default the FortiGate configuration includes one virtual domain, named root, and
you can add as many VLAN subinterfaces as you require to this virtual domain.
Any virtual domain can have a maximum of 255 interfaces in NAT/Route or
Transparent mode. This includes VLANs, other virtual interfaces, and physical
interfaces. To have more than 255 interfaces configured you need to configure
multiple VDOMs with many interfaces on each.
You can add more virtual domains if you want to separate groups of VLAN
subinterfaces into virtual domains. When using a FortiGate unit to serve multiple
organizations, this simplifies administration because you see only the firewall
policies for the VDOM you are configuring. For information on adding and
configuring virtual domains, see Getting started with VDOMs on page 53.
One essential application of virtual domains is to prevent problems caused when a
FortiGate unit is connected to a layer-2 switch that has a global MAC table.
FortiGate units normally forward ARP requests to all interfaces, including VLAN
subinterfaces. It is then possible for the switch to receive duplicate ARP packets
on different VLANs. Some layer-2 switches reset when this happens. As ARP
requests are only forwarded to interfaces in the same virtual domain, you can
solve this problem by creating a virtual domain for each VLAN. For an example of
this type of configuration, see Example configuration Transparent mode (multiple
virtual domains) on page 107.
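The following Python model is an added example, not part of the guide, that shows why separating VLANs into virtual domains stops the duplicate ARP problem described above: a broadcast received on one VLAN subinterface is flooded to every other interface in the same VDOM and re-tagged on egress. The interface names follow the multiple-VDOM example later in this chapter; the flooding rule itself is an assumption of the model rather than a description of FortiOS internals.

```python
"""VDOM-scoped flooding of an ARP request across VLAN subinterfaces.

Added example, not from the FortiGate guide. It models the behaviour described
above: in Transparent mode a broadcast such as an ARP request received on a VLAN
subinterface is flooded to every other interface in the same VDOM, and each
copy leaves tagged with the egress subinterface's own VLAN ID. The interface
names follow the multiple-VDOM example later in this chapter; the flooding
rule is an assumption of this model, not a description of FortiOS internals.
"""
from collections import defaultdict, namedtuple
from typing import Dict, Iterable, List, Set

Subif = namedtuple("Subif", "name physical vlanid vdom")


def build_subifs(vdom_of: Dict[int, str]) -> List[Subif]:
    """One internal/external subinterface pair per VLAN ID, each assigned to vdom_of[vid]."""
    subifs = []
    for vid, vdom in vdom_of.items():
        subifs.append(Subif(f"VLAN_{vid}_int", "internal", vid, vdom))
        subifs.append(Subif(f"VLAN_{vid}_ext", "external", vid, vdom))
    return subifs


def flood(ingress: str, subifs: Iterable[Subif]) -> Dict[str, Set[int]]:
    """Map each physical port to the VLAN IDs on which a copy of the broadcast leaves.

    The broadcast is forwarded to every subinterface in the ingress
    subinterface's VDOM except the one it arrived on, and re-tagged on egress.
    """
    subifs = list(subifs)
    src = next(s for s in subifs if s.name == ingress)
    out: Dict[str, Set[int]] = defaultdict(set)
    for s in subifs:
        if s.vdom == src.vdom and s.name != src.name:
            out[s.physical].add(s.vlanid)
    return dict(out)


def sees_duplicates(egress: Dict[str, Set[int]], physical: str) -> bool:
    """True when the switch on this port receives the same ARP request on more than one VLAN."""
    return len(egress.get(physical, set())) > 1


if __name__ == "__main__":
    # All VLANs in the default root VDOM: the external switch receives the ARP
    # request from VLAN 100 tagged 100, 200 and 300, and the internal switch
    # receives it back on VLANs 200 and 300.
    shared = build_subifs({100: "root", 200: "root", 300: "root"})
    print(flood("VLAN_100_int", shared))
    # One VDOM per organization: the ARP request stays on VLAN 100.
    split = build_subifs({100: "ABCdomain", 200: "DEFdomain", 300: "XYZdomain"})
    print(flood("VLAN_100_int", split))
```

With one VDOM per VLAN the only egress for a broadcast from VLAN_100_int is VLAN_100_ext, so a switch with a global MAC table never sees the same source MAC arrive on two VLANs.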
Configuring the FortiGate unit in Transparent mode
There are two essential steps to configure your FortiGate unit to work with
VLANs:
Add VLAN subinterfaces
Create firewall policies
You can also configure the protection profiles that govern virus scanning, web
filtering and spam filtering. Protection profiles are covered in the documentation
for your FortiGate unit.
In Transparent mode, you can access the FortiGate unit web-based manager by
connecting to an interface configured for administrative access and using HTTPS
to access the management IP address. On the FortiGate-800 used as an example
in this document, administrative access is enabled by default on the Internal
interface and the default management IP address is 10.10.10.1. If you need more
information, see the Quick Start Guide or Installation Guide for your unit.
The procedures in this section assume that you have not enabled VDOM
configuration. If VDOM configuration is enabled, you need to navigate to the
global or VDOM configuration as needed before following each procedure.
Adding VLAN subinterfaces
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the
IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number
between 1 and 4094 (the 802.1Q VID field is 12 bits; the values 0 and 4095 are
reserved). You add VLAN subinterfaces to the physical interface that
receives VLAN-tagged packets.
To add VLAN subinterfaces in Transparent mode
1 Go to System > Network > Interface.
2 Select Create New to add a VLAN subinterface.
3 Enter a Name to identify the VLAN subinterface.
4 Select the physical interface that receives the VLAN packets intended for this
VLAN subinterface.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
VLAN subinterface.
6 Select the virtual domain to which to add this VLAN subinterface.
7 Configure other settings as required.
8 Select OK to save your changes.
The FortiGate unit adds the new subinterface to the interface that you selected.
9 Repeat Step 2 through Step 8, but choose the physical interface through which
the VLAN packets exit the FortiGate unit. Use the same VLAN ID and VDOM as
before.
10 For each of the VLAN subinterfaces you added, select Bring Up to start the
interface.
Creating firewall policies
Firewall policies permit communication between the FortiGate unit network
interfaces based on source and destination IP addresses. Optionally, you can limit
communication to particular times and services.
In Transparent mode, the FortiGate unit subjects the packets on each VLAN to
antivirus and antispam scanning as they pass through the unit. You need firewall
policies to permit packets to pass from the VLAN interface where they enter the
unit to the VLAN interface where they exit the unit. If there are no firewall policies
configured, no packets will be allowed to pass from one interface to another.
To add firewall policies for VLAN subinterfaces
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and
destination IP addresses of VLAN packets.
3 Go to Firewall > Policy.
4 Select Create New.
5 From the Source Interface/Zone list, select the VLAN interface where packets
enter the unit.
6 From the Destination Interface/Zone list, select the VLAN interface where packets
exit the unit.
7 Select the Source and Destination Address names.
8 Select Protection Profile and select the profile from the list.
9 Configure other settings as required.
10 Select OK.
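The following Python model is an added example, not part of the guide. It walks a frame through the path this chapter describes: the 802.1Q tag is parsed and removed on ingress, the frame is attributed to the VLAN subinterface for that physical port and VLAN ID, firewall policies are matched top-down on source interface, destination interface, source address and destination address (the same lookup the NAT/Route policies earlier in this document rely on), and an accepted frame is re-tagged with the egress subinterface's VLAN ID. The egress rule (same VDOM, same VLAN ID, the other physical port), the MAC addresses and the sample frames are assumptions made for the model.

```python
"""802.1Q tag handling and firewall policy lookup in Transparent mode.

Added example, not from the FortiGate guide. A tagged frame arriving on a
physical port is mapped to the VLAN subinterface with that VLAN ID, the tag
is removed, policies are checked top-down on (srcintf, dstintf, srcaddr,
dstaddr), and an accepted frame is re-tagged with the egress subinterface's
VLAN ID. The egress rule (same VDOM, same VLAN ID, other physical port), the
MAC addresses and the sample frames are assumptions made for this model.
"""
import struct
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

TPID_8021Q, ETHERTYPE_IPV4 = 0x8100, 0x0800
Subif = namedtuple("Subif", "name physical vlanid vdom")
Policy = namedtuple("Policy", "srcintf dstintf srcaddr dstaddr")  # every listed policy is an accept policy


def build_frame(dst_mac: bytes, src_mac: bytes, vid: Optional[int], src_ip: str, dst_ip: str) -> bytes:
    """Constructed test frame: Ethernet II, optional 802.1Q tag, minimal IPv4 header plus 8 bytes."""
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                       IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed) + bytes(8)
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst_mac + src_mac + tag + struct.pack("!H", ETHERTYPE_IPV4) + ipv4


def parse_frame(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Return (VLAN ID or None, frame with the 4-byte tag removed); the VID is the low 12 bits of the TCI."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF, frame[:12] + frame[16:]


def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (priority 0, DEI 0) after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def ip_endpoints(untagged: bytes) -> Tuple[IPv4Address, IPv4Address]:
    """Source and destination addresses of an untagged IPv4 frame (IP header starts at byte 14)."""
    if struct.unpack("!H", untagged[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    return IPv4Address(untagged[26:30]), IPv4Address(untagged[30:34])


class TransparentVdom:
    def __init__(self, subifs: List[Subif], addresses: Dict[str, IPv4Network], policies: List[Policy]):
        self.subifs, self.addresses, self.policies = subifs, addresses, policies
        self.by_port_vid = {(s.physical, s.vlanid): s for s in subifs}

    def egress_for(self, ingress: Subif) -> Optional[Subif]:
        """Paired subinterface: same VDOM and VLAN ID on the other physical port."""
        for s in self.subifs:
            if s.vdom == ingress.vdom and s.vlanid == ingress.vlanid and s.physical != ingress.physical:
                return s
        return None

    def match_policy(self, src: Subif, dst: Subif, sip: IPv4Address, dip: IPv4Address) -> Optional[Policy]:
        """First policy in list order whose interfaces and addresses match; None means implicit deny."""
        for p in self.policies:
            if (p.srcintf == src.name and p.dstintf == dst.name
                    and sip in self.addresses[p.srcaddr] and dip in self.addresses[p.dstaddr]):
                return p
        return None

    def forward(self, physical: str, frame: bytes) -> Tuple[str, Optional[Tuple[str, bytes]]]:
        """Return (verdict, (egress port, re-tagged frame)) or (verdict, None) when dropped."""
        vid, untagged = parse_frame(frame)
        ingress = self.by_port_vid.get((physical, vid))
        if ingress is None:
            return "drop: no VLAN subinterface for this tag", None
        egress = self.egress_for(ingress)
        if egress is None:
            return "drop: no paired subinterface", None
        sip, dip = ip_endpoints(untagged)
        if self.match_policy(ingress, egress, sip, dip) is None:
            return f"drop: no policy {ingress.name} -> {egress.name}", None
        return f"accept: {ingress.name} -> {egress.name}", (egress.physical, add_tag(untagged, egress.vlanid))


# Subinterfaces and policies of the simple example, except that VLAN 200 is
# deliberately given only its int -> ext policy to show the implicit deny.
SUBIFS = [Subif("VLAN_100_int", "internal", 100, "root"), Subif("VLAN_100_ext", "external", 100, "root"),
          Subif("VLAN_200_int", "internal", 200, "root"), Subif("VLAN_200_ext", "external", 200, "root")]
ADDRESSES = {"all": IPv4Network("0.0.0.0/0")}
POLICIES = [Policy("VLAN_100_int", "VLAN_100_ext", "all", "all"), Policy("VLAN_100_ext", "VLAN_100_int", "all", "all"),
            Policy("VLAN_200_int", "VLAN_200_ext", "all", "all")]
VDOM = TransparentVdom(SUBIFS, ADDRESSES, POLICIES)
HOST_MAC, ROUTER_MAC = bytes.fromhex("0a0000000001"), bytes.fromhex("0a0000000002")  # constructed


def send(physical: str, vid: Optional[int], src_ip: str, dst_ip: str) -> Tuple[str, Optional[Tuple[str, bytes]]]:
    """Build a constructed frame from HOST_MAC to ROUTER_MAC and push it through the model."""
    return VDOM.forward(physical, build_frame(ROUTER_MAC, HOST_MAC, vid, src_ip, dst_ip))


if __name__ == "__main__":
    print(send("internal", 100, "10.1.1.2", "203.0.113.9")[0])   # accept, leaves external tagged 100
    print(send("internal", 300, "10.1.1.2", "203.0.113.9")[0])   # drop: no subinterface for VLAN 300
    print(send("internal", None, "10.1.1.2", "203.0.113.9")[0])  # drop: untagged frame
    print(send("external", 200, "203.0.113.9", "10.1.2.2")[0])   # drop: no ext -> int policy for VLAN 200
```

Two things the model makes visible: a frame tagged with a VLAN ID for which no subinterface exists never reaches policy evaluation, and a VLAN whose return policy is missing passes traffic in one direction only, which is the failure mode to check first when a host on a protected VLAN can send but not receive.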
Example configuration Transparent mode (simple)
In this example, the FortiGate-800 unit is operating in Transparent mode. The
FortiGate-800 unit is configured with two VLANs, one with an ID of 100 and the
other with ID 200. The Internal and External physical interfaces each have two
VLAN subinterfaces, one for VLAN 100 and one for VLAN 200.
The FortiGate unit is connected to a Cisco 2900 switch on its internal network
interface and to a Cisco 2620 router on its external network interface. The switch
and the router add VLAN IDs to packets and then forward the packets to the
FortiGate unit. When the FortiGate unit receives a tagged packet, it directs it from
one VLAN subinterface to another.
For example, when the switch receives a packet from VLAN 100, it adds VLAN ID
100 and forwards the packet to VLAN subinterface 100 on the internal network
interface on the FortiGate unit. The FortiGate unit directs the packet to VLAN
subinterface 100 on the external network interface. From here the packet is
forwarded to the router.
This section describes how to configure a FortiGate-800 unit, a Cisco switch and a
Cisco router, for the example network topology shown in Figure 36.
Figure 36: Example VLAN topology (FortiGate unit in Transparent mode)
The figure shows the VLAN router (802.1Q trunk on Fa0/0, with 10.1.1.1 on VLAN
100 and 10.1.2.1 on VLAN 200) connected to the Internet and to the External interface
of the FortiGate unit in Transparent mode. The Internal interface connects over an
802.1Q trunk to port Fa0/24 of the VLAN switch, whose access ports Fa0/3 (VLAN 100,
host 10.1.1.2) and Fa0/9 (VLAN 200, host 10.1.2.2) serve the two internal VLANs.
General configuration steps
1 Configure the FortiGate-800 unit.
Add four VLAN subinterfaces:
VLAN ID 100 added to internal and external network interfaces
VLAN ID 200 added to internal and external network interfaces
Add firewall policies to allow:
the VLAN networks to access the external network.
the external network to access the VLAN networks.
2 Configure the Cisco switch to support VLAN tags.
3 Configure the Cisco router to support VLAN tags.
4 Test the implementation.
Configuring the FortiGate-800 unit
Start the FortiGate web-based manager to configure the FortiGate-800 unit.
Adding VLAN subinterfaces
For each VLAN, you need to create a VLAN subinterface on the internal interface
and another one on the external interface, both with the same VLAN ID.
To add VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK:
Name VLAN_100_int
Interface internal
VLAN ID 100
Configure other settings as required.
4 Select Create New.
5 Enter the following information and select OK:
Name VLAN_100_ext
Interface external
VLAN ID 100
Configure other settings as required.
6 Select Create New.
7 Enter the following information and select OK:
Name VLAN_200_int
Interface internal
VLAN ID 200
Configure other settings as required.
8 Select Create New.
9 Enter the following information and select OK:
Name VLAN_200_ext
Interface external
VLAN ID 200
Configure other settings as required.
10 For each of the VLAN subinterfaces you added, select Bring Up to start the
interface.
Figure 37: VLAN subinterfaces
To add VLAN subinterfaces - CLI
config system interface
edit VLAN_100_int
set status up
set interface internal
set vlanid 100
next
edit VLAN_100_ext
set status up
set interface external
set vlanid 100
next
edit VLAN_200_int
set status up
set interface internal
set vlanid 200
next
edit VLAN_200_ext
set status up
set interface external
set vlanid 200
end
Adding the firewall policies
Firewall policies allow packets to travel from the VLAN_100_int interface to the
VLAN_100_ext interface and from the VLAN_200_int interface to the
VLAN_200_ext interface.
To add the firewall policies - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:
Source
Interface/Zone VLAN_100_int
Address Name all
Destination
Interface/Zone VLAN_100_ext
Address Name all
Schedule Always
Service ANY
Action ACCEPT
Configure other fields as required.
4 Select Create New.
5 Enter the following information and select OK:
Source
Interface/Zone VLAN_100_ext
Address Name all
Destination
Interface/Zone VLAN_100_int
Address Name all
Schedule Always
Service ANY
Action ACCEPT
Configure other fields as required.
6 Select Create New.
7 Enter the following information and select OK:
Source
Interface/Zone VLAN_200_int
Address Name all
Destination
Interface/Zone VLAN_200_ext
Address Name all
Schedule Always
Service ANY
Action ACCEPT
Configure other fields as required.
8 Select Create New.
9 Enter the following information and select OK:
Source
Interface/Zone VLAN_200_ext
Address Name all
Destination
Interface/Zone VLAN_200_int
Address Name all
Schedule Always
Service ANY
Action ACCEPT
Configure other fields as required.
Figure 38: Firewall policies for VLANs
To add the firewall policies - CLI
config firewall policy
edit 1
set srcintf VLAN_100_int
set dstintf VLAN_100_ext
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 2
set srcintf VLAN_100_ext
set dstintf VLAN_100_int
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 3
set srcintf VLAN_200_int
set dstintf VLAN_200_ext
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 4
set srcintf VLAN_200_ext
set dstintf VLAN_200_int
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
end
Configuring the Cisco switch
On the Cisco Catalyst 2900 ethernet switch, you need to define VLANs 100 and
200 in the VLAN database and then add a configuration file to define the VLAN
subinterfaces and the 802.1Q trunk interface.
Configuring the VLAN subinterfaces and the trunk interfaces
Add this file to the Cisco switch:
interface FastEthernet0/3
switchport access vlan 100
!
interface FastEthernet0/9
switchport access vlan 200
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
The switch has the following configuration:
Port 0/3 VLAN ID 100
Port 0/9 VLAN ID 200
Port 0/24 802.1Q trunk
Configuring the Cisco router
Add a configuration file to the Cisco Multiservice 2620 Ethernet router. The file
defines the VLAN subinterfaces and the 802.1Q trunk interface on the router. (The
802.1Q trunk is the physical interface on the router.)
Configuring the VLAN subinterfaces and the trunk interfaces
Add this file to the Cisco router:
!
interface FastEthernet0/0
!
interface FastEthernet0/0.1
encapsulation dot1Q 100
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 200
ip address 10.1.2.1 255.255.255.0
!
The router has the following configuration:
Port 0/0.1 VLAN ID 100
Port 0/0.2 VLAN ID 200
Port 0/0 802.1Q trunk
Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default
gateways. The default gateway for VLAN 100 is the Cisco router VLAN 100 subinterface.
The default gateway for VLAN 200 is the Cisco router VLAN 200 subinterface.
Testing the configuration
Use diagnostic commands (tracert, ping) to test traffic routed through the
network.
Testing traffic from VLAN 100 to VLAN 200
In this example, a route is traced between the two internal networks. The route
target is a host on VLAN 200. Because the FortiGate unit operates in Transparent
mode it does not appear as a hop: the first hop is the router's VLAN 100
subinterface, which routes the packet back through the FortiGate unit on VLAN 200.
From VLAN 100, access a command prompt and enter this command:
C:\>tracert 10.1.2.2
Tracing route to 10.1.2.2 over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms 10.1.1.1
2 <10 ms <10 ms <10 ms 10.1.2.2
Trace complete.
Figure 39: Example trace route from VLAN 100 to VLAN 200
The figure shows the tracert from host 10.1.1.2 on VLAN 100 through the switch,
the FortiGate unit in Transparent mode (Internal to External) and the router
(10.1.1.1) to host 10.1.2.2 on VLAN 200.
Example configuration Transparent mode (multiple virtual
domains)
In this example, the FortiGate-800 unit provides network protection to three
organizations that have quite different policies for incoming and outgoing traffic.
This requires that they have different firewall policies and protection profiles.
Although this might be achieved without using virtual domains, the administration is
simpler using virtual domains to view and configure only one organization's policies
at a time.
The procedures in this section assume that you have enabled virtual domain
configuration on your FortiGate unit. For more information, see Getting started
with VDOMs on page 53.
Figure 40: Transparent mode operation with multiple domains
The figure shows VLAN Switch 1, with access ports for ABC Inc (VLAN ID 100), DEF
Inc (VLAN ID 200) and XYZ Inc (VLAN ID 300), connected by a VLAN trunk to the
Internal interface of the FortiGate unit in Transparent mode (VLAN_100_int,
VLAN_200_int, VLAN_300_int). The External interface (VLAN_100_ext, VLAN_200_ext,
VLAN_300_ext) connects by a second VLAN trunk to VLAN Switch 2, which passes
untagged packets to the router and the Internet.
Configuring global items
Some components of the protection profiles that you create are global, rather than
per-domain.
Creating schedules
The FortiGate-800 unit in this example serves organizations that are all
businesses that vary their policies according to the time of day. For simplicity, this
example assumes that they all have the same lunch hours. It would be possible to
accommodate different definitions of lunchtime by creating multiple schedules
tailored to the needs of each organization.
To create a recurring schedule for lunchtime - web-based manager
1 Go to Firewall > Schedule > Recurring.
2 Select Create New.
3 Enter Lunch as the name for the schedule.
4 Select Monday, Tuesday, Wednesday, Thursday and Friday.
5 Set the Start time as 11:45 and set the Stop time as 14:00.
6 Select OK.
To create a recurring schedule for lunchtime - CLI
config firewall schedule recurring
edit Lunch
set day monday tuesday wednesday thursday friday
set start 11:45
set end 14:00
end
Creating protection profiles
The FortiGate-800 provides pre-configured protection profiles: strict, scan, web
and unfiltered. This example also requires custom protection profiles to take
advantage of the FortiGate content blocking features. Protection profiles are
global, but you can create as many as you need to cover the requirements of
different organizations.
This example creates the following protection profiles:
Profile name Description Used by
BusinessOnly Antivirus, spam filtering, banned word list, IPS. Web category
filtering designed to prevent non-business activity. Used by ABC Inc., DEF Inc.
Relaxed Antivirus, spam filtering, banned word list, IPS. Relaxed web category
filtering to allow some general-interest web browsing during the Lunch schedule.
Used by ABC Inc., DEF Inc.
To create the BusinessOnly protection profile - web-based manager
1 Go to Firewall > Protection Profile.
2 Select Create New.
3 Enter BusinessOnly as the Profile Name.
4 Select Anti-Virus and enable Virus Scan for HTTP, FTP, IMAP, POP3 and SMTP.
5 Select Web Category Filtering and enable category block.
Configure categories as follows:
Potentially Liable (group) Block
Objectionable or Controversial (group) Block
Potentially Non-productive (group) Block
Potentially Bandwidth Consuming (group) Block
Potentially Security Violating (group) Block
General Interest (group) Block
Business Oriented Allow
Other Block
6 Select Spam Filtering and enable RBL & ORDBL check for IMAP, POP3 and
SMTP.
7 Select Banned word check for IMAP, POP3 and SMTP.
8 For Spam action, select tagged for IMAP and POP3, discard for SMTP.
9 Select IPS and enable IPS Signature and IPS Anomaly.
10 Select OK.
To create the BusinessOnly protection profile - CLI
config firewall profile
edit BusinessOnly
set ftp scan
set http scan catblock
set imap scan fragmail spamrbl bannedword
set pop3 scan fragmail spamrbl bannedword
set smtp scan fragmail spamrbl bannedword
set ips signature anomaly
set cat_allow 49-50-51-52-53
set cat_deny g01-g02-g03-g04-g05-g06-g08
end
To create the Relaxed protection profile - web-based manager
1 Go to Firewall > Protection Profile.
2 Select Create New.
3 Enter Relaxed as the Profile Name.
4 Select Anti-Virus and enable Virus Scan for HTTP, FTP, IMAP, POP3 and SMTP.
5 Select Web Category Filtering and enable category block.
Configure categories as follows:
Potentially Liable (group) Block
Objectionable or Controversial (group) Block
Potentially Non-productive (group) Monitor
Potentially Bandwidth Consuming (group) Monitor
Potentially Security Violating (group) Block
General Interest (group) Allow
Business Oriented Allow
Others Allow
6 Select Spam Filtering and enable RBL & ORDBL check for IMAP, POP3 and
SMTP.
7 Select Banned word check for IMAP, POP3 and SMTP.
8 For Spam action, select tagged for IMAP and POP3, discard for SMTP.
9 Select IPS and enable IPS Signature and IPS Anomaly.
10 Select OK.
To create the Relaxed protection profile - CLI
config firewall profile
edit Relaxed
set ftp scan
set http scan catblock
set imap scan spamrbl bannedword
set pop3 scan spamrbl bannedword
set smtp scan spamrbl bannedword
set ips signature anomaly
set cat_allow g06-g07-g08
set cat_deny g01-g02-g05
set cat_monitor g03-g04
end
Creating virtual domains
The FortiGate-800 supports 10 virtual domains. The root domain is the default
domain. It cannot be deleted or renamed. In this example, the root domain is not
used. New virtual domains are created for company ABC, company DEF and
company XYZ.
To create the virtual domains - web-based manager
1 Log in as admin.
2 Go to System > VDOM.
3 Select Create New.
4 Type ABCdomain and select OK.
5 Select Create New.
6 Type DEFdomain and select OK.
7 Select Create New.
8 Type XYZdomain and select OK.
To create the virtual domains - CLI
config system vdom
edit ABCdomain
next
edit DEFdomain
next
edit XYZdomain
end
Configuring the ABCdomain
This section describes how to add VLAN subinterfaces and configure firewall
policies for the ABCdomain VDOM.
Adding VLAN subinterfaces
You need to create a VLAN subinterface on the internal interface and another one
on the external interface, both with the same VLAN ID.
To add VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK:
Name VLAN_100_int
Interface internal
VLAN ID 100
Virtual Domain ABCdomain
Configure other settings as required.
4 Select Create New.
5 Enter the following information and select OK:
Name VLAN_100_ext
Interface external
VLAN ID 100
Virtual Domain ABCdomain
Configure other settings as required.
Figure 41: Interfaces for ABCdomain
To add the VLAN subinterfaces - CLI
config system interface
edit VLAN_100_int
set interface internal
set vlanid 100
set vdom ABCdomain
next
edit VLAN_100_ext
set interface external
set vlanid 100
set vdom ABCdomain
end
Selecting the ABCdomain VDOM
Before you follow the rest of the procedure for configuring VLAN 100, you must
ensure that the current domain is ABCdomain.
To select the ABCdomain VDOM - web-based manager
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the ABCdomain VDOM.
To select the ABCdomain VDOM - CLI
config vdom
edit ABCdomain
Creating service groups
ABC Inc. does not want their employees to use online chat or gaming software. To
simplify the creation of firewall policies for this purpose, you create a service
group that contains all of the services you want to restrict. A firewall policy can
manage only one service or one group.
To create a games and chat service group - web-based manager
1 Go to Firewall > Service > Group.
2 Select Create New.
3 Type games-chat in the Group Name field.
4 For each of AOL, IRC, NetMeeting, Quake, SIP-MSNmessenger and Talk, select
the service in the Available Services list and select the right arrow to add it to the
Members list.
5 Select OK.
To create a games and chat service group - CLI
config firewall service group
edit games-chat
set member IRC NetMeeting QUAKE SIP-MSNmessenger AOL
TALK
end
Configuring ABCdomain firewall addresses
The all address is present by default in the root domain. In other domains, you
must create it.
To configure ABCdomain firewall addresses - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New.
3 Type all in the Address Name field.
4 Type 0.0.0.0/0.0.0.0 in the IP Range/Subnet field.
5 Select OK.
To configure ABCdomain firewall addresses - CLI
config firewall address
edit all
set type ipmask
set subnet 0.0.0.0 0.0.0.0
end
Configuring ABCdomain firewall policies
Firewall policies allow packets to travel from the VLAN 100 interface to the
external interface subject to the restrictions of the protection profile.
To configure ABCdomain firewall policies - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New.
3 Enter the following information and select OK:
This policy prevents the use of network games or chat programs during business
hours.
Interface/Zone Source VLAN_100_int
Interface/Zone Destination VLAN_100_ext
Address Name Source all
Address Name Destination all
Schedule BusinessDay
Service games-chat
Action DENY
Configure other fields as required.
4 Enter the following information and select OK:
This policy relaxes the web category filtering during lunch hour.
Interface/Zone Source VLAN_100_int
Interface/Zone Destination VLAN_100_ext
Address Name Source all
Address Name Destination all
Schedule Lunch
Service HTTP
Action ACCEPT
Protection Profile Relaxed
Configure other fields as required.
5 Enter the following information and select OK:
This policy provides rather strict web category filtering during business hours.
Interface/Zone Source VLAN_100_int
Interface/Zone Destination VLAN_100_ext
Address Name Source all
Address Name Destination all
Schedule BusinessDay
Service HTTP
Action ACCEPT
Protection Profile BusinessOnly
Configure other fields as required.
Figure 42: ABCdomain firewall policies
To configure ABCdomain firewall policies - CLI
config firewall policy
edit 1
set srcintf VLAN_100_int
set dstintf VLAN_100_ext
set srcaddr all
set dstaddr all
set schedule BusinessDay
set service games-chat
next
edit 2
set srcintf VLAN_100_int
set dstintf VLAN_100_ext
set srcaddr all
set dstaddr all
set action accept
set schedule Lunch
set service HTTP
set profile_status enable
set profile Relaxed
next
edit 3
set srcintf VLAN_100_int
set dstintf VLAN_100_ext
set srcaddr all
set dstaddr all
set action accept
set schedule BusinessDay
set service HTTP
set profile_status enable
set profile BusinessOnly
end
Configuring the DEFdomain
This section describes how to add VLAN subinterfaces and configure firewall
policies for the DEFdomain VDOM.
Adding VLAN subinterfaces
You need to create a VLAN subinterface on the internal interface and another one
on the external interface, both with the same VLAN ID.
To add VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK:
Name VLAN_200_int
Interface internal
VLAN ID 200
Virtual Domain DEFdomain
Configure other settings as required.
4 Select Create New.
5 Enter the following information and select OK:
Name VLAN_200_ext
Interface external
VLAN ID 200
Virtual Domain DEFdomain
Configure other settings as required.
Figure 43: Interfaces for DEFdomain
To add the VLAN subinterfaces - CLI
config system interface
edit VLAN_200_int
set interface internal
set vlanid 200
set vdom DEFdomain
next
edit VLAN_200_ext
set interface external
set vlanid 200
set vdom DEFdomain
end
Selecting the DEFdomain VDOM
Before you follow the rest of the procedure for configuring VLAN 200, you must
ensure that the current domain is DEFdomain.
To select the DEFdomain VDOM - web-based manager
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the DEFdomain VDOM.
To select the DEFdomain VDOM - CLI
config vdom
edit DEFdomain
Creating service groups
DEF Inc. does not want their employees to use online gaming software or any
online chat software except NetMeeting, which they use for net conferencing. To
simplify the creation of a firewall policy for this purpose, you create a service
group that contains all of the services you want to restrict. A firewall policy can
manage only one service or one group. The administrator decided to simply name
this group Games although it also restricts chat software.
Using VLANs and VDOMs in Transparent mode Example configuration Transparent mode (multiple virtual domains)
FortiGate VLANs and VDOMs Version 3.0 User Guide
01-30004-0091-20070308 117
To create a games service group - web-based manager
1 Go to Firewall > Service > Group.
2 Select Create New.
3 Type Games in the Group Name field.
4 For each of AOL, IRC, Quake, SIP-MSNmessenger and Talk, select the service in
the Available Services list and select the right arrow to add it to the Members list.
5 Select OK.
To create a games service group - CLI
config firewall service group
edit Games
set member IRC QUAKE SIP-MSNmessenger AOL TALK
end
Configuring DEFdomain firewall addresses
The all address is present by default in the root domain. In other domains, you
must create it.
To configure DEFdomain firewall addresses - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New.
3 Type all in the Address Name field.
4 Type 0.0.0.0/0.0.0.0 in the IP Range/Subnet field.
5 Select OK.
To configure DEFdomain firewall addresses - CLI
config firewall address
edit all
set type ipmask
set subnet 0.0.0.0 0.0.0.0
end
Configuring DEFdomain firewall policies
Firewall policies allow packets to travel from the VLAN 200 interface to the
external interface subject to the restrictions of the protection profile.
To configure DEFdomain firewall policies - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New.
3 Enter the following information and select OK:
This policy prevents the use of network games or chat programs (except
NetMeeting) during business hours.
Interface/Zone Source VLAN_200_int
Interface/Zone Destination VLAN_200_ext
Address Name Source all
Address Name Destination all
Schedule BusinessDay
Service Games
Action DENY
Configure other fields as required.
4 Enter the following information and select OK:
This policy relaxes the web category filtering during lunch hour.
Interface/Zone Source VLAN_200_int
Interface/Zone Destination VLAN_200_ext
Address Name Source all
Address Name Destination all
Schedule Lunch
Service HTTP
Action ACCEPT
Protection Profile Relaxed
Configure other fields as required.
5 Enter the following information and select OK:
This policy provides rather strict web category filtering during business hours.
Interface/Zone Source VLAN_200_int
Interface/Zone Destination VLAN_200_ext
Address Name Source all
Address Name Destination all
Schedule BusinessDay
Service HTTP
Action ACCEPT
Protection Profile BusinessOnly
Configure other fields as required.
6 Enter the following information and select OK:
Because it is last in the list, this policy applies to the times and services not
covered in preceding policies. This means that outside of regular business hours
the Relaxed protection profile applies to email and web browsing and that online
chat and games are permitted. DEF Inc. needs this policy because its employees
sometimes work overtime. The other companies in this example maintain fixed
hours and don't want any after-hours internet access.
Interface/Zone Source VLAN_200_int
Interface/Zone Destination VLAN_200_ext
Address Name Source all
Address Name Destination all
Schedule always
Service ANY
Action ACCEPT
Protection Profile Relaxed
Configure other fields as required.
Figure 44: DEFdomain firewall policies
To configure DEFdomain firewall policies - CLI
config firewall policy
edit 1
set srcintf VLAN_200_int
set dstintf VLAN_200_ext
set srcaddr all
set dstaddr all
set schedule BusinessDay
set service Games
set action deny
next
edit 2
set srcintf VLAN_200_int
set dstintf VLAN_200_ext
set srcaddr all
set dstaddr all
set action accept
set schedule Lunch
set service HTTP
set profile_status enable
set profile Relaxed
next
edit 3
set srcintf VLAN_200_int
set dstintf VLAN_200_ext
set srcaddr all
set dstaddr all
set action accept
set schedule BusinessDay
set service HTTP
set profile_status enable
set profile BusinessOnly
next
edit 4
set srcintf VLAN_200_int
set dstintf VLAN_200_ext
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
set profile_status enable
set profile Relaxed
end
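The point of policy 4 is first-match evaluation: the FortiGate walks the list top to bottom and applies the first policy whose schedule and service both match, so the always/ANY policy only sees what the three policies above it did not claim. The following Python model is an added example, not Fortinet code, and works through the DEFdomain list above; the hours it assigns to BusinessDay and Lunch are assumptions, since the guide defines those schedules elsewhere.

```python
"""First-match evaluation of the DEFdomain policy list above, to show why the
order matters and what the always/ANY policy at the end catches.

Added example, not Fortinet code. The hours of BusinessDay and Lunch are
assumed here; the guide defines those schedules elsewhere."""
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple

# schedule name -> (weekdays it covers, start, end); Monday is 0
SCHEDULES = {
    "always": (set(range(7)), time(0, 0), time(23, 59)),
    "BusinessDay": (set(range(5)), time(8, 0), time(17, 0)),   # assumed hours
    "Lunch": (set(range(5)), time(12, 0), time(13, 0)),        # assumed hours
}
SERVICE_GROUPS: Dict[str, Set[str]] = {
    "Games": {"IRC", "QUAKE", "SIP-MSNmessenger", "AOL", "TALK"},
}
# DEFdomain policies 1-4 in the order the chapter creates them:
# (schedule, service, action, protection profile or None)
DEF_POLICIES: List[Tuple[str, str, str, Optional[str]]] = [
    ("BusinessDay", "Games", "deny", None),
    ("Lunch", "HTTP", "accept", "Relaxed"),
    ("BusinessDay", "HTTP", "accept", "BusinessOnly"),
    ("always", "ANY", "accept", "Relaxed"),
]


def at(stamp: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' so callers need no datetime import."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


def schedule_active(name: str, when: datetime) -> bool:
    """True when the recurring schedule covers this weekday and time of day."""
    days, start, end = SCHEDULES[name]
    return when.weekday() in days and start <= when.time() <= end


def service_matches(policy_service: str, service: str) -> bool:
    """ANY matches everything; a service group matches each of its members."""
    if policy_service in ("ANY", service):
        return True
    return service in SERVICE_GROUPS.get(policy_service, set())


def lookup(policies, when: datetime, service: str):
    """Return (policy number, action, profile) of the first matching policy,
    or (None, 'deny', None): traffic that no policy accepts is dropped."""
    for n, (schedule, svc, action, profile) in enumerate(policies, 1):
        if schedule_active(schedule, when) and service_matches(svc, service):
            return n, action, profile
    return None, "deny", None


if __name__ == "__main__":
    # 2007-02-06 is a Tuesday; 2007-02-10 is a Saturday
    for stamp, svc in [("2007-02-06 14:00", "HTTP"), ("2007-02-06 12:30", "HTTP"),
                       ("2007-02-06 20:00", "HTTP"), ("2007-02-06 14:00", "QUAKE"),
                       ("2007-02-06 20:00", "QUAKE"), ("2007-02-10 10:00", "HTTP")]:
        print(stamp, svc, lookup(DEF_POLICIES, at(stamp), svc))
```

Running `lookup` over the first three policies only reproduces the ABCdomain and XYZdomain behaviour described in the text: after hours nothing matches and the traffic is dropped. Moving the always/ANY policy to the top of the list makes it match first, which silently disables the business-hours deny; that is the reason the guide places it last.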
Configuring the XYZdomain
This section describes how to add VLAN subinterfaces and configure firewall
policies for the XYZdomain VDOM.
Adding VLAN subinterfaces
You need to create a VLAN subinterface on the internal interface and another one
on the external interface, both with the same VLAN ID.
To add VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK:
Name VLAN_300_int
Interface internal
VLAN ID 300
Virtual Domain XYZdomain
Configure other settings as required.
4 Select Create New.
5 Enter the following information and select OK:
Name VLAN_300_ext
Interface external
VLAN ID 300
Virtual Domain XYZdomain
Configure other settings as required.
Figure 45: Interfaces for XYZdomain
To add the VLAN subinterfaces - CLI
config system interface
edit VLAN_300_int
set interface internal
set vlanid 300
set vdom XYZdomain
next
edit VLAN_300_ext
set interface external
set vlanid 300
set vdom XYZdomain
end
Selecting the XYZdomain VDOM
Before you follow the rest of the procedure for configuring VLAN 300, you must
ensure that the current domain is XYZdomain.
To select the XYZdomain VDOM - web-based manager
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the XYZdomain VDOM.
To select the XYZdomain VDOM - CLI
config vdom
edit XYZdomain
Creating service groups
XYZ Inc. wants network protection for email and web services. To simplify creation
of firewall policies, you can create an email service group for POP3, IMAP and
SMTP and a web service group for HTTP, HTTPS and FTP.
To create an email service group - web-based manager
1 Go to Firewall > Service > Group.
2 Select Create New.
3 Type Email in the Group Name field.
4 For each of POP3, IMAP and SMTP, select the service in the Available Services
list and select the right arrow to add it to the Members list.
5 Select OK.
To create an email service group - CLI
config firewall service group
edit Email
set member POP3 IMAP SMTP
end
To create a web service group - web-based manager
1 Go to Firewall > Service > Group.
2 Select Create New.
3 Type Web in the Group Name field.
4 For each of HTTP, HTTPS and FTP, select the service in the Available Services
list and select the right arrow to add it to the Members list.
5 Select OK.
To create a web service group - CLI
config firewall service group
edit Web
set member HTTP HTTPS FTP
end
Configuring XYZdomain firewall addresses
The all address is present by default in the root domain. In other domains, you
must create it.
To configure XYZdomain firewall addresses - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New.
3 Type all in the Address Name field.
4 Type 0.0.0.0/0.0.0.0 in the IP Range/Subnet field.
5 Select OK.
To configure XYZdomain firewall addresses - CLI
config firewall address
edit all
set type ipmask
set subnet 0.0.0.0 0.0.0.0
end
Configuring XYZdomain firewall policies
Firewall policies allow packets to travel from the VLAN 300 interface to the
external interface subject to the restrictions of the protection profile.
To configure XYZdomain firewall policies - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New.
3 Enter the following information and select OK:
This policy provides network protection for email using the default strict protection
profile. The administrator must also set up the antivirus, web filter and spam filter
settings. These procedures are not described in this document.
Interface/Zone Source VLAN_300_int
Interface/Zone Destination VLAN_300_ext
Address Name Source all
Address Name Destination all
Schedule always
Service Email
Action ACCEPT
Protection Profile strict
Configure other fields as required.
4 Enter the following information and select OK:
This policy provides network protection for HTTP, HTTPS and FTP using the
default web protection profile. The administrator must also set up the antivirus and
web filter settings. These procedures are not described in this document.
Interface/Zone Source VLAN_300_int
Interface/Zone Destination VLAN_300_ext
Address Name Source all
Address Name Destination all
Schedule always
Service Web
Action ACCEPT
Protection Profile web
Configure other fields as required.
Figure 46: XYZdomain firewall policies
To configure XYZdomain firewall policies - CLI
config firewall policy
edit 1
set srcintf VLAN_300_int
set dstintf VLAN_300_ext
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service Email
set profile_status enable
set profile strict
next
edit 2
set srcintf VLAN_300_int
set dstintf VLAN_300_ext
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service Web
set profile_status enable
set profile web
end
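The ABCdomain, DEFdomain and XYZdomain sections above follow one pattern: a VLAN subinterface pair in the global configuration, then inside the VDOM the service groups, the all address that non-root VDOMs lack, and the policies. When the same pattern is typed three times, a policy can easily end up referring to a service group or profile name that was never created. The script below is an added example, not Fortinet code: it renders that CLI from a short tenant description and refuses to emit anything that contains a dangling reference. The BUILTIN_* sets are a constructed subset of the predefined objects; BusinessDay, Lunch, BusinessOnly and Relaxed are the objects this chapter creates elsewhere in the guide.

```python
"""Render the per-VDOM FortiOS 3.0 CLI used in this chapter from a short tenant
description, after checking that every policy refers to objects that exist.

Added example, not Fortinet code. BUILTIN_* hold a constructed subset of the
predefined objects; BusinessDay, Lunch, BusinessOnly and Relaxed are the
objects this chapter creates elsewhere in the guide."""
from typing import Dict, List, Optional, Set, Tuple

BUILTIN_SERVICES: Set[str] = {"ANY", "HTTP", "HTTPS", "FTP", "POP3", "IMAP", "SMTP", "IRC",
                              "QUAKE", "SIP-MSNmessenger", "AOL", "TALK", "NetMeeting"}
BUILTIN_PROFILES: Set[str] = {"strict", "scan", "web", "unfiltered"}
BUILTIN_SCHEDULES: Set[str] = {"always"}
CHAPTER_PROFILES = BUILTIN_PROFILES | {"BusinessOnly", "Relaxed"}
CHAPTER_SCHEDULES = BUILTIN_SCHEDULES | {"BusinessDay", "Lunch"}

# (schedule, service, action, protection profile or None)
Policy = Tuple[str, str, str, Optional[str]]


class Tenant:
    """One Transparent-mode VDOM: a VLAN subinterface pair plus its firewall objects."""

    def __init__(self, vdom: str, vlan_id: int) -> None:
        self.vdom = vdom
        self.vlan_id = vlan_id
        self.service_groups: Dict[str, List[str]] = {}
        self.policies: List[Policy] = []
        self.src = f"VLAN_{vlan_id}_int"
        self.dst = f"VLAN_{vlan_id}_ext"


def validate(t: Tenant, profiles: Set[str] = CHAPTER_PROFILES,
             schedules: Set[str] = CHAPTER_SCHEDULES) -> List[str]:
    """Return every dangling reference; an empty list means the CLI will load cleanly."""
    problems: List[str] = []
    for group, members in t.service_groups.items():
        for m in members:
            if m not in BUILTIN_SERVICES:
                problems.append(f"group {group}: unknown service {m}")
    services = BUILTIN_SERVICES | set(t.service_groups)
    for n, (schedule, service, action, profile) in enumerate(t.policies, 1):
        if service not in services:
            problems.append(f"policy {n}: unknown service {service}")
        if schedule not in schedules:
            problems.append(f"policy {n}: unknown schedule {schedule}")
        if action not in ("accept", "deny"):
            problems.append(f"policy {n}: invalid action {action}")
        if profile is not None and profile not in profiles:
            problems.append(f"policy {n}: unknown profile {profile}")
    return problems


def render(t: Tenant, profiles: Set[str] = CHAPTER_PROFILES,
           schedules: Set[str] = CHAPTER_SCHEDULES) -> str:
    """Emit the CLI in the chapter's order: VLAN subinterfaces (global scope), then
    inside the VDOM the service groups, the 'all' address and the policies."""
    problems = validate(t, profiles, schedules)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["config system interface"]
    for name, phys in ((t.src, "internal"), (t.dst, "external")):
        lines += [f"edit {name}", f"set interface {phys}",
                  f"set vlanid {t.vlan_id}", f"set vdom {t.vdom}", "next"]
    lines += ["end", "config vdom", f"edit {t.vdom}"]
    if t.service_groups:
        lines.append("config firewall service group")
        for group, members in t.service_groups.items():
            lines += [f"edit {group}", "set member " + " ".join(members), "next"]
        lines.append("end")
    # 'all' exists only in the root VDOM; every other VDOM has to create it
    lines += ["config firewall address", "edit all", "set type ipmask",
              "set subnet 0.0.0.0 0.0.0.0", "end", "config firewall policy"]
    for n, (schedule, service, action, profile) in enumerate(t.policies, 1):
        lines += [f"edit {n}", f"set srcintf {t.src}", f"set dstintf {t.dst}",
                  "set srcaddr all", "set dstaddr all", f"set action {action}",
                  f"set schedule {schedule}", f"set service {service}"]
        if profile:
            lines += ["set profile_status enable", f"set profile {profile}"]
        lines.append("next")
    lines += ["end", "end"]
    return "\n".join(lines)


def build_abc() -> Tenant:
    """ABC Inc. as configured in this chapter: VLAN 100 and three policies."""
    t = Tenant("ABCdomain", 100)
    t.service_groups["games-chat"] = ["IRC", "NetMeeting", "QUAKE",
                                      "SIP-MSNmessenger", "AOL", "TALK"]
    t.policies = [("BusinessDay", "games-chat", "deny", None),
                  ("Lunch", "HTTP", "accept", "Relaxed"),
                  ("BusinessDay", "HTTP", "accept", "BusinessOnly")]
    return t


if __name__ == "__main__":
    print(render(build_abc()))
```

The deny action is written out explicitly rather than relying on the default, so the rendered policy reads the same as the DEFdomain CLI in this chapter. A tenant whose policy names a group that was created under a different name (for instance a policy that says games-chat while the group is called Games) is reported by `validate` before any CLI is produced.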
Configuring the Cisco switch
On the Cisco Catalyst 2900 ethernet switches, you need to define the VLANs 100,
200 and 300 in the VLAN database and then add configuration files to define the
VLAN subinterfaces and the 802.1Q trunk interface.
Configuring switch 1
Add this file to Cisco VLAN switch 1:
!
interface FastEthernet0/1
switchport access vlan 100
!
interface FastEthernet0/2
switchport access vlan 200
!
interface FastEthernet0/5
switchport access vlan 300
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
Switch 1 has the following configuration:
Port 0/1 VLAN ID 100
Port 0/2 VLAN ID 200
Port 0/3 VLAN ID 300
Port 0/6 802.1Q trunk
Configuring switch 2
Add this file to Cisco VLAN switch 2:
interface FastEthernet0/3
switchport
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
Switch 2 has the following configuration:
Port 0/1 VLAN ID 100
Port 0/2 VLAN ID 200
Port 0/3 VLAN ID 300
Port 0/6 802.1Q trunk
Testing the configuration
Use diagnostic commands (tracert, ping) to test traffic routed through the
network.
Testing traffic from VLAN 100 to the Internet
In this example, a route is traced from the VLANs to a host on the Internet. The route
target is www.fortinet.com.
1 From a host on VLAN 100, access a command prompt and enter this command:
C:\>tracert www.fortinet.com
Tracing route to www.fortinet.com [128.242.109.135]
over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms 172.20.120.2
...
14 172 ms 141 ms 140 ms 128.242.109.135
Trace complete.
2 Repeat for VLAN 200 and VLAN 300.
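A tracert only proves that one VLAN works end to end; a cheaper check, before any host is plugged in, is to read the switch configuration back and confirm that every VLAN ID the FortiGate subinterfaces use (100, 200 and 300 here) has an access port and that the uplink to the FortiGate is an 802.1Q trunk. The parser below is an added example, not Fortinet or Cisco code. SWITCH1 and SWITCH2 are the two configuration files from this section embedded verbatim; because the switch 2 file as printed lists no access VLANs, the check reports all three as missing for it.

```python
"""Parse the Cisco IOS interface stanzas from this section and check that the
switch carries every VLAN the FortiGate subinterfaces expect and that it has
an 802.1Q trunk.

Added example, not Fortinet or Cisco code. SWITCH1 and SWITCH2 are the two
configuration files shown in this section, embedded verbatim."""
from typing import Dict, List, Set, Tuple

SWITCH1 = """\
!
interface FastEthernet0/1
switchport access vlan 100
!
interface FastEthernet0/2
switchport access vlan 200
!
interface FastEthernet0/5
switchport access vlan 300
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
"""

SWITCH2 = """\
interface FastEthernet0/3
switchport
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
"""


def parse_switchports(config: str) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Return (access, trunks): access maps interface -> access VLAN ID, trunks
    maps each 'switchport mode trunk' interface -> encapsulation or 'unset'."""
    access: Dict[str, int] = {}
    encap: Dict[str, str] = {}
    trunk_ifaces: Set[str] = set()
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "!":
            current = None                      # '!' ends an IOS stanza
        elif current is None:
            continue                            # text outside any stanza
        elif line.startswith("switchport access vlan "):
            access[current] = int(line.rsplit(None, 1)[1])
        elif line.startswith("switchport trunk encapsulation "):
            encap[current] = line.rsplit(None, 1)[1]
        elif line == "switchport mode trunk":
            trunk_ifaces.add(current)
    trunks = {i: encap.get(i, "unset") for i in sorted(trunk_ifaces)}
    return access, trunks


def check_switch(config: str, required_vlans: List[int]) -> Dict[str, object]:
    """Compare the switch's access VLANs with the VLAN IDs the FortiGate uses."""
    access, trunks = parse_switchports(config)
    missing = sorted(set(required_vlans) - set(access.values()))
    return {
        "access": access,
        "trunks": trunks,
        "missing_vlans": missing,
        "dot1q_trunk": any(e == "dot1q" for e in trunks.values()),
    }


if __name__ == "__main__":
    for name, cfg in (("switch 1", SWITCH1), ("switch 2", SWITCH2)):
        print(name, check_switch(cfg, [100, 200, 300]))
```

The required VLAN list is the one thing to take from the FortiGate side (the vlanid values of the VLAN_100, VLAN_200 and VLAN_300 subinterfaces); a VLAN that appears in missing_vlans has no access port on that switch, so hosts on it could never reach the trunk.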
Inter-VDOM routing
Overview
In the past VDOMs were separate from each other. There was no internal
communication between them. Any communication between VDOMs had to leave
on a physical interface and re-enter the FortiGate unit on another physical
interface.
Inter-VDOM routing changes this. With the introduction of inter-VDOM links in
FortiOS v3.0 MR1, VDOMs can communicate internally without using additional
physical interfaces. FortiManager units support inter-VDOM routing on managed
FortiGate units starting with FortiManager v3.0 MR1.
This chapter contains the following sections:
Benefits of inter-VDOM routing
Getting started with inter-VDOM routing
Advanced inter-VDOM issues
FortiManager and inter-VDOMs
Inter-VDOM Configurations
Inter-VDOM planning
Benefits of inter-VDOM routing
Inter-VDOM routing has a number of benefits over independent VDOM routing.
These benefits include:
Freeing up physical interfaces
Faster than physical interfaces
Continuing to use secure firewall policies
More flexible configurations
Freeing up physical interfaces
Tying up physical interfaces on the FortiGate unit presents a problem. With a
limited number of interfaces available, configuration options for the old style of
communication between VDOMs are very limited.
For example, a FortiGate-800 has 8 ports. If they are assigned 2 per VDOM
(one each for external and internal traffic), at most 4 VDOMs can be
configured, not the 10 VDOMs the license allows. Adding even one additional
interface per VDOM for inter-VDOM communication brings that down to only
2 VDOMs, since 3 VDOMs would require 9 interfaces. Even using one physical
interface for both external traffic and inter-VDOM communication would
severely lower the available bandwidth for external traffic on that interface.
With the introduction of inter-VDOM routing, traffic can travel between VDOMs
internally, freeing up physical interfaces for external traffic. Using the above
example we can use the 4 VDOM configuration and all the interfaces will have
their full bandwidth.
Faster than physical interfaces
Internal interfaces have the advantage over physical interfaces in that they are
faster. Their speed depends on the CPU and its load. That means that an
inter-VDOM link interface will be faster than an outbound physical interface
connected to another inbound physical interface.
While one virtual interface carrying normal traffic would be considerably faster
than a physical interface, the more traffic and the more internal interfaces you
configure, the slower they become, until they are slower than the physical
interfaces.
CPU load can also come from other sources such as AV or content scanning. This
produces the same effect: internal interfaces such as inter-VDOM links will be
slower.
Continuing to use secure firewall policies
VDOMs help to separate traffic based on your needs. This is an important step in
satisfying regulations that require proof of secure data handling. This is especially
important to health, law and accounting industries and the sensitive data they
handle every day.
By keeping things separate, traffic has to leave the FortiGate unit and re-enter to
change VDOMs. This forces traffic to go through the firewall when leaving and
enter through another firewall, keeping traffic secure.
The need for the physical interfaces is gone with inter-VDOM routing, but as with
all FortiGate interfaces, firewall policies need to be in place for traffic to be allowed
to pass through any interface - physical or virtual. This provides the same level of
security both internally and externally. In fact you will be able to configure more
VDOMs which will allow you more flexibility.
Your data will continue to have the high level of security you have come to expect.
More flexible configurations
A typical VDOM uses at least two physical interfaces - one for internal and one for
external traffic. Depending on the configuration, more interfaces may be required.
As explained earlier, the maximum number of VDOMs configurable on a FortiGate
unit is the number of physical interfaces available divided by two. VLANs can be
an answer to this, but they have some limitations.
Using physical interfaces for inter-VDOM communication severely limits the
number of possible configurations on your FortiGate unit, but inter-VDOM routing
allows these connections to be moved inside the FortiGate unit. Using virtual
interfaces for inter-VDOM communication frees up the physical interfaces for
external traffic. Using inter-VDOM routing on a FortiGate unit with 8 interfaces,
you can have 4 VDOMs communicating with each other (meshed configuration)
and continue to have 2 physical interfaces each for internal and external
connections. A full mesh of 4 VDOMs needs 6 links, and each link has two
endpoint interfaces, so this configuration would have required 20 physical
interfaces without inter-VDOM routing. With inter-VDOM routing it only requires
8 physical interfaces, with the other 12 interfaces being internal virtual interfaces.
Inter-VDOM routing gives you the freedom to select the Stand alone VDOM
configuration, Management VDOM configuration or Meshed VDOM
configuration without being limited by the number of physical interfaces on your
FortiGate unit.
Getting started with inter-VDOM routing
Once the VDOMs are configured, there are very few steps to configure inter-
VDOM routing. Inter-VDOM configuration and removal can only be accomplished
through the CLI. For more information see FortiGate CLI reference.
This example assumes that your FortiGate unit is set to multiple VDOM mode and
that you have 2 VDOMs called customer1 and customer2 already configured.
To configure an inter-VDOM routing connection
1 Create an internal point-to-point interface called vlink.
config global
config system vdom-link
edit vlink
next
end
In creating the point-to-point interface, you also created two additional interface
objects by default. They are called vlink0 and vlink1 - the interface name you
chose with a 1 or a 0 on the end to designate the two ends of the link.
2 Bind the interface objects to the VDOMs.
config system interface
edit vlink0
set vdom customer1
next
edit vlink1
set vdom customer2
next
end
Note: At this point you can see the two end point interface objects for the new inter-VDOM
link on the GUI under System > Network. You can only view inter-VDOM interfaces in the
GUI, not modify them.
3 These point-to-point interfaces are now treated like normal FortiGate interfaces
and need to be configured as regular interfaces would. This includes IP address
and netmask and what types of administrative access are allowed.
4 Configure the appropriate firewalls and policies.
To remove an inter-VDOM routing connection
When you delete the inter-VDOM link, the link objects will also be deleted.
Before deleting the inter-VDOM link, make sure that all policies, firewalls and
other configurations that include the link are deleted, removed or changed to no
longer include the inter-VDOM link.
The following are the commands to remove an inter-VDOM routing connection
called vlink. This will also remove its two link objects vlink0 and vlink1.
config global
config system vdom-link
delete vlink
end
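The create, bind and delete steps above have two ordering constraints worth making explicit: the two endpoint objects only exist while the vdom-link exists, and the link must not be deleted while a policy still names one of its ends. The following Python model is an added example, not Fortinet code and not a client for the device; it simulates those CLI objects for the customer1/customer2 scenario and refuses a delete that the text says must be preceded by policy clean-up.

```python
"""Model of the inter-VDOM link lifecycle described above: creating a
vdom-link yields two endpoint interfaces, each end is bound to a VDOM,
policies reference the ends, and the link may only be deleted once nothing
references it.

Added example, not Fortinet code; the class simulates the CLI objects and
does not talk to a FortiGate unit."""
from typing import Dict, List, Optional, Tuple


class VdomLinkError(Exception):
    """Raised when an operation would leave the configuration inconsistent."""


class FortiGateModel:
    def __init__(self, vdoms: List[str]) -> None:
        self.vdoms = set(vdoms)
        self.links: Dict[str, List[str]] = {}           # link -> [end0, end1]
        self.interfaces: Dict[str, Optional[str]] = {}  # interface -> VDOM (None = unbound)
        self.policies: List[Tuple[str, str, str]] = []  # (vdom, srcintf, dstintf)

    def add_interface(self, name: str, vdom: str) -> None:
        """A physical or VLAN interface that is already assigned to a VDOM."""
        self._require_vdom(vdom)
        self.interfaces[name] = vdom

    def create_link(self, name: str) -> List[str]:
        """config system vdom-link / edit <name>: the unit also creates the
        interface objects <name>0 and <name>1 for the two ends of the link."""
        if name in self.links:
            raise VdomLinkError(f"link {name} already exists")
        ends = [f"{name}0", f"{name}1"]
        for end in ends:
            if end in self.interfaces:
                raise VdomLinkError(f"interface name {end} is already in use")
        self.links[name] = ends
        for end in ends:
            self.interfaces[end] = None
        return ends

    def bind(self, iface: str, vdom: str) -> None:
        """config system interface / edit <iface> / set vdom <vdom>."""
        if iface not in self.interfaces:
            raise VdomLinkError(f"no such interface {iface}")
        self._require_vdom(vdom)
        self.interfaces[iface] = vdom

    def add_policy(self, vdom: str, srcintf: str, dstintf: str) -> None:
        """Policies are per-VDOM, so both interfaces must belong to that VDOM."""
        for iface in (srcintf, dstintf):
            if self.interfaces.get(iface) != vdom:
                raise VdomLinkError(f"{iface} is not an interface of {vdom}")
        self.policies.append((vdom, srcintf, dstintf))

    def remove_policy(self, vdom: str, srcintf: str, dstintf: str) -> None:
        self.policies.remove((vdom, srcintf, dstintf))

    def references(self, link: str) -> List[Tuple[str, str, str]]:
        """Policies that still use either end of the link."""
        ends = set(self.links[link])
        return [p for p in self.policies if p[1] in ends or p[2] in ends]

    def delete_link(self, link: str) -> None:
        """config system vdom-link / delete <link>: refused while any policy
        still includes the link, the precondition the text states; on success
        both endpoint interface objects disappear with the link."""
        if link not in self.links:
            raise VdomLinkError(f"no such link {link}")
        refs = self.references(link)
        if refs:
            raise VdomLinkError(f"{link} is still used by {len(refs)} policy(ies)")
        for end in self.links.pop(link):
            del self.interfaces[end]

    def _require_vdom(self, vdom: str) -> None:
        if vdom not in self.vdoms:
            raise VdomLinkError(f"no such VDOM {vdom}")


def walkthrough() -> Tuple[List[str], bool, FortiGateModel]:
    """The chapter's sequence for customer1/customer2. port1 is an assumed
    physical interface of customer1 used to give the link a policy."""
    fg = FortiGateModel(["root", "customer1", "customer2"])
    fg.add_interface("port1", "customer1")
    ends = fg.create_link("vlink")              # ["vlink0", "vlink1"]
    fg.bind("vlink0", "customer1")
    fg.bind("vlink1", "customer2")
    fg.add_policy("customer1", "port1", "vlink0")
    try:
        fg.delete_link("vlink")                 # refused: a policy still uses vlink0
        deleted_early = True
    except VdomLinkError:
        deleted_early = False
    fg.remove_policy("customer1", "port1", "vlink0")
    fg.delete_link("vlink")                     # succeeds once nothing references it
    return ends, deleted_early, fg


if __name__ == "__main__":
    print(walkthrough()[:2])
```

The same precondition applies to routes and any other object that names vlink0 or vlink1; a real clean-up would extend `references` to those object types before calling `delete_link`.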
Advanced inter-VDOM issues
While inter-VDOM links behave almost exactly like a physical interface, there are
some situations where they have limitations or slightly different behavior. These
areas include:
Advanced routing over inter-VDOM links
HA virtual clusters and inter-VDOM links
Advanced routing over inter-VDOM links
As of FortiOS v3.0 MR3, BGP is supported over inter-VDOM links. Before then
multiple VDOMs on one FortiGate unit could not be neighbors. Unless otherwise
indicated, routing works as expected over inter-VDOM links.
HA virtual clusters and inter-VDOM links
FortiGate HA is implemented by configuring two or more FortiGate units to
operate as an HA cluster. To the network, the HA cluster appears to function as a
single FortiGate unit, processing network traffic and providing normal security
services such as firewalling, VPN, IPS, virus scanning, web filtering, and spam
filtering services.
Virtual clustering extends HA features to provide failover protection and load
balancing for a FortiGate operating with virtual domains. A virtual cluster consists
of a cluster of two FortiGate units operating with virtual domains. Traffic on
different virtual domains can be load balanced between the cluster units.
With virtual clusters (vclusters) configured, inter-VDOM links must be entirely
within one vcluster. You cannot create links between vclusters, and you cannot
move a linked VDOM into another virtual cluster. In HA mode with multiple
vclusters, the CLI command config system vdom-link has an option to set which
vcluster the link will be in when you create the vdom-link. For more
information on HA configurations, see the FortiGate HA Guide.
FortiManager and inter-VDOMs
FortiManager helps you manage FortiGate units with features such as monitoring
and multiple device configuration. Starting with v3.0 MR1, FortiManager supports
inter-VDOM routing.
Configuring inter-VDOMs with FortiManager
Before configuring inter-VDOM routing
you must have at least two virtual domains configured on the FortiGate device
the virtual domains must all be in NAT/route mode
each virtual domain to be linked must have at least one interface or
subinterface assigned to it
In Policy Manager you can access the VDOM information for the selected
FortiGate device by selecting the FortiGate device and going to System > Virtual
Domain. Inter-VDOM link information can also be viewed on System > Status.
To create an inter-VDOM link
1 In the Policy Manager, select a virtual domain in the navigation frame.
2 Select the blue arrow to expand Configure Inter-VDOM routing.
If there is no blue arrow, there is only one virtual domain. You must create at least
one more virtual domain before continuing.
3 Select the checkbox next to the VDOM to be linked to the current VDOM (the one
selected in step 1).
4 Enter a name for the inter-VDOM link. Both virtual interfaces will use this name.
For example if the link is my_vlink, the virtual interfaces will be my_vlink0 and
my_vlink1.
5 Enter the IP address and netmask for the virtual interface for this link on the
current VDOM and the peer VDOM. For example if the current VDOM is vdom1,
root could be the peer VDOM.
Once the inter-VDOM link is created, these IP addresses cannot be changed
without deleting the link.
6 Select Traffic Log to log the traffic on this inter-VDOM link.
7 Select Apply to save your settings.
You can repeat these steps to create other inter-VDOM links if you have more
than two VDOMs.
To remove an inter-VDOM link, clear the checkbox next to it and select Apply.
Both ends of the link will be removed.
For more information on using FortiManager, see the FortiManager Administration
Guide.
Inter-VDOM Configurations
Because inter-VDOM links connect VDOMs without consuming physical interfaces,
they open up configuration options that were previously impractical.
The inter-VDOM configurations are:
• Stand alone VDOM configuration
• Independent VDOMs configuration
• Management VDOM configuration
• Meshed VDOM configuration
Stand alone VDOM configuration
The stand alone VDOM configuration uses a single VDOM - the root VDOM that
all FortiGate units have by default. This is the VDOM configuration you are likely
familiar with.
Figure 47: Stand-alone VDOM
This configuration has no VDOM inter-connections and requires no special
configurations or settings.
The stand alone VDOM configuration can be used for simple networks where only
one department or one company administers the connections, firewall policies
and other VDOM-dependent settings.
Independent VDOMs configuration
The Independent VDOMs configuration uses multiple VDOMs that are completely
separate from each other. This is likely another VDOM configuration you are
familiar with.
[Figure 47, not reproduced: the Internet, a single root VDOM, and the internal networks behind it.]
Figure 48: Independent VDOMs
This configuration has no communication between VDOMs and, apart from initially
setting up each VDOM, requires no special configurations or settings. Any
communication between VDOMs is treated as if it were communication with a
separate physical device.
The independent VDOMs configuration can be used where more than one department
or company shares the FortiGate unit. Each can administer the connections,
firewall policies and other VDOM-dependent settings of only its own VDOM. To
each company or department it appears as if they have their own FortiGate unit.
Management VDOM configuration
In the Management VDOM configuration, the root VDOM is the management
VDOM and the other VDOMs are connected to the management VDOM with inter-
VDOM links. There are no other inter-VDOM connections.
[Figure 48, not reproduced: the Internet, VDOM 1, VDOM 2 and VDOM 3 side by side, each with its own internal network and no links between them.]
Figure 49: Management VDOM
Only the management VDOM is connected to the Internet. The other VDOMs are
connected to internal networks and possibly to very small secure external
networks, say a VPN dialup connection. All external traffic is routed through the
management VDOM using inter-VDOM links between the VDOMs. This ensures
the management VDOM has full control over access to the Internet including what
types of traffic are allowed in both directions. Security is greatly increased with
only one point of entry and exit. Only the management VDOM needs to be
professionally managed to ensure network security in this case.
The management VDOM configuration is ideally suited for a service provider
business. The service provider is the management VDOM and the other VDOMs
are customers. These customers do not require a dedicated IT person to manage
their network. The service provider controls the traffic and can prevent the
customers from using banned services and prevent Internet connections from
initiating those same banned services. One example of a banned service might be
Instant Messaging (IM) at a company concerned about intellectual property.
Another example could be to limit bandwidth used by file sharing applications
without banning it completely. Firewall policies control the traffic between a
customer VDOM and the management VDOM and can be customized for each
customer.
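The following FortiOS CLI script is an added example, not taken from this guide or from Fortinet's own documentation. It builds the management VDOM layout described above and is also the CLI counterpart of the FortiManager link procedure earlier in this chapter: the root VDOM owns the Internet-facing port, a customer VDOM reaches the Internet only through an inter-VDOM link, and a default-deny policy in root restricts what the customer may use (here, only DNS and web, so a banned service such as IM never gets a matching accept policy). The VDOM name cust1, the link name cust_link, the interfaces port1 (Internet) and port3 (customer LAN), the service group web_only and all addresses are assumptions; as the page notes, the link addresses cannot be changed later without deleting the link.

```fortios
# Global context: create the customer VDOM and the inter-VDOM link.
# The link yields two virtual interfaces, cust_link0 and cust_link1.
config global
    config system vdom
        edit "cust1"
        next
    end
    config system vdom-link
        edit "cust_link"
        next
    end
    config system interface
        edit "cust_link0"
            set vdom "root"
            set ip 10.255.0.1 255.255.255.252
        next
        edit "cust_link1"
            set vdom "cust1"
            set ip 10.255.0.2 255.255.255.252
        next
        edit "port3"
            set vdom "cust1"
            set ip 192.168.30.1 255.255.255.0
        next
    end
end
# Customer VDOM: its only route out is across the link, and its policy
# lets the LAN reach the link. Service restrictions live in root, not here.
config vdom
    edit "cust1"
        config router static
            edit 1
                set device "cust_link1"
                set gateway 10.255.0.1
            next
        end
        config firewall policy
            edit 1
                set srcintf "port3"
                set dstintf "cust_link1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ANY"
            next
        end
end
# Management (root) VDOM: a return route to the customer LAN, a service
# group that defines what the customer may use, and one logged, NATed
# policy from the link to the Internet. Anything else from cust_link0
# falls through to the implicit deny.
config vdom
    edit "root"
        config router static
            edit 2
                set dst 192.168.30.0 255.255.255.0
                set device "cust_link0"
                set gateway 10.255.0.2
            next
        end
        config firewall service group
            edit "web_only"
                set member "DNS" "HTTP" "HTTPS"
            next
        end
        config firewall policy
            edit 10
                set srcintf "cust_link0"
                set dstintf "port1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "web_only"
                set nat enable
                set logtraffic enable
            next
        end
end
```

Because the root VDOM has no policy from port1 back to cust_link0, connections initiated from the Internet toward the customer are dropped, which is the "both directions" control the text describes. To add a second customer, repeat the VDOM, link, routes and policy with a new /30 and a new policy number; each customer can then get its own service group and, if bandwidth limiting is wanted, its own traffic shaper on the root-side policy.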
Meshed VDOM configuration
The Meshed VDOMs configuration, including partial and full mesh, has VDOMs
inter-connected with other VDOMs. There is no special feature to do this - they are
just complex VDOM configurations.
[Figure 49, not reproduced: the Internet connected only to the root VDOM; VDOM 1, VDOM 2 and VDOM 3 each joined to the root VDOM by an inter-VDOM link and each serving its own internal network.]
Partial mesh means only some VDOMs are inter-connected. In a full mesh
configuration, all VDOMs are inter-connected to all other VDOMs. This can be
useful when you want to provide full access between VDOMs but handle traffic
differently depending on which VDOM it originates from or is going to.
Figure 50: Meshed VDOMs
With full access to all VDOMs being possible, it is important to ensure proper
security. This can be accomplished by establishing extensive proper firewall
policies and ensuring secure account access for administrators and users.
Meshed VDOM configurations can become complex very quickly, with full mesh
VDOMs being the most complex. Ensure this is the proper solution for your
situation before using this configuration.
Inter-VDOM planning
Inter-VDOM routing enables more FortiGate unit configurations than were
previously possible. This additional flexibility has benefits, but also has potential
difficulties.
Complexity
With more connections possible in inter-VDOM configurations, complexity quickly
becomes an issue. VDOMs are not trivial to understand and with additional
settings and issues to consider things can easily get out of hand.
[Figure 50, not reproduced: the Internet, the root VDOM, VDOM 1, VDOM 2 and VDOM 3, with inter-VDOM links between the VDOMs themselves as well as to the root VDOM.]
To prevent this, you should carefully plan your move to the inter-VDOM
configuration to ensure you are aware of the differences between your new and
old setups as well as how these changes affect the interaction between the
VDOMs.
Making changes
Once configured, this new complex configuration means that any changes you
make to the system have a greater chance of introducing problems into the
system. Extra care should be taken to make sure any changes do not negatively
affect your existing FortiGate unit configuration.
For example, with the old method of connecting VDOMs, changing the
communication between VDOMs meant physically re-cabling the unit, and that
physical process carried more built-in checking than a few CLI commands do.
With inter-VDOM links all the changes are internal, so the lower level of
checking may allow unintended changes in VDOM interactions to slip into the
configuration undetected.
Avoiding Problems with VLANs
Overview
There are several issues that can cause problems with your VLANs:
• Asymmetric routing
• Layer 2 traffic
• NetBIOS
• STP forwarding
• Too many VLAN interfaces
Asymmetric routing
You might discover, unexpectedly, that hosts on some networks are unable to
reach certain other networks. This occurs when request and response packets
follow different paths. If the FortiGate unit sees the response packets, but not the
requests, it blocks them as invalid. Also, if the FortiGate unit sees the same
packets repeated on multiple interfaces, it blocks the session as a potential attack.
These are instances of asymmetric routing. By default, FortiGate units block
packets or drop the session when this happens. You can configure the FortiGate
unit to permit asymmetric routing using the following Command Line Interface
(CLI) command:
config system settings
set asymroute enable
end
If this solves your blocked traffic problem, you know that asymmetric routing is the
cause. But allowing asymmetric routing is not the best solution because it can
reduce the security of your system. It is better to change routing or change how
your FortiGate unit connects into your network. The Asymmetric Routing and
Other FortiGate Layer-2 Installation Issues technical note provides detailed
examples of asymmetric routing situations and possible solutions.
Caution: If you enable asymmetric routing, antivirus and intrusion prevention systems will
not be effective. Your FortiGate unit will be unaware of connections and treat each packet
individually. It will be a stateless firewall.
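The following CLI session is an added example, not part of the original guide, showing how to confirm an asymmetric routing problem before reaching for asymroute, and how to scope the setting if you do use it. The client address 10.10.10.5, the server 192.0.2.80, the interface names and the VDOM name vdom1 are assumptions, and the sniffer output shown in comments is constructed to illustrate the pattern (exact formatting varies by firmware build).

```fortios
# 1. Watch one client's web traffic on every interface. Verbosity 4
#    prints the interface name and the direction (in/out) of each packet.
diagnose sniffer packet any 'host 10.10.10.5 and port 80' 4

# Constructed output. The SYN enters on port2 and leaves on port1, but the
# SYN/ACK returns on port3 and is never forwarded: there is no "out" line
# for it, because the unit has no session matching that inbound interface.
# 1.893256 port2 in 10.10.10.5.3456 -> 192.0.2.80.80: syn 1234567890
# 1.893310 port1 out 10.10.10.5.3456 -> 192.0.2.80.80: syn 1234567890
# 1.912345 port3 in 192.0.2.80.80 -> 10.10.10.5.3456: syn 2345678901 ack 1234567891

# 2. Prove the diagnosis by enabling asymroute for the affected VDOM only,
#    and only while you test. With VDOMs enabled, system settings are
#    entered per VDOM rather than globally.
config vdom
    edit "vdom1"
        config system settings
            set asymroute enable
        end
end

# 3. Fix the path on the routers or switches (so the reply comes back on
#    port1), re-run the sniffer to see the SYN/ACK go "out" on port2, then
#    turn asymroute off again so the VDOM is stateful and inspected.
config vdom
    edit "vdom1"
        config system settings
            set asymroute disable
        end
end
```

The point of step 3 is the caution above: leaving asymroute enabled turns the VDOM into a packet filter, so the capture is there to show what to fix upstream, not to justify keeping the setting.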
Layer 2 traffic
By default, FortiGate units do not pass Layer-2 traffic. If there are Layer-2
protocols such as IPX, PPTP or L2TP in use on your network, you need to
configure FortiGate interfaces to pass them. You can do this using the CLI:
config system interface
edit <name_str>
set l2forward enable
end
where <name_str> is the name of an interface.
Enabling Layer 2 traffic can cause a problem if it is possible for packets to
repeatedly loop through the network. This occurs when there is more than one
Layer 2 path from a source to a destination. Traffic can be impeded. One method
of addressing the loop that is created is to configure Spanning Tree Protocol
(STP) on switches and routers on the network. Using STP with FortiGate units is
covered in STP forwarding on page 140.
ARP traffic
Address Resolution Protocol (ARP) traffic is vital to communication on a network
and is enabled on FortiGate interfaces by default. Normally you want ARP packets
to pass through the FortiGate unit, especially if it is sitting between a client and a
server or between a client and a router.
ARP traffic can cause problems, especially in Transparent mode where ARP
packets arriving on one interface are sent to all other interfaces, including VLAN
subinterfaces. Some Layer 2 switches become unstable when they detect the
same MAC address originating on more than one switch interface or from more
than one VLAN. This instability can occur if the Layer 2 switch does not maintain
separate MAC address tables for each VLAN. Unstable switches may reset
causing network traffic to slow down.
Multiple VDOMs solution
One solution is to configure multiple VDOMs on the FortiGate unit, one for each
VLAN. This means one inbound and one outbound VLAN interface in each virtual
domain. ARP packets are not forwarded between VDOMs.
By default, physical interfaces are in the root domain. Do not configure any of your
VLANs in the root domain.
As a result of this VDOM configuration, the switches do not receive multiple ARP
packets with the same source MAC but different VLAN IDs and the instability does
not occur.
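The script below is an added example, not from this guide or from Fortinet, of the multiple VDOMs solution in Transparent mode: one VDOM per VLAN, each holding exactly one inbound and one outbound VLAN subinterface, so ARP received on VLAN 100 can only ever be flooded to the other VLAN 100 subinterface and never to VLAN 200. It assumes port1 is the trunk toward the core switch and port2 the trunk toward the access switch, VLAN IDs 100 and 200, VDOM names vlan100 and vlan200, and the management addresses shown. The physical ports stay in the root VDOM, which holds no VLANs, as the text recommends.

```fortios
# Global context: one VDOM per VLAN, and the two VLAN subinterfaces
# (one per trunk) assigned to their VDOM at creation time.
config global
    config system vdom
        edit "vlan100"
        next
        edit "vlan200"
        next
    end
    config system interface
        edit "port1-100"
            set vdom "vlan100"
            set interface "port1"
            set vlanid 100
        next
        edit "port2-100"
            set vdom "vlan100"
            set interface "port2"
            set vlanid 100
        next
        edit "port1-200"
            set vdom "vlan200"
            set interface "port1"
            set vlanid 200
        next
        edit "port2-200"
            set vdom "vlan200"
            set interface "port2"
            set vlanid 200
        next
    end
end
# Each VDOM bridges its own VLAN in Transparent mode. The manageip is the
# VDOM's address on that VLAN; the policy allows the access side to reach
# the core side (add the reverse policy if the core must initiate).
config vdom
    edit "vlan100"
        config system settings
            set opmode transparent
            set manageip 192.168.100.254 255.255.255.0
        end
        config firewall policy
            edit 1
                set srcintf "port2-100"
                set dstintf "port1-100"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ANY"
            next
        end
end
config vdom
    edit "vlan200"
        config system settings
            set opmode transparent
            set manageip 192.168.200.254 255.255.255.0
        end
        config firewall policy
            edit 1
                set srcintf "port2-200"
                set dstintf "port1-200"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ANY"
            next
        end
end
```

Each added VLAN costs one VDOM and four lines of interface configuration, so this only scales to the number of VDOMs your license allows; when it does not, the forward-domain solution that follows groups VLANs inside one VDOM instead.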
Forward-domain solution
You may run into problems using the multiple VDOMs solution to solve the same
MAC address seeming to originate on multiple interfaces. It is possible that you
have more VLANs than licensed VDOMs, not enough physical interfaces or your
configuration may work better by grouping some VLANs together. In these
situations the separate VDOMs solution may not work for you.
In these situations, the solution is to use the forward_domain
<collision_group> CLI command on each interface. This command tags VLAN
traffic as belonging to a particular forward-domain collision group, and only
interfaces and VLANs tagged as part of that collision group receive that
traffic. By default, interfaces and VLANs are part of forward-domain collision
group 0.
This solution has several benefits: reduced administration, fewer physical
interfaces, and more flexible network designs.
In the following example, forward-domain collision group 340 includes VLAN 340
traffic on Port1 and untagged traffic on Port2. Forward-domain collision group 341
includes VLAN 341 traffic on Port1 and untagged traffic on Port3. All other
interfaces are part of forward-domain collision group 0 by default.
These are the CLI commands to accomplish this setup.
config system interface
    edit "port1"
    next
    edit "port2"
        set forward_domain 340
    next
    edit "port3"
        set forward_domain 341
    next
    edit "port1-340"
        set forward_domain 340
        set interface "port1"
        set vlanid 340
    next
    edit "port1-341"
        set forward_domain 341
        set interface "port1"
        set vlanid 341
    next
end
There is a more detailed discussion of this issue in the Asymmetric Routing and
Other FortiGate Layer-2 Installation Issues technical note.
NetBIOS
Networked computers running Microsoft Windows operating systems rely on a
WINS server to resolve host names to IP addresses. The hosts communicate with
the WINS server using NetBIOS protocol. To support this type of network you
need to enable the forwarding of NetBIOS requests to a WINS server. Enter the
following CLI commands:
config system interface
edit <interface>
set netbios_forward enable
set wins-ip <wins_server_ip>
end
where <interface> is the name of the interface and <wins_server_ip> is
the IP address of the WINS server. These commands apply only in NAT/Route
mode.
STP forwarding
The FortiGate unit does not participate in the Spanning Tree Protocol (STP). STP
is an IEEE 802.1D protocol that ensures there are no Layer-2 loops on the
network. Loops happen when there is more than one Layer-2 path for traffic to
take and broadcast traffic is returned to the original switch, creating a loop
that floods the network with never-ending traffic.
If you use the FortiGate unit in a network topology that relies on STP for
loop protection, you need to change the FortiGate configuration. Otherwise,
because the FortiGate unit drops the STP frames, the switches on either side
cannot see each other's spanning tree: STP treats the FortiGate unit as a
blocked link and forwards the data along another path. By default, the
FortiGate unit blocks STP as well as other non-IP protocol traffic.
Using the CLI, you can enable forwarding of STP and other Layer 2 protocols
through the interface:
config system interface
edit <name_str>
set l2forward enable
set stpforward enable
end
where <name_str> is the name of the interface. This configuration will also allow
Layer-2 protocols such as IPX, PPTP or L2TP to be used on the network. For
more information see Layer 2 traffic on page 138.
Too many VLAN interfaces
Any virtual domain can have a maximum of 255 interfaces in NAT/Route or
Transparent mode. This includes VLANs, other virtual interfaces, and physical
interfaces.
Your FortiGate unit may allow you to configure more interfaces than this, however
if you configure more than 255 interfaces your system will become unstable and
not work properly over time. These problems are due to routing limitations. When
you try to add additional interfaces you will see an error message stating the
maximum limit has already been reached.
If you see the maximum limit has been reached error message, chances are you
already have too many VLANs on your system and your routing has become
unstable. To verify this, delete a VLAN and try to add it back. If you have too many,
you will not be able to add it back on to the system. In this case you will need to
remove enough interfaces (including VLANs) so the total number of interfaces is
255 or less. After doing this you should also reboot your FortiGate unit to clean up
its memory and buffers.
To configure more than 255 interfaces on your FortiGate unit, you will have to
configure multiple VDOMs and spread the interfaces across them, which requires
additional VDOM licenses if your FortiGate model supports them. With these
extra licenses, you will be able to configure up to 250 VDOMs each with up to
255 VLANs, for a theoretical maximum of over 63 000 interfaces. However, in such
a configuration you would run out of system resources long before reaching that
number.
Index
Numerics
802.1Q 13, 14, 16, 24
A
administrators
access profiles 19
common 19
multiple 19
VDOM 55
Anti Virus (AV) scanning 128
Antivirus (AV) settings 21
asymmetric routing 141
B
border gateway protocol (BGP). See routing, BGP
C
Cisco router configuration
IOS commands 26
simple Transparent VDOM example 104
Cisco switch
simple VLAN NAT/Route example 32
Cisco switch configuration
complex VDOM NAT/Route example 92
complex VLAN NAT/Route example 49
IOS commands 26
multiple VDOM Transparent example 124
simple Transparent VDOM example 104
simple VDOM NAT/Route example 70
CLI 26, 36
CPU load 128
customer service 11
D
default route 25, 58
complex VDOM NAT/Route example 78
complex VLAN NAT/Route example 38
NAT/Route 25
simple VDOM NAT/Route example 66, 69
default route, setting
complex VDOM example 85
diagnostics
ping 25, 33
tracert 33
E
example
complex VDOM NAT/Route 73
simple VLAN NAT/Route topology 59
external logging 19
F
file sharing 134
Firewall
settings 20, 21
firewall address
complex VDOM NAT/Route mode example 79, 86
complex VLAN NAT/Route example 39
multiple VDOM example 122
multiple VDOM Transparent example 117
policy 25
simple VDOM NAT/Route example 64, 67
simple VLAN NAT/Route example 29
Transparent multiple VDOM example 113
firewall policy 128
complex VDOM NAT/Route example 80, 87
complex VLAN NAT/Route example 40
multiple VDOM example 113, 117, 123
simple Transparent VDOM example 101
simple VDOM NAT/Route example 65, 68
simple VLAN NAT/Route example 30
Transparent mode 97
VDOM 58
very complex 135
VLAN subinterface 25
firewall schedule
multiple VDOM example 107
FortiClient 48
FortiGate
CLI 26, 36
web-based manager 36
FortiGate-800 128
FortiManager v3.0 131
MR1 127, 131
Policy Manager 131
Fortinet
customer service 11
services 19
FortiOS v3.0
MR1 127
MR3 130
G
gateway, VPN 44
H
HA 130
vcluster 130
HTTP 25
HTTPS 25
I
ID tag 16, 17
IEEE 802.1Q 13, 14, 16, 24
independent configuration 132
Instant Messaging (IM) 134
settings 20
interfaces
802.1Q trunk 23, 32
DMZ, simple VDOM NAT/Route example 62
external, simple VDOM NAT/Route example 61
external, simple VLAN NAT/Route 27
external, simple VLAN NAT/Route example 27
maximum number 14, 95, 141
physical 128, 132
point-to-point 129
virtual 129
VLAN subinterface 23
inter-VDOM
delete link 130
FortiManager 131
independent configuration 132
management configuration 129, 133
meshed configuration 129, 134
physical interfaces 127
stand alone configuration 129, 132
virtual interface 129
IP address, overlapping 24
IPS settings 21
IPX, layer-2 forwarding 138
ISP 85
L
L2TP, layer-2 forwarding 138
layer-2 14
forwarding 138
layer-3 16
license 18
M
management configuration 129, 133
management VDOM 19
meshed configuration 129, 134
multicast. See routing, multicast
N
NAT/Route
complex VDOM example 78, 85
complex VLAN example 35, 36
simple VDOM example 63, 67
simple VLAN example 25, 27, 28
NetBIOS, for Windows networks 140
O
open shortest path first (OSPF). See routing, OSPF
P
packets
handling 18
VLAN-tagged 24
physical interface 132
physical interfaces 127, 128
ping 25, 33
Policy Manager 131
PPTP, layer-2 forwarding 138
protection profile
Transparent VDOM example 108
R
redundant ISPs 85
remote management 19
Router settings 20
routing
asymmetric 141
BGP 130
multicast
OSPF
RIP
STP 140
routing information protocol (RIP). See routing, RIP
routing, default route 25
complex VDOM example 85
complex VDOM NAT/Route example 78
complex VLAN NAT/Route example 38
NAT/Route 25
simple VDOM NAT/Route example 66, 69
VDOM 58
rules, VLAN ID 17
S
schedule, firewall
multiple VDOM example 107
service group
multiple VDOM Transparent example 116, 121
Transparent mode multiple VDOM example 112
settings shared by VDOMs 21
Spanning Tree Protocol. See STP
SSH 25
stand alone configuration 129, 132
STP, forwarding 140
subinterface
VDOM 57
VLAN NAT/Route 24
System settings 20, 21
T
tag 16
technical support 11
TELNET 25
testing
VDOM NAT/Route 71, 93
VDOM Transparent 106
VLAN NAT/Route 33, 51
tracert 33
traffic, management 19
Transparent
multiple VDOM example 107, 110, 113, 117, 124
simple VDOM example 99, 101, 104
simple VLAN example 98
Transparent mode 95
firewall policy 97
VLAN subinterface 96
trunk interface 23, 32
tunnel 45
U
User settings 20
V
vcluster 130
VDOM 18
administration 55
administrators 19
complex VDOM NAT/Route example 75
exclusive settings 20
firewall policy 58
independent configuration 132
license 18
management configuration 129, 133
management traffic 19
management VDOM 19
maximum interfaces 14, 95, 141
meshed configuration 129, 134
multiple VDOMs 110
packet handling 18
routing 58
settings, common 21
settings, exclusive 19
shared settings 21
simple VDOM NAT/Route example 61, 63
simple VDOM NAT/Route VDOM example 66
stand alone configuration 129, 132
Transparent mode 95
VLAN subinterface 57
VPN settings 59
Virtual 53
virtual domain, See VDOM.
virtual interface 129
Virtual Private Network, see VPN.
VLAN
Cisco switch 50
complex VLAN NAT/Route 50
maximum number 14, 95, 141
subinterface 23
tagged packets 24
Transparent mode 95
VLAN ID
layer-3 16
rules 17
VLAN subinterface
complex VDOM NAT/Route example 76, 83
complex VLAN NAT/Route example 36
firewall policy 25
multiple VDOM example 111, 115, 120
simple VDOM NAT/Route example 63
simple VDOM Transparent example 99
simple VLAN NAT/Route example 28
Transparent mode 96
VDOM NAT/Route 57
VPN
client 48
dialup connection 134
FortiClient 48
gateway 44
policies 47
tunnel 45
VDOM 59
W
web-based manager 19, 36
Windows networks
enabling NetBIOS 140
WINS 140