Inter-VDOM communication with static routing


In this recipe, you will configure virtual domains (VDOMs) and allow communication between them with static routing.

In this example, a managed security service provider (MSSP) provides controlled Internet access to two companies (Company A and Company B). The MSSP, Company A, and Company B each have a VDOM (named root, VDOM-A, and VDOM-B) that is managed independently. Connections from VDOM-A and VDOM-B to root are made using VDOM Links (named IVL-A and IVL-B).

The management PC connected to the root VDOM will be used during this cookbook recipe.

1. Planning the network topology and addressing scheme

Below is the network diagram that we will use for this cookbook recipe. It was created based on the requirements in the example scenario.

As noted above, a connection between root and VDOM-A, as well as root and VDOM-B, will be achieved with a VDOM Link. VDOM-A and VDOM-B will not be allowed to communicate with each other directly; any communication between VDOM-A and VDOM-B has to be allowed by the root VDOM.

2. Switching to VDOM mode and creating two VDOMs

Go to System Settings and, under the Operations Settings section, enable Virtual Domains.

You will be required to re-login after enabling virtual domains because the GUI menu options change.

 

Certain FortiGate models will not show the above option under System Settings. For these models, click the >_ icon in the top-right corner of the GUI and enter the following command in the CLI Console:

config system global
  set vdom-admin enable
end

Enter y when you are asked if you want to continue.

You will be required to re-login to the GUI after enabling virtual domains because the GUI menu options change.

Make sure that Global is selected from the dropdown menu located in the top-left corner. This allows you to make changes to the global configuration.

 

Go to System > VDOM and select Create New.

Name the Virtual Domain VDOM-A, and leave the defaults for Inspection Mode and NGFW Mode. Select OK to create your first VDOM.

 
Repeat the process above to create a second VDOM, VDOM-B.

3. Adding interfaces to VDOM-A and VDOM-B

In this example, one hardware switch interface (consisting of three physical interfaces) will be added to each of VDOM-A and VDOM-B for use by the local network.

If an interface is used in an existing FortiGate configuration, the VDOM assignment cannot be changed. Because some FortiGate models have a default configuration, you may need to delete existing policies and routes in order to make changes to that particular interface.

From Global, go to Network > Interfaces and edit the internal interface. 

Remove all Interface Members except for internal1, and ensure the Virtual Domain is set to root. All other settings can stay their default values.

 

The interface members we just removed from the internal hardware switch will be listed separately as internal2, internal3, etc, but will belong to the root VDOM.

Edit internal2 and change the Virtual Domain to VDOM-A. Leave the other settings their defaults.

Repeat this step for internal3 and internal4 to make them a member of VDOM-A.

 

Edit internal5, internal6, and internal7 and change their Virtual Domain to VDOM-B.

Your interface overview should now show internal1 assigned to root, internal2-4 assigned to VDOM-A, and internal5-7 assigned to VDOM-B.

 

Go to Network > Interfaces and create a new interface.

Type LAN-A for the Interface Name, set the Type to Hardware Switch, and set the Virtual Domain to VDOM-A.

Select internal2-4 as the Interface Members, and set the Role to LAN.

Assign 10.1.1.1/24 as the IP/Network Mask, set Administrative Access to HTTPS, PING, and SSH, and enable DHCP Server.

 

Create another interface, this time setting Interface Name as LAN-B. Set the Type to Hardware Switch, and set the Virtual Domain to VDOM-B.

Select internal5-7 as the Interface Members, and set the Role to LAN.

Assign 10.2.2.1/24 as the IP/Network Mask, set Administrative Access to HTTPS, PING, and SSH, and enable DHCP Server.

 

Your interface list should now show internal assigned to root, LAN-A assigned to VDOM-A, and LAN-B assigned to VDOM-B.

 

4. Connecting VDOMs with Virtual Links

Virtual Links are used to virtually connect VDOMs that would otherwise not be able to communicate with each other. A VDOM Link consists of two sub-interfaces, called Interface 0 and Interface 1, where each sub-interface is a member of one of the VDOMs that is being connected together. This can be conceptualized as two ends of a point-to-point link.

From Global, go to Network > Interfaces and select Create New > VDOM Link. Give the new VDOM Link the name IVL-A.

For Interface 0, select the Virtual Domain of root. Give it an IP/Netmask of 172.16.1.1/30, and set the Administrative Access to PING only.

For Interface 1, select the Virtual Domain of VDOM-A. Give it an IP/Netmask of 172.16.1.2/30, and set the Administrative Access to PING only.

 

Select Create New > VDOM Link to begin creating a second VDOM Link. Give the new VDOM Link the name IVL-B.

For Interface 0, select the Virtual Domain of root. Give it an IP/Netmask of 172.16.1.5/30, and set the Administrative Access to PING only.

For Interface 1, select the Virtual Domain of VDOM-B. Give it an IP/Netmask of 172.16.1.6/30, and set the Administrative Access to PING only.

 

5. Creating static routes in the root VDOM

Select root from the dropdown menu located in the top-left corner. This allows you to make changes to the root VDOM.  

Go to Network > Static Routes and select Create New.

Enter the Destination of 10.1.1.0/24, which is the subnet for VDOM-A’s internal network.

For Interface, select IVL-A0 from the dropdown menu, and then enter 172.16.1.2 for the Gateway, which is VDOM-A’s VDOM Link IP address.

 

Create a second route.

Enter the Destination of 10.2.2.0/24, which is the subnet for VDOM-B’s internal network.

For Interface, select IVL-B0 from the dropdown menu, and then enter 172.16.1.6 for the Gateway, which is VDOM-B’s VDOM Link IP address.

 

If your WAN interface receives a default route via DHCP or PPPoE, you do not need to configure a static default route.

However, if your WAN interface has been statically configured with an IP address, then you will need to add a static default route, shown below.

Create another route, which will be the static default route.

Leave the Destination as 0.0.0.0/0.0.0.0, which indicates this is the default route.

For Interface, select wan1 from the dropdown menu, and then enter your ISP-provided gateway IP for the Gateway field, which in this example is 172.25.176.41.

 

6. Creating firewall policies to allow Internet access through the root VDOM

Go to Policy & Objects > IPv4 Policy and select Create New.

Enter MGMT to Internet for the policy Name. Select internal for Incoming Interface and wan1 for Outgoing Interface.

Select all for the Source, all for the Destination, and ALL for the Service fields.

Leave NAT enabled and enable the Security Profiles desired to meet business requirements and best practices.

 

Create another policy.

Enter VDOM-A to Internet for the policy Name. Select IVL-A0 for Incoming Interface and wan1 for Outgoing Interface.

Select all for the Source, all for the Destination, and ALL for the Service fields.

Leave NAT enabled, and enable the Security Profiles desired to meet business requirements and best practices.

 

Create another policy.

Enter VDOM-B to Internet for the policy Name. Select IVL-B0 for Incoming Interface and wan1 for Outgoing Interface.

Select all for the Source, all for the Destination, and ALL for the Service fields.

Leave NAT enabled, and enable the Security Profiles desired to meet business requirements and best practices.

 

7. [Optional] Creating firewall policies in the root VDOM to allow VDOM-A and VDOM-B to communicate

If your business needs require VDOM-A to be able to communicate with VDOM-B, two additional policies will be needed.

Select Create New under Policy & Objects > IPv4 Policy and set Name to VDOM-A to VDOM-B. Select IVL-A0 for Incoming Interface and IVL-B0 for Outgoing Interface.

Select all for the Source, all for the Destination, ALL for the Service fields, and disable NAT.

Enable the Security Profiles desired to meet business requirements and best practices.

 

Create another policy and set Name to VDOM-B to VDOM-A. Select IVL-B0 for Incoming Interface and IVL-A0 for Outgoing Interface.

Select all for the Source, all for the Destination, ALL for the Service fields, and disable NAT.

Enable the Security Profiles desired to meet business requirements and best practices.

 

8. Creating firewall policies and static routes in VDOM-A

Select VDOM-A from the dropdown menu located in the top-left corner. This allows you to make changes to VDOM-A.

 

Go to Network > Static Routes and select Create New.

Leave the Destination as 0.0.0.0/0.0.0.0, which indicates this will be the default route.

For Interface, select IVL-A1 from the dropdown menu, and then enter 172.16.1.1 for the Gateway, which is root’s VDOM Link IP address on IVL-A.

 

Go to Policy & Objects > IPv4 Policy and select Create New. Give the policy a Name of VDOM-A to root.

Select LAN-A for Incoming Interface and IVL-A1 for Outgoing Interface.

Select all for the Source, all for the Destination, and ALL for the Service fields. Disable NAT.

Company-A can enable the Security Profiles desired to meet their business requirements and best practices.

 

9. Creating firewall policies and static routes in VDOM-B

Select VDOM-B from the dropdown menu located in the top-left corner. This allows you to make changes to VDOM-B.  

Go to Network > Static Routes and select Create New.

Leave the Destination as 0.0.0.0/0.0.0.0, which indicates this will be the default route.

For Interface, select IVL-B1 from the dropdown menu, and then enter 172.16.1.5 for the Gateway, which is root’s VDOM Link IP address on IVL-B.

 

Go to Policy & Objects > IPv4 Policy and select Create New. Give the policy a Name of VDOM-B to root.

Select LAN-B for Incoming Interface and IVL-B1 for Outgoing Interface.

Select all for the Source, all for the Destination, and ALL for the Service fields. Disable NAT.

Company-B can enable the Security Profiles desired to meet their business requirements and best practices.
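The same configuration expressed in FortiOS CLI, as an added example that is not part of the original recipe. It covers steps 2, 4, 5, 6, 7 and 8 for the VDOM-A side and notes where the VDOM-B side (IVL-B interfaces, the 10.2.2.0/24 route, the VDOM-B to Internet policy, and step 9) mirrors it. It assumes VDOM mode is already enabled (step 2 CLI), that the LAN-A and LAN-B hardware switch interfaces were created in the GUI as in step 3 (the hardware-switch CLI is model-specific), that wan1 is the ISP-facing interface, and that 172.25.176.41 is the recipe's example gateway. Lines starting with # are annotations, not commands.

```text
# Added example, not from the recipe. Assumes VDOM mode is on and LAN-A / LAN-B exist.
# Step 2: create the two customer VDOMs (root already exists).
config vdom
    edit VDOM-A
    next
    edit VDOM-B
    next
end

# Step 4: creating VDOM link IVL-A yields sub-interfaces IVL-A0 and IVL-A1.
# IVL-B0 (root, 172.16.1.5/30) and IVL-B1 (VDOM-B, 172.16.1.6/30) mirror these.
config global
    config system vdom-link
        edit "IVL-A"
        next
        edit "IVL-B"
        next
    end
    config system interface
        edit "IVL-A0"
            set vdom "root"
            set ip 172.16.1.1 255.255.255.252
            set allowaccess ping
        next
        edit "IVL-A1"
            set vdom "VDOM-A"
            set ip 172.16.1.2 255.255.255.252
            set allowaccess ping
        next
    end
end

# Steps 5-7: root VDOM. "edit 0" lets FortiOS assign the next free ID.
config vdom
    edit root
        config router static
            edit 0
                set dst 10.1.1.0 255.255.255.0
                set gateway 172.16.1.2
                set device "IVL-A0"
            next
            edit 0
                set gateway 172.25.176.41
                set device "wan1"
            next
        end
        config firewall policy
            edit 0
                set name "VDOM-A to Internet"
                set srcintf "IVL-A0"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
            # Optional step 7: A-to-B traffic can only transit root, so this policy
            # is the single control point for it (VDOM-B to VDOM-A mirrors it).
            edit 0
                set name "VDOM-A to VDOM-B"
                set srcintf "IVL-A0"
                set dstintf "IVL-B0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
        end
    next
end

# Step 8: VDOM-A sends everything to root over its VDOM link.
# Step 9 mirrors this in VDOM-B with IVL-B1, gateway 172.16.1.5 and LAN-B.
config vdom
    edit VDOM-A
        config router static
            edit 0
                set gateway 172.16.1.1
                set device "IVL-A1"
            next
        end
        config firewall policy
            edit 0
                set name "VDOM-A to root"
                set srcintf "LAN-A"
                set dstintf "IVL-A1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
        end
    next
end
```

Because VDOM-A and VDOM-B each hold only a default route towards root, the only path between the two customer networks is through the root VDOM, and the optional step 7 policies are where that path is permitted or denied; leaving them out keeps the customers isolated.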

 

10. Results

Using a PC located on VDOM-A’s internal network, generate Internet traffic.

On the management PC, select VDOM-A from the top-left dropdown, and navigate to FortiView > Policies. You can see traffic flowing through the VDOM-A to root policy.

 

Right-click the policy, then select Drill Down to Details. You can see more information about the traffic.

 

Using a PC located on VDOM-B’s internal network, generate Internet traffic.

On the management PC, select VDOM-B from the top-left dropdown, and navigate to FortiView > Policies. You can see traffic flowing through the VDOM-B to root policy.

 

Select root from the dropdown on the top-left, and navigate to FortiView > Policies. You can see traffic flowing through the VDOM-A to Internet and VDOM-B to Internet policies.

 

If you completed the optional Step 7, using a PC connected to VDOM-A’s internal network, initiate traffic to a device on VDOM-B’s internal network.

Select root from the dropdown on the top-left, and navigate to FortiView > Policies. You will see traffic flowing through the VDOM-A to VDOM-B and/or the VDOM-B to VDOM-A policies.
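CLI checks that complement the FortiView results above, as an added example that is not part of the original recipe. The host addresses 10.1.1.10 (on LAN-A) and 10.2.2.10 (on LAN-B) are assumed test hosts; everything else uses the recipe's own interface names and subnets. Lines starting with # are annotations.

```text
# Added example, not from the recipe. Test hosts 10.1.1.10 and 10.2.2.10 are assumed.
config vdom
    edit VDOM-A
        # Expect only the default route via IVL-A1 and the connected LAN-A subnet;
        # there must be no route to 10.2.2.0/24 inside VDOM-A.
        get router info routing-table all
        # Sessions from the LAN-A host show the policy ID of "VDOM-A to root".
        diagnose sys session filter src 10.1.1.10
        diagnose sys session list
    next
    edit root
        # Expect 10.1.1.0/24 via IVL-A0, 10.2.2.0/24 via IVL-B0, default via wan1.
        get router info routing-table all
        # Confirm VDOM-A traffic arrives on root's end of the link (verbose 4, 10 packets).
        diagnose sniffer packet IVL-A0 'host 10.1.1.10' 4 10
        # Trace the policy decision for an A-to-B flow: with step 7 done it should
        # match "VDOM-A to VDOM-B"; without it, root drops the flow (no matching policy).
        diagnose debug flow filter addr 10.2.2.10
        diagnose debug flow trace start 10
        diagnose debug enable
        # ... generate traffic from 10.1.1.10 to 10.2.2.10, then stop tracing:
        diagnose debug disable
        diagnose debug flow trace stop
    next
end
```

The routing-table check in VDOM-A is the quickest way to confirm the isolation design: if a route to 10.2.2.0/24 ever appears there, VDOM-A can reach VDOM-B without passing through root's policies.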

 

For further reading, check out Inter-VDOM Routing in the FortiOS 5.6 Handbook.

Fortinet Technical Documentation

Contact Fortinet Technical Documentation at techdoc@fortinet.com.
Connecting VDOMs can be done physically (for example, connecting a cable between port2 and port4) or virtually (using VDOM Links).

The internal interface is the default hardware switch interface on many FortiGate models, including the FortiGate 60D used throughout this recipe. Your FortiGate model may have a slightly different configuration, so you will need to adjust accordingly.

If your FortiGate doesn't support a Hardware Switch, you can use a Software Switch instead.

As a general best practice, it is not recommended to use the all object where it can be avoided. However, we will use it throughout this cookbook recipe for the sake of brevity.

FortiGates are stateful firewalls, so two policies allow both VDOM-A and VDOM-B to initiate traffic. Only one firewall policy is required if a certain VDOM will always initiate traffic, with reply traffic being allowed back in by the same policy.

Security profiles are not shared between VDOMs. This means the MSSP in the root VDOM can have one baseline set of security profiles to apply to traffic, while Company A can have their own, company-specific profiles.