Hosting More Than One Fortios Instance On A Single Fortigate Unit Using Vdoms and Vlans

This document describes configuring a FortiGate unit to host multiple virtual domains (VDOMs) to provide network services for two companies, Company A and Company B, and an ISP. It involves: 1. Creating three VDOMs - VDOM-A and VDOM-B for Company A and B respectively, each with their own interfaces and policies, and VDOM-C operating in transparent mode for the ISP. 2. Configuring VDOM-A to use VLANs to separate Company A's internal networks and set up DHCP servers for each. 3. Configuring VDOM-B to implement DHCP with reserved IP addresses, a local DNS server, traffic shaping for sensitive traffic,

Hosting more than one FortiOS instance on a single FortiGate unit using VDOMs and VLANs
1. Network topology

Use virtual domains (VDOMs) to divide the FortiGate unit into two or more virtual instances of FortiOS that function similarly to independent FortiGate units. Each VDOM has its own physical interfaces, routing configuration, and security policies.

This example simulates an ISP that provides Company A and Company B with Internet services and offers them daily network management and security via TLS (Transparent LAN Service) connections. The ISP also needs to protect its servers, which are set to publicly routable IP addresses.
Each company has its own Internet IP address and internal network. This configuration requires:

- Two VDOMs, VDOM A and VDOM B, operating in NAT/Route mode: VDOM A for Company A and VDOM B for Company B
- One VDOM, VDOM C, operating in transparent mode for the ISP

This scenario covers the following features:

VDOM A:
o Setting up VLANs to separate internal networks
o Configuring a DHCP server on each VLAN interface

VDOM B:
o Configuring a local DNS server that resolves internal web sites and servers
o Using DHCP to assign some IPs according to device MAC addresses
o Configuring traffic shaping for sensitive traffic
o Configuring the explicit web proxy and web caching on some networks

VDOM C:
o Allowing secure access to a web server set to a public IP address
o Protecting this web server using UTM security profiles

2. Creating VDOM A, VDOM B and VDOM C

Go to System > Dashboard > Status and enable Virtual Domain.

Go to Global > VDOM > VDOM and add VDOM A, VDOM B and VDOM C, plus a management IP for VDOM C since it operates in transparent mode.

By default, root is the management VDOM, and it should have an interface connected to the Internet for management traffic such as FortiGuard services, NTP, SNMP, etc. The management VDOM can be moved to VDOM A, VDOM B or VDOM C.

The admin account has full control of all VDOMs in the FortiGate unit. The admin account can access the FortiGate on any interface of any VDOM, as long as the interface has an IP address and allows HTTPS access.

Go to Global > Network > Interface and add port1 and port2 to VDOM A.

Go to Router > Static > Static Route to add a default route for VDOM A.

Go to Global > Network > Interface and add port3 and port4 to VDOM B, and add a DHCP server to port4.

Go to Router > Static > Static Route to add a default route for VDOM B.

Go to Global > Network > Interface and add port5 and port6 to VDOM C.

Go to System > Network > Routing Table to add a default route for VDOM C.

Go to Global > Admin > Administrators to create administrators for each VDOM. The administrators should only have access to their own VDOM.

3. Configuring VDOM A using VLANs

Log on to the FortiGate unit VDOM A on the port1 or port2 interface using the aadmin account; this will let you manage only VDOM A.

Company A separates its three internal networks (engineering, sales and marketing) using VLANs.
This solution uses VLANs to connect the three networks to the VDOM A internal interface in the following way:

- Packets from each network pass through a VLAN switch before reaching VDOM A. The VLAN switch adds a different VLAN tag to packets from each network.
- To handle VLANs on VDOM A, add a VLAN interface to the internal interface for each network.
- Add a DHCP server to each VLAN interface.
- Create security policies to allow each network to access the Internet.

This solution assumes you have configured a VLAN switch to tag packets from the three networks.

Go to System > Network > Interface to create three new VLAN interfaces for the engineering, marketing and sales networks.

Go to Policy > Policy > Policy to add firewall policies that allow users on the engineering, marketing and sales networks to access the Internet separately.

4. Showing results

From the engineering network, set all host IPs in the same subnet as the Engineeringnet VLAN (192.168.10.x/24) with the gateway 192.168.10.1, or set the hosts to use DHCP.

From the marketing network, set all host IPs in the same subnet as the Marketingnet VLAN (192.168.20.x/24) with the gateway 192.168.20.1, or set the hosts to use DHCP.

From the sales network, set all host IPs in the same subnet as the Salesnet VLAN (192.168.30.x/24) with the gateway 192.168.30.1, or set the hosts to use DHCP.

Then users from any of the networks should be able to connect to the Internet.

Go to Policy > Policy > Policy to see the traffic count for each firewall policy.

Go to Policy > Monitor > Policy Monitor to see the active sessions.

Click on each blue bar for details of the source IP and policy ID.

Go to Log & Report > Traffic Log > Forward Traffic.

Select an entry for more details.

5. Configuring VDOM B

Log on to the FortiGate unit VDOM B on the port3 or port4 interface using the badmin account; this will let you manage only VDOM B.

Company B requires IPs reserved according to device MAC address using DHCP, a local DNS server, guaranteed bandwidth for sensitive traffic and faster web browsing. Consequently, the following features will be covered:

- DHCP server that assigns some IP addresses according to device MAC addresses
- Local DNS server listing for internal web sites and servers
- Traffic shaping to make sure high-priority services always have enough bandwidth
- Explicit web proxy and web caching for users on some networks

6. Configuring DHCP to assign some IP addresses according to device MAC addresses

Go to System > Network > DHCP Server and add a new server for the internal interface (port4).

Make sure to set the DNS Server to the internal IP of the FortiGate VDOM B (10.10.1.99). This will be used to resolve internal DNS requests.

Expand MAC Address Access Control List and create a new entry, then enter the MAC address of the device and its desired reserved IP address. You can also use Add from DHCP Client List.

7. Creating a local DNS server listing for internal web sites and servers

Go to System > Network > DNS Server and create a new entry under DNS Service on Interface. Make sure to set Mode to Recursive.

Then create a new entry under DNS Database and add the DNS Zone and Domain Name.

Then create new entries under DNS Entries and add the host names.

The DNS zone will look like the following:

From any host on the internal network, set your network connections to use the internal interface IP address of FortiGate VDOM B (10.10.1.99) as the primary DNS server; you will then be able to browse to the web server using its IP address (10.10.1.101) and its domain name (fortidocs.com or www.fortidocs.com).

8. Configuring guaranteed bandwidth for sensitive traffic using traffic shaping

Sensitive traffic, such as VoIP, flowing through the FortiGate VDOM B needs enough guaranteed bandwidth to assure voice quality.

This scenario involves traffic shaping for VoIP/SIP traffic. To see how to configure SIP on the FortiGate unit, refer to the Allowing inbound and outbound VoIP/SIP traffic through the FortiGate recipe.

Using traffic shaping, you can configure shared shapers that ensure a consistent amount of reserved bandwidth for VoIP/SIP communications while still maintaining bandwidth for other Internet traffic such as email and web browsing. Depending on the total available bandwidth you have, you can dedicate a guaranteed and a maximum bandwidth to each firewall policy (you can verify your total bandwidth using http://speedtest.net/). For this solution, the total available bandwidth is 70000 Kbits/s, 10000 kbits/s is guaranteed to be available for VoIP, and VoIP traffic is given higher priority than other traffic. Other traffic is limited to a maximum bandwidth of 600000 kbits/s.
In this configuration the internal IP phones and the internal network are connected to the FortiGate VDOM B internal interface (port4).

Go to Firewall Objects > Traffic Shaper > Shared and add the VoIP and Daily_Traffic shapers.

Go to Policy > Policy > Policy and apply the VoIP traffic shaper to the firewall policy controlling VoIP/SIP traffic.

Then apply the Daily_Traffic shaper to the firewall policy controlling other traffic.


Go to Firewall Objects > Monitor > Traffic Shaper Monitor.

Go to Log & Report > Traffic Log > Forward Traffic to see that the VoIP and Daily_Traffic shapers were applied successfully.

Select an entry for each shaper to see the details.

9. Adding the explicit web proxy and web caching on the internal network

For faster web browsing, internal users will connect to an explicit web proxy using port 8080 instead of browsing directly to the Internet using port 80.

Go to System > Network > Explicit Proxy and enable the HTTP/HTTPS explicit web proxy.

Make sure to set the Default Firewall Policy Action here to Deny, because we will create a policy for web proxy traffic with web cache enabled on it.

Go to System > Network > Interface and enable the web proxy on port4.

Go to Policy > Policy > Policy to create a new policy for web proxy traffic and enable web cache.

Configure the web browsers on the private network to connect to the network using a proxy server. The IP address of the HTTP proxy server is 10.10.1.99 (the IP address of the FortiGate internal interface) and the port is 8080 (the default explicit web proxy port).

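The explicit proxy steps of section 9 in FortiOS CLI form, as an added example that is not the recipe's own configuration. Port 8080, port4 and policy ID 3 follow the text; the VDOM name VDOMB and port3 as the Internet side of VDOM B are assumptions.

```fortios
# Added example, not part of the recipe: explicit proxy of section 9 in VDOMB.
# Assumed: port3 is the Internet side; policy ID 3 follows the text.
config vdom
    edit VDOMB
    config web-proxy explicit
        set status enable
        set http-incoming-port 8080
        set sec-default-action deny
    end
    config system interface
        edit "port4"
            set explicit-web-proxy enable
        next
    end
    config firewall policy
        edit 3
            set srcintf "web-proxy"
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "webproxy"
            set nat enable
            set webcache enable
        next
    end
end
```

sec-default-action deny is the CLI form of the Default Firewall Policy Action in the text: proxy requests that match no web-proxy policy are dropped instead of forwarded, so only policy 3 (with its cache and whatever profiles you attach to it) carries browser traffic out, and the proxy listens only on port4 because that is the sole interface with explicit-web-proxy enabled.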
Web browsers configured to use the proxy server are able to connect to the Internet.

Go to Policy > Policy > Policy to see the ID of the policy allowing web proxy traffic (here its ID is 3).

Web proxy traffic is not counted by the firewall policy!

Go to Log & Report > Traffic Log > Forward Traffic and filter by policy ID 3.

Select an entry for details.

10. Configuring VDOM C

This VDOM C, in transparent mode, will be set up to protect the ISP's servers set to public IPs using UTM profiles.

Log on to the FortiGate unit VDOM C on the port5 interface (management IP 172.20.120.23) using the cadmin account; this will let you manage only VDOM C.

Go to Firewall Objects > Address > Address to set the web server IP.

Go to Policy > Policy > Policy to create one policy for outbound traffic and apply UTM security profiles, then another one for inbound traffic with UTM security profiles as well.

You can use the default profiles and customize them if you want to.

You can now connect to your web server securely from the Internet using its public IP address (possibly using the same FQDN) although the web server is behind a FortiGate unit. The web server is also able to connect to the Internet for updates and other purposes.

Go to Log & Report > Traffic Log > Forward Traffic to see inbound and outbound traffic.

Select an entry for outbound and another entry for inbound traffic for details.

Go to UTM Security Profiles > Monitor to see all UTM status.

Here is an example of the Application monitor for that web server with IP address 172.20.120.226.
