www.fortinet.com
Contents
Introduction  7
  About FortiGate VLANs and VDOMs  7
  About this document  7
    Document conventions  7
    FortiGate documentation  8
  Related documentation  9
    FortiManager documentation  9
    FortiClient documentation  10
    FortiMail documentation  10
    FortiAnalyzer documentation  10
    Fortinet Knowledge Center  10
    Comments on Fortinet technical documentation  10
  Customer service and technical support  11
Index  143
Introduction
This chapter introduces you to FortiGate VLANs and VDOMs and the following topics:
  FortiGate documentation
  Related documentation
  Inter-VDOM routing

Document conventions
The following document conventions are used in this guide:
In the examples, private IP addresses are used for both private and public IP addresses.
Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Typographic conventions
FortiGate documentation uses the following typographical conventions:
Convention: Example
Keyboard input: In the Gateway Name field, type a name for the remote VPN peer or client (for example, Central_Office_1).
Code examples
Document names
File content: <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD><BODY><H4>You must authenticate to use this service.</H4>
Menu commands
Program output: Welcome!
Variables: <address_ipv4>
FortiGate documentation
Information about FortiGate products is available from the following guides:

Related documentation
Additional information about Fortinet products is available from the following related documentation.
FortiManager documentation
FortiClient documentation
FortiMail documentation
FortiAnalyzer documentation
Virtual LANs (VLANs) use ID tags to logically separate devices on a LAN into smaller broadcast domains. Each VLAN is its own broadcast domain. Smaller broadcast domains reduce traffic and increase network security. The IEEE 802.1Q standard defines VLANs. Layer 2 and layer 3 devices must be 802.1Q-compliant to support VLANs. For more information see VLAN layer-2 switching on page 14 and VLAN layer-3 routing on page 16.
VLANs reduce the size of the broadcast domains by only forwarding packets to ports that are part of that VLAN, or part of a trunk link. Trunk links form switch-switch or switch-router connections and forward all VLAN traffic. This enables a VLAN to include devices that are on the network but physically distant from each other.
Any virtual domain can have a maximum of 255 interfaces in NAT or TP mode. This includes VLANs, other virtual interfaces, and physical interfaces. To have more than 255 interfaces configured you need to configure multiple VDOMs with many interfaces on each.
A good example of when to use VLANs is an accounting department within a company. The accounting computers can be located in different buildings (main and branch offices). However, accounting computers need to communicate with each other frequently and require increased security. VLANs allow the accounting data to be sent only to accounting computers and connect accounting computers in different locations as if they were on the same physical subnet.
The VLAN ID tags used to define VLANs are a 4-byte frame extension that is applied by switches and routers to every packet sent and received by the devices in the VLAN. Workstations and desktop computers are not an active part of the VLAN process: all the VLAN tagging and tag removal is done after the packet has left the computer. For more information see Rules for VLAN IDs on page 17.
Note: This guide uses the term packet to refer to both layer-2 frames, and layer-3 packets.
[Figure: Example VLAN topology. Switch A: ports 1-4 VLAN 100, ports 5-7 VLAN 200, port 8 802.1Q trunk. Switch B: ports 4 and 5 VLAN 100, port 6 VLAN 200, port 8 802.1Q trunk. One switch is at the Main Office, the other at the Branch Office.]
Let's follow a data frame sent from a computer on subnet 1 that is part of VLAN 100.
A computer on port 1 of switch A sends a data frame over the network. Switch A tags the data frame with a VLAN 100 ID tag upon arrival because port 1 is part of VLAN 100. Switch A forwards the tagged data frame to the other VLAN 100 ports, ports 2 through 4. Switch A also forwards the data frame to the 802.1Q trunk link (port 8) so other parts of the network that may contain VLAN 100 groups will receive VLAN 100 traffic.
This data frame is not forwarded to the other ports on switch A because they are not part of VLAN 100. This increases security and decreases network traffic.
Switch B receives the data frame over the trunk link (port 8). There are VLAN 100 ports on switch B (ports 4 and 5) and the data frame is forwarded to those ports. As with switch A, the data frame is not delivered to the VLAN 200 ports.
If there were no VLAN 100 ports on switch B, the switch would not forward the data frame and it would stop there.
[Figure 2: Example VLAN Layer-2 packet delivery. The untagged frame enters switch A on port 1, leaves ports 1-4 untagged and port 8 (trunk) with a VLAN ID tag, arrives at switch B on port 8 and is delivered untagged on the VLAN 100 ports 4 and 5; the VLAN 200 ports (5-7 on switch A, port 6 on switch B) receive nothing.]
Before a switch forwards the data frame to an end destination, it removes the VLAN 100 ID tag. The sending computer and the receiving computers are not aware of any VLAN tagging on the data frame. When any computer receives that data frame, it appears as a normal data frame.
  protocol
  port number
The data frame may be forwarded to another VLAN, sent to a regular non-VLAN-tagged network or just forwarded to the same VLAN as a layer-2 switch would do. It may be discarded if that is the proper firewall policy action.
[Figure: Example VLAN layer-3 routing. Switch A at the Branch Office (ports 1-4 VLAN 100, ports 5-7 VLAN 200, port 8 802.1Q trunk) connects to port 1 of the FortiGate unit; the FortiGate unit connects over another trunk to switch B at the Main Office (port 1 and port 3 VLAN 300, port 5 VLAN 300 host).]
This example explains how traffic originating on VLAN 100 arrives at a destination on VLAN 300. Layer-2 switches alone cannot accomplish this, but a layer-3 router can do it. Let's follow a data frame going from VLAN 100 at the Branch Office to VLAN 300 at the Main Office.
As in the layer-2 example, the VLAN 100 computer sends the data frame to switch A and a VLAN 100 tag is added. Switch A forwards the tagged data frame to the FortiGate unit over the 802.1Q trunk link. The FortiGate unit removes the VLAN 100 tag and uses the content of the data frame to select the correct firewall policy.
In this case, the FortiGate unit's firewall policy allows the data frame to go to VLAN 300. It goes to all VLAN 300 interfaces, but in the example there is only one: port 1 on the FortiGate unit. Before the data frame leaves the FortiGate unit, the VLAN subinterface adds a VLAN ID 300 tag.
The FortiGate unit then forwards the data frame to switch B. Switch B removes the VLAN ID 300 tag because this is the last hop and forwards the data frame to the computer on port 5.
In this example a data frame arrives at the FortiGate unit tagged as VLAN 100 and, after checking its content, the FortiGate unit retags the data frame for VLAN 300. It is this change from VLAN 100 to VLAN 300 that requires a layer-3 routing device, in this case the FortiGate unit. Layer-2 switches cannot perform this change.
Creating VLAN subinterfaces with the same VLAN ID does not create any internal connection between them. For example, a VLAN ID of 300 on port1 and a VLAN ID of 300 on port2 are allowed, but they are not connected. Their relationship is the same as between any two FortiGate network interfaces.
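The two walk-throughs above (layer-2 delivery across the trunk, and the layer-3 retag from VLAN 100 to VLAN 300) can be traced byte by byte with a small model. The following is an added example and not code from the Fortinet guide: it builds the 4-byte 802.1Q tag the text describes, has a switch tag on an access port and strip on the last hop, and has a layer-3 gateway strip the tag, check a policy and retag. The MAC addresses, port maps, subnets, routing table and policy list are all constructed for the example, and the payload is a shortened stand-in for an IP packet (destination address followed by data), not a real IPv4 header.

```python
"""Added example, not code from the Fortinet guide: a small model of how an
802.1Q tag is inserted by an access port, carried over a trunk, read and
stripped again, and how a layer-3 device (the FortiGate unit in the guide's
example) strips the VLAN 100 tag, consults a policy and retags for VLAN 300.
Frames, port maps, routes and policies below are constructed for the example."""
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged Ethernet frame as an end station sends it (FCS omitted)."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vlan_id, pcp=0):
    """Insert the 4-byte 802.1Q tag after the source MAC; TCI = PCP | DEI | VID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID outside the 802.1Q range")
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | vlan_id) + frame[12:]


def read_tag(frame):
    """VLAN ID of a tagged frame, or None if the frame carries no tag."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def strip_tag(frame):
    """Remove the tag before delivery to an end station (untagged frames pass through)."""
    return frame if read_tag(frame) is None else frame[:12] + frame[16:]


class Switch:
    """Layer-2 switch: access ports carry one untagged VLAN, trunk ports carry every
    VLAN tagged. Frames are flooded within the VLAN (no MAC learning) to keep the
    model small; VLAN isolation is the point being shown."""

    def __init__(self, ports):
        self.ports = ports  # {port_number: vlan_id or "trunk"}

    def forward(self, frame, ingress):
        role = self.ports[ingress]
        if role == "trunk":
            vid = read_tag(frame)
            if vid is None:
                raise ValueError("untagged frame received on trunk port")
            tagged = frame
        else:                                   # access port: tag on ingress
            vid, tagged = role, tag_frame(strip_tag(frame), role)
        out = {}
        for port, prole in self.ports.items():
            if port == ingress:
                continue
            if prole == "trunk":
                out[port] = tagged              # keep the tag on the trunk
            elif prole == vid:
                out[port] = strip_tag(tagged)   # last hop: remove the tag
        return out


class Layer3Gateway:
    """Layer-3 device: strip the ingress tag, pick the destination VLAN from a
    routing table, allow only if a (src VLAN, dst VLAN) policy accepts, then retag."""

    def __init__(self, routes, policies):
        self.routes = [(ipaddress.ip_network(net), vid) for net, vid in routes]
        self.policies = policies  # ordered list of (src_vlan, dst_vlan, "accept" | "deny")

    def route(self, frame):
        src_vid = read_tag(frame)
        payload = strip_tag(frame)[14:]
        dst_ip = ipaddress.ip_address(payload[:4])   # constructed payload: dst IP, then data
        dst_vid = next((vid for net, vid in self.routes if dst_ip in net), None)
        if dst_vid is None:
            return None                               # no route
        for src, dst, action in self.policies:        # first match wins
            if src == src_vid and dst == dst_vid:
                return tag_frame(strip_tag(frame), dst_vid) if action == "accept" else None
        return None                                   # no matching policy: implicit deny


def ip_payload(dst_ip, data=b"app data"):
    return ipaddress.ip_address(dst_ip).packed + data


def layer2_delivery():
    """Guide's layer-2 walk-through: port 1 of switch A (VLAN 100) to switch B over port 8."""
    switch_a = Switch({1: 100, 2: 100, 3: 100, 4: 100, 5: 200, 6: 200, 7: 200, 8: "trunk"})
    switch_b = Switch({4: 100, 5: 100, 6: 200, 7: 200, 8: "trunk"})
    frame = build_frame(b"\xff" * 6, bytes.fromhex("0200000000a1"), ETHERTYPE_IPV4,
                        ip_payload("10.1.1.50"))
    out_a = switch_a.forward(frame, 1)
    out_b = switch_b.forward(out_a[8], 8)
    return {"switch_a_ports": sorted(out_a), "trunk_tag": read_tag(out_a[8]),
            "switch_b_ports": sorted(out_b), "delivered_untagged": out_b[4] == frame}


def layer3_retag():
    """Guide's layer-3 walk-through: VLAN 100 traffic retagged for VLAN 300 by policy."""
    gw = Layer3Gateway(routes=[("10.1.1.0/24", 100), ("10.1.2.0/24", 200), ("10.1.3.0/24", 300)],
                       policies=[(100, 300, "accept")])
    src = bytes.fromhex("0200000000a1")
    to_300 = tag_frame(build_frame(b"\xff" * 6, src, ETHERTYPE_IPV4, ip_payload("10.1.3.9")), 100)
    to_200 = tag_frame(build_frame(b"\xff" * 6, src, ETHERTYPE_IPV4, ip_payload("10.1.2.9")), 100)
    return {"to_vlan300": read_tag(gw.route(to_300)), "to_vlan200": gw.route(to_200)}
```

Calling `layer2_delivery()` shows the frame leaving switch A on ports 2, 3, 4 and 8 only, tagged on the trunk and untagged again at switch B; `layer3_retag()` shows the gateway turning a VLAN 100 frame into a VLAN 300 frame when a policy allows it and dropping traffic for VLAN 200, for which no policy exists.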
Inter-VDOM routing
FortiOS v3.0 MR1 introduced a new feature called inter-VDOM routing. When
configured, this feature allows traffic to pass between VDOMs without having to
leave the FortiGate unit on a physical interface and return on a different physical
interface. This feature also allows you to determine the level of inter-VDOM
routing varying from having only 2 VDOMs with limited interaction to having all
VDOMs fully inter-connected. All traffic between VDOMs must pass through
firewall policies as it does with all external interface connections.
The command to configure this feature, called vdom-link, is only available in the
CLI. Inter-VDOM routing is not available from the web-manager GUI. This topic is
dealt with in Inter-VDOM routing on page 127 and the VDOM-admin chapter in
the FortiOS CLI Reference.
Management VDOM
All management traffic leaves the FortiGate unit through the management VDOM.
This includes all external logging, remote management and other Fortinet
services. By default the management VDOM is the root VDOM. You can change
this to another VDOM so management traffic will originate from the new VDOM.
For more information see Changing the management VDOM on page 56.
  system configuration
  security policy
  user authorization
  administrator configuration
  FortiGuard Update
  configuration backup/restore
This makes it possible for you to have administrators for different services on each VDOM. For example you can have one administrator responsible for logs and reporting on a VDOM, while another administrator is responsible for security policies on that same VDOM. For more information on access profiles, see the FortiOS Administration Guide.
When you are configuring VDOMs using the admin administration account, the web-based manager shows which VDOM you are editing at the bottom of the left menu with the label Current VDOM:. If you are configuring global properties, there is no virtual domain indicator.
System settings
  Zones
  DHCP services
  Router configuration (all)
Firewall settings
  Policies
  Addresses
  Schedules
  Virtual IPs
  IP pools
User settings
  Users
  User groups
VPN settings
  IPSec
  PPTP
  SSL
  L2TP
IM settings
  Policy Download
  Statistics
DNS settings
Host name
System time
Firmware version
HA configuration
SNMP configuration
Replacement messages
Administrators
Access profiles
FortiManager configuration
Bug reporting
Firewall settings
  Predefined services
  Protection Profiles
IPS settings (all)
Antivirus settings (all)
Spam filter configuration (all)
Logging configuration and log reports (all)

Overview
There are several essential steps to configuring your FortiGate unit for VLANs:
  Configuring routing
Each VLAN subinterface must be configured with its own IP address and netmask. The subinterface VLAN ID can be any number between 1 and 4096. The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. If the IDs do not match, the subinterface will not receive the VLAN tagged traffic.
To add a VLAN subinterface in NAT/Route mode
1. If VDOMs are enabled and you are not in the root VDOM, select << Global.
2. From the Interface list, select the physical interface that receives the VLAN packets intended for this VLAN subinterface.
3. Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
4. Configure the VLAN subinterface settings as you would for any FortiGate interface.
Firewall policies control traffic:
  from the VLAN to another VLAN in the same virtual domain on the FortiGate unit
  to the VLAN from another VLAN in the same virtual domain on the FortiGate unit
The packets on each VLAN are subject to antivirus and antispam scans as they pass through the FortiGate unit.
To add firewall policies for VLAN subinterfaces
1. Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets.
Configuring routing
In the simplest case, you need to configure a default route for packets with external destinations to the gateway of an external network. In more complex cases, you might have to configure different routes based on packet source and destination addresses. Routing is explained in the FortiGate Administration Guide and the CLI Reference documentation.
As with firewalls, you need to configure routes for VLANs. VLANs need routing and a gateway configured to send and receive packets outside their local subnet. Depending on the network you are connecting to it can be static or dynamic routing. Dynamic routing can be routing information protocol (RIP), border gateway protocol (BGP), open shortest path first (OSPF), or multicast.
If you enable protocols like SSH, PING, TELNET, HTTPS and HTTP on the VLAN you can use them to confirm that routing is properly configured. Enabling logging on the interfaces can also help locate any possible issues.
[Figure: Example VLAN topology. Internet, untagged packets, to the FortiGate unit external port 172.16.21.2; FortiGate internal port 192.168.110.126 connects over an 802.1Q trunk to switch port Fa 0/24; VLAN 100 on Fa 0/9 and VLAN 200 on Fa 0/3 of the VLAN switch.]
When the Cisco switch receives packets from VLAN 100 and VLAN 200, it applies
VLAN ID tags and forwards the packets to local ports and across the trunk to the
FortiGate unit. The FortiGate unit has policies that allow traffic to flow between the
VLANs and from the VLANs to the external network.
This section describes how to configure a FortiGate 800 unit and a Cisco Catalyst
2950 switch for this example network topology. Cisco configuration commands
used in this section are IOS commands. It is assumed that both the FortiGate 800
and the Cisco 2950 switch are installed, connected and basic configuration has
been completed. On the switch you will need to be able to access the CLI to enter
commands. Refer to the manuals for each unit for more information.
Add Firewall addresses and address ranges for the internal and external networks.
If VDOMs are enabled and you are not in the root VDOM, select << Global.
Enter the following information for the external interface and select OK:
Addressing mode: Manual
IP/Netmask: 172.16.21.2/255.255.255.0
If VDOMs are enabled and you are not in the root VDOM, select << Global.
Name: VLAN_100
Interface: internal
VLAN ID: 100
Addressing mode: Manual
IP/Netmask: 10.1.1.1/255.255.255.0
Administrative Access

Name: VLAN_200
Interface: internal
VLAN ID: 200
Addressing mode: Manual
IP/Netmask: 10.1.2.1/255.255.255.0
Administrative Access
Address Name: VLAN_100_Net
Type: Subnet/IP Range
Subnet / IP Range: 10.1.1.0/255.255.255.0

Address Name: VLAN_200_Net
Type: Subnet/IP Range
Subnet / IP Range: 10.1.2.0/255.255.255.0
Source Interface/Zone: VLAN_100
Address Name: VLAN_100_Net
Destination Interface/Zone: VLAN_200
Address Name: VLAN_200_Net
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select

Source Interface/Zone: VLAN_200
Address Name: VLAN_200_Net
Destination Interface/Zone: VLAN_100
Address Name: VLAN_100_Net
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select

Source Interface/Zone: VLAN_100
Address Name: VLAN_100_Net
Destination Interface/Zone: external
Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select

Source Interface/Zone: VLAN_200
Address Name: VLAN_200_Net
Destination Interface/Zone: external
Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select
VLAN ID 100: Port 0/9
VLAN ID 200
Port 0/24: 802.1Q trunk
Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default gateways. The default gateway for VLAN 100 is the FortiGate VLAN 100 subinterface. The default gateway for VLAN 200 is the FortiGate VLAN 200 subinterface.
[Figure: Example trace routes. The VLAN 100 network (10.1.1.2) and VLAN 200 network (10.1.2.2) connect through the switch to the FortiGate VLAN 100 subinterface 10.1.1.1 and VLAN 200 subinterface 10.1.2.1; tracert is run from the VLAN 100 network toward VLAN 200 and toward the Internet.]
The internal interface is configured with two VLAN subinterfaces: VLAN 10 for the Local users network and VLAN 20 for the Finance network. The internal interface connects to a Cisco 2950 switch using an 802.1Q trunk.
The external interface is configured with two VLAN subinterfaces: VLAN 30 for the ATT ISP network and VLAN 40 for the XO ISP network. The external interface also connects to a Cisco 2950 switch using an 802.1Q trunk.
The FortiGate-800 is configured with firewall policies that control the flow of traffic between networks. The Finance network is the most secure network. It allows outbound traffic to all other networks, but it does not allow inbound traffic. The Local users network allows outbound traffic to the external networks (ATT ISP and XO ISP), inbound traffic from the Finance network and a single inbound connection from a VPN client on the ATT ISP network.
This section describes how to configure a FortiGate-800 unit and two 802.1Q-compliant switches for the example network topology shown in Figure 9.
[Figure 9: Example VLAN topology (FortiGate unit in NAT/Route mode). Internet side: VPN client, XO ISP (VLAN 40, Fa 0/9) and ATT ISP (VLAN 30, Fa 0/3) on the external switch, 802.1Q trunk on Fa 0/24 to the FortiGate-800 External interface (VLAN 30, VLAN 40). Internal side: FortiGate-800 Internal interface (VLAN 10, VLAN 20) over an 802.1Q trunk on Fa 0/24 to the Cisco 2950 switch (Internal), VLAN 10 on Fa 0/9 and VLAN 20 Finance network 192.168.20.0 on Fa 0/3.]
If VDOMs are enabled and you are not in the root VDOM, select << Global.
Enter the following information for the Local users network and select OK:
Name: Local-LAN
Interface: internal
VLAN ID: 10
Addressing mode: Manual
IP/Netmask: 192.168.10.1/255.255.255.0
Administrative Access
Enter the following information for the Finance network and select OK:
Name: Finance
Interface: internal
VLAN ID: 20
Addressing mode: Manual
IP/Netmask: 192.168.20.1/255.255.255.0
Administrative Access
Enter the following information for the ATT ISP network and select OK:
Name: ATT-ISP
Interface: external
VLAN ID: 30
Addressing mode: Manual
IP/Netmask: 30.1.1.1/255.255.255.0
Administrative Access
Enter the following information for the XO ISP network and select OK:
Name: XO-ISP
Interface: external
VLAN ID: 40
Addressing mode: Manual
IP/Netmask: 40.1.1.1/255.255.255.0
Administrative Access
Select either the web-based manager or the CLI to add a default route.
To add a default route - web-based manager
Enter the following information to add a default route to ATT-ISP for network traffic leaving the external interface and select OK:
Destination IP/Mask: 0.0.0.0/0.0.0.0
Gateway: 30.1.1.2
Device: ATT-ISP
Distance: 10
Enter the following information to add a secondary default route to XO-ISP for network traffic leaving the external interface and select OK:
Destination IP/Mask: 0.0.0.0/0.0.0.0
Gateway: 40.1.1.2
Device: XO-ISP
Distance: 20
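The two default routes above differ only in distance (10 for ATT-ISP, 20 for XO-ISP), which is what makes the XO-ISP route a standby path rather than a second active one. The following added example, which is not code from the Fortinet guide, models the selection rule a router applies to static routes: the most specific matching route wins, and among equally specific routes the lowest distance wins. The routing table, the connected-network entries, the Internet test address and the link-failure scenario are constructed for the example.

```python
"""Added example, not from the Fortinet guide: route selection among static
routes, first by longest prefix and then by distance, applied to the guide's
two default routes (distance 10 via ATT-ISP, distance 20 via XO-ISP). The
routing table and the link-failure scenario are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class StaticRoute:
    destination: str          # "0.0.0.0/0" for a default route
    gateway: str
    device: str
    distance: int
    up: bool = True           # False once the device (interface) is down

    @property
    def network(self):
        return ipaddress.ip_network(self.destination)


def select_route(routes, dst_ip):
    """Most specific usable route wins; among equally specific routes the lowest
    distance wins, so a higher-distance default route acts as a standby path."""
    dst = ipaddress.ip_address(dst_ip)
    usable = [r for r in routes if r.up and dst in r.network]
    if not usable:
        return None
    return min(usable, key=lambda r: (-r.network.prefixlen, r.distance))


def guide_routing_table():
    """The guide's two default routes plus constructed connected-network entries
    for the VLAN subinterfaces (distance 0, as a directly connected route would be)."""
    return [
        StaticRoute("0.0.0.0/0", "30.1.1.2", "ATT-ISP", 10),
        StaticRoute("0.0.0.0/0", "40.1.1.2", "XO-ISP", 20),
        StaticRoute("192.168.10.0/24", "0.0.0.0", "Local-LAN", 0),
        StaticRoute("192.168.20.0/24", "0.0.0.0", "Finance", 0),
    ]


def egress_device(routes, dst_ip):
    route = select_route(routes, dst_ip)
    return route.device if route else None


def failover_demo():
    """Internet-bound traffic leaves via ATT-ISP until that device goes down, then via XO-ISP;
    traffic to a Finance host always takes the more specific connected route."""
    routes = guide_routing_table()
    before = egress_device(routes, "198.51.100.7")      # constructed Internet address
    for r in routes:
        if r.device == "ATT-ISP":
            r.up = False                                  # simulate the ATT link failing
    after = egress_device(routes, "198.51.100.7")
    local = egress_device(routes, "192.168.20.5")       # longest prefix beats distance
    return {"before": before, "after": after, "finance_host": local}
```

Running `failover_demo()` returns ATT-ISP as the egress device while both links are up, XO-ISP once the ATT-ISP device is down, and Finance for a host on 192.168.20.0/24 regardless of the default routes. If both default routes were given the same distance they would no longer form a primary/standby pair; the guide's distinct values are what produce the intended behaviour.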
Address Name: Local_users
Type: Subnet/IP Range
IP Range/Subnet: 192.168.10.0/255.255.255.0

Address Name: Finance_users
Type: Subnet/IP Range
IP Range/Subnet: 192.168.20.0/255.255.255.0
Source Interface/Zone: Finance
Address Name: Finance_users
Destination Interface/Zone: ATT-ISP
Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select

Source Interface/Zone: Finance
Address Name: Finance_users
Destination Interface/Zone: XO-ISP
Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select

Source Interface/Zone: Finance
Address Name: Finance_users
Destination Interface/Zone: Local-LAN
Address Name: Local_users
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select

Source Interface/Zone: Local-LAN
Address Name: Local_users
Destination Interface/Zone: ATT-ISP
Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select

Source Interface/Zone: Local-LAN
Address Name: Local_users
Destination Interface/Zone: XO-ISP
Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select
config firewall policy
    edit 5
        set srcintf Local-LAN
        set dstintf XO-ISP
        set srcaddr Local_users
        set dstaddr all
        set schedule always
        set service ANY
        set action accept
        set nat enable
        set status enable
    next
end
Define the IP address for the VPN user on the Local users network.
Name: Dialup_tunnel
Remote Gateway: Dialup User
Local Interface: ATT-ISP
Mode: Aggressive
Authentication Method: Preshared key
Pre-shared key
Advanced
P1 Proposal
DH Group
Keylife: 28800 (seconds)

Name: Dialup-client
Phase 1: Dialup_tunnel
Advanced
P2 Proposal
Enable replay detection: Select
Enable perfect forward secrecy: Select
DH Group
Keylife: 1800 seconds
Select
DHCP-IPsec: Clear
Address Name: ATT-net
Type: Subnet/IP Range
IP Range/Subnet: 30.1.1.0/255.255.255.0

Source Interface/Zone: Local-LAN
Address Name: Local_users
Destination Interface/Zone: ATT-ISP
Address Name: ATT-net
Schedule: Always
Service: ANY
Action: IPSEC
VPN Tunnel
Allow inbound: Select
Allow outbound: Clear
Inbound NAT: Select
Outbound NAT: Clear
Place the policy in the policy list above non-encrypt policies. If there is more than one encrypt policy in the list, place the more specific ones above the more general ones with similar source and destination addresses.
Start FortiClient.
Select Advanced.
Figure 13: Advanced Settings
IP: 30.1.1.0
Subnet mask: 255.255.255.0
VLAN ID 10: Port 0/9
VLAN ID 20
Port 0/24: 802.1Q trunk
Note: To complete the setup, configure devices on VLAN 10 and VLAN 20 with default gateways. The default gateway for VLAN 10 is the FortiGate VLAN 10 subinterface. The default gateway for VLAN 20 is the FortiGate VLAN 20 subinterface.

VLAN ID 30: Port 0/9
VLAN ID 40
Port 0/24: 802.1Q trunk
Note: To complete the setup, configure devices on VLAN 30 and VLAN 40 with default gateways. The default gateway for VLAN 30 is the FortiGate VLAN 30 subinterface. The default gateway for VLAN 40 is the FortiGate VLAN 40 subinterface.
[Figure 14: Example trace route from VLAN 20 to VLAN 10. tracert output from the Finance network (VLAN 20) through the switch and the FortiGate-800 unit (VLAN 20 subinterface 192.168.20.1, VLAN 10 subinterface 192.168.10.1) to VLAN 10:
  <10 ms  <10 ms  <10 ms  192.168.20.1
  <10 ms  <10 ms  <10 ms  192.168.10.2
Trace complete.]
[Figure 15: Example trace route from VLAN 10 to the external network. tracert output from VLAN 10 through the switch and the FortiGate-800 unit (VLAN 10 subinterface 192.168.10.1, External interface 172.16.21.1) toward the Internet:
  <10 ms  <10 ms  <10 ms  192.168.10.1
  <10 ms  <10 ms  <10 ms  172.16.21.2
Trace complete.]

Overview
When Virtual Domain Configuration is enabled, the web-based manager and the CLI are changed as follows:
  Regular administrators can configure only the VDOM to which they are assigned.
By default, there is no password for admin. To improve security, you should set a password. Optionally, you can also rename the admin account. For more information on this see the user sections of FortiGate Administration Guide.
Log in as admin.
Enter the name for your new virtual domain and select OK. The name must not exceed 11 characters, and cannot contain spaces.
You can verify the new VDOM was created by refreshing the VDOM screen and confirming it is in the list of virtual domains. You can repeat Steps 3 and 4 for each VDOM that you want to create.
By default, your FortiGate unit supports a maximum of 10 VDOMs in any combination of NAT/Route and Transparent modes. For FortiGate models numbered 3000 and higher, you can purchase a license key to increase the maximum number to 25, 50, 100 or 250 VDOMs.
To obtain a VDOM license key
1. Record your FortiGate unit serial number. You can find the serial number in the web-based manager on the System > Status page under System Information.
2. Send the serial number to Fortinet customer support and request a license key for 25, 50, 100 or 250 VDOMs.
3. When you receive your license key, in the web-based manager, go to System > Status under License and select License next to VDOMs Allowed.
4. In the License Key field, enter the 32-character license key you received from Fortinet.
5. Select Apply.
You can verify the new VDOM license by going to System Status under Global Configuration. There under License Information, Virtual Domains shows the new maximum number of VDOMs allowed.
Log in as admin.
From the Virtual Domain list, select the VDOM that this administrator will control.
Configure the remaining settings of the administrator account. See the System Admin chapter of the FortiGate Administration Guide for detailed information.
Select OK.
The newly-created administrator can access the FortiGate unit only through a network interface that belongs to the assigned VDOM or through the Console interface. The network interface must be configured to allow management access, such as HTTPS and SSH.
Log in as admin.
Select the name of the virtual domain that you want to configure and select Switch.
The system network page for that virtual domain opens.
The bottom of the left menu displays the currently selected virtual domain name, unless only the root domain exists.
Log out.
Connect to a FortiGate unit interface that belongs to the VDOM that you want to configure.
To configure the root VDOM using the CLI, you can also connect to the Console connector.
  DNS lookups
  FortiGuard service
Before you change the management VDOM, ensure that virtual domain configuration is selected. To be able to connect to remote services such as NTP and FortiGuard services, the management domain requires an interface connected to the Internet.
Note: You cannot change the management VDOM if any administrators are using RADIUS authentication.
Select mgmt_vdom, the VDOM that will be the new management VDOM.
If you are not in the root virtual domain, select << Global.
Select the physical interface that receives the VLAN packets intended for this VLAN subinterface. The interface can be on a different VDOM from the VLAN.
Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
Configure the VLAN subinterface settings as you would for any FortiGate unit interface.
If you are not in the root virtual domain, select << Global.
From the Virtual Domain list, select the new VDOM of the interface.
Select OK.
The interface moves to the selected virtual domain. Firewall IP pools and virtual IPs added for this interface are deleted. You should manually delete any routes that include this interface.
To add a zone to a virtual domain
Add new firewall addresses, address ranges and address groups to the current virtual domain.
To configure firewall policies for a virtual domain
Select Create New to add firewall policies to the current virtual domain.
Your firewall policies can involve only the interfaces, zones and firewall addresses that are in the current virtual domain. The firewall policies that you add are only visible when you are viewing the current virtual domain. Network traffic accepted by the interfaces and VLAN subinterfaces in this virtual domain is controlled by the firewall policies in this virtual domain.
Go to VPN.
[Figure: Example VDOM topology. Internet via ISP1 (30.1.1.2) to the FortiGate unit External interface 30.1.1.21 and via ISP2 (40.1.1.32) to the DMZ interface 40.1.1.2. The Internal interface connects over an 802.1Q trunk (VLAN 100, VLAN 200) to Fa 0/24 of the VLAN switch; VLAN 100 on Fa 0/9 serves ABC Inc. (10.1.1.0, host 10.1.1.2) and VLAN 200 on Fa 0/3 serves DEF Inc. (10.1.2.0, host 10.1.2.2).]
When the switch receives packets from VLAN 100 and VLAN 200, it applies the proper VLAN ID tags and forwards the packets across the trunk link to the FortiGate unit. The FortiGate unit is a layer-3 device: it has policies that allow traffic to flow from VLAN 100 to the external network and from VLAN 200 to the DMZ network.
This section describes how to configure a FortiGate-800 unit and a Cisco 2950 switch for this example network topology.
Add Firewall addresses and address ranges for the internal and external networks.
Add a firewall policy to allow the VLAN to access the external network.
Log in as admin.
Enter the following information for the external interface and select OK:
Virtual domain: ABCdomain
Addressing mode: Manual
IP/Netmask: 30.1.1.21/255.255.255.0
Log in as admin.
Enter the following information for the external interface and select OK:
Virtual domain: DEFdomain
Addressing mode: Manual
IP/Netmask: 40.1.1.32/255.255.255.0
Adding the VLAN interface will provide a way to send and receive packets to the VDOM. Interfaces are part of the global configuration.
Adding the firewall policy will allow connection to the external interface and limit unwanted traffic. A firewall policy applies only to one VDOM.
Log in as admin.
Name: VLAN_100
Interface: internal
VLAN ID: 100
Virtual Domain: ABCdomain
Addressing mode: Manual
IP/Netmask: 10.1.1.1/255.255.255.0
Administrative Access
Log in as admin.
Address Name: VLAN_100_Net
Type: Subnet/IP Range
IP Range/Subnet: 10.1.1.0/255.255.255.0
Interface: VLAN_100

Source Interface/Zone: VLAN_100
Address Name: VLAN_100_Net
Destination Interface/Zone: External
Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select
Enter the following information to add a default route to ISP1 for network traffic leaving the external interface and select OK:
Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: external
Gateway: 30.1.1.2
Distance: 10
Log in as admin.
Name: VLAN_200
Interface: internal
VLAN ID: 200
Virtual Domain: DEFdomain
Addressing mode: Manual
IP/Netmask: 10.1.2.1/255.255.255.0
Administrative Access
Note that in the above figure VLAN_100 has no delete icon. That is because of the firewall policy that was added to it. Before being able to delete VLAN_100 you will have to first delete that firewall policy.
To add VLAN 200 subinterface - CLI
config global
    config system interface
        edit VLAN_200
            set interface internal
            set vlanid 200
            set vdom DEFdomain
            set mode static
            set ip 10.1.2.1 255.255.255.0
            set allowaccess https ping telnet
        next
    end
end
Log in as admin.
Address Name: VLAN_200_Net
Type: Subnet/IP Range
IP Range/Subnet: 10.1.2.0/255.255.255.0
Interface: VLAN_200
Log in as admin.
Source Interface/Zone: VLAN_200
Address Name: VLAN_200_Net
Destination Interface/Zone: dmz/ha
Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select
Log in as admin.
Enter the following information to add a default route to ISP2 for network traffic leaving the external interface and select OK:
Destination IP/Mask: 0.0.0.0/0.0.0.0
Gateway: 40.1.1.2
Device: dmz/ha
Distance: 10

Port 0/3
VLAN ID 100: Port 0/9
VLAN ID 200
Port 0/24: 802.1Q trunk
Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default gateways. The default gateway for VLAN 100 is the FortiGate unit VLAN 100 subinterface. The default gateway for VLAN 200 is the FortiGate unit VLAN 200 subinterface.
[Figure 26: Example trace route from VLAN 100 to the external network. tracert output from the VLAN 100 network through the switch and the FortiGate-800 unit (VLAN 100 subinterface 10.1.1.1, External interface 30.1.1.21) toward the Internet:
  <10 ms  <10 ms  <10 ms  10.1.1.1
  <10 ms  <10 ms  <10 ms  30.1.1.21
Trace complete.]
[Figure 27: Example trace route from VLAN 200 to the DMZ network. tracert output from the VLAN 200 network through the switch and the FortiGate-800 unit (VLAN 200 subinterface 10.1.2.1, DMZ interface 40.1.1.32):
  <10 ms  <10 ms  <10 ms  10.1.2.1
  <10 ms  <10 ms  <10 ms  40.1.1.32
Trace complete.]
The internal interface is configured with two VLAN subinterfaces: VLAN 10 for the students network and VLAN 20 for the instructors network.
The external interface is configured with a VLAN subinterface, VLAN 30, for the ATT-ISP network.
Firewall policies allow both the instructors and students networks to access the Internet through the ATT-ISP network. For students there is a stricter protection profile governing their online activities.
The internal interface is configured with two VLAN subinterfaces: VLAN 80 for the Sales network and VLAN 90 for the Development network.
Firewall policies allow access to the Internet through the XO-ISP and XS-ISP networks from both Sales and Development networks.
Firewall policies allow access from the Sales network to the Development network and from the Development network to the Sales network.
You might have noticed that the Student network and the Development network have the same network address ranges. This does not cause a problem because the two address ranges reside in different virtual domains.
Network diagram for this example: the ATT ISP (VLAN 30), XO ISP (VLAN 40) and XS ISP (VLAN 50) connect to ports Fa 0/3, Fa 0/9 and Fa 0/19 of an external Cisco switch, whose port Fa 0/24 is an 802.1Q trunk to the FortiGate unit external interface. The FortiGate unit internal interface is an 802.1Q trunk to port Fa 0/24 of the internal Cisco 2900 switch, whose access ports carry VLAN 10 (Student network, 192.168.10.0, port Fa 0/3), VLAN 20 (Instructors network, 192.168.20.0, port Fa 0/4) and VLANs 80 and 90 (the Sales and Development networks, 192.168.15.0 and 192.168.10.0).
Log in as admin.
Enter the following information for the students network and select OK:
Name: students
Type: VLAN
Interface: internal
VLAN ID: 10
Virtual Domain: ABCdomain
Addressing mode: Manual
IP/Netmask: 192.168.10.1/255.255.255.0
Enter the following information for the instructors network and select OK:
Name: instructors
Type: VLAN
Interface: internal
VLAN ID: 20
Virtual Domain: ABCdomain
Addressing mode: Manual
IP/Netmask: 192.168.20.1/255.255.255.0
Enter the following information for the ATT ISP network and select OK:
Name: ATT-ISP
Type: VLAN
Interface: external
VLAN ID: 30
Virtual Domain: ABCdomain
Addressing mode: Manual
IP/Netmask: 30.1.1.1/255.255.255.0
Enter the following information to add a default route to ATT-ISP for network traffic
leaving the external interface from the ABCdomain domain and select OK:
Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: ATT-ISP
Gateway: 30.1.1.2
Distance: 10
Address Name: student_net
Type: Subnet/IP Range
IP Range/Subnet: 192.168.10.0/255.255.255.0
Interface: Any

Address Name: instructor_net
Type: Subnet/IP Range
IP Range/Subnet: 192.168.20.0/255.255.255.0
Interface: Any
Source Interface/Zone: students
Source Address Name: student_net
Destination Interface/Zone: ATT-ISP
Destination Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select
Protection profile: strict

Source Interface/Zone: instructors
Source Address Name: instructor_net
Destination Interface/Zone: ATT-ISP
Destination Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select
Protection profile: scan

Source Interface/Zone: instructors
Source Address Name: instructor_net
Destination Interface/Zone: students
Destination Address Name: student_net
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select
Enter the following information for the Sales network and select OK:
Name: Sales
Type: VLAN
Interface: internal
VLAN ID: 80
Virtual Domain: Commercial
Addressing mode: Manual
IP/Netmask: 192.168.15.1/255.255.255.0
Enter the following information for the Development network and select OK:
Name: Development
Type: VLAN
Interface: internal
VLAN ID: 90
Virtual Domain: Commercial
Addressing mode: Manual
IP/Netmask: 192.168.10.1/255.255.255.0
Enter the following information for the XO ISP network and select OK:
Name: XO-ISP
Type: VLAN
Interface: external
VLAN ID: 40
Virtual Domain: Commercial
Addressing mode: Manual
IP/Netmask: 40.1.1.1/255.255.255.0
Enter the following information for the XS ISP network and select OK:
Name: XS-ISP
Type: VLAN
Interface: external
VLAN ID: 50
Virtual Domain: Commercial
Addressing mode: Manual
IP/Netmask: 145.1.1.1/255.255.255.0
Enter the following information to add a default route to XO-ISP for network traffic
leaving the external interface from the Commercial domain and select OK:
Destination IP/Mask: 0.0.0.0/0.0.0.0
Gateway: 40.1.1.2
Device: XO-ISP
Distance: 10
Enter the following information to add a secondary default route to XS-ISP for
network traffic leaving the external interface from the Commercial domain and
select OK:
Destination IP/Mask: 0.0.0.0/0.0.0.0
Gateway: 145.1.1.2
Device: XS-ISP
Distance: 20
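The route selection that the two default routes above rely on, written out as an added Python example (this is illustration code, not FortiGate's routing implementation). It shows why the distance-20 XS-ISP route only carries traffic once the distance-10 XO-ISP route is unusable, and why the Student and Development networks can both use 192.168.10.0 when they sit in different virtual domains. The model assumes that a route is usable only while its device is up and that each VDOM keeps a completely separate table; the interface and route values are the ones entered in this example.

```python
"""Per-VDOM route selection: longest prefix match, then lowest distance.

Added illustration, not FortiGate code. Assumptions (mine): a route is
usable only while its device is up, and each VDOM has a separate table.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str      # destination network, e.g. "0.0.0.0/0"
    gateway: str     # next hop, or "connected" for a directly attached subnet
    device: str      # interface or VLAN subinterface that carries the traffic
    distance: int    # administrative distance; lower wins among equal prefixes


class Vdom:
    """One virtual domain: its interfaces, link state and routing table."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: List[Route] = []
        self.link_up: Dict[str, bool] = {}

    def add_interface(self, device: str, ip_prefix: str) -> None:
        # Assigning an address installs a connected route at distance 0.
        net = ip_network(ip_prefix, strict=False)
        self.link_up[device] = True
        self.routes.append(Route(str(net), "connected", device, 0))

    def add_route(self, prefix: str, gateway: str, device: str, distance: int) -> None:
        self.routes.append(Route(str(ip_network(prefix)), gateway, device, distance))

    def set_link(self, device: str, up: bool) -> None:
        self.link_up[device] = up

    def lookup(self, destination: str) -> Optional[Route]:
        """Return the route that would carry a packet to destination, or None."""
        addr = ip_address(destination)
        usable = [r for r in self.routes
                  if self.link_up.get(r.device, False)
                  and addr in ip_network(r.prefix)]
        if not usable:
            return None
        # Most specific prefix first; among equal prefixes the lowest distance.
        return min(usable, key=lambda r: (-ip_network(r.prefix).prefixlen, r.distance))


def build_example_vdoms() -> Dict[str, Vdom]:
    """The two VDOMs of this example, built from the values entered above."""
    abc = Vdom("ABCdomain")
    abc.add_interface("students", "192.168.10.1/24")
    abc.add_interface("instructors", "192.168.20.1/24")
    abc.add_interface("ATT-ISP", "30.1.1.1/24")
    abc.add_route("0.0.0.0/0", "30.1.1.2", "ATT-ISP", 10)

    com = Vdom("Commercial")
    com.add_interface("Sales", "192.168.15.1/24")
    com.add_interface("Development", "192.168.10.1/24")
    com.add_interface("XO-ISP", "40.1.1.1/24")
    com.add_interface("XS-ISP", "145.1.1.1/24")
    com.add_route("0.0.0.0/0", "40.1.1.2", "XO-ISP", 10)    # primary default route
    com.add_route("0.0.0.0/0", "145.1.1.2", "XS-ISP", 20)   # secondary default route
    return {"ABCdomain": abc, "Commercial": com}


def egress_device(vdoms: Dict[str, Vdom], vdom: str, destination: str) -> Optional[str]:
    """Name of the device a packet leaves on in the given VDOM, or None if unroutable."""
    route = vdoms[vdom].lookup(destination)
    return route.device if route else None


if __name__ == "__main__":
    vdoms = build_example_vdoms()
    # 203.0.113.10 is a constructed Internet address (RFC 5737 documentation range).
    print(egress_device(vdoms, "Commercial", "203.0.113.10"))   # XO-ISP
    vdoms["Commercial"].set_link("XO-ISP", False)               # primary ISP link fails
    print(egress_device(vdoms, "Commercial", "203.0.113.10"))   # XS-ISP
    print(egress_device(vdoms, "Commercial", "192.168.10.7"))   # Development
    print(egress_device(vdoms, "ABCdomain", "192.168.10.7"))    # students
```

The same destination 192.168.10.7 resolves to the Development subinterface in the Commercial VDOM and to the students subinterface in ABCdomain because the lookup never sees the other VDOM's table.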
Address Name: all
Type: Subnet/IP Range
IP Range/Subnet: 0.0.0.0/0.0.0.0

Address Name: development_net
Type: Subnet/IP Range
IP Range/Subnet: 192.168.10.0/255.255.255.0

Address Name: sales_net
Type: Subnet/IP Range
IP Range/Subnet: 192.168.15.0/255.255.255.0
Source Interface/Zone: Sales
Source Address Name: sales_net
Destination Interface/Zone: XO-ISP
Destination Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select
Protection profile: scan

Source Interface/Zone: Sales
Source Address Name: sales_net
Destination Interface/Zone: XS-ISP
Destination Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select
Protection profile: scan

Source Interface/Zone: Development
Source Address Name: development_net
Destination Interface/Zone: XO-ISP
Destination Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select
Protection profile: scan

Source Interface/Zone: Development
Source Address Name: development_net
Destination Interface/Zone: XS-ISP
Destination Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select
Protection profile: scan

Source Interface/Zone: Sales
Source Address Name: sales_net
Destination Interface/Zone: Development
Destination Address Name: development_net
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select

Source Interface/Zone: Development
Source Address Name: development_net
Destination Interface/Zone: Sales
Destination Address Name: sales_net
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: Select
Port 0/3: VLAN ID 10
Port 0/4: VLAN ID 20
Port 0/14: VLAN ID 80
Port 0/16: VLAN ID 90
Port 0/24: 802.1Q trunk
Add this file to the Cisco switch connected to the FortiGate-800 external interface:
!
interface FastEthernet0/3
switchport access vlan 30
!
interface FastEthernet0/9
switchport access vlan 40
!
interface FastEthernet0/19
switchport access vlan 50
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
The switch has the following configuration:
Port 0/3: VLAN ID 30
Port 0/9: VLAN ID 40
Port 0/19: VLAN ID 50
Port 0/24: 802.1Q trunk
  1    <10 ms    <10 ms    <10 ms  192.168.20.1
  2    <10 ms    <10 ms    <10 ms  192.168.10.2
Trace complete.
Diagram: tracert runs from a host on the Instructors network (VLAN 20), through the switch, to the FortiGate unit (VLAN 20 subinterface 192.168.20.1, VLAN 10 subinterface 192.168.10.1) and on to host 192.168.10.2 on the Student network (VLAN 10).
Other tests
Using the preceding method, you can also test traffic from the Development
network to the Sales network and vice-versa, as well as traffic from each of the
internal networks to locations on the Internet.
Overview
You can add more virtual domains if you want to separate groups of VLAN
subinterfaces into virtual domains. When using a FortiGate unit to serve multiple
organizations, this simplifies administration because you see only the firewall
policies for the VDOM you are configuring. For information on adding and
configuring virtual domains, see Getting started with VDOMs on page 53.
One essential application of virtual domains is to prevent problems caused when a
FortiGate unit is connected to a layer-2 switch that has a global MAC table.
FortiGate units normally forward ARP requests to all interfaces, including VLAN
subinterfaces. It is then possible for the switch to receive duplicate ARP packets
on different VLANs. Some layer-2 switches reset when this happens. As ARP
requests are only forwarded to interfaces in the same virtual domain, you can
solve this problem by creating a virtual domain for each VLAN. For an example of
this type of configuration, see Example configuration Transparent mode (multiple
virtual domains) on page 107.
You can also configure the protection profiles that govern virus scanning, web
filtering and spam filtering. Protection profiles are covered in the documentation
for your FortiGate unit.
In Transparent mode, you can access the FortiGate unit web-based manager by
connecting to an interface configured for administrative access and using HTTPS
to access the management IP address. On the FortiGate-800 used as an example
in this document, administrative access is enabled by default on the Internal
interface and the default management IP address is 10.10.10.1. If you need more
information, see the Quick Start Guide or Installation Guide for your unit.
The procedures in this section assume that you have not enabled VDOM
configuration. If VDOM configuration is enabled, you need to navigate to the
global or VDOM configuration as needed before following each procedure.
Select the physical interface that receives the VLAN packets intended for this
VLAN subinterface.
Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
VLAN subinterface.
Repeat Step 2 through Step 8, but choose the physical interface through which
the VLAN packets exit the FortiGate unit. Use the same VLAN ID and VDOM as
before.
For each of the VLAN subinterfaces you added, select Bring Up to start the
interface.
Select Create New to add firewall addresses that match the source and
destination IP addresses of VLAN packets.
From the Source Interface/Zone list, select the VLAN interface where packets
enter the unit.
From the Destination Interface/Zone list, select the VLAN interface where packets
exit the unit.
Select Protection Profile and select the profile from the list.
Select OK.
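How the VLAN ID entered in the procedure above is matched against incoming tagged packets, as an added Python example (illustration code, not Fortinet's implementation). It parses the 802.1Q tag of an Ethernet frame and looks the tag's VLAN ID up among the subinterfaces defined on the physical interface the frame arrived on. The subinterface names are the ones from this example; the MAC addresses, the frame builder and the rule that untagged or priority-only (VID 0) frames belong to the physical interface itself are my assumptions.

```python
"""Classify incoming frames onto VLAN subinterfaces by 802.1Q VLAN ID.

Added example, not Fortinet code. Assumptions (mine): interface names are
plain strings, subinterfaces are keyed by (physical interface, VLAN ID),
and untagged or priority-only frames belong to the physical interface.
"""
import struct
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100      # EtherType value that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800

# Constructed MAC addresses for the sample frames.
HOST_MAC = bytes.fromhex("020000000001")
GATEWAY_MAC = bytes.fromhex("020000000002")

# Subinterfaces from the simple Transparent mode example above.
SUBINTERFACES: Dict[Tuple[str, int], str] = {
    ("internal", 100): "VLAN_100_int",
    ("external", 100): "VLAN_100_ext",
    ("internal", 200): "VLAN_200_int",
    ("external", 200): "VLAN_200_ext",
}


def parse_ethernet(frame: bytes) -> dict:
    """Split a frame into addresses, optional 802.1Q tag, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, tag = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q TPID present but the tag is truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        tag = {
            "pcp": tci >> 13,        # 3-bit priority code point
            "dei": (tci >> 12) & 1,  # drop eligible indicator
            "vid": tci & 0x0FFF,     # 12-bit VLAN identifier
        }
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tag": tag,
            "ethertype": ethertype, "payload": frame[offset:]}


def classify(frame: bytes, physical_if: str,
             subinterfaces: Dict[Tuple[str, int], str] = SUBINTERFACES) -> Optional[str]:
    """Return the interface that owns the frame, or None if no subinterface matches."""
    tag = parse_ethernet(frame)["tag"]
    if tag is None or tag["vid"] == 0:
        return physical_if            # untagged, or priority-tagged only
    if tag["vid"] == 4095:
        return None                   # reserved VID, never a valid subinterface
    return subinterfaces.get((physical_if, tag["vid"]))


def build_frame(vid: Optional[int], pcp: int = 0,
                payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Build a constructed sample frame, tagged with vid, or untagged when vid is None."""
    header = GATEWAY_MAC + HOST_MAC          # destination, then source
    if vid is None:
        return header + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return header + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


if __name__ == "__main__":
    print(classify(build_frame(100), "internal"))   # VLAN_100_int
    print(classify(build_frame(200), "external"))   # VLAN_200_ext
    print(classify(build_frame(300), "internal"))   # None: no VLAN 300 subinterface
    print(classify(build_frame(None), "internal"))  # internal
```

A tagged frame whose VLAN ID has no subinterface on that physical interface returns None: the unit has no interface to deliver it to, which is why the same VLAN ID must be entered on both the internal and the external side.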
Network diagram for this example: a VLAN router with subinterfaces 10.1.1.1 (VLAN 100) and 10.1.2.1 (VLAN 200) connects over an 802.1Q trunk, through a VLAN switch, to the external interface of a FortiGate-300 unit in Transparent mode. The internal interface connects over an 802.1Q trunk to port Fa0/24 of a second VLAN switch, whose access ports Fa0/3 (VLAN 100, host 10.1.1.2) and Fa0/9 (VLAN 200, host 10.1.2.2) serve the two VLANs.
Name: VLAN_100_int
Interface: internal
VLAN ID: 100

Name: VLAN_100_ext
Interface: external
VLAN ID: 100

Name: VLAN_200_int
Interface: internal
VLAN ID: 200

Name: VLAN_200_ext
Interface: external
VLAN ID: 200
Source Interface/Zone: VLAN_100_int
Source Address Name: all
Destination Interface/Zone: VLAN_100_ext
Destination Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT

Source Interface/Zone: VLAN_100_ext
Source Address Name: all
Destination Interface/Zone: VLAN_100_int
Destination Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT

Source Interface/Zone: VLAN_200_int
Source Address Name: all
Destination Interface/Zone: VLAN_200_ext
Destination Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT

Source Interface/Zone: VLAN_200_ext
Source Address Name: all
Destination Interface/Zone: VLAN_200_int
Destination Address Name: all
Schedule: Always
Service: ANY
Action: ACCEPT
Port 0/3: VLAN ID 100
Port 0/9: VLAN ID 200
Port 0/24: 802.1Q trunk
The router has the following configuration:
Port 0/0.1: VLAN ID 100
Port 0/0.2: VLAN ID 200
Port 0/0: 802.1Q trunk
Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default
gateways. The default gateway for VLAN 100 is the Cisco router VLAN 100 subinterface.
The default gateway for VLAN 200 is the Cisco router VLAN 200 subinterface.
  1    <10 ms    <10 ms    <10 ms  10.1.1.1
  2    <10 ms    <10 ms    <10 ms  10.1.2.2
Trace complete.
Figure 39: Example trace route from VLAN 100 to VLAN 200 (diagram: tracert runs from host 10.1.1.2 on VLAN 100, through the switch and the FortiGate-300 unit in Transparent mode, to the router subinterface 10.1.1.1, and back through the FortiGate unit to host 10.1.2.2 on VLAN 200)
Network diagram for this example: the router sends untagged packets to port Fa0/3 of VLAN Switch 2, whose trunk port Fa0/6 carries VLANs 100, 200 and 300 to the external interface (VLAN_100_ext, VLAN_200_ext, VLAN_300_ext) of a FortiGate unit in Transparent mode. The internal interface (VLAN_100_int, VLAN_200_int, VLAN_300_int) is a VLAN trunk to VLAN Switch 1, whose access ports Fa0/1, Fa0/2 and Fa0/5 serve ABC Inc (VLAN ID 100), DEF Inc (VLAN ID 200) and XYZ Inc. (VLAN ID 300).
Creating schedules
The FortiGate-800 unit in this example serves organizations that are all
businesses that vary their policies according to the time of day. For simplicity, this
example assumes that they all have the same lunch hours. It would be possible to
accommodate different definitions of lunchtime by creating multiple schedules
tailored to the needs of each organization.
Set the Start time as 11:45 and set the Stop time as 14:00.
Select OK.
To create a recurring schedule for lunchtime - CLI
config firewall schedule recurring
  edit Lunch
    set day monday tuesday wednesday thursday friday saturday
    set start 11:45
    set end 14:00
  end
Profile name
Description
Used by
BusinessOnly
Lunch
Select Anti-Virus and enable Virus Scan for HTTP, FTP, IMAP, POP3 and SMTP.
Set the web category actions as follows (in the order listed): Block, Block,
Block, Block, Block; Business Oriented: Allow; Other: Block.
Select Spam Filtering and enable RBL & ORDBL check for IMAP, POP3 and
SMTP.
For Spam action, select tagged for IMAP and POP3, discard for SMTP.
Select OK.
To create the BusinessOnly protection profile - CLI
config firewall profile
  edit BusinessOnly
    set ftp scan
    set http scan catblock
    set imap scan fragmail spamrbl bannedword
    set pop3 scan fragmail spamrbl bannedword
    set smtp scan fragmail spamrbl bannedword
    set ips signature anomaly
    set cat_allow 49-50-51-52-53
    set cat_deny g01-g02-g03-g04-g05-g06-g08
  end
To create the Relaxed protection profile - web-based manager
Select Anti-Virus and enable Virus Scan for HTTP, FTP, IMAP, POP3 and SMTP.
Set the web category actions as follows (in the order listed): Block, Block,
Monitor, Block, Allow; Business Oriented: Allow; Others: Allow.
Select Spam Filtering and enable RBL & ORDBL check for IMAP, POP3 and
SMTP.
For Spam action, select tagged for IMAP and POP3, discard for SMTP.
Select OK.
To create the Relaxed protection profile - CLI
config firewall profile
  edit Relaxed
    set ftp scan
    set http scan catblock
    set imap scan
    set pop3 scan
    set smtp scan spamrbl
    set ips anomaly
    set ips signature
    set cat_allow g06-g07-g08
    set cat_deny g01-g02-g05
    set cat_monitor g03-g04
  end
Log in as admin.
In system vdom, add the following virtual domains:
ABCdomain
DEFdomain
XYZdomain
Name: VLAN_100_int
Interface: internal
VLAN ID: 100
Virtual Domain: ABCdomain

Name: VLAN_100_ext
Interface: external
VLAN ID: 100
Virtual Domain: ABCdomain
Select Change following the current virtual domain name above the table.
For each of AOL, IRC, NetMeeting, Quake, SIP-MSNmessenger and Talk, select
the service in the Available Services list and select the right arrow to add it to the
Members list.
Select OK.
To create a games and chat service group - CLI
config firewall service group
  edit games-chat
    set member IRC NetMeeting QUAKE SIP-MSNmessenger AOL TALK
  end
Select OK.
To configure ABCdomain firewall addresses - CLI
config firewall address
  edit all
    set type ipmask
    set subnet 0.0.0.0 0.0.0.0
  end
Source Interface/Zone: VLAN_100_int
Destination Interface/Zone: VLAN_100_ext
Address Name: all
Schedule: BusinessDay
Service: games-chat
Action: DENY
This policy prevents the use of network games or chat programs during business
hours.

Source Interface/Zone: VLAN_100_int
Destination Interface/Zone: VLAN_100_ext
Address Name: all
Schedule: Lunch
Service: HTTP
Action: ACCEPT
Protection Profile: Relaxed
This policy relaxes the web category filtering during lunch hour.

Source Interface/Zone: VLAN_100_int
Destination Interface/Zone: VLAN_100_ext
Address Name: all
Schedule: BusinessDay
Service: HTTP
Action: ACCEPT
Protection Profile: BusinessOnly
This policy provides rather strict web category filtering during business hours.
Figure 42: ABCdomain firewall policies
Name: VLAN_200_int
Interface: internal
VLAN ID: 200
Virtual Domain: DEFdomain

Name: VLAN_200_ext
Interface: external
VLAN ID: 200
Virtual Domain: DEFdomain
Select Change following the current virtual domain name above the table.
For each of AOL, IRC, Quake, SIP-MSNmessenger and Talk, select the service in
the Available Services list and select the right arrow to add it to the Members list.
Select OK.
To create a games and chat service group - CLI
config firewall service group
  edit Games
    set member IRC QUAKE SIP-MSNmessenger AOL TALK
  end
Select OK.
To configure DEFdomain firewall addresses - CLI
config firewall address
  edit all
    set type ipmask
    set subnet 0.0.0.0 0.0.0.0
  end
Source Interface/Zone: VLAN_200_int
Destination Interface/Zone: VLAN_200_ext
Address Name: all
Schedule: BusinessDay
Service: games-chat
Action: DENY
This policy prevents the use of network games or chat programs (except
NetMeeting) during business hours.

Source Interface/Zone: VLAN_200_int
Destination Interface/Zone: VLAN_200_ext
Address Name: all
Schedule: Lunch
Service: HTTP
Action: ACCEPT
Protection Profile: Relaxed
This policy relaxes the web category filtering during lunch hour.

Source Interface/Zone: VLAN_200_int
Destination Interface/Zone: VLAN_200_ext
Address Name: all
Schedule: BusinessDay
Service: HTTP
Action: ACCEPT
Protection Profile: BusinessOnly
This policy provides rather strict web category filtering during business hours.

Source Interface/Zone: VLAN_200_int
Destination Interface/Zone: VLAN_200_ext
Address Name: all
Schedule: always
Service: ANY
Action: ACCEPT
Protection Profile: Relaxed
Because it is last in the list, this policy applies to the times and services not
covered in preceding policies. This means that outside of regular business hours
the Relaxed protection profile applies to email and web browsing and that online
chat and games are permitted. DEF Inc. needs this policy because its employees
sometimes work overtime. The other companies in this example maintain fixed
hours and don't want any after-hours Internet access.
Figure 44: DEFdomain firewall policies
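The first-match evaluation that makes the order of the DEFdomain policies matter, as an added Python example (illustration code, not FortiGate's policy engine). Policies are checked top to bottom, and the first one whose interfaces, schedule and service match decides the action and protection profile, so the final always/ANY policy only catches traffic the narrower policies above it did not. The Lunch schedule is the one created in the CLI step above. Assumptions of mine: the BusinessDay schedule is Monday to Friday 08:00 to 18:00 (the page does not give its definition), the games policy refers to the Games service group created for DEFdomain (the policy table lists it as games-chat), and a packet that matches no policy is dropped.

```python
"""First-match firewall policy evaluation with recurring schedules.

Added example, not FortiGate code. Assumptions (mine): BusinessDay is
Mon-Fri 08:00-18:00, the games policy uses the Games service group, and
no match means the packet is dropped (implicit deny).
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Recurring:
    days: FrozenSet[str]     # lowercase weekday names, as in "set day monday ..."
    start: time
    end: time                # exclusive: 14:00 is no longer lunchtime

    def active(self, when: datetime) -> bool:
        weekday = when.strftime("%A").lower()
        return weekday in self.days and self.start <= when.time() < self.end


WEEKDAYS = frozenset({"monday", "tuesday", "wednesday", "thursday", "friday"})

SCHEDULES: Dict[str, Optional[Recurring]] = {
    "always": None,   # None: the schedule is always active
    "Lunch": Recurring(WEEKDAYS | {"saturday"}, time(11, 45), time(14, 0)),
    "BusinessDay": Recurring(WEEKDAYS, time(8, 0), time(18, 0)),   # assumed definition
}

SERVICE_GROUPS: Dict[str, Set[str]] = {
    "Games": {"IRC", "QUAKE", "SIP-MSNmessenger", "AOL", "TALK"},
}


@dataclass(frozen=True)
class Policy:
    src_if: str
    dst_if: str
    schedule: str
    service: str             # a service name, a service group name, or "ANY"
    action: str              # "ACCEPT" or "DENY"
    profile: Optional[str] = None


# The DEFdomain policies above, in list order.
DEFDOMAIN_POLICIES: List[Policy] = [
    Policy("VLAN_200_int", "VLAN_200_ext", "BusinessDay", "Games", "DENY"),
    Policy("VLAN_200_int", "VLAN_200_ext", "Lunch", "HTTP", "ACCEPT", "Relaxed"),
    Policy("VLAN_200_int", "VLAN_200_ext", "BusinessDay", "HTTP", "ACCEPT", "BusinessOnly"),
    Policy("VLAN_200_int", "VLAN_200_ext", "always", "ANY", "ACCEPT", "Relaxed"),
]


def schedule_active(name: str, when: datetime) -> bool:
    sched = SCHEDULES[name]
    return sched is None or sched.active(when)


def service_matches(policy_service: str, service: str) -> bool:
    if policy_service == "ANY":
        return True
    if policy_service in SERVICE_GROUPS:
        return service in SERVICE_GROUPS[policy_service]
    return policy_service == service


def evaluate(policies: List[Policy], src_if: str, dst_if: str, service: str,
             when: datetime) -> Optional[Tuple[int, str, Optional[str]]]:
    """Return (policy index, action, profile) of the first match, or None for implicit deny."""
    for index, policy in enumerate(policies):
        if (policy.src_if == src_if and policy.dst_if == dst_if
                and schedule_active(policy.schedule, when)
                and service_matches(policy.service, service)):
            return index, policy.action, policy.profile
    return None


def decide(stamp: str, service: str,
           policies: List[Policy] = DEFDOMAIN_POLICIES) -> Optional[Tuple[int, str, Optional[str]]]:
    """Evaluate a VLAN_200_int to VLAN_200_ext packet at a constructed "YYYY-MM-DD HH:MM" time."""
    when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
    return evaluate(policies, "VLAN_200_int", "VLAN_200_ext", service, when)


if __name__ == "__main__":
    # Constructed timestamps: Wednesday 10 January 2024 and Sunday 14 January 2024.
    for stamp, svc in [("2024-01-10 10:00", "IRC"), ("2024-01-10 12:30", "HTTP"),
                       ("2024-01-10 10:00", "HTTP"), ("2024-01-10 20:00", "IRC"),
                       ("2024-01-14 12:30", "HTTP")]:
        print(stamp, svc, decide(stamp, svc))
```

Removing the last policy turns the after-hours IRC case into a None result, which is the implicit deny that applies when no policy matches; that is the difference between DEF Inc. and the other two companies in this example.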
Name: VLAN_300_int
Interface: internal
VLAN ID: 300
Virtual Domain: XYZdomain

Name: VLAN_300_ext
Interface: external
VLAN ID: 300
Virtual Domain: XYZdomain
Select Change following the current virtual domain name above the table.
For each of POP3, IMAP and SMTP, select the service in the Available Services
list and select the right arrow to add it to the Members list.
Select OK.
To create an email service group - CLI
config firewall service group
  edit Email
    set member POP3 IMAP SMTP
  end
To create a web service group - web-based manager
For each of HTTP, HTTPS and FTP, select the service in the Available Services
list and select the right arrow to add it to the Members list.
Select OK.
To create a web service group - CLI
config firewall service group
  edit Web
    set member HTTP HTTPS FTP
  end
Select OK.
To configure XYZdomain firewall addresses - CLI
config firewall address
  edit all
    set type ipmask
    set subnet 0.0.0.0 0.0.0.0
  end
Source Interface/Zone: VLAN_300_int
Destination Interface/Zone: VLAN_300_ext
Address Name: all
Schedule: always
Service:
Action: ACCEPT
Protection Profile: strict
This policy provides network protection for email using the default strict protection
profile. The administrator must also set up the antivirus, web filter and spam filter
settings. These procedures are not described in this document.

Source Interface/Zone: VLAN_300_int
Destination Interface/Zone: VLAN_300_ext
Address Name: all
Schedule: always
Service: Web
Action: ACCEPT
Protection Profile: web
This policy provides network protection for HTTP, HTTPS and FTP using the
default web protection profile. The administrator must also set up the antivirus and
web filter settings. These procedures are not described in this document.
Figure 46: XYZdomain firewall policies
Configuring switch 1
Add this file to Cisco VLAN switch 1:
!
interface FastEthernet0/1
switchport access vlan 100
!
interface FastEthernet0/2
switchport access vlan 200
!
interface FastEthernet0/5
switchport access vlan 300
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
Switch 1 has the following configuration:
Port 0/1: VLAN ID 100
Port 0/2: VLAN ID 200
Port 0/3: VLAN ID 300
Port 0/6: 802.1Q trunk
Configuring switch 2
Add this file to Cisco VLAN switch 2:
interface FastEthernet0/3
switchport
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
From a host on VLAN 100, access a command prompt and enter this command:
C:\>tracert www.fortinet.com
Tracing route to www.fortinet.com [128.242.109.135]
over a maximum of 30 hops:
  1    <10 ms    <10 ms    <10 ms  172.20.120.2
  ...
 14   172 ms   141 ms   140 ms  128.242.109.135
Trace complete.
Inter-VDOM routing
Overview
In the past VDOMs were separate from each other. There was no internal
communication between them. Any communication between VDOMs had to leave
on a physical interface and re-enter the FortiGate unit on another physical
interface.
Inter-VDOM routing changes this. With the introduction of inter-VDOM links in
FortiOS v3.0 MR1, VDOMs can communicate internally without using additional
physical interfaces. FortiManager units support inter-VDOM routing on managed
FortiGate units starting with FortiManager v3.0 MR1.
This chapter contains the following sections:
Inter-VDOM Configurations
Inter-VDOM planning
For example, a FortiGate-800 has 8 ports. If they are assigned 2 per VDOM (one
each for external and internal traffic), at most 4 VDOMs can be configured, not
the 10 VDOMs the license allows. Adding even one additional interface per VDOM
for inter-VDOM communication brings this down to only 2 VDOMs, since 3 VDOMs
would require 9 interfaces. Even using one physical interface for both external
traffic and inter-VDOM communication would severely lower the available
bandwidth for external traffic on that interface.
With the introduction of inter-VDOM routing, traffic can travel between VDOMs
internally, freeing up physical interfaces for external traffic. Using the above
example, the 4 VDOM configuration can be kept and all the interfaces retain
their full bandwidth.
These point-to-point interfaces are now treated like normal FortiGate interfaces
and need to be configured as regular interfaces would. This includes IP address
and netmask and what types of administrative access are allowed.
you must have at least two virtual domains configured on the FortiGate device
In Policy Manager you can access the VDOM information for the selected
FortiGate device by selecting the FortiGate device and going to System > Virtual
Domain. Inter-VDOM link information can also be viewed on System > Status.
To create an inter-VDOM link
Select the checkbox next to the VDOM to be linked to the current VDOM (the one
selected in step 1).
Enter a name for the inter-VDOM link. Both virtual interfaces will use this name.
For example if the link is my_vlink, the virtual interfaces will be my_vlink0 and
my_vlink1.
Enter the IP address and netmask for the virtual interface for this link on the
current VDOM and the peer VDOM. For example if the current VDOM is vdom1,
root could be the peer VDOM.
Once the inter-VDOM link is created, these IP addresses cannot be changed
without deleting the link.
Inter-VDOM Configurations
By using fewer physical interfaces to inter-connect VDOMs, inter-VDOM links
provide you with more configuration options.
The inter-VDOM configurations are:
Diagram: the Internet connected to the Root VDOM, which serves three internal networks.
Diagram: the Internet connected to three separate VDOMs, each serving its own internal network.
This configuration has no communication between VDOMs and, apart from initially
setting up each VDOM, requires no special configurations or settings. Any
communication between VDOMs is treated as if it were communication with a
separate physical device.
The independent VDOMs configuration can be used where more than one
department or company is sharing the FortiGate unit. Each can administer the
connections, firewalls and other VDOM-dependent settings of only its own VDOM.
To each company or department it appears as if they have their own FortiGate
unit.
Diagram: the Internet connected to the Root VDOM; inter-VDOM links join the Root VDOM to three other VDOMs, each serving an internal network.
Only the management VDOM is connected to the Internet. The other VDOMs are
connected to internal networks and possibly to very small secure external
networks, say a VPN dialup connection. All external traffic is routed through the
management VDOM using inter-VDOM links between the VDOMs. This ensures
the management VDOM has full control over access to the Internet including what
types of traffic are allowed in both directions. Security is greatly increased with
only one point of entry and exit. Only the management VDOM needs to be
professionally managed to ensure network security in this case.
The management VDOM configuration is ideally suited for a service provider
business. The service provider is the management VDOM and the other VDOMs
are customers. These customers do not require a dedicated IT person to manage
their network. The service provider controls the traffic and can prevent the
customers from using banned services and prevent Internet connections from
initiating those same banned services. One example of a banned service might be
Instant Messaging (IM) at a company concerned about intellectual property.
Another example could be to limit bandwidth used by file sharing applications
without banning it completely. Firewall policies control the traffic between a
customer VDOM and the management VDOM and can be customized for each
customer.
Partial mesh means only some VDOMs are inter-connected. In a full mesh
configuration, all VDOMs are inter-connected to all other VDOMs. This can be
useful when you want to provide full access between VDOMs but handle traffic
differently depending on which VDOM it originates from or is going to.
Figure 50: Meshed VDOMs (diagram: the Internet connected to the Root VDOM; inter-VDOM links interconnect the Root VDOM and three other VDOMs, each serving an internal network)
With full access to all VDOMs being possible, it is important to ensure proper
security. This can be accomplished by establishing extensive proper firewall
policies and ensuring secure account access for administrators and users.
Meshed VDOM configurations can become complex very quickly, with full mesh
VDOMs being the most complex. Ensure this is the proper solution for your
situation before using this configuration.
Inter-VDOM planning
Inter-VDOM routing enables more FortiGate unit configurations than were
previously possible. This additional flexibility has benefits, but also has potential
difficulties.
Complexity
With more connections possible in inter-VDOM configurations, complexity quickly
becomes an issue. VDOMs are not trivial to understand and with additional
settings and issues to consider things can easily get out of hand.
To prevent this, you should carefully plan your move to the inter-VDOM
configuration to ensure you are aware of the differences between your new and
old setups as well as how these changes affect the interaction between the
VDOMs.
Making changes
Once configured, this new complex configuration means that any changes you
make to the system have a greater chance of introducing problems into the
system. Extra care should be taken to make sure any changes do not negatively
affect your existing FortiGate unit configuration.
For example, with the old method of changing communication between VDOMs,
cable connections had to be physically changed. Compared with inter-VDOM links,
where all the changes are internal, there is generally more checking built into the
physical process than there is for simple CLI commands. This lower level of
checking may allow unintended changes in VDOM interactions to slip into the
configuration undetected.
Overview
Asymmetric routing
Layer 2 traffic
NetBIOS
STP forwarding
Asymmetric routing
You might discover, unexpectedly, that hosts on some networks are unable to
reach certain other networks. This occurs when request and response packets
follow different paths. If the FortiGate unit sees the response packets, but not the
requests, it blocks them as invalid. Also, if the FortiGate unit sees the same
packets repeated on multiple interfaces, it blocks the session as a potential attack.
These are instances of asymmetric routing. By default, FortiGate units block
packets or drop the session when this happens. You can configure the FortiGate
unit to permit asymmetric routing using the following Command Line Interface
(CLI) command:
config system settings
  set asymroute enable
end
If this solves your blocked traffic problem, you know that asymmetric routing is the
cause. But allowing asymmetric routing is not the best solution because it can
reduce the security of your system. It is better to change routing or change how
your FortiGate unit connects into your network. The Asymmetric Routing and
Other FortiGate Layer-2 Installation Issues technical note provides detailed
examples of asymmetric routing situations and possible solutions.
Caution: If you enable asymmetric routing, antivirus and intrusion prevention systems will
not be effective. Your FortiGate unit will be unaware of connections and treat each packet
individually. It will be a stateless firewall.
Layer 2 traffic
By default, FortiGate units do not pass Layer-2 traffic. If there are Layer-2
protocols such as IPX, PPTP or L2TP in use on your network, you need to
configure FortiGate interfaces to pass them. You can do this using the CLI:
config system interface
  edit <name_str>
    set l2forward enable
end
where <name_str> is the name of an interface.
Enabling Layer 2 traffic can cause a problem if it is possible for packets to
repeatedly loop through the network. This occurs when there is more than one
Layer 2 path from a source to a destination. Traffic can be impeded. One method
of addressing the loop that is created is to configure Spanning Tree Protocol
(STP) on switches and routers on the network. Using STP with FortiGate units is
covered in STP forwarding on page 140.
ARP traffic
Address Resolution Protocol (ARP) traffic is vital to communication on a network
and is enabled on FortiGate interfaces by default. Normally you want ARP packets
to pass through the FortiGate unit, especially if it is sitting between a client and a
server or between a client and a router.
ARP traffic can cause problems, especially in Transparent mode where ARP
packets arriving on one interface are sent to all other interfaces, including VLAN
subinterfaces. Some Layer 2 switches become unstable when they detect the
same MAC address originating on more than one switch interface or from more
than one VLAN. This instability can occur if the Layer 2 switch does not maintain
separate MAC address tables for each VLAN. Unstable switches may reset
causing network traffic to slow down.
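What a switch with a global MAC table sees in the situation just described, and what a per-VLAN table sees instead, as an added Python example (illustration code, not Fortinet or Cisco software). It replays a constructed sequence of frames: host A's MAC is learned on its access port for VLAN 100, and then again on the trunk port when the FortiGate unit forwards A's ARP out its VLAN 200 subinterface and the frame re-enters the switch tagged VLAN 200. The global table records a port move on every frame, which is the flapping that destabilises such switches; the per-VLAN table keeps two stable entries. Port numbers, MAC addresses and the flap threshold are my assumptions.

```python
"""Per-VLAN versus global MAC learning, and detecting MAC flapping.

Added example, not Fortinet or Cisco code. Assumptions (mine): constructed
ports and MACs; "flapping" means a MAC that changed ports at least twice.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple, Union

Observation = Tuple[int, str, int]     # (VLAN ID, source MAC, ingress port)


class MacTable:
    def __init__(self, per_vlan: bool) -> None:
        self.per_vlan = per_vlan
        self.entries: Dict[Union[str, Tuple[int, str]], int] = {}
        self.moves: Counter = Counter()    # MAC -> number of port changes

    def learn(self, vlan: int, mac: str, port: int) -> str:
        """Record the source MAC and report whether it moved ports."""
        key = (vlan, mac) if self.per_vlan else mac
        previous = self.entries.get(key)
        self.entries[key] = port
        if previous is None:
            return "learned"
        if previous != port:
            self.moves[mac] += 1
            return "moved"
        return "refreshed"


def flapping_macs(table: MacTable, threshold: int = 2) -> Set[str]:
    """MACs that changed ports at least threshold times: candidates for a loop or forwarded ARP."""
    return {mac for mac, moves in table.moves.items() if moves >= threshold}


def replay(observations: List[Observation], per_vlan: bool) -> Tuple[List[str], Set[str]]:
    """Feed the observations to a fresh table; return the per-frame events and flapping MACs."""
    table = MacTable(per_vlan)
    events = [table.learn(vlan, mac, port) for vlan, mac, port in observations]
    return events, flapping_macs(table)


# Constructed: host A (access port 3, VLAN 100) sends an ARP request; the
# FortiGate unit forwards it out its VLAN 200 subinterface, so the frame
# re-enters the switch on trunk port 24 tagged VLAN 200 with A's MAC as source.
HOST_A = "02:00:00:00:00:0a"
OBSERVATIONS: List[Observation] = [
    (100, HOST_A, 3), (200, HOST_A, 24),
    (100, HOST_A, 3), (200, HOST_A, 24),
    (100, HOST_A, 3),
]

if __name__ == "__main__":
    print("global table:  ", replay(OBSERVATIONS, per_vlan=False))
    print("per-VLAN table:", replay(OBSERVATIONS, per_vlan=True))
```

The `flapping_macs` check is also a reasonable thing to run over real switch logs or MAC-table snapshots when a Transparent mode deployment shows the slowdowns described above: a MAC that keeps moving between an access port and the trunk port is the signature of this problem.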
Forward-domain solution
You may run into problems using the multiple VDOMs solution to solve the same
MAC address seeming to originate on multiple interfaces. It is possible that you
have more VLANs than licensed VDOMs, not enough physical interfaces or your
configuration may work better by grouping some VLANs together. In these
situations the separate VDOMs solution may not work for you.
NetBIOS
Networked computers running Microsoft Windows operating systems rely on a
WINS server to resolve host names to IP addresses. The hosts communicate with
the WINS server using NetBIOS protocol. To support this type of network you
need to enable the forwarding of NetBIOS requests to a WINS server. Enter the
following CLI commands:
config system interface
  edit <interface>
    set netbios_forward enable
    set wins-ip <wins_server_ip>
end
where <interface> is the name of the interface and <wins_server_ip> is
the IP address of the WINS server. These commands apply only in NAT/Route
mode.
STP forwarding
The FortiGate unit does not participate in the Spanning Tree Protocol (STP). STP
is an IEEE 802.1 protocol that ensures there are no Layer-2 loops on the network.
Loops happen when there is more than one route for traffic to take and that traffic
is broadcast back to the original switch, creating a loop that floods the network
with never-ending traffic.
If you use the FortiGate unit in a network topology that relies on STP for network
loop protection, you need to make changes to the FortiGate configuration.
Otherwise, STP sees the FortiGate unit as a blocked link and forwards the data to
another path. By default, the FortiGate unit blocks STP as well as other non-IP
protocol traffic.
Using the CLI, you can enable forwarding of STP and other Layer 2 protocols
through the interface:
config system interface
  edit <name_str>
    set l2forward enable
    set stpforward enable
end
where <name_str> is the name of the interface. This configuration will also allow
Layer-2 protocols such as IPX, PPTP or L2TP to be used on the network. For
more information see Layer 2 traffic on page 138.
Index
Numerics
external logging 19
administrators
access profiles 19
common 19
multiple 19
VDOM 55
Anti Virus (AV) scanning 128
Antivirus (AV) settings 21
asymmetric routing 141
B
border gateway protocol (BGP). See routing, BGP
C
Cisco router configuration
IOS commands 26
simple Transparent VDOM example 104
Cisco switch
simple VLAN NAT/Route example 32
Cisco switch configuration
complex VDOM NAT/Route example 92
complex VLAN NAT/Route example 49
IOS commands 26
multiple VDOM Transparent example 124
simple Transparent VDOM example 104
simple VDOM NAT/Route example 70
CLI 26, 36
CPU load 128
customer service 11
D
default route 25, 58
complex VDOM NAT/Route example 78
complex VLAN NAT/Route example 38
NAT/Route 25
simple VDOM NAT/Route example 66, 69
default route, setting
complex VDOM example 85
diagnostics
ping 25, 33
tracert 33
G
gateway, VPN 44
example
complex VDOM NAT/Route 73
simple VLAN NAT/Route topology 59
HA 130
vcluster 130
HTTP 25
HTTPS 25
I
ID tag 16, 17
IEEE 802.1Q 13, 14, 16, 24
independent configuration 132
Instant Messaging (IM) 134
settings 20
interfaces
802.1Q trunk 23, 32
DMZ, simple VDOM NAT/Route example 62
external, simple VDOM NAT/Route example 61
external, simple VLAN NAT/Route 27
external, simple VLAN NAT/Route example 27
maximum number 14, 95, 141
physical 128, 132
point-to-point 129
virtual 129
VLAN subinterface 23
inter-VDOM
delete link 130
FortiManager 131
independent configuration 132
management configuration 129, 133
meshed configuration 129, 134
physical interfaces 127
stand alone configuration 129, 132
virtual interface 129
IP address, overlapping 24
IPS settings 21
IPX, layer-2 forwarding 138
ISP 85
L
L2TP, layer-2 forwarding 138
layer-2 14
forwarding 138
layer-3 16
license 18
M
management configuration 129, 133
management VDOM 19
meshed configuration 129, 134
multicast. See routing, multicast
N
NAT/Route
complex VDOM example 78, 85
complex VLAN example 35, 36
simple VDOM example 63, 67
simple VLAN example 25, 27, 28
NetBIOS, for Windows networks 140
O
open shortest path first (OSPF). See routing, OSPF
P
packets
handling 18
VLAN-tagged 24
physical interface 132
physical interfaces 127, 128
ping 25, 33
Policy Manager 131
PPTP, layer-2 forwarding 138
protection profile
Transparent VDOM example 108
R
redundant ISPs 85
remote management 19
Router settings 20
routing
asymmetric 141
BGP 130
multicast
OSPF
RIP
STP 140
routing information protocol (RIP). See routing, RIP
routing, default route 25
complex VDOM example 85
complex VDOM NAT/Route example 78
complex VLAN NAT/Route example 38
NAT/Route 25
simple VDOM NAT/Route example 66, 69
VDOM 58
rules, VLAN ID 17
S
schedule, firewall
multiple VDOM example 107
service group
multiple VDOM Transparent example 116, 121
Transparent mode multiple VDOM example 112
settings shared by VDOMs 21
Spanning Tree Protocol. See STP
SSH 25
stand alone configuration 129, 132
STP, forwarding 140
subinterface
VDOM 57
VLAN NAT/Route 24
System settings 20, 21
T
tag 16
technical support 11
TELNET 25
testing
VDOM NAT/Route 71, 93
VDOM Transparent 106
VLAN NAT/Route 33, 51
tracert 33
traffic, management 19
Transparent
multiple VDOM example 107, 110, 113, 117, 124
simple VDOM example 99, 101, 104
U
User settings 20
V
vcluster 130
VDOM 18
administration 55
administrators 19
complex VDOM NAT/Route example 75
exclusive settings 20
firewall policy 58
independent configuration 132
license 18
management configuration 129, 133
management traffic 19
management VDOM 19
maximum interfaces 14, 95, 141
meshed configuration 129, 134
multiple VDOMs 110
packet handling 18
routing 58
settings, common 21
settings, exclusive 19
shared settings 21
simple VDOM NAT/Route example 61, 63
simple VDOM NAT/Route VDOM example 66
stand alone configuration 132
Transparent mode 95
VLAN subinterface 57
VPN settings 59
VDOM
stand alone configuration 129
Virtual 53
virtual domain. See VDOM
virtual interface 129
Virtual Private Network. See VPN
VLAN
Cisco switch 50
complex VLAN NAT/Route 50
maximum number 14, 95, 141
subinterface 23
tagged packets 24
Transparent mode 95
VLAN ID
layer-3 16
rules 17
VLAN subinterface
complex VDOM NAT/Route example 76, 83
complex VLAN NAT/Route example 36
firewall policy 25
multiple VDOM example 111, 115, 120
simple VDOM NAT/Route example 63
simple VDOM Transparent example 99
simple VLAN NAT/Route example 28
Transparent mode 96
VDOM NAT/Route 57
VPN
client 48
dialup connection 134
FortiClient 48
gateway 44
policies 47
tunnel 45
VDOM 59
W
web-based manager 19, 36
Windows networks
enabling NetBIOS 140
WINS 140
www.fortinet.com