
• VLAN = Virtual Local Area Network.

• Allows you to create many virtual networks on the same physical switch.

• A zone is a logical interface to which you assign other interfaces (physical, VLAN, ...).
• A zone is a group of one or more interfaces to which you apply a security policy to control traffic; a policy written for the zone applies to every interface in it.

Creating the VLAN interfaces

1. Go to Network > Interfaces and select Create New > Interface.


2. Create the VLAN interface for VLAN ID 10.

3. Create the VLAN interface for VLAN ID 20 .


Creating the zone

1. Go to Network > Interfaces and select Create New > Zone


2. Name the zone LAN Zone, and add the newly created VLAN interfaces to the zone.
Ensure Block intra-zone traffic is enabled so that the VLAN interfaces cannot communicate
with each other by default; any VLAN-to-VLAN flow you do want must then be permitted by an
explicit firewall policy.

Creating a firewall policy for the zone
1. Go to Policy & Objects > IPv4 Policy and create a firewall policy giving any VLAN in the LAN
Zone permission to access the Internet.
2. Set up Security Profiles according to your organization's requirements.
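The CLI equivalent of the three procedures above (VLAN interfaces, the zone with intra-zone blocking, and the egress policy), added here as an illustration and not taken from the page. The parent port (port2), the VLAN addressing, the address objects, the security-profile names and the final exception policy are assumptions. The exception policy shows the consequence of Block intra-zone traffic: once the zone denies intra-zone traffic, a VLAN-to-VLAN flow you do want needs its own policy with the zone as both incoming and outgoing interface.

```fortios
# Added example (not from the page): CLI form of the VLAN, zone and policy steps above.
# Assumed: VLANs ride on port2, VLAN10 = 192.168.10.0/24, VLAN20 = 192.168.20.0/24,
# the Internet is behind wan1, and the address/profile names used below.
config system interface
    edit "VLAN10"
        set vdom "root"
        set interface "port2"
        set vlanid 10
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
    edit "VLAN20"
        set vdom "root"
        set interface "port2"
        set vlanid 20
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end
# One zone for both VLANs; "deny" is the CLI name for "Block intra-zone traffic".
config system zone
    edit "LAN Zone"
        set intrazone deny
        set interface "VLAN10" "VLAN20"
    next
end
config firewall address
    edit "VLAN10-net"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "VLAN20-fileserver"
        set subnet 192.168.20.10 255.255.255.255
    next
end
config firewall policy
    # Any VLAN in the zone may reach the Internet, NATed, with security profiles applied.
    edit 0
        set name "LAN-Zone-to-Internet"
        set srcintf "LAN Zone"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set logtraffic all
    next
    # intrazone deny drops VLAN10 <-> VLAN20 by default. This is the single permitted
    # exception: VLAN10 clients to one file server on VLAN20, SMB only, with the zone
    # itself as both incoming and outgoing interface.
    edit 0
        set name "VLAN10-to-fileserver-SMB"
        set srcintf "LAN Zone"
        set dstintf "LAN Zone"
        set srcaddr "VLAN10-net"
        set dstaddr "VLAN20-fileserver"
        set action accept
        set schedule "always"
        set service "SMB"
        set logtraffic all
    next
end
```

To confirm the block is working, ping from a VLAN10 host to a VLAN20 address other than the file server while running `diagnose sniffer packet any 'icmp' 4` on the FortiGate: the echo requests arrive on VLAN10 and nothing leaves on VLAN20, and the forward-traffic log shows them denied with no policy ID matched.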

VDOM configuration

This example uses virtual domains (VDOMs) to provide Internet access for two different companies
(called Company A and Company B) using a single FortiGate. The first procedure below (Sales and
Accounting) routes traffic between two VDOMs over a VDOM link; the later procedures (VDOM-A and
VDOM-B) add per-VDOM administrators and Internet access.

1. First, enable VDOMs in the firewall.

FGVM01TM19008000 # config system global

FGVM01TM19008000 (global) # set vdom-mode multi-vdom

FGVM01TM19008000 (global) # end


2. Create two VDOMs, Sales and Accounting.

Figure 8.20: Create a VDOM Sales

Figure 8.21: Create a VDOM Accounting

3. Configure IP addresses for the interfaces port2 and port3. Assign port2 to the Accounting
VDOM and port3 to the Sales VDOM.

Figure 8.22: Port2 and Port3 IP address configuration

Figure 8.23: Port2 configuration

Figure 8.24: Port3 configuration

4. In the Global VDOM, go to Network > Interfaces > Create New > VDOM Link and configure it as
in Figure 8.25. A VDOM link named AS creates a pair of interfaces, AS0 on the Accounting side
and AS1 on the Sales side; address them 10.10.10.1 and 10.10.10.2 respectively, since these
are the gateway addresses used by the static routes below.

Figure 8.25: Create a VDOM link between Sales and Accounting

5. In the Accounting VDOM, create two static routes:
o Destination: 192.168.1.0/255.255.255.0
o Interface: AS0 (the Accounting end of the VDOM link)
o Gateway: 10.10.10.2

Figure 8.26: Create a static route in Accounting VDOM

o Destination: 172.16.1.0/255.255.255.0
o Interface: AS0
o Gateway: 10.10.10.2

Figure 8.27: Create a static route in Accounting VDOM

6. In the Accounting VDOM, create two firewall policies. NAT stays disabled so the original
source addresses are preserved across the link and the routes on the far side still match:
o Incoming: port2
o Outgoing: AS0
o NAT: disabled

Figure 8.28: Create a firewall policy in Accounting VDOM from port2 to AS0

o Incoming: AS0
o Outgoing: port2
o NAT: disabled

Figure 8.29: Create a firewall policy in Accounting VDOM from AS0 to port2

7. In the Sales VDOM, create two static routes:
o Destination: 192.168.1.0/255.255.255.0
o Interface: AS1 (the Sales end of the VDOM link)
o Gateway: 10.10.10.1

Figure 8.30: Create a static route in Sales VDOM

o Destination: 172.16.1.0/255.255.255.0
o Interface: AS1
o Gateway: 10.10.10.1

Figure 8.31: Create a static route in Sales VDOM

8. In the Sales VDOM, create two firewall policies:
o Incoming: port3
o Outgoing: AS1
o NAT: disabled

Figure 8.32: Create a firewall policy in Sales VDOM from port3 to AS1

o Incoming: AS1
o Outgoing: port3
o NAT: disabled

Figure 8.33: Create a firewall policy in Sales VDOM from AS1 to port3

9. Verify the configuration: a ping from WebTerm1 to WebTerm2 should now succeed.

Figure 8.34: Verify configuration
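The same inter-VDOM setup as a CLI script, added here as an example and not taken from the page. It assumes multi-vdom mode is already enabled (step 1), that port2 carries 192.168.1.0/24 in Accounting (WebTerm1's side) and port3 carries 172.16.1.0/24 in Sales (WebTerm2's side); the page does not state which subnet sits behind which port. With that assignment each VDOM only needs a route to the other VDOM's subnet, because its own subnet is a directly connected route, which always wins over a static one. The AS0 and AS1 addresses follow from the gateways used in the static routes above.

```fortios
# Added example (not from the page): CLI equivalent of steps 2-8 above.
# Assumed: multi-vdom mode already on, port2 = 192.168.1.1/24 in Accounting,
# port3 = 172.16.1.1/24 in Sales; AS0 = 10.10.10.1, AS1 = 10.10.10.2.
config vdom
    edit Sales
    next
    edit Accounting
    next
end
config global
    config system vdom-link
        edit "AS"
        next
    end
    config system interface
        edit "port2"
            set vdom "Accounting"
            set ip 192.168.1.1 255.255.255.0
        next
        edit "port3"
            set vdom "Sales"
            set ip 172.16.1.1 255.255.255.0
        next
        edit "AS0"
            set vdom "Accounting"
            set ip 10.10.10.1 255.255.255.0
        next
        edit "AS1"
            set vdom "Sales"
            set ip 10.10.10.2 255.255.255.0
        next
    end
end
config vdom
    edit Accounting
        config router static
            edit 0
                set dst 172.16.1.0 255.255.255.0
                set gateway 10.10.10.2
                set device "AS0"
            next
        end
        # Policies are unidirectional: replies to a session are allowed statefully,
        # but new sessions from the Sales side need the second policy. NAT is left
        # at its default (disabled) so addresses stay routable across the link.
        config firewall policy
            edit 0
                set name "port2-to-Sales"
                set srcintf "port2"
                set dstintf "AS0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
            edit 0
                set name "Sales-to-port2"
                set srcintf "AS0"
                set dstintf "port2"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
    edit Sales
        config router static
            edit 0
                set dst 192.168.1.0 255.255.255.0
                set gateway 10.10.10.1
                set device "AS1"
            next
        end
        config firewall policy
            edit 0
                set name "port3-to-Accounting"
                set srcintf "port3"
                set dstintf "AS1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
            edit 0
                set name "Accounting-to-port3"
                set srcintf "AS1"
                set dstintf "port3"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

Before the ping test, enter the Accounting VDOM (`config vdom`, `edit Accounting`) and run `get router info routing-table all`: 172.16.1.0/24 should appear as a static route via 10.10.10.2 on AS0, and 192.168.1.0/24 as directly connected on port2. `diagnose sniffer packet AS0 'icmp' 4` then shows the echo request and reply crossing the link in both directions.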

Creating per-VDOM administrators

Per-VDOM administrator accounts only allow administrative access to specific VDOMs. By
creating per-VDOM administrators, you allow both Company A and Company B to manage their
respective VDOMs without allowing access to the settings of other VDOMs or to the global settings.
1. To create a per-VDOM administrator for VDOM-A, go to System > Administrators and
select Create New > Administrator.
2. Enter a Username and set Type to Local User. Enter and confirm a Password.
Set Administrator Profile to prof_admin.

You must use either the prof_admin or a custom profile for per-VDOM administrators.

3. Remove the root VDOM from the Virtual Domains list and add VDOM-A.
4. Repeat the above steps to create a per-VDOM administrator for VDOM-B.

Configuring the VDOMs

1. Access VDOM-A using the dropdown menu located in the top-left corner.
2. To add a static route, go to Network > Static Routes and select Create New.
3. Set Destination to Subnet and leave the destination IP address set to 0.0.0.0/0.0.0.0.
4. Set Gateway to the IP address provided by your ISP and Interface to the Internet-facing
interface.

5. To create a new policy, go to Policy & Objects > IPv4 Policy and select Create New.
6. Set the Incoming Interface to port1 and the Outgoing Interface to wan1.
7. Repeat the above steps to configure VDOM-B.
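The two procedures above (per-VDOM administrator, then default route and Internet policy for VDOM-A) as a CLI script, added as an example and not taken from the page. The administrator name, Company A's management subnet (10.1.0.0/24), the ISP gateway (203.0.113.1), the use of port1 and wan1 inside VDOM-A and the password placeholder are all assumptions. Two practitioner additions the GUI steps do not mention: a trusted host, so the account can only log in from Company A's management network, and NAT on the egress policy, without which private LAN addresses would not be routable on the Internet.

```fortios
# Added example (not from the page): per-VDOM admin for VDOM-A, then VDOM-A's default
# route and Internet policy. Assumed: admin name, management subnet 10.1.0.0/24,
# ISP gateway 203.0.113.1 on wan1, LAN on port1 (both already assigned to VDOM-A).
config global
    config system admin
        edit "companyA-admin"
            # prof_admin (or a custom profile) is required for per-VDOM admins.
            set accprofile "prof_admin"
            # Setting vdom replaces the default root assignment: this account never
            # sees root or the global settings.
            set vdom "VDOM-A"
            # Once any trusthost is set, logins from every other source are refused.
            set trusthost1 10.1.0.0 255.255.255.0
            set password "<replace-with-a-strong-password>"
        next
    end
end
config vdom
    edit VDOM-A
        config router static
            edit 0
                set dst 0.0.0.0 0.0.0.0
                set gateway 203.0.113.1
                set device "wan1"
            next
        end
        config firewall policy
            edit 0
                set name "VDOM-A-to-Internet"
                set srcintf "port1"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
                set logtraffic all
            next
        end
    next
end
```

Verify the scoping by logging in as companyA-admin: the VDOM selector shows only VDOM-A, and `config global` is rejected at the CLI. Repeat the block with the Company B names for VDOM-B.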

Link aggregation combines multiple physical interfaces into a single aggregated (logical)
interface, providing increased bandwidth as well as link redundancy through the Link Aggregation
Control Protocol (LACP, IEEE 802.3ad).

Limitations:

• A maximum of 4 physical interfaces may be combined into one aggregated interface.
• A physical interface may belong to no more than one aggregated interface.
• An aggregated interface may be specified as the untagged interface in no more than one VLAN.

Creating the aggregate interface

1. Go to Network > Interfaces and select Create New > Interface. Enter the desired name in
Interface Name.
2. Set Type to 802.3ad Aggregate.
3. In Interface Members, select the ports that will be bundled with LACP.
4. Set the role of the new interface (LAN, WAN or DMZ) in the Tags field according to how it
will be used.
5. Configure the network of the new interface under Address.
6. If you want to manage the device through these ports, select the protocols to permit under
Administrative Access.
On the switch (Cisco IOS), bundle gi0/0 and gi0/1 into port-channel 1 with LACP in active mode:

SW:
ena
conf t
hostname SW
! both members join channel-group 1; "active" makes the switch initiate LACP,
! which also creates interface port-channel 1
int range gi 0/0 - 1
channel-group 1 mode active
exit
! save the running configuration
do wr
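The FortiGate end of that bundle, added as an example and not taken from the page. The interface name, the member ports (port4 and port5) and the addressing are assumptions; what it adds over the GUI steps is the LACP mode and timer, which decide whether the bundle forms and how quickly a dead member is removed from it.

```fortios
# Added example (not from the page): FortiGate side of the LACP bundle that the switch
# configuration above terminates. Assumed: members port4/port5, name and addressing.
config system interface
    edit "LACP-LAN"
        set vdom "root"
        set type aggregate
        set member "port4" "port5"
        # active on both ends is fine; at least one end must be active or LACP never forms
        set lacp-mode active
        # fast = 1 s LACPDUs, so a failed member is dropped after ~3 s instead of ~90 s
        set lacp-speed fast
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
```

Check the bundle from both sides: `diagnose netlink aggregate name LACP-LAN` on the FortiGate should list each member as up and in the collecting/distributing state, and `show etherchannel summary` and `show lacp neighbor` on the switch should show port-channel 1 bundled with both gi0/0 and gi0/1 as partners.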
