FortiGate VLANs and VDOMs User Guide
Version 3.0
10 September 2007
01-30005-0091-20070910
www.fortinet.com

© Copyright 2007 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction ........ 7
  About FortiGate VLANs and VDOMs ........ 7
  About this document ........ 7
    Document conventions ........ 7
  FortiGate documentation ........ 8
  Related documentation ........ 9
    FortiManager documentation ........ 9
    FortiClient documentation ........ 10
    FortiMail documentation ........ 10
    FortiAnalyzer documentation ........ 10
    Fortinet Knowledge Center ........ 10
    Comments on Fortinet technical documentation ........ 10
  Customer service and technical support ........ 11
Introduction to VLANs and VDOMs ........ 13
  Overview of VLAN technology ........ 13
    VLAN layer-2 switching ........ 14
    VLAN layer-3 routing ........ 16
    Rules for VLAN IDs ........ 18
  Overview of Virtual Domains ........ 18
    Maximum number of VDOMs ........ 18
    Inter-VDOM routing ........ 19
    Management VDOM ........ 19
    Administration of virtual domains ........ 19
    Global and virtual domain settings ........ 20
    For more information ........ 22
Using VLANs in NAT/Route mode ........ 23
  Overview ........ 23
    Configuring FortiGate units in NAT/Route mode ........ 23
    Adding VLAN subinterfaces ........ 24
    Creating firewall policies ........ 25
    Configuring routing ........ 25
  Example configuration NAT/Route mode (simple) ........ 26
    General configuration steps ........ 27
    Configuring the FortiGate-800 unit ........ 27
    Configuring the Cisco switch to support VLAN tags ........ 33
    Testing the configuration ........ 34
  Example configuration NAT/Route mode (complex) ........ 35
    General configuration steps ........ 36
    Configuring the FortiGate-800 unit ........ 37
    Configuring the FortiGate-800 IPSec VPN tunnel and encrypt policy ........ 45
    Configuring the VPN client ........ 49
    Configuring the internal Cisco switch ........ 51
    Configuring the external Cisco switch ........ 51
    Testing the configuration ........ 52
Using VDOMs in NAT/Route mode ........ 55
  Overview ........ 55
  Getting started with VDOMs ........ 55
    Enabling virtual domain configuration ........ 55
    Creating virtual domains ........ 56
    Creating administrators for virtual domains ........ 57
    Accessing virtual domains to configure them ........ 57
  Configuring virtual domains ........ 59
    Changing the management VDOM ........ 59
    Adding interfaces and VLAN subinterfaces to a virtual domain ........ 60
    Configuring routing for a virtual domain ........ 61
    Configuring firewall policies for a virtual domain ........ 61
    Configuring VPNs for a virtual domain ........ 61
  Example VDOM configuration in NAT/Route mode (simple) ........ 62
    General configuration steps ........ 63
    Creating the virtual domains ........ 63
    Configuring the FortiGate-800 external and DMZ interfaces ........ 64
    Configuring the ABCdomain VDOM ........ 65
    Configuring the DEFdomain VDOM ........ 69
    Configuring the Cisco switch ........ 73
    Testing the configuration ........ 73
  Example VDOM configuration in NAT/Route mode (complex) ........ 75
    General configuration steps ........ 77
    Creating the virtual domains ........ 77
    Configuring the ABCdomain VDOM ........ 78
    Configuring the Commercial VDOM ........ 84
    Configuring the Cisco switch ........ 94
    Testing the configuration ........ 95
Using VLANs and VDOMs in Transparent mode ........ 97
  Overview ........ 97
    VLANs and virtual domains ........ 97
    Configuring the FortiGate unit in Transparent mode ........ 98
    Adding VLAN subinterfaces ........ 98
    Creating firewall policies ........ 99
  Example configuration Transparent mode (simple) ........ 100
    General configuration steps ........ 101
    Configuring the FortiGate-800 unit ........ 101
    Configuring the Cisco switch ........ 106
    Configuring the Cisco router ........ 106
    Testing the configuration ........ 108
  Example configuration Transparent mode (multiple virtual domains) ........ 109
    Configuring global items ........ 109
    Creating virtual domains ........ 112
    Configuring the ABCdomain ........ 113
    Configuring the DEFdomain ........ 117
    Configuring the XYZdomain ........ 122
    Configuring the Cisco switch ........ 127
    Testing the configuration ........ 128
Inter-VDOM routing ........ 129
  Overview ........ 129
  Benefits of inter-VDOM routing ........ 129
    Freeing up physical interfaces ........ 130
    Faster than physical interfaces ........ 130
    Continuing to use secure firewall policies ........ 130
    More flexible configurations ........ 131
  Getting started with inter-VDOM routing ........ 131
  Advanced inter-VDOM issues ........ 132
    Advanced routing over inter-VDOM links ........ 132
    HA virtual clusters and inter-VDOM links ........ 133
    FortiManager and inter-VDOMs ........ 133
  Inter-VDOM Configurations ........ 134
    Stand alone VDOM configuration ........ 135
    Independent VDOMs configuration ........ 136
    Management VDOM configuration ........ 137
    Meshed VDOM configuration ........ 138
  Inter-VDOM planning ........ 139
Avoiding Problems with VLANs ........ 141
  Overview ........ 141
  Asymmetric routing ........ 141
  Layer 2 traffic ........ 142
    ARP traffic ........ 142
  NetBIOS ........ 144
  STP forwarding ........ 144
  Too many VLAN interfaces ........ 145
Index ........ 147

Introduction

This chapter introduces you to FortiGate VLANs and VDOMs and the following topics:
• About FortiGate VLANs and VDOMs
• About this document
• FortiGate documentation
• Related documentation
• Customer service and technical support

About FortiGate VLANs and VDOMs

Virtual Local Area Networks (VLANs) and Virtual Domains (VDOMs) multiply the capabilities of your FortiGate unit. VLANs increase the number of network interfaces beyond the physical connections on the unit. VDOMs enable the unit to function as multiple independent units with common administration.

About this document

This document describes how to implement IEEE 802.1Q VLAN technology on FortiGate units operating in both NAT/Route and Transparent mode. It also describes how to use FortiGate VDOMs to provide separate network protection, routing and VPN configurations for multiple organizations.

This document contains the following chapters:
• Introduction to VLANs and VDOMs
• Using VLANs in NAT/Route mode
• Using VDOMs in NAT/Route mode
• Using VLANs and VDOMs in Transparent mode
• Inter-VDOM routing
• Avoiding Problems with VLANs

Each of the Using chapters contains detailed example configurations.

Document conventions

The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both private and public IP addresses.
• Notes and Cautions are used to provide important information:

Note: Highlights useful additional information.

Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.
Typographic conventions

FortiGate documentation uses the following typographical conventions:

Convention          Example
Keyboard input      In the Gateway Name field, type a name for the remote VPN peer or client (for example, Central_Office_1).
Code examples       config sys global
                      set ips-open enable
                    end
CLI command syntax  config firewall policy
                      edit id_integer
                        set http_retry_count <retry_integer>
                        set natip <address_ipv4mask>
                      end
Document names      FortiGate Administration Guide
File content        <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
                    <BODY><H4>You must authenticate to use this service.</H4>
Menu commands       Go to VPN > IPSEC > Phase 1 and select Create New.
Program output      Welcome!
Variables           <address_ipv4>

FortiGate documentation

Information about FortiGate products is available from the following guides:
• FortiGate QuickStart Guide
  Provides basic information about connecting and installing a FortiGate unit.
• FortiGate Installation Guide
  Describes how to install a FortiGate unit. Includes a hardware reference, default configuration information, installation procedures, connection procedures, and basic configuration procedures. Choose the guide for your product model number.
• FortiGate Administration Guide
  Provides basic information about how to configure a FortiGate unit, including how to define FortiGate protection profiles and firewall policies; how to apply intrusion prevention, antivirus protection, web content filtering, and spam filtering; and how to configure a VPN.
• FortiGate online help
  Provides a context-sensitive and searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
• FortiGate CLI Reference
  Describes how to use the FortiGate CLI and contains a reference to all FortiGate CLI commands.
• FortiGate Log Message Reference
  Available exclusively from the Fortinet Knowledge Center, the FortiGate Log Message Reference describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units.
• FortiGate High Availability Overview and FortiGate High Availability User Guide
  These documents contain in-depth information about the FortiGate High Availability (HA) feature and the FortiGate clustering protocol.
• FortiGate IPS User Guide
  Describes how to configure the FortiGate Intrusion Prevention System settings and how the FortiGate IPS deals with some common attacks.
• FortiGate IPSec VPN User Guide
  Provides step-by-step instructions for configuring IPSec VPNs using the web-based manager.
• FortiGate SSL VPN User Guide
  Compares FortiGate IPSec VPN and FortiGate SSL VPN technology, and describes how to configure web-only mode and tunnel-mode SSL VPN access for remote users through the web-based manager.
• FortiGate PPTP VPN User Guide
  Explains how to configure a PPTP VPN using the web-based manager.
• FortiGate Certificate Management User Guide
  Contains procedures for managing digital certificates including generating certificate requests, installing signed certificates, importing CA root certificates and certificate revocation lists, and backing up and restoring installed certificates and private keys.

Related documentation

Additional information about Fortinet products is available from the following related documentation.

FortiManager documentation
• FortiManager QuickStart Guide
  Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings.
• FortiManager System Administration Guide
  Describes how to use the FortiManager System to manage FortiGate devices.
• FortiManager System online help
  Provides a searchable version of the Administration Guide in HTML format. You can access online help from the FortiManager Console as you work.
FortiClient documentation
• FortiClient Host Security User Guide
  Describes how to use FortiClient Host Security software to set up a VPN connection from your computer to remote networks, scan your computer for viruses, and restrict access to your computer and applications by setting up firewall policies.
• FortiClient Host Security online help
  Provides information and procedures for using and configuring the FortiClient software.

FortiMail documentation
• FortiMail Administration Guide
  Describes how to install, configure, and manage a FortiMail unit in gateway mode and server mode, including how to configure the unit; create profiles and policies; configure antispam and antivirus filters; create user accounts; and set up logging and reporting.
• FortiMail online help
  Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
• FortiMail Web Mail Online Help
  Describes how to use the FortiMail web-based email client, including how to send and receive email; how to add, import, and export addresses; and how to configure message display preferences.

FortiAnalyzer documentation
• FortiAnalyzer Administration Guide
  Describes how to install and configure a FortiLog unit to collect FortiGate and FortiMail log files. It also describes how to view FortiGate and FortiMail log files, generate and view log reports, and use the FortiLog unit as a NAS server.
• FortiAnalyzer online help
  Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.

Fortinet Knowledge Center

The most recent Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains short how-to articles, FAQs, technical notes, product and feature guides, and much more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to [email protected].

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network. Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.

Introduction to VLANs and VDOMs

Virtual Local Area Networks (VLANs) and Virtual Domains (VDOMs) multiply the capabilities of your FortiGate unit. VLANs use ID tags added to network frames to increase the number of network interfaces beyond the physical connections on the FortiGate unit. VDOMs enable the unit to function as multiple independent units with common administration. Both can provide added network security. Using VLANs, a single FortiGate unit can provide security services and control connections between multiple security domains. Using VDOMs, a single FortiGate unit can serve multiple organizations. It can provide separate firewall policies and, in NAT/Route mode, completely separate routing and VPN configurations for each organization.

This document describes how to implement IEEE 802.1Q Virtual LAN (VLAN) technology on FortiGate units operating in both NAT/Route and Transparent mode.
Example configurations illustrate how VLANs can be implemented between FortiGate units and other 802.1Q-compliant devices, such as Cisco switches and routers. This document also describes how to implement virtual domains (VDOMs) and presents example configurations to illustrate how VDOMs can be implemented on FortiGate units.

The information in this document applies to all FortiGate units. All FortiGate models support VLANs and VDOMs.

This document contains the following sections:
• Overview of VLAN technology
• Overview of Virtual Domains
• Using VLANs in NAT/Route mode
• Using VDOMs in NAT/Route mode
• Using VLANs and VDOMs in Transparent mode
• Inter-VDOM routing
• Avoiding Problems with VLANs

Each of the Using sections contains detailed example configurations.

Overview of VLAN technology

A LAN consists of network broadcast domains. A network broadcast domain includes all the computers that receive a packet broadcast from any computer in the broadcast domain. Switches automatically forward the packets to all ports on that switch, whereas by default routers separate broadcast domains by not automatically forwarding network broadcast packets. If a network has only switches and no routers, that network is considered one broadcast domain no matter how large it is.

Virtual LANs (VLANs) use ID tags to logically separate devices on a LAN into smaller broadcast domains. Each VLAN is its own broadcast domain. Smaller broadcast domains reduce traffic and increase network security. The IEEE 802.1Q standard defines VLANs. Layer 2 and layer 3 devices must be 802.1Q-compliant to support VLANs. For more information see "VLAN layer-2 switching" on page 14 and "VLAN layer-3 routing" on page 16.

VLANs reduce the size of the broadcast domains by only forwarding packets to ports that are part of that VLAN, or part of a trunk link. Trunk links form switch-switch or switch-router connections and forward all VLAN traffic. This enables a VLAN to include devices that are on the network but physically distant from each other.

Any virtual domain can have a maximum of 255 interfaces in NAT or TP mode. This includes VLANs, other virtual interfaces, and physical interfaces. To have more than 255 interfaces configured you need to configure multiple VDOMs with many interfaces on each.

A good example of when to use VLANs is an accounting department within a company. The accounting computers can be located in different buildings (main and branch offices). However, accounting computers need to communicate with each other frequently and require increased security. VLANs allow the accounting data to be sent only to accounting computers and connect accounting computers in different locations as if they were on the same physical subnet.

The VLAN ID tags used to define VLANs are a 4-byte frame extension that is applied by switches and routers to every packet sent and received by the devices in the VLAN. Workstations and desktop computers are not an active part of the VLAN process: all the VLAN tagging and tag removal is done after the packet has left the computer. For more information see "Rules for VLAN IDs" on page 18.

Note: This guide uses the term packet to refer to both layer-2 frames and layer-3 packets.

VLAN layer-2 switching

Switches are generally 802.1Q compliant; they are layer-2 devices. Layer-2 refers to the second layer of the OSI networking model, the Data Link layer. FortiGate units act as layer-2 switches when they are in Transparent mode. They simply tag and forward the VLAN traffic or receive and remove the tag from it.

A VLAN can have any number of physical interfaces assigned to it. Physical interfaces can be assigned to multiple VLANs. Typically two or more physical interfaces are assigned to a VLAN, at least one for incoming and one for outgoing traffic.
Multiple VLANs can be configured on the FortiGate unit, including trunk links. Trunk links are connections between switches or routers that pass all VLAN traffic along so that it can reach other parts of the network. This does not flood the network with traffic because switches and routers only deliver traffic to the VLAN it is addressed to.

Layer-2 VLAN example

To better understand VLAN operation, let's look at what happens to a data frame on a network that uses VLANs.

Two 8-port switches are configured to support 2 VLANs on a network. Subnet 1 is connected to switch A and subnet 2 is connected to switch B. On switch A, ports 1 through 4 are part of VLAN 100. Port 8 on both switches is connected to an 802.1Q trunk link. Switch A's other ports (ports 5 through 7) belong to VLAN 200. On switch B, ports 4 and 5 are part of VLAN 100 and port 6 is part of VLAN 200. There are unassigned ports on switch B.

[Figure 1: Example VLAN layer-2 switching configuration. Labels: Switch A at the Branch Office (ports 1-4 VLAN 100, ports 5-7 VLAN 200, port 8 trunk); Switch B at the Main Office (ports 4 and 5 VLAN 100, port 6 VLAN 200, port 8 trunk); 802.1Q trunk link between port 8 of each switch.]

Let's follow a data frame sent from a computer on subnet 1 that is part of VLAN 100.

A computer on port 1 of switch A sends a data frame over the network. Switch A tags the data frame with a VLAN 100 ID tag upon arrival because port 1 is part of VLAN 100. Switch A forwards the tagged data frame to the other VLAN 100 ports, ports 2 through 4. Switch A also forwards the data frame to the 802.1Q trunk link (port 8) so other parts of the network that may contain VLAN 100 groups will receive VLAN 100 traffic. This data frame is not forwarded to the other ports on switch A because they are not part of VLAN 100. This increases security and decreases network traffic.

Switch B receives the data frame over the trunk link (port 8). There are VLAN 100 ports on switch B (ports 4 and 5) and the data frame is forwarded to those ports. As with switch A, the data frame is not delivered to VLAN 200. If there were no VLAN 100 ports on switch B, the switch would not forward the data frame and it would stop there.

[Figure 2: Example VLAN layer-2 packet delivery. Labels: untagged frame enters Switch A on port 1 (VLAN 100); frame with VLAN ID tag crosses the 802.1Q trunk link from port 8 to port 8; untagged frame delivered on Switch B ports 4 and 5 (VLAN 100); VLAN 200 ports (Switch A ports 5-7, Switch B port 6) receive nothing; Branch Office, Main Office.]

Before a switch forwards the data frame to an end destination, it removes the VLAN 100 ID tag. The sending computer and the receiving computers are not aware of any VLAN tagging on the data frame. When any computer receives that data frame, it appears as a normal data frame.

VLAN layer-3 routing

Routers are layer-3 devices. Layer-3 refers to the third layer of the OSI networking model, the Network layer. FortiGate units act as layer-3 devices when they are in NAT/Route mode. As with layer-2, FortiGate units acting as layer-3 devices are 802.1Q-compliant.

The main difference between layer-2 and layer-3 devices is how they process VLAN tags. Layer-2 switches just add, read and remove the tags; they do not alter the tags or do any other high-level actions. Layer-3 routers not only add, read and remove tags but they analyze the data frame and its contents. This analysis allows layer-3 routers to change the VLAN tag if it is appropriate and send the data frame out on a different VLAN.

In a layer-3 environment, the 802.1Q-compliant router receives the data frame and assigns a VLAN ID. The router then forwards the data frame to other members of the same VLAN broadcast domain. The broadcast domain can include local ports, layer-2 devices and layer-3 devices such as routers and firewalls.
When a layer-3 device receives the data frame, the device removes the VLAN tag and examines its contents to decide what to do with the data frame. The layer-3 device considers: • source and destination addresses • protocol • port number The data frame may be forwarded to another VLAN, sent to a regular non-VLANtagged network or just forwarded to the same VLAN as a layer-2 switch would do. It may be discarded if that is the proper firewall policy action. 16 FortiGate VLANs and VDOMs Version 3.0 User Guide 01-30005-0091-20070910 Introduction to VLANs and VDOMs Overview of VLAN technology Layer-3 VLAN Example In the configuration for this example, subnet 1 is the same as the layer-2 previous example. In subnet 2, VLAN 300 is on port 5 of switch B. The FortiGate unit is connected to switch B on port 1 and the trunk link connects the FortiGate unit’s port 3 to switch A. The other ports on switch B are unassigned. This configuration is shown in Figure 3 on page 17. Figure 3: Example VLAN layer-3 routing FortiGate unit Switch A Ports 1 - 4 Port 8 802.1Q trunk link Port 3 Ports 5 - 7 Port 1 VLAN 300 Port 1 Port 1 Port 5 Switch B VLAN 100 Branch Office VLAN 200 VLAN 300 Main Office This example explains how traffic originating on VLAN 100 arrives at a destination on VLAN 300. Layer-2 switches alone cannot accomplish this, but a layer-3 router can do it. Let’s follow a data frame going from VLAN 100 at the Branch Office to VLAN 300 on at the Main Office. As in the layer-2 example, the VLAN 100 computer sends the data frame to switch A and a VLAN 100 tag is added. Switch A forwards the tagged data frame to the FortiGate unit over the 802.1Q trunk link. The FortiGate unit removes the VLAN 100 tag and uses the content of the data frame to select the correct firewall policy. In this case, the FortiGate unit’s firewall policy allows the data frame to go to VLAN 300. It goes to all VLAN 300 interfaces, but in the example there is only one - port 1 on the FortiGate unit. 
Before the data frame leaves the FortiGate unit, the VLAN subinterface adds a VLAN ID 300 tag. The FortiGate unit then forwards the data frame to switch B. Switch B removes the VLAN ID 300 tag, because this is the last hop, and forwards the data frame to the computer on port 5.

In this example a data frame arrives at the FortiGate unit tagged as VLAN 100 and, after checking its content, the FortiGate unit retags the data frame for VLAN 300. It is this change from VLAN 100 to VLAN 300 that requires a layer-3 routing device, in this case the FortiGate unit. Layer-2 switches cannot perform this change.

Rules for VLAN IDs

Layer-2 switches and layer-3 devices add VLAN ID tags to the traffic as it arrives and remove them before they deliver the traffic to its final destination. Devices like PCs and servers on the network do not require any special configuration for VLANs.

On a layer-2 switch, you can only have one VLAN per physical interface, unless that interface is configured as a trunk link. Trunk links can transport the traffic of more than one VLAN to other parts of the network.

On a FortiGate unit, multiple VLAN subinterfaces can be added to the same physical interface. However, VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID, and they cannot have IP addresses on the same subnet.

You can add VLAN subinterfaces with the same VLAN ID to different physical interfaces. Creating VLAN subinterfaces with the same VLAN ID does not create any internal connection between them. For example, VLAN ID 300 on port1 and VLAN ID 300 on port2 are allowed, but they are not connected. Their relationship is the same as between any two FortiGate network interfaces: traffic passes between them only if a firewall policy allows it.

Overview of Virtual Domains

Virtual Domains provide a way to divide your FortiGate unit and operate it as multiple separate units.
You can configure and manage interfaces, VLAN subinterfaces, zones, firewall policies, routing and VPN configurations separately for each virtual domain. This separation simplifies configuration because you do not have to manage as many routes or firewall policies at one time.

One application of this capability is to use a single FortiGate unit to provide routing and network protection for several organizations. Each organization has its own network interfaces (physical or virtual), routing requirements and network protection rules. By default, communication between organizations is possible only if both allow access to an external network such as the Internet. The chapter "Using VDOMs in NAT/Route mode" on page 55 provides two examples of this application.

When a packet enters a virtual domain, it is confined to that virtual domain. In a given domain, you can only create firewall policies for connections between VLAN subinterfaces or zones in that virtual domain. The packet never crosses virtual domain borders.

Maximum number of VDOMs

If virtual domain configuration is enabled on your FortiGate unit and you log on as the default admin administrator, you can go to System > Status and look at Virtual Domain in the License Information section to see the maximum number of virtual domains supported on your FortiGate unit.

By default, your FortiGate unit supports a maximum of 10 VDOMs in any combination of NAT/Route and Transparent modes. For FortiGate models numbered 3000 and higher, you can purchase a license key to increase the maximum number to 25, 50, 100 or 250 VDOMs. For more information see "Creating virtual domains" on page 56.

Inter-VDOM routing

FortiOS v3.0 MR1 introduced a new feature called inter-VDOM routing.
When configured, this feature allows traffic to pass between VDOMs without having to leave the FortiGate unit on one physical interface and return on another. It also lets you choose the degree of inter-VDOM connectivity, from two VDOMs with limited interaction to all VDOMs fully interconnected. All traffic between VDOMs must pass through firewall policies, as it does on any external interface connection.

The command that configures this feature, vdom-link, is only available in the CLI. Inter-VDOM routing is not available from the web-based manager. This topic is dealt with in "Inter-VDOM routing" on page 129 and in the VDOM-admin chapter of the FortiOS CLI Reference.

Management VDOM

All management traffic leaves the FortiGate unit through the management VDOM. This includes all external logging, remote management and other Fortinet services. By default the management VDOM is the root VDOM. You can change this to another VDOM so that management traffic originates from the new VDOM. For more information see "Changing the management VDOM" on page 59.

Administration of virtual domains

You can manage virtual domains using either one common administrator or separate administrators for each VDOM. FortiGate administrator accounts fall into two groups of permissions: super_admin and the rest. Super_admin accounts can manage all of the virtual domains on the FortiGate unit. By default this is the "admin" account. Starting in v3.0 MR5, however, the super_admin profile can be assigned to other admin accounts. This is a security measure that makes it possible to rename the default administrator account, so that the well-known default account name does not have to remain in use. Any admin account that has the super_admin profile has the same permissions as the default "admin" account.

Note: Exercise extreme caution when changing super_admin accounts, especially the default "admin" account. Make careful note of administrators and their passwords.
You may accidentally remove all access to your FortiGate unit and be required to call support to regain access. Any configuration changes you have made may also be lost, because this process resets your FortiGate unit to factory default settings.

You can use super_admin accounts to create other administrator accounts and assign them to VDOMs. Each such administrator account can only configure and manage its own VDOM.

Global properties affect all VDOMs. Access to global properties is available only through super_admin accounts.

Access profiles configure read-only or read/write access for all administrators. Administrators can have access to:
• system configuration
• security policies
• logging and reporting
• user authorization
• administrator management
• configuration backup/restore

This makes it possible for you to have administrators for different services on each VDOM. For example, you can have one administrator responsible for logs and reporting on a VDOM, while another administrator is responsible for security policies on that same VDOM. For more information on access profiles, see the FortiOS Administration Guide.

When you are configuring VDOMs using a super_admin account, the web-based manager shows which VDOM you are editing at the bottom of the left menu, with the label Current VDOM:. If you are configuring global properties, there is no virtual domain indicator and no << Global entry in the left menu.

Global and virtual domain settings

When working with virtual domains, it is important to remember which settings belong exclusively to the virtual domain and which apply to the entire FortiGate unit. The following lists are in the order the items appear in the web-based manager.
Settings exclusive to virtual domains

The following configuration settings are exclusively part of a virtual domain and are not shared between virtual domains:

System settings
• Zones
• DHCP services
• Operation mode (NAT/Route or Transparent)
• Management IP (Transparent mode)

Router configuration
• all

Firewall settings
• Policies
• Addresses
• Service groups and custom services
• Schedules
• Virtual IPs
• IP pools
• Protection Profile

VPN settings
• IPSec
• PPTP
• SSL

User settings
• Users
• User groups
• RADIUS and LDAP servers
• Microsoft Windows Active Directory servers

Web filter configuration
• all

P2P Statistics
• View and Reset

Logs and Reports
• Configuration
• Log Access
• Log Reports

Settings shared by all virtual domains

Virtual domains share the following global settings with other processes on the FortiGate unit:

System settings
• Physical interfaces and VLAN subinterfaces (each physical interface or VLAN subinterface belongs to only one VDOM; each VDOM can use or configure only its own interfaces)
• DNS settings
• Host name
• System time
• Firmware version
• Idle and authentication timeout
• Web-based manager language
• LCD panel PIN, where applicable
• Dead gateway detection
• HA configuration
• SNMP configuration
• Replacement messages
• Administrators (each non-super administrator belongs to only one VDOM; each VDOM can configure only its own administrators)
• Access profiles
• FortiManager configuration
• Configuration backup and restore
• FDN update configuration
• Bug reporting

VPN
• Certificates

User
• Authentication settings

Antivirus
• Quarantine
• Configuration

Antispam configuration
• all

IM, P2P & VoIP
• Configuration
• User lists and policies

For more information

Detailed information and procedures involving virtual domains are provided in the "Using VDOMs in NAT/Route mode" and "Using VLANs and VDOMs in Transparent mode" chapters.

Using VLANs in NAT/Route mode

Overview

In NAT/Route mode the FortiGate unit functions as a layer-3 device. In this mode, it controls the flow of packets between VLANs and can also remove VLAN tags from incoming VLAN packets. The FortiGate unit can also forward untagged packets to other networks, such as the Internet.

In NAT/Route mode, the FortiGate unit supports VLAN trunk links with IEEE 802.1Q-compliant switches (or routers). The trunk link transports VLAN-tagged packets between physical subnets or networks. When you add VLAN subinterfaces to the FortiGate physical interfaces, the VLANs have IDs that match the VLAN IDs of packets on the trunk link. The FortiGate unit directs packets with VLAN IDs to the subinterfaces with matching IDs.

Normally the FortiGate unit's internal interface is connected to a VLAN trunk and the external interface connects to an untagged Internet router. In this configuration the FortiGate unit can apply different policies to the traffic on each VLAN connected to the internal interface.

You can define VLAN subinterfaces on all FortiGate physical interfaces. However, if multiple virtual domains are configured on the FortiGate unit, you will only have access to the physical interfaces assigned to your virtual domain.
The FortiGate unit can tag packets leaving on a VLAN subinterface. It can also remove VLAN tags from incoming packets and add a different VLAN tag to outgoing packets.

Configuring FortiGate units in NAT/Route mode

You can access the FortiGate unit's web-based manager (GUI) with a supported web browser that connects to a FortiGate interface. The interface must be configured for administrative access. Use HTTPS to access the address of the interface, so that administrator credentials are not sent in clear text. All FortiGate units have administrative access enabled by default on the default interface. On the FortiGate-800 the default interface is the Internal interface. For the examples presented in this chapter, the default interface has an address of 192.168.1.99. If you need more information, refer to the Quick Start Guide or Installation Guide that came with your FortiGate unit.

In this chapter, we assume you have not enabled VDOM configuration on your FortiGate unit. If you have enabled it, you will need to navigate to the global or VDOM configuration as needed before following each procedure.

This document does not explain how to configure the protection profiles for virus scanning, web filtering and spam filtering. Your FortiGate unit documentation explains protection profiles.

There are several essential steps to configuring your FortiGate unit for VLANs:
• Adding VLAN subinterfaces
• Creating firewall policies
• Configuring routing

Adding VLAN subinterfaces

You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.

FortiGate interfaces cannot have overlapping IP addresses. That is, the IP addresses of all interfaces must be on different subnets. This rule applies to both physical interfaces and to VLAN subinterfaces.
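The interface rules from this section and from "Rules for VLAN IDs" and "Overview of Virtual Domains" in the previous chapter (no overlapping subnets unless ip-overlap is enabled, no repeated VLAN ID on one physical interface, VLAN IDs within the 802.1Q range, and no policy joining interfaces of different VDOMs) can be checked before a plan is typed into the unit. The following is an added Python example, not code from the guide or from Fortinet; the `Iface` and `Policy` records, the `vdom2` and `port2` names and the deliberately broken second plan are constructed, and the clean plan is the simple NAT/Route example of this chapter.

```python
"""Added example, not from the FortiGate guide: a pre-deployment check of a
planned interface and policy set against the rules stated in this guide:
VLAN IDs in 1..4094, no repeated VLAN ID on one physical interface, no two
interfaces on overlapping subnets unless ip-overlap is enabled, and no
firewall policy joining interfaces of different VDOMs. The data model and
the sample plans are constructed; the clean plan uses the interfaces of the
simple NAT/Route example in this chapter."""
from dataclasses import dataclass
from ipaddress import IPv4Interface
from typing import Optional

@dataclass(frozen=True)
class Iface:
    name: str
    vdom: str
    ip: str                        # "address/prefix", as "set ip" would give
    parent: Optional[str] = None   # physical interface of a VLAN subinterface
    vlanid: Optional[int] = None   # None for a physical interface

@dataclass(frozen=True)
class Policy:
    srcintf: str
    dstintf: str

def check_plan(ifaces, policies, ip_overlap=False):
    """Return the list of rule violations; an empty list means the plan is clean."""
    problems = []
    by_name = {i.name: i for i in ifaces}
    first_user = {}                               # (parent, vlanid) -> interface name
    for i in ifaces:
        if i.vlanid is None:
            continue
        if not 1 <= i.vlanid <= 4094:             # 0 and 4095 are reserved by 802.1Q
            problems.append(f"{i.name}: VLAN ID {i.vlanid} is outside 1..4094")
        if i.parent not in by_name:
            problems.append(f"{i.name}: parent interface {i.parent} does not exist")
        key = (i.parent, i.vlanid)
        if key in first_user:                     # same VID on the same parent
            problems.append(f"{i.name}: VLAN ID {i.vlanid} already used on "
                            f"{i.parent} by {first_user[key]}")
        first_user.setdefault(key, i.name)
    # Subnet overlap is refused by the unit unless "set ip-overlap enable".
    if not ip_overlap:
        nets = [(i.name, IPv4Interface(i.ip).network) for i in ifaces]
        for a in range(len(nets)):
            for b in range(a + 1, len(nets)):
                if nets[a][1].overlaps(nets[b][1]):
                    problems.append(f"{nets[a][0]} and {nets[b][0]}: overlapping "
                                    f"subnets {nets[a][1]} and {nets[b][1]}")
    # A packet never crosses a VDOM border, so a policy may only reference
    # interfaces that belong to the same VDOM.
    for p in policies:
        s, d = by_name.get(p.srcintf), by_name.get(p.dstintf)
        if s is None or d is None:
            problems.append(f"policy {p.srcintf}->{p.dstintf}: unknown interface")
        elif s.vdom != d.vdom:
            problems.append(f"policy {p.srcintf}->{p.dstintf}: crosses VDOMs "
                            f"{s.vdom} and {d.vdom}")
    return problems

# Clean plan: the simple NAT/Route example of this chapter, all in the root VDOM.
SIMPLE_IFACES = [
    Iface("internal", "root", "192.168.110.126/24"),
    Iface("external", "root", "172.16.21.2/24"),
    Iface("VLAN_100", "root", "10.1.1.1/24", parent="internal", vlanid=100),
    Iface("VLAN_200", "root", "10.1.2.1/24", parent="internal", vlanid=200),
]
SIMPLE_POLICIES = [Policy("VLAN_100", "VLAN_200"), Policy("VLAN_200", "VLAN_100"),
                   Policy("VLAN_100", "external"), Policy("VLAN_200", "external")]

# Constructed plan that breaks every rule once. VLAN ID 100 on two different
# physical interfaces (internal and port2) is allowed and is not reported.
BAD_IFACES = SIMPLE_IFACES + [
    Iface("port2", "vdom2", "10.9.9.1/24"),
    Iface("VLAN_100_dup", "root", "10.1.1.129/25", parent="internal", vlanid=100),
    Iface("VLAN_bad", "root", "10.1.5.1/24", parent="internal", vlanid=4095),
    Iface("VLAN_100_p2", "vdom2", "10.2.1.1/24", parent="port2", vlanid=100),
]
BAD_POLICIES = SIMPLE_POLICIES + [Policy("VLAN_100", "VLAN_100_p2"),
                                  Policy("VLAN_100", "VLAN_300")]

if __name__ == "__main__":
    print("simple example:", check_plan(SIMPLE_IFACES, SIMPLE_POLICIES) or "clean")
    for problem in check_plan(BAD_IFACES, BAD_POLICIES):
        print("bad plan:", problem)
```

Passing `ip_overlap=True` mirrors the CLI setting and silences only the subnet check; the VLAN ID and VDOM checks remain, because the unit enforces those regardless.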
Note: If you are unable to change your existing configuration to prevent IP overlap, enter the CLI commands config system global and set ip-overlap enable to allow IP address overlap. After you enter this command, multiple VLAN interfaces can have an IP address that is part of a subnet used by another interface. This command is recommended for advanced users only.

Each VLAN subinterface must be configured with its own IP address and netmask. The subinterface VLAN ID can be any number between 1 and 4094 (IEEE 802.1Q reserves VLAN IDs 0 and 4095). The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant switch or router. If the IDs do not match, the subinterface will not receive the VLAN-tagged traffic.

To add a VLAN subinterface in NAT/Route mode
1 If VDOMs are enabled and you are not in the root VDOM, select << Global.
2 Go to System > Network > Interface.
3 Select Create New to add a VLAN subinterface.
4 Enter a Name to identify the VLAN subinterface.
5 From the Interface list, select the physical interface that receives the VLAN packets intended for this VLAN subinterface.
6 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
7 Configure the VLAN subinterface settings as you would for any FortiGate interface.
8 Select OK to save your changes.

The FortiGate unit adds the new VLAN subinterface to the interface that you selected in step 5. To view the new VLAN subinterface, select the blue arrow next to the parent physical interface. This expands the entry to display all VLAN subinterfaces on this physical interface. If no blue arrow is displayed, there are no subinterfaces on this physical interface.

Creating firewall policies

Firewall policies permit communication between the FortiGate unit's network interfaces based on source and destination IP addresses.
Optionally, you can limit communication to particular times and services. You need firewall policies to permit packets to pass from the VLAN interface where they enter the FortiGate unit to the interface where they exit; a packet that matches no policy is dropped. A policy permits traffic in one direction only, from its source interface to its destination interface, so for each VLAN you must create a firewall policy for each of the following permitted connections the VLAN will use:
• from the VLAN to an external network
• to the VLAN from an external network
• from the VLAN to another VLAN in the same virtual domain on the FortiGate unit
• to the VLAN from another VLAN in the same virtual domain on the FortiGate unit

The packets on each VLAN are subject to antivirus and antispam scans as they pass through the FortiGate unit, when the policy applies a protection profile.

To add firewall policies for VLAN subinterfaces
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets.
3 Go to Firewall > Policy.
4 Add firewall policies as required.

Configuring routing

In the simplest case, you need to configure a default route for packets with external destinations to the gateway of an external network. In more complex cases, you might have to configure different routes based on packet source and destination addresses. Routing is explained in the FortiGate Administration Guide and the CLI Reference.

As with firewall policies, you need to configure routes for VLANs. VLANs need routing and a gateway configured to send and receive packets outside their local subnet. Depending on the network you are connecting to, this can be static or dynamic routing. Dynamic routing can be Routing Information Protocol (RIP), Border Gateway Protocol (BGP), Open Shortest Path First (OSPF) or multicast routing.

If you enable administrative protocols such as SSH, PING, TELNET, HTTPS and HTTP on a VLAN subinterface, you can use them to confirm that routing is properly configured. Enable only the protocols you need for testing, and prefer SSH and HTTPS, because TELNET and HTTP carry administrator credentials in clear text. Enabling logging on the interfaces can also help locate any possible issues.
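The policy rules just described (first match wins, one direction per policy, implicit deny when nothing matches), as an added Python example that evaluates packets against the four policies, two address objects and routes of the simple NAT/Route example later in this chapter. This is not code from the guide or from Fortinet; the sample packets and the host address 172.16.83.1 are constructed, and NAT is not modelled.

```python
"""Added example, not from the FortiGate guide: a first-match evaluator over
firewall policies in the form the guide's CLI uses (srcintf, dstintf, srcaddr,
dstaddr, service, action). It shows that a policy permits one direction only,
so each direction a VLAN needs must have its own policy, and that a packet
without a matching policy is dropped. The address objects, policies and
routes are those of the simple NAT/Route example later in this chapter; the
sample packets are constructed. NAT is not modelled."""
from ipaddress import IPv4Address, IPv4Network

# Firewall address objects; "all" is the unit's built-in any-address object.
ADDRESSES = {
    "all": IPv4Network("0.0.0.0/0"),
    "VLAN_100_Net": IPv4Network("10.1.1.0/24"),
    "VLAN_200_Net": IPv4Network("10.1.2.0/24"),
}

# (id, srcintf, dstintf, srcaddr, dstaddr, service, action), in evaluation order.
POLICIES = [
    (1, "VLAN_100", "VLAN_200", "VLAN_100_Net", "VLAN_200_Net", "ANY", "accept"),
    (2, "VLAN_200", "VLAN_100", "VLAN_200_Net", "VLAN_100_Net", "ANY", "accept"),
    (3, "VLAN_100", "external", "VLAN_100_Net", "all", "ANY", "accept"),
    (4, "VLAN_200", "external", "VLAN_200_Net", "all", "ANY", "accept"),
]

# Connected subnets of the interfaces plus the default route to the Internet.
ROUTES = [
    (IPv4Network("10.1.1.0/24"), "VLAN_100"),
    (IPv4Network("10.1.2.0/24"), "VLAN_200"),
    (IPv4Network("172.16.21.0/24"), "external"),
    (IPv4Network("0.0.0.0/0"), "external"),
]

def egress_interface(dst: IPv4Address) -> str:
    """Longest-prefix match: the interface the packet would leave on."""
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def lookup(ingress: str, src: str, dst: str, service: str = "HTTP"):
    """Return (policy id, action) for a packet that arrived on `ingress`.
    The first policy whose interfaces, addresses and service all match wins;
    with no match the unit's implicit deny applies."""
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    egress = egress_interface(dst_ip)
    for pid, sintf, dintf, saddr, daddr, svc, action in POLICIES:
        if (sintf == ingress and dintf == egress
                and src_ip in ADDRESSES[saddr] and dst_ip in ADDRESSES[daddr]
                and svc in ("ANY", service)):
            return pid, action
    return None, "deny"

def missing_reverse():
    """Interface pairs that have a policy in one direction only. Between two
    internal VLANs this is usually an oversight; for external->VLAN it is the
    intended absence of an inbound policy."""
    pairs = {(p[1], p[2]) for p in POLICIES}
    return sorted((d, s) for s, d in pairs if (d, s) not in pairs)

if __name__ == "__main__":
    print("VLAN 100 -> VLAN 200:", lookup("VLAN_100", "10.1.1.2", "10.1.2.2"))
    print("Internet -> VLAN 100:", lookup("external", "172.16.83.1", "10.1.1.2"))
    print("VLAN 200 host claiming a VLAN 100 address:",
          lookup("VLAN_200", "10.1.1.2", "172.16.83.1"))
    print("directions without a policy:", missing_reverse())
```

The third lookup is the reason the example policies use VLAN_100_Net and VLAN_200_Net as source addresses rather than "all": a host on VLAN 200 that forges a VLAN 100 source address arrives on the VLAN_200 subinterface, matches no policy, and is dropped.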
Example configuration NAT/Route mode (simple)

Figure 4 shows a simplified NAT/Route mode VLAN configuration. In this example, the FortiGate internal interface connects to a Cisco 2950 VLAN switch using an 802.1Q trunk and is configured with two VLAN subinterfaces (VLAN 100 and VLAN 200). The external interface connects to the Internet and is not configured with VLAN subinterfaces.

Figure 4: FortiGate unit in NAT/Route mode (figure not reproduced: the external port, 172.16.21.2, carries untagged packets to the Internet; the internal port, 192.168.110.126, connects over an 802.1Q trunk to port Fa 0/24 of the VLAN switch; VLAN 100, network 10.1.1.0, is on switch port Fa 0/3 and VLAN 200, network 10.1.2.0, is on Fa 0/9)

When the Cisco switch receives packets from VLAN 100 and VLAN 200, it applies VLAN ID tags and forwards the packets to local ports and across the trunk to the FortiGate unit. The FortiGate unit has policies that allow traffic to flow between the VLANs and from the VLANs to the external network.

This section describes how to configure a FortiGate-800 unit and a Cisco Catalyst 2950 switch for this example network topology. Cisco configuration commands used in this section are IOS commands. It is assumed that both the FortiGate-800 and the Cisco 2950 switch are installed and connected, and that basic configuration has been completed. On the switch you will need access to the CLI to enter commands. Refer to the manuals for each unit for more information.

General configuration steps

The following steps provide an overview of configuring and testing the hardware used in this example. The steps are explained in detail later in this section.
1 Configuring the FortiGate-800 unit:
• Configure the external interface.
• Add two VLAN subinterfaces to the internal network interface.
• Add firewall addresses and address ranges for the internal and external networks.
• Add firewall policies to allow:
  • the VLAN networks to access each other
  • the VLAN networks to access the external network
2 Configuring the Cisco switch to support VLAN tags.
3 Testing the configuration.

Configuring the FortiGate-800 unit

Use the FortiGate web-based manager to configure the FortiGate-800 unit. Alternatively, the CLI can be used. Configuring the FortiGate unit includes:
• Configuring the external interface
• Adding VLAN subinterfaces
• Adding the firewall addresses
• Adding firewall policies

Configuring the external interface

The FortiGate unit's external interface will be the path to the Internet for our network. Configuring the external interface can be completed through the web-based manager or the CLI.

To configure the external interface - web-based manager
1 If VDOMs are enabled and you are not in the root VDOM, select << Global.
2 Go to System > Network > Interface.
3 Select the Edit icon for the external interface.
4 Enter the following information for the external interface and select OK:
  Addressing mode   Manual
  IP/Netmask        172.16.21.2/255.255.255.0
  Configure other fields as required.

To configure the external interface - CLI
  config system interface
    edit external
      set mode static
      set ip 172.16.21.2 255.255.255.0
  end

Adding VLAN subinterfaces

This step creates the VLANs on the FortiGate physical interfaces. The rest of this example configures the VLAN behavior on the FortiGate unit, configures the switch to treat the VLANs the same way as the FortiGate unit does, and tests that all of the settings are correct.
Adding VLAN subinterfaces can be completed through the web-based manager or the CLI.

To add VLAN subinterfaces - web-based manager
1 If VDOMs are enabled and you are not in the root VDOM, select << Global.
2 Go to System > Network > Interface.
3 Select Create New.
4 Enter the following information for VLAN_100 and select OK:
  Name                   VLAN_100
  Interface              internal
  VLAN ID                100
  Addressing mode        Manual
  IP/Netmask             10.1.1.1/255.255.255.0
  Administrative Access  HTTPS, PING, TELNET
  Configure other fields as required.
5 Select Create New.
6 Enter the following information for VLAN_200 and select OK:
  Name                   VLAN_200
  Interface              internal
  VLAN ID                200
  Addressing mode        Manual
  IP/Netmask             10.1.2.1/255.255.255.0
  Administrative Access  HTTPS, PING, TELNET
  Configure other fields as required.

Figure 5: VLAN subinterfaces (screen capture not reproduced)

To add VLAN subinterfaces - CLI
  config system interface
    edit VLAN_100
      set interface internal
      set vlanid 100
      set mode static
      set ip 10.1.1.1 255.255.255.0
      set allowaccess https ping telnet
    next
    edit VLAN_200
      set interface internal
      set vlanid 200
      set mode static
      set ip 10.1.2.1 255.255.255.0
      set allowaccess https ping telnet
  end

Adding the firewall addresses

You need to define the addresses of the VLAN subnets for use in firewall policies. The FortiGate unit provides one default address, "all", that you can use when a firewall policy applies to all addresses as a source or destination of a packet. In this example, the "_Net" part of the address name indicates a range of addresses instead of a single address. When choosing firewall address names, keep them informative and unique, but short. You can use the web-based manager or the CLI to add firewall addresses.

To add the firewall addresses - web-based manager
1 Go to Firewall > Address.
2 Select Create New.
3 Enter the following information and select OK:
  Address Name       VLAN_100_Net
  Type               Subnet/IP Range
  Subnet / IP Range  10.1.1.0/255.255.255.0
4 Select Create New.
5 Enter the following information and select OK:
  Address Name       VLAN_200_Net
  Type               Subnet/IP Range
  Subnet / IP Range  10.1.2.0/255.255.255.0

Figure 6: Firewall addresses (screen capture not reproduced)

To add the firewall addresses - CLI
  config firewall address
    edit VLAN_100_Net
      set type ipmask
      set subnet 10.1.1.0 255.255.255.0
    next
    edit VLAN_200_Net
      set type ipmask
      set subnet 10.1.2.0 255.255.255.0
  end

Adding the firewall policies

Once you have assigned addresses to the VLANs, you need to configure firewall policies for them using either the web-based manager or the CLI. These policies allow packets to pass from one VLAN to the other and to the Internet. If you do not wish to allow all services on a VLAN, create a firewall policy for each service you want to allow instead of using the ANY service. This example allows all services.

To add the firewall policies - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:
  Source Interface/Zone       VLAN_100
  Address Name                VLAN_100_Net
  Destination Interface/Zone  VLAN_200
  Address Name                VLAN_200_Net
  Schedule                    Always
  Service                     ANY
  Action                      ACCEPT
  NAT                         Select
  Configure other fields as required.
4 Select Create New.
5 Enter the following information and select OK:
  Source Interface/Zone       VLAN_200
  Address Name                VLAN_200_Net
  Destination Interface/Zone  VLAN_100
  Address Name                VLAN_100_Net
  Schedule                    Always
  Service                     ANY
  Action                      ACCEPT
  NAT                         Select
  Configure other fields as required.
6 Select Create New.
7 Enter the following information and select OK:
  Source Interface/Zone       VLAN_100
  Address Name                VLAN_100_Net
  Destination Interface/Zone  external
  Address Name                all
  Schedule                    Always
  Service                     ANY
  Action                      ACCEPT
  NAT                         Select
  Configure other fields as required.
8 Select Create New.
9 Enter the following information and select OK:
  Source Interface/Zone       VLAN_200
  Address Name                VLAN_200_Net
  Destination Interface/Zone  external
  Address Name                all
  Schedule                    Always
  Service                     ANY
  Action                      ACCEPT
  NAT                         Select
  Configure other fields as required.

To add the firewall policies - CLI
  config firewall policy
    edit 1
      set srcintf VLAN_100
      set dstintf VLAN_200
      set srcaddr VLAN_100_Net
      set dstaddr VLAN_200_Net
      set schedule always
      set service ANY
      set action accept
      set nat enable
      set status enable
    next
    edit 2
      set srcintf VLAN_200
      set dstintf VLAN_100
      set srcaddr VLAN_200_Net
      set dstaddr VLAN_100_Net
      set schedule always
      set service ANY
      set action accept
      set nat enable
      set status enable
    next
    edit 3
      set srcintf VLAN_100
      set dstintf external
      set srcaddr VLAN_100_Net
      set dstaddr all
      set schedule always
      set service ANY
      set action accept
      set nat enable
      set status enable
    next
    edit 4
      set srcintf VLAN_200
      set dstintf external
      set srcaddr VLAN_200_Net
      set dstaddr all
      set schedule always
      set service ANY
      set action accept
      set nat enable
      set status enable
  end

Configuring the Cisco switch to support VLAN tags

On the Cisco Catalyst 2950 Ethernet switch, you need to define VLANs 100 and 200 in the VLAN database and then add a configuration file that assigns the access ports to those VLANs and defines the 802.1Q trunk interface.
One method to configure a Cisco switch is to connect over a serial connection to the console port and enter the commands at the CLI. Another method is to designate one interface on the switch as the management interface and use a web browser to connect to the switch's graphical interface. For details on connecting and configuring your Cisco switch, refer to the installation and configuration manuals for the switch.

The switch used in this example is a Cisco Catalyst 2950 switch. The commands used are IOS commands. Refer to the switch manual for help with these commands.

To configure the VLAN access ports and the trunk interface
Add this configuration to the Cisco switch:
  !
  vlan 100
  !
  vlan 200
  !
  interface FastEthernet0/3
   switchport access vlan 100
  !
  interface FastEthernet0/9
   switchport access vlan 200
  !
  interface FastEthernet0/24
   switchport trunk encapsulation dot1q
   switchport mode trunk
  !

The switch then has the following configuration:
  Port 0/3   VLAN ID 100
  Port 0/9   VLAN ID 200
  Port 0/24  802.1Q trunk

If the switch rejects the switchport trunk encapsulation dot1q command, it supports only 802.1Q trunking and switchport mode trunk alone configures the trunk. A trunk port carries every VLAN by default; to restrict it to the VLANs the FortiGate unit expects, add switchport trunk allowed vlan 100,200 to the trunk interface.

Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default gateways. The default gateway for VLAN 100 is the FortiGate VLAN 100 subinterface (10.1.1.1). The default gateway for VLAN 200 is the FortiGate VLAN 200 subinterface (10.1.2.1).

Testing the configuration

Use diagnostic commands (tracert, ping) to test traffic routed through the FortiGate unit and the Cisco switch. Testing includes:
• Testing traffic from VLAN 100 to VLAN 200
• Testing traffic from VLAN 100 to the external network

Testing traffic from VLAN 100 to VLAN 200

In this example, a route is traced between the two internal networks. The route target is a host on VLAN 200. From a host on VLAN 100, open a command prompt and enter this command:
  C:\>tracert 10.1.2.2

  Tracing route to 10.1.2.2 over a maximum of 30 hops:
    1  <10 ms  <10 ms  <10 ms  10.1.1.1
    2  <10 ms  <10 ms  <10 ms  10.1.2.2
  Trace complete.

The first hop is the FortiGate VLAN 100 subinterface and the second is the target host; any other first hop means the VLAN 100 host is not using the FortiGate subinterface as its default gateway.
Figure 7: Example trace route from VLAN 100 to VLAN 200 (figure not reproduced: the tracert runs from host 10.1.1.2 on the VLAN 100 network, through the FortiGate-800 VLAN 100 subinterface 10.1.1.1 and VLAN 200 subinterface 10.1.2.1, to host 10.1.2.2 on the VLAN 200 network)

Testing traffic from VLAN 100 to the external network

In this example, a route is traced from an internal network to the external network. The route target is the external network interface of the FortiGate-800 unit. From a host on VLAN 100, open a command prompt and enter this command:
  C:\>tracert 172.16.21.2

  Tracing route to 172.16.21.2 over a maximum of 30 hops:
    1  <10 ms  <10 ms  <10 ms  10.1.1.1
    2  <10 ms  <10 ms  <10 ms  172.16.21.2
  Trace complete.

Figure 8: Example trace route from VLAN 100 to the external network (figure not reproduced: the tracert runs from the VLAN 100 network through the FortiGate-800 VLAN 100 subinterface 10.1.1.1 to the external interface and on toward the Internet)

Example configuration NAT/Route mode (complex)

In this example, a FortiGate-800 unit operates in NAT/Route mode. Its network interfaces are configured as follows:
• The internal interface is configured with two VLAN subinterfaces: VLAN 10 for the Local users network and VLAN 20 for the Finance network. The internal interface connects to a Cisco 2950 switch using an 802.1Q trunk.
• The external interface is configured with two VLAN subinterfaces: VLAN 30 for the ATT ISP network and VLAN 40 for the XO ISP network. The external interface connects to a second Cisco 2950 switch using an 802.1Q trunk.

The FortiGate-800 is configured with firewall policies that control the flow of traffic between networks. The Finance network is the most secure network. It allows outbound traffic to all other networks, but it does not allow inbound traffic.
The Local users network allows outbound traffic to the external networks (ATT ISP and XO ISP), inbound traffic from the Finance network and a single inbound connection from a VPN client on the ATT ISP network.

This section describes how to configure a FortiGate-800 unit and two 802.1Q-compliant switches for the example network topology shown in Figure 9.

Figure 9: Example VLAN topology (FortiGate unit in NAT/Route mode) (figure not reproduced: the external Cisco 2950 switch connects the ATT ISP on VLAN 30, the XO ISP on VLAN 40, the Internet and the VPN client to the FortiGate-800 external interface over an 802.1Q trunk on Fa 0/24; the internal Cisco 2950 switch connects the Local users network 192.168.10.0 on VLAN 10 and the Finance network 192.168.20.0 on VLAN 20 to the FortiGate-800 internal interface over an 802.1Q trunk on Fa 0/24)

General configuration steps

The following steps break down the NAT/Route mode complex configuration example into smaller sections, each with a number of procedures.
1 Configuring the FortiGate-800 unit
2 Configuring the FortiGate-800 IPSec VPN tunnel and encrypt policy
3 Configuring the VPN client
4 Configuring the internal Cisco switch
5 Configuring the external Cisco switch
6 Testing the configuration

Configuring the FortiGate-800 unit

Start the web-based manager or use the CLI to configure the FortiGate-800 unit. Configuring the FortiGate unit includes:
• Adding the VLAN subinterfaces Local-LAN, Finance, ATT-ISP and XO-ISP
• Adding a default route
• Adding the firewall addresses
• Adding the firewall policies

Adding the VLAN subinterfaces

Select either the web-based manager or the CLI to add VLAN subinterfaces.
To add the VLAN subinterfaces - web-based manager

1 If VDOMs are enabled and you are not in the root VDOM, select << Global.
2 Go to System > Network > Interface.
3 Select Create New.
4 Enter the following information for the Local users network and select OK:
    Name                   Local-LAN
    Interface              internal
    VLAN ID                10
    Addressing mode        Manual
    IP/Netmask             192.168.10.1/255.255.255.0
    Administrative Access  HTTPS, PING, TELNET
5 Select Create New.
6 Enter the following information for the Finance network and select OK:
    Name                   Finance
    Interface              internal
    VLAN ID                20
    Addressing mode        Manual
    IP/Netmask             192.168.20.1/255.255.255.0
    Administrative Access  HTTPS, PING, TELNET
7 Select Create New.
8 Enter the following information for the ATT ISP network and select OK:
    Name                   ATT-ISP
    Interface              external
    VLAN ID                30
    Addressing mode        Manual
    IP/Netmask             30.1.1.1/255.255.255.0
    Administrative Access  HTTPS, PING, TELNET
9 Select Create New.
10 Enter the following information for the XO ISP network and select OK:
    Name                   XO-ISP
    Interface              external
    VLAN ID                40
    Addressing mode        Manual
    IP/Netmask             40.1.1.1/255.255.255.0
    Administrative Access  HTTPS, PING, TELNET

Figure 10: VLAN subinterfaces

To add the VLAN subinterfaces - CLI

    config system interface
        edit Local-LAN
            set interface internal
            set vlanid 10
            set mode static
            set ip 192.168.10.1 255.255.255.0
            set allowaccess https ping telnet
        next
        edit Finance
            set interface internal
            set vlanid 20
            set mode static
            set ip 192.168.20.1 255.255.255.0
            set allowaccess https ping telnet
        next
        edit ATT-ISP
            set interface external
            set vlanid 30
            set mode static
            set ip 30.1.1.1 255.255.255.0
            set allowaccess https ping telnet
        next
        edit XO-ISP
            set interface external
            set vlanid 40
            set mode static
            set ip 40.1.1.1 255.255.255.0
            set allowaccess https ping telnet
    end

Adding a default route

Default routes need to be added to the ISP connections. They are weighted differently using the distance metric. This means traffic will use ATT-ISP by default.

Note: If you wanted both ISPs to be used interchangeably, i.e. for load balancing by session, three things have to be in place: their distances have to be equal, their priorities have to be equal and load balancing must be turned on. This configuration is an equal cost For more information on these settings, see the FortiGate CLI Reference.

Select either the web-based manager or the CLI to add a default route.

To add a default route - web-based manager

1 Go to Router > Static > Static Route.
2 Select Create New to add a new route.
3 Enter the following information to add a default route to ATT-ISP for network traffic leaving the external interface and select OK:
    Destination IP/Mask  0.0.0.0/0.0.0.0
    Gateway              30.1.1.2
    Device               ATT-ISP
    Distance             10
4 Enter the following information to add a secondary default route to XO-ISP for network traffic leaving the external interface and select OK:
    Destination IP/Mask  0.0.0.0/0.0.0.0
    Gateway              40.1.1.2
    Device               XO-ISP
    Distance             20

To add a default route - CLI

    config router static
        edit 1
            set device ATT-ISP
            set gateway 30.1.1.2
            set distance 10
        next
        edit 2
            set device XO-ISP
            set gateway 40.1.1.2
            set distance 20
    end

Adding the firewall addresses

Before you can configure firewall policies to control inter-VLAN and VLAN-internet traffic, you need to assign firewall addresses. These define the subnets where the firewall policies are applied.

Select either the web-based manager or the CLI to add the firewall addresses.

To add the firewall addresses - web-based manager

1 Go to Firewall > Address.
2 Select Create New.
3 Enter the following information and select OK:
    Address Name     Local_users
    Type             Subnet/IP Range
    IP Range/Subnet  192.168.10.0/255.255.255.0
4 Select Create New.
5 Enter the following information and select OK:
    Address Name     Finance_users
    Type             Subnet/IP Range
    IP Range/Subnet  192.168.20.0/255.255.255.0

Figure 11: Firewall addresses

To add the firewall addresses - CLI

    config firewall address
        edit Local_users
            set type ipmask
            set subnet 192.168.10.0 255.255.255.0
        next
        edit Finance_users
            set type ipmask
            set subnet 192.168.20.0 255.255.255.0
    end

Adding the firewall policies

Firewall policies allow VLAN traffic to move to other VLANs and the internet.

Select either the web-based manager or the CLI to add the firewall policies.

To add the firewall policies - web-based manager

1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:
    Source Interface/Zone       Finance
    Address Name                Finance_users
    Destination Interface/Zone  ATT-ISP
    Address Name                all
    Schedule                    Always
    Service                     ANY
    Action                      ACCEPT
    NAT                         Select
  Configure other fields as required.
4 Go to Firewall > Policy.
5 Select Create New.
6 Enter the following information and select OK:
    Source Interface/Zone       Finance
    Address Name                Finance_users
    Destination Interface/Zone  XO-ISP
    Address Name                all
    Schedule                    Always
    Service                     ANY
    Action                      ACCEPT
    NAT                         Select
  Configure other fields as required.
7 Go to Firewall > Policy.
8 Select Create New.
9 Enter the following information and select OK:
    Source Interface/Zone       Finance
    Address Name                Finance_users
    Destination Interface/Zone  Local-LAN
    Address Name                Local_users
    Schedule                    Always
    Service                     ANY
    Action                      ACCEPT
    NAT                         Select
  Configure other fields as required.
10 Go to Firewall > Policy.
11 Select Create New.
12 Enter the following information and select OK:
    Source Interface/Zone       Local-LAN
    Address Name                Local_users
    Destination Interface/Zone  ATT-ISP
    Address Name                all
    Schedule                    Always
    Service                     ANY
    Action                      ACCEPT
    NAT                         Select
  Configure other fields as required.
13 Go to Firewall > Policy.
14 Select Create New.
15 Enter the following information and select OK:
    Source Interface/Zone       Local-LAN
    Address Name                Local_users
    Destination Interface/Zone  XO-ISP
    Address Name                all
    Schedule                    Always
    Service                     ANY
    Action                      ACCEPT
    NAT                         Select
  Configure other fields as required.

The list of firewall policies looks like this:

To add the firewall policies - CLI

    config firewall policy
        edit 1
            set srcintf Finance
            set dstintf ATT-ISP
            set srcaddr Finance_users
            set dstaddr all
            set schedule always
            set service ANY
            set action accept
            set nat enable
            set status enable
        next
        edit 2
            set srcintf Finance
            set dstintf XO-ISP
            set srcaddr Finance_users
            set dstaddr all
            set schedule always
            set service ANY
            set action accept
            set nat enable
            set status enable
        next
        edit 3
            set srcintf Finance
            set dstintf Local-LAN
            set srcaddr Finance_users
            set dstaddr Local_users
            set schedule always
            set service ANY
            set action accept
            set nat enable
            set status enable
        next
        edit 4
            set srcintf Local-LAN
            set dstintf ATT-ISP
            set srcaddr Local_users
            set dstaddr all
            set schedule always
            set service ANY
            set action accept
            set nat enable
            set status enable
        next
        edit 5
            set srcintf Local-LAN
            set dstintf XO-ISP
            set srcaddr Local_users
            set dstaddr all
            set schedule always
            set service ANY
            set action accept
            set nat enable
            set status enable
    end

Configuring the FortiGate-800 IPSec VPN tunnel and encrypt policy

In this example, one user is allowed to connect to the Local users network through a VPN tunnel from an external dial-up connection. To enable this, you need to do the following:

• Configure the VPN gateway.
• Configure the VPN tunnel.
• Define the IP address for the VPN user on the Local users network.
• Add the encrypt firewall policy to enable the connection.

Configuring the VPN gateway

VPN IPSec tunnels are typically a two-phase process. The VPN gateway is the first phase.

Select either the web-based manager or the CLI to configure the VPN gateway.

To configure the VPN gateway - web-based manager

1 Go to VPN > IPSEC Tunnel > Auto Key.
2 Select Create Phase 1 and then select Advanced.
3 Enter the following information, then select OK:
    Name                   Dialup_tunnel
    Remote Gateway         Dialup User
    Local Interface        ATT-ISP
    Mode                   Aggressive
    Authentication Method  Preshared key
    Pre-shared key         The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters. The client must use the same pre-shared key.
    Advanced               Select Advanced to configure the following options. The values shown here are the defaults and should not need to be changed.
    P1 Proposal            1-Encryption 3DES, Authentication SHA1
                           2-Encryption 3DES, Authentication MD5
    DH Group               5
    Keylife                28800 (seconds)
  Configure other fields as required.
To configure the VPN gateway - CLI

    config vpn ipsec phase1
        edit Dialup_tunnel
            set type dynamic
            set mode aggressive
            set authmethod psk
            set psksecret <pre-shared key>
            set proposal 3des-sha1 3des-md5
            set dhgrp 5
            set keylife 28800
    end

Configuring the VPN tunnel

With the VPN gateway configured, the VPN tunnel can be configured. The VPN tunnel is Phase 2.

Select either the web-based manager or the CLI to configure the VPN tunnel.

To configure the VPN tunnel - web-based manager

1 Go to VPN > IPSEC > Phase 2.
2 Select Create New and then select Advanced.
3 Enter the following information, then select OK:
    Name                            Dialup-client
    Phase 1                         Dialup_tunnel
    Advanced                        Select Advanced to configure the following options.
    P2 Proposal                     1-Encryption 3DES, Authentication SHA1
                                    2-Encryption 3DES, Authentication MD5
    Enable replay detection         Select
    Enable perfect forward secrecy  Select
    DH Group                        5
    Keylife                         1800 seconds
    Autokey Keep Alive              Select
    DHCP-IPsec                      Clear
    Quick Mode Selector             Source address, Source port, Destination address, Destination port, Protocol
  Configure other fields as required.

To configure the VPN tunnel - CLI

    config vpn ipsec phase2
        edit Dialup-client
            set phase1name Dialup_tunnel
            set proposal 3des-sha1 3des-md5
            set replay enable
            set pfs enable
            set dhgrp 5
            set keylife-type seconds
            set keylifeseconds 1800
            set keepalive enable
    end

Defining the VPN user IP address

The destination address used in the firewall policy determines the acceptable source address range for the remote VPN user. To allow the user to use the VPN from any host, the firewall policy could specify the “all” firewall address. This example requires that the remote user can only use the ATT-ISP network.

To define the VPN user IP address - web-based manager

1 Go to Firewall > Address > Address.
2 Select Create New.
3 Enter the following information and select OK:
    Address Name     ATT-net
    Type             Subnet/IP Range
    IP Range/Subnet  30.1.1.0/255.255.255.0

To define the VPN user IP address - CLI

    config firewall address
        edit ATT-net
            set type ipmask
            set subnet 30.1.1.0 255.255.255.0
    end

Adding the encrypt policy

Select either the web-based manager or the CLI to add the encrypt policy.

To add the encrypt policy - web-based manager

1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information, then select OK:
    Source Interface/Zone       Local-LAN
    Address Name                Local_users
    Destination Interface/Zone  ATT-ISP
    Address Name                ATT-net
    Schedule                    Always
    Service                     ANY
    Action                      IPSEC
    VPN Tunnel                  Dialup_tunnel
    Allow inbound               Select
    Allow outbound              Clear
    Inbound NAT                 Select
    Outbound NAT                Clear
  Configure other fields as required.
4 Place the policy in the policy list above non-encrypt policies. If there is more than one encrypt policy in the list, place the more specific ones above the more general ones with similar source and destination addresses.

To add the encrypt policy - CLI

    config firewall policy
        edit 6
            set srcintf Local-LAN
            set dstintf ATT-ISP
            set srcaddr Local_users
            set dstaddr ATT-net
            set schedule always
            set service ANY
            set action ipsec
            set vpntunnel Dialup_tunnel
            set inbound enable
            set outbound disable
            set natinbound enable
            set natoutbound disable
            set status enable
    end

Configuring the VPN client

The Local users network allows a single inbound connection from a VPN client on the ATT ISP network. This example shows how to configure FortiClient v3.0 MR5 for this purpose.

Creating a new VPN connection

1 Start FortiClient.
2 Go to VPN > Connections and select Advanced > Add.
Figure 12: New VPN Connection

3 Type a name for the connection in the Connection Name field.
4 In the Remote Gateway IP address box, enter 30.1.1.1.
5 In the Remote Network address box, enter 192.168.10.0/255.255.255.0.
6 From the Authentication Method box select Preshared Key.
7 Type the pre-shared key in the Pre-Shared Key field.

Note: The pre-shared key must match the FortiGate authentication key.

8 Select Advanced.

Figure 13: Advanced Settings

9 Select Acquire virtual IP address and then select Config. The Virtual IP Acquisition dialog box opens.
10 Select Manually Set.
11 Enter the following information and select OK.
    IP           30.1.1.0
    Subnet mask  255.255.255.0
12 Select OK and then select OK again to complete configuration of the VPN connection.

Configuring the internal Cisco switch

On the Cisco Catalyst 2950 ethernet switch connected to the internal interface, you need to define VLANs 10 and 20 in the VLAN database and then add a configuration file to define the VLAN subinterfaces and the 802.1Q trunk interface. This example uses Cisco IOS commands.

Configuring the VLAN subinterfaces and the trunk interfaces

Add this file to the Cisco switch connected to the internal interface:

    !
    interface FastEthernet0/3
     switchport access vlan 10
    !
    interface FastEthernet0/9
     switchport access vlan 20
    !
    interface FastEthernet0/24
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !

The switch has the following configuration:

    Port 0/3   VLAN ID 10
    Port 0/9   VLAN ID 20
    Port 0/24  802.1Q trunk

Note: To complete the setup, configure devices on VLAN 10 and VLAN 20 with default gateways. The default gateway for VLAN 10 is the FortiGate VLAN 10 subinterface.
The default gateway for VLAN 20 is the FortiGate VLAN 20 subinterface.

Configuring the external Cisco switch

On the Cisco Catalyst 2950 ethernet switch connected to the external interface, you need to define VLANs 30 and 40 in the VLAN database and then add a configuration file to define the VLAN subinterfaces and the 802.1Q trunk interface. This example uses Cisco IOS commands.

Configuring the VLAN subinterfaces and the trunk interfaces

Add this file to the Cisco switch connected to the external interface:

    !
    interface FastEthernet0/3
     switchport access vlan 30
    !
    interface FastEthernet0/9
     switchport access vlan 40
    !
    interface FastEthernet0/24
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !

The switch has the following configuration:

    Port 0/3   VLAN ID 30
    Port 0/9   VLAN ID 40
    Port 0/24  802.1Q trunk

Note: To complete the setup, configure devices on VLAN 30 and VLAN 40 with default gateways. The default gateway for VLAN 30 is the FortiGate VLAN 30 subinterface. The default gateway for VLAN 40 is the FortiGate VLAN 40 subinterface.

Testing the configuration

Use diagnostic commands (tracert, ping) to test traffic routed through the FortiGate unit and the Cisco switch. The traffic route tests include:

• testing traffic from VLAN 20 to VLAN 10
• testing traffic from VLAN 10 to the external network

Testing traffic from VLAN 20 to VLAN 10

In this example, a route is traced between the two internal networks. The route target is a host on the Local users network (VLAN 10).

From the Finance network, access a command prompt and enter this command:

    C:\>tracert 192.168.10.2

    Tracing route to 192.168.10.2 over a maximum of 30 hops:

      1   <10 ms   <10 ms   <10 ms   192.168.20.1
      2   <10 ms   <10 ms   <10 ms   192.168.10.2

    Trace complete.
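The tracert tests above exercise only flows that are supposed to succeed; they do not show that the Finance network really rejects inbound sessions, or that the encrypt policy is reachable at all. The following Python script is an added example, not part of the Fortinet guide: it models the three firewall addresses and six firewall policies created in this chapter, evaluates sample flows the way a FortiGate walks its policy list (top to bottom, first match wins, implicit deny at the bottom), and checks the stated rules, including the step-4 requirement that the encrypt policy sits above the plain Local-LAN to ATT-ISP policy. The host addresses used for the sample flows are constructed.

```python
"""Offline check of the NAT/Route mode (complex) firewall policy list.

Added example, not the guide's own code. Addresses, interface pairs and
policy numbers are the ones this chapter creates; the host addresses used
in the sample flows are constructed. A policy is modelled by the fields
that decide whether a new session matches it.
"""
import ipaddress

# Firewall addresses from this chapter ("all" is the built-in any address).
ADDRESSES = {
    "Local_users": ipaddress.ip_network("192.168.10.0/24"),
    "Finance_users": ipaddress.ip_network("192.168.20.0/24"),
    "ATT-net": ipaddress.ip_network("30.1.1.0/24"),
}

def policy(pid, srcintf, dstintf, srcaddr, dstaddr, action="accept"):
    """One firewall policy, reduced to the fields that decide a match."""
    return {"id": pid, "srcintf": srcintf, "dstintf": dstintf,
            "srcaddr": srcaddr, "dstaddr": dstaddr, "action": action}

# Policies 1-6 in the order the CLI procedures of this chapter create them.
POLICY_LIST = [
    policy(1, "Finance", "ATT-ISP", "Finance_users", "all"),
    policy(2, "Finance", "XO-ISP", "Finance_users", "all"),
    policy(3, "Finance", "Local-LAN", "Finance_users", "Local_users"),
    policy(4, "Local-LAN", "ATT-ISP", "Local_users", "all"),
    policy(5, "Local-LAN", "XO-ISP", "Local_users", "all"),
    policy(6, "Local-LAN", "ATT-ISP", "Local_users", "ATT-net", "ipsec"),
]

def address_matches(name, ip):
    """True when ip falls inside the named firewall address."""
    return name == "all" or ipaddress.ip_address(ip) in ADDRESSES[name]

def evaluate(policies, srcintf, src_ip, dstintf, dst_ip):
    """Return (policy id, action) of the first policy matching a new
    session, or (None, "deny") for the implicit deny at the bottom."""
    for p in policies:
        if (p["srcintf"], p["dstintf"]) != (srcintf, dstintf):
            continue
        if (address_matches(p["srcaddr"], src_ip)
                and address_matches(p["dstaddr"], dst_ip)):
            return p["id"], p["action"]
    return None, "deny"

def covers(outer, inner):
    """True when firewall address outer contains every host of inner."""
    if outer == "all":
        return True
    return inner != "all" and ADDRESSES[inner].subnet_of(ADDRESSES[outer])

def shadowed_policies(policies):
    """IDs of policies that can never match because an earlier policy on
    the same interface pair already covers their source and destination."""
    shadowed = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if ((earlier["srcintf"], earlier["dstintf"])
                    == (later["srcintf"], later["dstintf"])
                    and covers(earlier["srcaddr"], later["srcaddr"])
                    and covers(earlier["dstaddr"], later["dstaddr"])):
                shadowed.append(later["id"])
                break
    return shadowed

def encrypt_policies_first(policies):
    """Step 4 of the encrypt policy procedure: move IPSEC policies above
    the non-encrypt policies, keeping their relative order."""
    ipsec = [p for p in policies if p["action"] == "ipsec"]
    return ipsec + [p for p in policies if p["action"] != "ipsec"]

def check_requirements(policies):
    """Return the list of stated rules the policy list violates."""
    finance_host, local_host = "192.168.20.2", "192.168.10.2"  # constructed
    problems = []
    # Finance may initiate traffic to the Local users network and both ISPs.
    for dstintf, dst in (("Local-LAN", local_host), ("ATT-ISP", "30.1.1.2"),
                         ("XO-ISP", "40.1.1.2")):
        if evaluate(policies, "Finance", finance_host, dstintf, dst)[1] != "accept":
            problems.append(f"Finance cannot reach {dstintf}")
    # Nothing may initiate a session into Finance.
    for srcintf, src in (("Local-LAN", local_host), ("ATT-ISP", "30.1.1.99"),
                         ("XO-ISP", "40.1.1.99")):
        if evaluate(policies, srcintf, src, "Finance", finance_host)[1] != "deny":
            problems.append(f"inbound traffic from {srcintf} into Finance")
    # A host on the ATT ISP network (30.1.1.50, constructed) must hit policy 6.
    if evaluate(policies, "Local-LAN", local_host, "ATT-ISP", "30.1.1.50") != (6, "ipsec"):
        problems.append("encrypt policy 6 is shadowed")
    return problems

if __name__ == "__main__":
    print("as created:", check_requirements(POLICY_LIST), shadowed_policies(POLICY_LIST))
    fixed = encrypt_policies_first(POLICY_LIST)
    print("after step 4:", check_requirements(fixed), shadowed_policies(fixed))
```

With the policies in creation order the script reports policy 6 as shadowed by policy 4; after the reorder that step 4 of the encrypt policy procedure asks for, every check passes.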
Figure 14: Example trace route from VLAN 20 to VLAN 10 (FortiGate-800 unit: VLAN 20 subinterface 192.168.20.1, VLAN 10 subinterface 192.168.10.1; tracert from the VLAN 20 Finance network through the switch to the VLAN 10 Local users network host 192.168.10.2)

Testing traffic from VLAN 10 to the external network

In this example, a route is traced from VLAN 10 on an internal network to the external network. The route target is the external network interface of the FortiGate-800 unit.

From the Local users network (VLAN 10), access a command prompt and enter this command:

    C:\>tracert 172.16.21.2

    Tracing route to 172.16.21.2 over a maximum of 30 hops:

      1   <10 ms   <10 ms   <10 ms   192.168.10.1
      2   <10 ms   <10 ms   <10 ms   172.16.21.2

    Trace complete.

Figure 15: Example trace route from VLAN 10 to the external network (FortiGate-800 unit: external interface 172.16.21.1, VLAN 10 subinterface 192.168.10.1; tracert from the VLAN 10 Local users network through the switch to the Internet)

Using VDOMs in NAT/Route mode

Overview

Virtual Domains (VDOMs) split your FortiGate unit into multiple separate units so that it can serve multiple organizations. Each VDOM has separate routing and firewall policies. Each interface, physical or virtual, belongs exclusively to one virtual domain. This simplifies administration because you can see only the interfaces, routing tables and firewall policies for the VDOM you are configuring.
This chapter contains the following sections:

• Getting started with VDOMs
• Configuring virtual domains
• Example VDOM configuration in NAT/Route mode (simple)
• Example VDOM configuration in NAT/Route mode (complex)

Getting started with VDOMs

To configure your FortiGate unit for operation with multiple virtual domains, you will be:

• Enabling virtual domain configuration
• Creating virtual domains
• Creating administrators for virtual domains
• Accessing virtual domains to configure them

Enabling virtual domain configuration

Using the default admin administration account, you can enable multiple VDOM operation on the FortiGate unit.

To enable virtual domain configuration

1 Log in as admin, or another super_admin account.
2 Go to System > Status.
3 Under System Information > Virtual Domain, select Enable.
4 Confirm your selection when prompted. The FortiGate unit logs off your session. You can now log in again as admin.

When Virtual Domain Configuration is enabled, the web-based manager and the CLI are changed as follows:

• Global and per-VDOM configurations are separated.
• Only the admin account can view or configure global options.
• The admin account can configure all VDOM configurations.
• Regular administrators can configure only the VDOM to which they are assigned.

By default, there is no password for admin. To improve security, you should set a password. Optionally, you can also rename the admin account. For more information on this, see the user sections of the FortiGate Administration Guide.

Creating virtual domains

Only a super_admin administrator account such as the default “admin” account can create VDOMs. By default, the FortiGate unit has one fixed virtual domain named “root”, which you cannot delete or rename. You can create additional VDOMs and name them as you like.
To create virtual domains

1 Log in with a super_admin account.
2 Select System > VDOM.
3 Select Create New.
4 Enter the name for your new virtual domain and select OK. The name must not exceed 11 characters, and cannot contain spaces.

You can verify the new VDOM was created by refreshing the VDOM screen and confirming it is in the list of virtual domains. You can repeat Steps 3 and 4 for each VDOM that you want to create.

By default, your FortiGate unit supports a maximum of 10 VDOMs in any combination of NAT/Route and Transparent modes. For FortiGate models numbered 3000 and higher, you can purchase a license key from customer support to increase the maximum number to 25, 50, 100 or 250 VDOMs.

To obtain a VDOM license key

1 Record your FortiGate unit serial number. You can find the serial number in the web-based manager on the System > Status page under System Information.
2 Send the serial number to Fortinet customer support and request a license key for 25, 50, 100 or 250 VDOMs.
3 When you receive your license key, in the web-based manager on your FortiGate unit, go to System > Status and under License Information select License next to VDOMs Allowed.
4 In the License Key field, enter the 32-character license key you received from Fortinet.
5 Select Apply.

You can verify the new VDOM license by going to System > Status under Global Configuration. Under License Information, Virtual Domains shows the new maximum number of VDOMs allowed.

Creating administrators for virtual domains

Only super_admin administrator accounts can create administrator accounts and assign them to a VDOM.

To create administrators for virtual domains

1 Log in with a super_admin account.
2 Go to System > Admin > Administrators.
3 Select Create New. The New Administrator dialog box opens.
4 Configure the settings of the administrator account.
  See the System Admin chapter of the FortiGate Administration Guide for detailed information.
5 When setting the profile for this new account, select super_admin to manage accounts in any Virtual Domain on your FortiGate unit, or prof_admin (or another profile) for an administrator account that will only manage users on one Virtual Domain.
6 From the Virtual Domain list, select the VDOM that this administrator will control. Alternately, if this is a super_admin account, this option will instead be automatically set to global.
7 Select OK.

The newly-created administrator can access the FortiGate unit only through network interfaces that belong to their assigned VDOM or through the Console interface. The network interface must be configured to allow management access, such as HTTPS and SSH. For more information on configuring VDOM interfaces see “Adding interfaces and VLAN subinterfaces to a virtual domain” on page 60. For general information about interfaces see the FortiGate Administration Guide.

Accessing virtual domains to configure them

Only super_admin administrator accounts can access all of the virtual domains on the FortiGate unit. Other administrator accounts can access and configure only their own VDOM and must connect to an interface in that VDOM.

Management systems such as SNMP, logging, alert email, updates using the FDN and setting system time using NTP all use addresses and routing in the root virtual domain by default to communicate with the network. They can only connect to network resources that can communicate with the management virtual domain.

Note: Management traffic requires an interface. If there is no interface assigned to the VDOM containing the management traffic, services including updates will not function. See “Changing the management VDOM” on page 59.
To access a virtual domain with a super_admin account

1 Log in with a super_admin account.
2 Select System > VDOM. From here you can select a specific VDOM to configure.

Figure 16: List of virtual domains

3 Select the name of the virtual domain that you want to configure, and select Switch. The system network page for that virtual domain opens. The bottom of the left menu displays the currently selected virtual domain name, unless only the root domain exists.
4 When you are finished configuring the VDOM, you can:
  • Select << Global to return to the Virtual Domain Configuration page.
  • Log out.

To access a virtual domain with a non super_admin account

1 Connect to a FortiGate unit using an interface that belongs to the VDOM that you want to configure. To configure the root VDOM using the CLI, you can also connect to the Console connector.
2 Log in using an administrator account that belongs to the VDOM. The main web-based manager page opens. From here you can access VDOM-specific settings.

Configuring virtual domains

To configure VDOMs on your FortiGate unit, you may be:

• Changing the management VDOM
• Adding interfaces and VLAN subinterfaces to a virtual domain
• Configuring routing for a virtual domain
• Configuring firewall policies for a virtual domain
• Configuring VPNs for a virtual domain

Changing the management VDOM

By default the management VDOM is the root domain. When other VDOMs are configured on your FortiGate unit, management traffic can be moved to them. Management traffic is generally any traffic that originates from the FortiGate unit.
This includes:

• DNS lookups
• logging to FortiAnalyzer, syslog or webtrend
• FortiGuard service
• sending alert emails
• network time protocol traffic (ntpd)
• sending SNMP traps
• quarantining suspicious files and email

Before you change the management VDOM, ensure that virtual domain configuration is selected. To be able to connect to remote services such as NTP and FortiGuard services, the management domain requires an interface connected to the Internet.

Note: You cannot change the management VDOM if any administrators are using RADIUS authentication.

To change the management VDOM from the web-based manager

These steps will change the management VDOM from root (the default) to a newly created virtual domain named mgmt_vdom.

1 Select System > VDOM.
2 Select mgmt_vdom - the VDOM that will be the new management VDOM.
3 Select Management to apply the change.

To change the management VDOM from the CLI

    config global
        config system global
            set management-vdom mgmt_vdom
        end
    end

Management traffic will now originate from the new management VDOM mgmt_vdom.

Adding interfaces and VLAN subinterfaces to a virtual domain

A virtual domain must contain at least two interfaces to be useful. These can be physical interfaces or VLAN interfaces. By default all physical interfaces are in the root virtual domain, and when you create a new VLAN, the default virtual domain is root.

To add a VLAN subinterface to a virtual domain

1 If you are not in the root virtual domain, select << Global.
2 Go to System > Network > Interface.
3 Select Create New to add a VLAN subinterface.
4 Enter a Name to identify the VLAN subinterface.
5 Select the physical interface that receives the VLAN packets intended for this VLAN subinterface. The interface can be on a different VDOM from the VLAN.
6 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
7 Select the virtual domain to add this VLAN subinterface to.
8 Configure the VLAN subinterface settings as you would for any FortiGate unit interface.
9 Select OK to save your changes. You will see the new VLAN subinterface added to the interface that you selected in step 5. It will appear as a “+” icon that when selected expands to show all subinterfaces on that interface.

To move an existing interface to another virtual domain

1 If you are not in the root virtual domain, select << Global.
2 Go to System > Network > Interface.
3 Select Edit for the physical interface you want to move.
4 From the Virtual Domain list, select the new VDOM of the interface.
5 Select OK. The interface moves to the selected virtual domain. Firewall IP pools and virtual IPs added for this interface are deleted. You should manually delete any routes that include this interface.

To add a zone to a virtual domain

1 Go to System > VDOM.
2 Select the virtual domain to edit, and select Switch.
3 Go to System > Network > Zone.
4 Choose the virtual domain to add zones to.
5 Select Create New.

Configuring routing for a virtual domain

Routing is VDOM-specific. Each VDOM should have at least a default static route configured. You can configure dynamic routing for each VDOM, with other VDOMs as neighbors. For more information see the Dynamic Routing chapter of the FortiOS Administration Guide.

To configure routing for a virtual domain

1 Log in as admin, and go to System > VDOM.
2 Select the VDOM to edit, and select Switch.
3 Go to System > Router.
4 Configure routing for the current virtual domain as required. The routing you define applies only to network traffic entering interfaces belonging to this virtual domain.
Configuring firewall policies for a virtual domain

Each VDOM must have its own firewall policies. This includes adding firewall addresses and configuring firewall policies. For more information see the firewall chapter of the FortiGate Administration Guide.

To add firewall addresses to a virtual domain

1 Log in as admin, and go to System > VDOM.
2 Select the VDOM to configure, and select Switch.
3 Go to Firewall > Address.
4 Add new firewall addresses, address ranges and address groups to the current virtual domain.

To configure firewall policies for a virtual domain

1 Log in as admin, and go to System > VDOM.
2 Select the VDOM to configure, and select Switch.
3 Go to Firewall > Policy.
4 Select Create New to add firewall policies to the current virtual domain.

Your firewall policies can involve only the interfaces, zones and firewall addresses that are in the current virtual domain. The firewall policies that you add are only visible when you are viewing the current virtual domain. Network traffic accepted by the interfaces and VLAN subinterfaces in this virtual domain is controlled by the firewall policies in this virtual domain.

Configuring VPNs for a virtual domain

Configurations for IPSec Tunnel, IPSec Interface, PPTP and SSL are VDOM-specific. However, certificates are shared by all virtual domains. For more information see the VPN chapter of the FortiGate Administration Guide.

To configure VPN for a virtual domain

1 Log in as admin, and go to System > VDOM.
2 Select the VDOM to configure, and select Switch.
3 Go to VPN.
4 Configure IPSec Tunnel, IPSec Interface, PPTP and SSL as required.

Example VDOM configuration in NAT/Route mode (simple)

Figure 17 shows a simplified NAT/Route mode VLAN configuration in which a FortiGate unit provides Internet access with real time network protection for two organizations.
Inside the FortiGate unit, each organization has its own virtual domain, enabling separate configuration of network protection profiles. A Cisco 2950 VLAN switch combines the LANs of the two organizations into an 802.1Q trunk that connects to the Internal interface of the FortiGate-800 unit. There are two VLAN subinterfaces on the Internal interface, VLAN 100 and VLAN 200. The external and DMZ interfaces of the FortiGate unit connect to the Internet through different ISPs, one for each organization. These interfaces are not configured with VLAN subinterfaces.

Figure 17: FortiGate unit in NAT/Route mode
[Figure: ISP1 (gateway 30.1.1.2) connects to the FortiGate External interface (30.1.1.21) and ISP2 (gateway 40.1.1.2) connects to the DMZ interface (40.1.1.32). The Internal interface carries an 802.1Q trunk (VLAN 100 and VLAN 200) to port Fa 0/24 of the VLAN switch. Switch port Fa 0/3 (VLAN 100) serves ABC Inc., network 10.1.1.0; port Fa 0/9 (VLAN 200) serves DEF Inc., network 10.1.2.0.]

When the switch receives packets from VLAN 100 and VLAN 200, it applies the proper VLAN ID tags and forwards the packets across the trunk link to the FortiGate unit. The FortiGate unit is a layer-3 device: it has policies that allow traffic to flow from VLAN 100 to the external network and from VLAN 200 to the DMZ network.

This section describes how to configure a FortiGate-800 unit and a Cisco 2950 switch for this example network topology.

General configuration steps

While this example may not be labelled complex, it is not trivial. This section lists the steps as a brief overview; the following sections cover each topic in detail.

To configure the FortiGate-800 unit and the Cisco switch
1 Create virtual domains.
2 Configure the FortiGate-800 external and DMZ interfaces.
3 Configure each virtual domain on the FortiGate-800 unit:
  • Add a VLAN subinterface to the Internal network interface.
  • Add firewall addresses and address ranges for the internal and external networks.
  • Add a firewall policy to allow the VLAN to access the external network.
  • Configure the default route to the ISP.
4 Configure the Cisco switch to support VLAN tags.
5 Test the implementation.

Creating the virtual domains

In this example, two new virtual domains are created: ABCdomain for company ABC and DEFdomain for company DEF. You can create them either with the web-based manager or through the CLI.

To create the virtual domains - web-based manager
1 Log in with a super_admin account.
2 Go to System > VDOM, and select Create New.
3 Enter "ABCdomain" and select OK.
4 Select Create New.
5 Enter "DEFdomain" and select OK.

To create the virtual domains - CLI
    config vdom
        edit ABCdomain
        next
        edit DEFdomain
    end

Configuring the FortiGate-800 external and DMZ interfaces

Start the FortiGate web-based manager to configure the FortiGate-800 unit. Select Global Configuration. This section configures the interfaces for each company and their connections to the Internet.

Note: If you cannot change the VDOM of a network interface, it is because something that refers to that interface needs to be deleted. Once all the references are deleted, the interface becomes available to switch to a different VDOM. A common reference to the external interface, for example, is the default static route entry.

Configuring the external interface

Configure the external interface using either the web-based manager or the CLI.

To configure the external interface - web-based manager
1 Log in with a super_admin account.
2 Go to System > Network > Interface.
3 Select Edit on the external interface.
4 Enter the following information for the external interface and select OK:
    Virtual domain      ABCdomain
    Addressing mode     Manual
    IP/Netmask          30.1.1.21/255.255.255.0
  Configure other fields as required.

To configure the external interface - CLI
    config global
        config system interface
            edit external
                set vdom ABCdomain
                set mode static
                set ip 30.1.1.21 255.255.255.0
            end
    end

Configuring the DMZ interface

Next, configure the DMZ interface either with the web-based manager or the CLI.

To configure the DMZ interface - web-based manager
1 Log in with a super_admin account.
2 Go to System > Network > Interface.
3 Select Edit on the DMZ interface.
4 Enter the following information for the DMZ interface and select OK:
    Virtual domain      DEFdomain
    Addressing mode     Manual
    IP/Netmask          40.1.1.32/255.255.255.0
  Configure other fields as required.

To configure the DMZ interface - CLI
    config global
        config system interface
            edit dmz/ha
                set vdom DEFdomain
                set mode static
                set ip 40.1.1.32 255.255.255.0
            end
    end

Configuring the ABCdomain VDOM

In this example, the ABCdomain VDOM is used for company ABC. You configure it with a VLAN subinterface for VLAN_100 and a firewall policy to allow connection to the External interface.
• Adding the VLAN interface provides a way to send and receive packets to the VDOM. Interfaces are part of the global configuration.
• Adding the firewall policy allows connection to the external interface and limits unwanted traffic. A firewall policy applies to only one VDOM.

Adding the VLAN subinterface

VLAN 100 is how ABC Inc. communicates with the outside world. Make sure that access protocols such as HTTPS are added. Otherwise, ABC Inc. will not be able to manage their VDOM.

To add the VLAN 100 subinterface - web-based manager
1 Log in with a super_admin account.
2 Go to System > Network > Interface.
3 Select Create New.
4 Enter the following information for VLAN_100 and select OK:
    Name                    VLAN_100
    Interface               internal
    VLAN ID                 100
    Virtual Domain          ABCdomain
    Addressing mode         Manual
    IP/Netmask              10.1.1.1/255.255.255.0
    Administrative Access   HTTPS, PING, TELNET
  Configure other fields as required.

Figure 18: ABCdomain VDOM interfaces and subinterfaces

To add the VLAN_100 subinterface - CLI
    config global
        config system interface
            edit VLAN_100
                set interface internal
                set vlanid 100
                set vdom ABCdomain
                set mode static
                set ip 10.1.1.1 255.255.255.0
                set allowaccess https ping telnet
            end
    end

Adding ABCdomain firewall addresses

You need to define the addresses of the VLAN subnets for use in firewall policies. The FortiGate unit provides one default address, "all", that you can use when a firewall policy applies to all addresses as a source or destination of a packet.

To add ABCdomain firewall addresses - web-based manager
1 Log in with a super_admin account.
2 Go to System > VDOM.
3 Select ABCdomain, and select Switch.
4 Go to Firewall > Address.
5 Select Create New.
6 Enter the following information and select OK:
    Address Name        VLAN_100_Net
    Type                Subnet/IP Range
    IP Range/Subnet     10.1.1.0/255.255.255.0
    Interface           VLAN_100

Figure 19: ABCdomain VDOM firewall addresses

To add the ABCdomain VDOM firewall addresses - CLI
    config vdom
        edit ABCdomain
            config firewall address
                edit VLAN_100_Net
                    set type ipmask
                    set subnet 10.1.1.0 255.255.255.0
                end
    end

Adding the ABCdomain firewall policy

Next you add the ABCdomain firewall policy using either the web-based manager or the CLI.

To add the ABCdomain firewall policy - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:
    Source
      Interface/Zone        VLAN_100
      Address Name          VLAN_100_Net
    Destination
      Interface/Zone        External
      Address Name          all
    Schedule                Always
    Service                 ANY
    Action                  ACCEPT
    NAT                     Select
  Configure other fields as required.

Figure 20: ABCdomain VDOM firewall policy

To add the firewall policy - CLI
    config vdom
        edit ABCdomain
            config firewall policy
                edit 1
                    set srcintf VLAN_100
                    set dstintf external
                    set srcaddr VLAN_100_Net
                    set dstaddr all
                    set schedule always
                    set service ANY
                    set action accept
                    set nat enable
                    set status enable
                end
    end

Adding a default route

You need to define a default route to direct packets to the ISP if their destination is outside of the VLAN 100 subnet.

To add a default route - web-based manager
1 Go to Router > Static.
2 Select Create New to add a new route.
3 Enter the following information to add a default route to ISP1 for network traffic leaving the external interface, and select OK:
    Destination IP/Mask     0.0.0.0/0.0.0.0
    Device                  external
    Gateway                 30.1.1.2
    Distance                10

Figure 21: ABCdomain VDOM routing table

To add a default route - CLI
    config vdom
        edit ABCdomain
            config router static
                edit 1
                    set device external
                    set gateway 30.1.1.2
                end
    end

Configuring the DEFdomain VDOM

In this example, the DEFdomain VDOM is used for company DEF. You configure it with a VLAN subinterface for VLAN_200 and a firewall policy to allow connection to the DMZ interface. Interfaces are part of the global configuration. Firewall policies apply to each VDOM.

Adding the VLAN_200 subinterface

VLAN_200 is how DEF Inc. communicates with the outside world. Make sure that access protocols are added. Otherwise, DEF Inc. will not be able to manage their VDOM.
To add the VLAN_200 subinterface - web-based manager
1 Log in with a super_admin account.
2 Go to System > Network > Interface.
3 Select Create New.
4 Enter the following information for VLAN_200 and select OK:
    Name                    VLAN_200
    Interface               internal
    VLAN ID                 200
    Virtual Domain          DEFdomain
    Addressing mode         Manual
    IP/Netmask              10.1.2.1/255.255.255.0
    Administrative Access   HTTPS, PING, TELNET
  Configure other fields as required.

Figure 22: DEFdomain interfaces and subinterfaces

Note that in the above figure VLAN_100 has no delete icon. That is because of the firewall policy that was added to it. Before you can delete VLAN_100, you must first delete that firewall policy.

To add the VLAN_200 subinterface - CLI
    config global
        config system interface
            edit VLAN_200
                set interface internal
                set vlanid 200
                set vdom DEFdomain
                set mode static
                set ip 10.1.2.1 255.255.255.0
                set allowaccess https ping telnet
            end
    end

Adding the DEFdomain firewall address

You need to define addresses for use in firewall policies. In this example, the DEFdomain VDOM needs an address for the VLAN 200 subnet and the "all" address.

To add the DEFdomain firewall address - web-based manager
1 Log in with a super_admin account.
2 Go to System > VDOM.
3 Select DEFdomain, and select Switch.
4 Go to Firewall > Address.
5 Select Create New.
6 Enter the following information and select OK:
    Address Name        VLAN_200_Net
    Type                Subnet/IP Range
    IP Range/Subnet     10.1.2.0/255.255.255.0
    Interface           VLAN_200

Figure 23: Firewall addresses for DEFdomain

To add the DEFdomain firewall address - CLI
    config vdom
        edit DEFdomain
            config firewall address
                edit VLAN_200_Net
                    set type ipmask
                    set subnet 10.1.2.0 255.255.255.0
                end
    end

Adding the DEFdomain firewall policy

The DEFdomain firewall policy allows all traffic. This configuration is an example.

To add the DEFdomain firewall policy - web-based manager
1 Log in with a super_admin account.
2 Go to System > VDOM.
3 Select DEFdomain, and select Switch.
4 Go to Firewall > Policy.
5 Select Create New.
6 Enter the following information and select OK:
    Source
      Interface/Zone        VLAN_200
      Address Name          VLAN_200_Net
    Destination
      Interface/Zone        dmz/ha
      Address Name          all
    Schedule                Always
    Service                 ANY
    Action                  ACCEPT
    NAT                     Select
  Configure other fields as required.

Figure 24: DEFdomain firewall policy

To add the DEFdomain firewall policy - CLI
    config vdom
        edit DEFdomain
            config firewall policy
                edit 1
                    set srcintf VLAN_200
                    set dstintf dmz/ha
                    set srcaddr VLAN_200_Net
                    set dstaddr all
                    set schedule always
                    set service ANY
                    set action accept
                    set nat enable
                    set status enable
                end
    end

Adding a default route

You need to define a default route to direct packets to the ISP if their destination is outside of the VLAN 200 subnet.

To add a default route - web-based manager
1 Log in as admin.
2 Go to System > VDOM.
3 Select DEFdomain, and select Switch.
4 Go to Router > Static.
5 Select Create New to add a new route.
6 Enter the following information to add a default route to ISP2 for network traffic leaving the dmz/ha interface, and select OK:
    Destination IP/Mask     0.0.0.0/0.0.0.0
    Gateway                 40.1.1.2
    Device                  dmz/ha
    Distance                10

Figure 25: DEFdomain routing table

To add a default route - CLI
    config vdom
        edit DEFdomain
            config router static
                edit 1
                    set device dmz/ha
                    set gateway 40.1.1.2
                end
    end

Configuring the Cisco switch

On the Cisco Catalyst 2950 ethernet switch, you need to define VLANs 100 and 200 in the VLAN database and then add a configuration file to define the VLAN subinterfaces and the 802.1Q trunk interface.

Configuring the VLAN subinterfaces and the trunk interfaces

Add this file to the Cisco switch:
    !
    interface FastEthernet0/3
     switchport access vlan 100
    !
    interface FastEthernet0/9
     switchport access vlan 200
    !
    interface FastEthernet0/24
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !

The switch has the following configuration:
    Port 0/3        VLAN ID 100
    Port 0/9        VLAN ID 200
    Port 0/24       802.1Q trunk

Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default gateways. The default gateway for VLAN 100 is the FortiGate unit VLAN 100 subinterface. The default gateway for VLAN 200 is the FortiGate unit VLAN 200 subinterface.

Testing the configuration

Use diagnostic commands (tracert, ping) to test traffic routed through the FortiGate unit and the Cisco switch.

Testing traffic from VLAN 100 to the external network

In this example, a route is traced from an internal network to the external network. The route target is the external network interface of the FortiGate-800 unit. From VLAN 100, access a command prompt and enter this command:

    C:\>tracert 30.1.1.21
    Tracing route to 30.1.1.21 over a maximum of 30 hops:
      1  <10 ms  <10 ms  <10 ms  10.1.1.1
      2  <10 ms  <10 ms  <10 ms  30.1.1.21
    Trace complete.
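The per-VDOM rule stated at the start of this chapter (a VDOM's policies and routes may reference only the interfaces and addresses that belong to it) is easy to break when the CLI for two VDOMs is typed one after the other: an interface name from the first VDOM slips into a route or policy of the second. The following Python script is an added example, not Fortinet's code. It parses FortiOS-style CLI text, records which VDOM owns each interface, address, policy and static route, and reports any cross-VDOM reference or missing default route. The configuration it checks is constructed from this simple example, trimmed to the lines the check reads, with the DEFdomain default route deliberately pointing at the external interface (which belongs to ABCdomain) so that the check has something to report.

```python
# Added example, not Fortinet's code: parse FortiOS-style CLI text and check
# that each VDOM's policies and default route reference only its own objects.
from collections import defaultdict

def parse_fortios(text):
    """Minimal config/edit/set/next/end parser keyed by 'config vdom' scope."""
    cfg = {"vdoms": set(), "interfaces": {}, "addresses": defaultdict(set),
           "policies": defaultdict(list), "routes": defaultdict(list)}
    tables, entries = [], []  # open 'config' tables and open 'edit' entries
    for parts in filter(None, map(str.split, text.splitlines())):
        cmd, args = parts[0], " ".join(parts[1:])
        if cmd == "config":
            tables.append(args)
        elif cmd == "edit":
            entries.append((tables[-1], args, {}))
            if tables[-1] == "vdom":
                cfg["vdoms"].add(args)
        elif cmd == "set":
            key, _, value = args.partition(" ")
            entries[-1][2][key] = value
        elif cmd in ("next", "end"):
            if entries and entries[-1][0] == tables[-1]:  # 'end' implies 'next'
                table, name, s = entries.pop()
                scope = next((n for t, n, _ in reversed(entries) if t == "vdom"), None)
                if table == "system interface":
                    cfg["interfaces"][name] = s.get("vdom", "root")  # FortiOS default
                elif table == "firewall address":
                    cfg["addresses"][scope].add(name)
                elif table in ("firewall policy", "router static"):
                    cfg["policies" if table == "firewall policy" else "routes"][scope].append(dict(s, id=name))
            if cmd == "end":
                tables.pop()
    return cfg

def check_vdom_scoping(cfg):
    """Return problem strings; an empty list means every reference is local."""
    owner, problems = cfg["interfaces"], []
    for vdom in sorted(cfg["vdoms"]):
        for p in cfg["policies"][vdom]:
            for key in ("srcintf", "dstintf"):
                if owner.get(p.get(key)) != vdom:
                    problems.append(f"{vdom} policy {p['id']}: {key} {p.get(key)} is not in {vdom}")
            for key in ("srcaddr", "dstaddr"):
                if p.get(key) != "all" and p.get(key) not in cfg["addresses"][vdom]:
                    problems.append(f"{vdom} policy {p['id']}: {key} {p.get(key)} is undefined in {vdom}")
        # a static route without 'set dst' is a default route (0.0.0.0/0)
        defaults = [r for r in cfg["routes"][vdom] if r.get("dst", "0.0.0.0 0.0.0.0") == "0.0.0.0 0.0.0.0"]
        if not defaults:
            problems.append(f"{vdom}: no default route")
        for r in defaults:
            if owner.get(r.get("device")) != vdom:
                problems.append(f"{vdom} route {r['id']}: device {r.get('device')} is not in {vdom}")
    return problems

# Constructed config after this chapter's simple example, trimmed to the lines
# the check reads. The DEFdomain default route deliberately names 'external',
# an interface that belongs to ABCdomain, so the check has something to report.
EXAMPLE_CONFIG = """
config global
config system interface
edit external
set vdom ABCdomain
next
edit dmz/ha
set vdom DEFdomain
next
edit VLAN_100
set vdom ABCdomain
end
end
config vdom
edit ABCdomain
config firewall address
edit VLAN_100_Net
set subnet 10.1.1.0 255.255.255.0
end
config firewall policy
edit 1
set srcintf VLAN_100
set dstintf external
set srcaddr VLAN_100_Net
set dstaddr all
end
config router static
edit 1
set device external
end
next
edit DEFdomain
config router static
edit 1
set device external
end
end
"""

if __name__ == "__main__":
    print("\n".join(check_vdom_scoping(parse_fortios(EXAMPLE_CONFIG)) or ["consistent"]))
```

Run as a script it prints the one finding, "DEFdomain route 1: device external is not in DEFdomain"; change that route's device to dmz/ha and the output becomes "consistent". The same check applied to a policy catches a source or destination interface owned by another VDOM and an address object that was never created in the VDOM where the policy lives.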
Figure 26: Example trace route from VLAN 100 to the external network
[Figure: a tracert from a host on the VLAN 100 network passes through the switch to the FortiGate-800 VLAN 100 subinterface (10.1.1.1) and reaches the External interface (30.1.1.21), which faces the Internet.]

Testing traffic from VLAN 200 to the DMZ network

In this example, a route is traced from an internal network to the DMZ network. The route target is the DMZ network interface of the FortiGate-800 unit. From a computer on VLAN 200, access an MS Windows command prompt and enter the following command:

    C:\>tracert 40.1.1.32
    Tracing route to 40.1.1.32 over a maximum of 30 hops:
      1  <10 ms  <10 ms  <10 ms  10.1.2.1
      2  <10 ms  <10 ms  <10 ms  40.1.1.32
    Trace complete.

Figure 27: Example trace route from VLAN 200 to the DMZ network
[Figure: a tracert from a host on the VLAN 200 network passes through the switch to the FortiGate-800 VLAN 200 subinterface (10.1.2.1) and reaches the DMZ interface (40.1.1.32), which faces the Internet.]

Example VDOM configuration in NAT/Route mode (complex)

In this example, a FortiGate-800 unit operates in NAT/Route mode, serving two organizations. Two virtual domains are used. The ABCdomain domain serves a school with student and instructor networks. The second domain, Commercial, serves a business that has product development and sales networks. The internal and external interfaces of the FortiGate unit are connected to Cisco switches through 802.1Q trunks that carry the traffic for both virtual domains.

Figure 28 illustrates this network topology, with the Commercial domain network connections in red. The remainder of this chapter describes how to configure a FortiGate-800 unit and Cisco Catalyst 2950 ethernet switches for this topology.
The ABCdomain domain is configured as follows:
• The internal interface is configured with two VLAN subinterfaces: VLAN 10 for the students network and VLAN 20 for the instructors network.
• The external interface is configured with a VLAN subinterface, VLAN 30, for the ATT-ISP network.
• Firewall policies allow both the instructors and students networks to access the Internet through the ATT-ISP network. For students there is a stricter protection profile governing their online activities.
• A firewall policy allows instructors access to the students network.

The Commercial domain is configured as follows:
• The internal interface is configured with two VLAN subinterfaces: VLAN 80 for the Sales network and VLAN 90 for the Development network.
• The external interface is configured with two VLAN subinterfaces, VLAN 40 and VLAN 50, for access to the Internet via the redundant XO-ISP and XS-ISP networks.
• Firewall policies allow access to the Internet through the XO-ISP and XS-ISP networks from both the Sales and Development networks.
• Firewall policies allow access from the Sales network to the Development network and from the Development network to the Sales network.

You might have noticed that the Student network and the Development network have the same network address range. This does not cause a problem because the two address ranges reside in different virtual domains.
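Two points in the description above are easiest to see by running a route lookup per virtual domain: the Student and Development networks can both use 192.168.10.0/24 because each VDOM has its own routing table, and the Commercial VDOM's two default routes (distance 10 to XO-ISP and distance 20 to XS-ISP, as configured later in this example) give a primary and a backup Internet path. The following Python model is an added example, not Fortinet's code. The interface names, subnets and gateways are the ones this example configures; the destination 198.51.100.7 stands in for an arbitrary Internet host and the treatment of a down interface (its routes are skipped) is this model's assumption.

```python
# Added example, not Fortinet's code: per-VDOM route lookup for the complex
# example. Interface and address values are the ones configured in this
# chapter; 198.51.100.7 is a constructed Internet destination.
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: str                    # destination network
    device: str                    # outgoing (VLAN sub)interface
    gateway: Optional[str] = None  # None for a directly connected network
    distance: int = 10             # FortiOS default; lower is preferred


# One routing table per VDOM. Connected routes come from the VLAN subinterface
# addresses; the default routes are the static routes added in this example.
VDOM_ROUTES = {
    "ABCdomain": [
        Route("192.168.10.0/24", "students"),
        Route("192.168.20.0/24", "instructors"),
        Route("30.1.1.0/24", "ATT-ISP"),
        Route("0.0.0.0/0", "ATT-ISP", "30.1.1.2", 10),
    ],
    "Commercial": [
        Route("192.168.15.0/24", "Sales"),
        Route("192.168.10.0/24", "Development"),  # same prefix as students
        Route("40.1.1.0/24", "XO-ISP"),
        Route("145.1.1.0/24", "XS-ISP"),
        Route("0.0.0.0/0", "XO-ISP", "40.1.1.2", 10),   # primary
        Route("0.0.0.0/0", "XS-ISP", "145.1.1.2", 20),  # backup
    ],
}


def lookup(vdom, dst_ip, down=frozenset()):
    """Pick the route for dst_ip in one VDOM: longest prefix wins, then the
    lowest distance. Routes on interfaces listed in `down` are skipped (this
    model's assumption for an ISP link that has failed). Returns None when
    nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    usable = [r for r in VDOM_ROUTES[vdom]
              if r.device not in down and ip in ipaddress.ip_network(r.prefix)]
    if not usable:
        return None
    return min(usable, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance))


def next_hop(vdom, dst_ip, down=frozenset()):
    """Return (device, gateway) or None: the two facts forwarding needs."""
    route = lookup(vdom, dst_ip, down)
    return None if route is None else (route.device, route.gateway)


if __name__ == "__main__":
    for vdom in VDOM_ROUTES:
        print(vdom, "192.168.10.7 ->", next_hop(vdom, "192.168.10.7"))
    print("Commercial Internet ->", next_hop("Commercial", "198.51.100.7"))
    print("Commercial, XO-ISP down ->", next_hop("Commercial", "198.51.100.7", {"XO-ISP"}))
```

The same address, 192.168.10.7, resolves to the students VLAN in ABCdomain and to the Development VLAN in Commercial, because a lookup never leaves the table of the VDOM in which the packet arrived. Internet-bound traffic in Commercial takes XO-ISP while both default routes are present and falls back to XS-ISP only when the distance-10 route is gone.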
Figure 28: Example VLAN/VDOM topology (FortiGate unit in NAT/Route mode)
[Figure: the ATT ISP, XO ISP and XS ISP links enter the external Cisco 2900 switch (ports Fa 0/3, Fa 0/9 and Fa 0/19), which connects through port Fa 0/24 on an 802.1Q trunk carrying VLAN 30, VLAN 40 and VLAN 50 to the FortiGate External interface. The FortiGate Internal interface carries an 802.1Q trunk with VLANs 10, 20, 80 and 90 to port Fa 0/24 of the internal Cisco 2900 switch, whose access ports Fa 0/3, Fa 0/4, Fa 0/9 and Fa 0/14 serve the Student network 192.168.10.0, the Instructors network 192.168.20.0, the Development network 192.168.10.0 and the Sales network 192.168.15.0.]

General configuration steps

This example has many parts that need to be configured. This is a brief overview of the steps involved. These steps are covered in more detail in the following sections. Note that the procedures are intended to follow one another, and for that reason do not repeat the login and "go to" steps each time.

1 Create the Commercial domain.
2 Configure the ABCdomain domain:
  • Add the VLAN subinterfaces.
  • Configure a default route.
  • Add firewall addresses for the networks connected to the VLANs.
  • Add firewall policies to allow:
    • the instructors network to access the students network
    • the instructors network to access the external network
    • the students network to access the external network with a strict protection profile
3 Configure the Commercial domain:
  • Add the VLAN subinterfaces.
  • Configure a default route and a secondary default route.
  • Add firewall addresses for the VLANs.
  • Add firewall policies to allow:
    • the development network to access the sales network
    • the sales network to access the development network
    • the sales network to access the external network
    • the development network to access the external network
4 Configure the Cisco switches.
5 Test the implementation.

Creating the virtual domains

In this example, two virtual domains are created: ABCdomain for the school and Commercial for the business.

To create the virtual domains - web-based manager
1 Log in as admin.
2 Go to System > VDOM and select Create New.
3 Enter "ABCdomain" and select OK.
4 Select Create New.
5 Enter "Commercial" and select OK.

To create the virtual domains - CLI
    config vdom
        edit ABCdomain
        next
        edit Commercial
    end

Configuring the ABCdomain VDOM

In this example, the ABCdomain VDOM is used to serve a school. You configure two VLAN subinterfaces on the Internal interface and one on the External interface. A firewall policy allows connections from the internal VLANs to the VLAN on the External interface.

Selecting the ABCdomain virtual domain

Before you follow the rest of the procedures for configuring the ABCdomain VDOM, you must ensure that the current domain is ABCdomain.

To select the ABCdomain virtual domain - web-based manager
1 Go to System > VDOM.
2 Select the ABCdomain VDOM, and select Switch.

To select the ABCdomain virtual domain - CLI
    config vdom
        edit ABCdomain

Adding the VLAN subinterfaces

In the ABCdomain VDOM, you need two VLAN subinterfaces on the internal physical interface to receive the VLAN 10 and VLAN 20 packets from the students and instructors networks. You need a VLAN subinterface on the external interface to send packets to the ATT-ISP network on VLAN 30.

To add the VLAN subinterfaces - web-based manager
1 Select << Global if you are not in the root domain.
2 Go to System > Network > Interface.
3 Select Create New.
4 Enter the following information for the students network and select OK:
    Name                students
    Type                VLAN
    Interface           internal
    VLAN ID             10
    Virtual Domain      ABCdomain
    Addressing mode     Manual
    IP/Netmask          192.168.10.1/255.255.255.0
  Configure other fields as required.
5 Select Create New.
6 Enter the following information for the instructors network and select OK:
    Name                instructors
    Type                VLAN
    Interface           internal
    VLAN ID             20
    Virtual Domain      ABCdomain
    Addressing mode     Manual
    IP/Netmask          192.168.20.1/255.255.255.0
  Configure other fields as required.
7 Select Create New.
8 Enter the following information for the ATT ISP network and select OK:
    Name                ATT-ISP
    Type                VLAN
    Interface           external
    VLAN ID             30
    Virtual Domain      ABCdomain
    Addressing mode     Manual
    IP/Netmask          30.1.1.1/255.255.255.0
  Configure other fields as required.

Figure 29: VLAN subinterfaces for ABCdomain VDOM

To add the VLAN subinterfaces - CLI
    config system interface
        edit students
            set interface internal
            set vlanid 10
            set vdom ABCdomain
            set mode static
            set ip 192.168.10.1 255.255.255.0
        next
        edit instructors
            set interface internal
            set vlanid 20
            set vdom ABCdomain
            set mode static
            set ip 192.168.20.1 255.255.255.0
        next
        edit ATT-ISP
            set interface external
            set vlanid 30
            set vdom ABCdomain
            set mode static
            set ip 30.1.1.1 255.255.255.0
    end

Adding a default route

You need to define a default route for packets with destinations that are not on the FortiGate unit networks connected to the ABCdomain VDOM. The simplest way to do this is to set the ISP gateway address as the route for all packets leaving the VLAN subinterface that is connected to the ISP.
To add a default route - web-based manager
1 Go to System > VDOM.
2 Select ABCdomain, and select Switch.
3 Go to Router > Static.
4 Select Create New to add a new route.
5 Enter the following information to add a default route to ATT-ISP for network traffic leaving the external interface from the ABCdomain domain, and select OK:
    Destination IP/Mask     0.0.0.0/0.0.0.0
    Device                  ATT-ISP
    Gateway                 30.1.1.2
    Distance                10

To add a default route - CLI
    config router static
        edit 1
            set device ATT-ISP
            set gateway 30.1.1.2
        next
    end

Adding the firewall addresses

You need to define the addresses of the ABCdomain VDOM subnets for use in firewall policies. In the ABCdomain VDOM, the FortiGate unit provides one default address, "all", that you can use when a firewall policy applies to all addresses as a source or destination of a packet. In other VDOMs, you have to create this address.

To add firewall addresses - web-based manager
1 Go to Firewall > Address.
2 Select Create New.
3 Enter the following information and select OK:
    Address Name        student_net
    Type                Subnet/IP Range
    IP Range/Subnet     192.168.10.0/255.255.255.0
    Interface           Any
4 Select Create New.
5 Enter the following information and select OK:
    Address Name        instructor_net
    Type                Subnet/IP Range
    IP Range/Subnet     192.168.20.0/255.255.255.0
    Interface           Any

Figure 30: Firewall addresses for ABCdomain domain

To add firewall addresses - CLI
    config firewall address
        edit all
            set subnet 0.0.0.0 0.0.0.0
        next
        edit student_net
            set subnet 192.168.10.0 255.255.255.0
        next
        edit instructor_net
            set subnet 192.168.20.0 255.255.255.0
    end

Adding the firewall policies

Each internal network needs a policy to permit it to access the ATT-ISP network for connection to the Internet. By choosing different protection profiles in each policy, the two groups of users can be subject to different levels of web filtering, web category filtering and content logging. For simplicity, this example uses the pre-configured protection profiles "strict" and "scan". You can modify these or create custom protection profiles as needed.

To add firewall policies - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:
    Source
      Interface/Zone        students
      Address Name          student_net
    Destination
      Interface/Zone        ATT-ISP
      Address Name          all
    Schedule                Always
    Service                 ANY
    Action                  ACCEPT
    NAT                     Select
    Protection profile      strict
  Configure other fields as required.
4 Select Create New.
5 Enter the following information and select OK:
    Source
      Interface/Zone        instructors
      Address Name          instructor_net
    Destination
      Interface/Zone        ATT-ISP
      Address Name          all
    Schedule                Always
    Service                 ANY
    Action                  ACCEPT
    NAT                     Select
    Protection profile      scan
  Configure other fields as required.
6 Select Create New.
7 Enter the following information and select OK:
    Source
      Interface/Zone        instructors
      Address Name          instructor_net
    Destination
      Interface/Zone        students
      Address Name          student_net
    Schedule                Always
    Service                 ANY
    Action                  ACCEPT
    NAT                     Select
  Configure other fields as required.

The list of firewall policies looks like this:

Figure 31: Firewall policies for ABCdomain VDOM

To add firewall policies - CLI
    config firewall policy
        edit 1
            set srcintf students
            set dstintf ATT-ISP
            set srcaddr student_net
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
            set profile_status enable
            set profile strict
            set nat enable
        next
        edit 2
            set srcintf instructors
            set dstintf ATT-ISP
            set srcaddr instructor_net
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
            set nat enable
        next
        edit 3
            set srcintf instructors
            set dstintf students
            set srcaddr instructor_net
            set dstaddr student_net
            set action accept
            set schedule always
            set service ANY
            set nat enable
        next
    end

Configuring the Commercial VDOM

The Commercial VDOM serves a company with development and sales networks. The VLANs on the Commercial VDOM organize traffic from the departments, and make sure only computers on that VLAN receive the traffic. They also help with routing through the multiple ISP connections, in effect load balancing. Start the web-based manager to configure the FortiGate-800 unit.
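The three ABCdomain policies above are evaluated in list order, and any session that matches none of them hits the implicit deny at the end of every FortiGate policy list. The following Python model is an added example, not Fortinet's code: it replays that first-match evaluation over the policy list as entered through the web-based manager, so you can see which traffic gets the strict profile, which gets scan, why a student-initiated session toward the instructors VLAN is dropped, and why a packet arriving on the students VLAN with a source address outside student_net is dropped too. Service and schedule are ANY and always in all three policies and are left out; the host addresses are constructed samples.

```python
# Added example, not Fortinet's code: first-match evaluation of the ABCdomain
# policy list with the implicit deny. Host addresses are constructed samples.
import ipaddress
from typing import NamedTuple, Optional


class Policy(NamedTuple):
    id: int
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    action: str
    profile: Optional[str] = None  # protection profile applied on accept


ADDRESSES = {
    "all": "0.0.0.0/0",
    "student_net": "192.168.10.0/24",
    "instructor_net": "192.168.20.0/24",
}

ABC_POLICIES = [
    Policy(1, "students", "ATT-ISP", "student_net", "all", "accept", "strict"),
    Policy(2, "instructors", "ATT-ISP", "instructor_net", "all", "accept", "scan"),
    Policy(3, "instructors", "students", "instructor_net", "student_net", "accept"),
]


def first_match(policies, srcintf, dstintf, src_ip, dst_ip):
    """Return the first policy whose interface pair and address objects cover
    the flow, or None when the list is exhausted (the implicit deny)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and src in ipaddress.ip_network(ADDRESSES[p.srcaddr])
                and dst in ipaddress.ip_network(ADDRESSES[p.dstaddr])):
            return p
    return None


def decide(policies, srcintf, dstintf, src_ip, dst_ip):
    """Return (action, profile) for a new session; unmatched traffic is denied."""
    p = first_match(policies, srcintf, dstintf, src_ip, dst_ip)
    return ("deny", None) if p is None else (p.action, p.profile)


# If policy 3 were entered with 'set srcaddr student_net' instead of
# instructor_net (an easy slip when copying policy 1), instructor-to-student
# sessions would match nothing and silently fall through to the implicit deny.
MISTYPED_POLICIES = ABC_POLICIES[:2] + [ABC_POLICIES[2]._replace(srcaddr="student_net")]

if __name__ == "__main__":
    flows = [
        ("students", "ATT-ISP", "192.168.10.5", "198.51.100.7"),      # student to Internet
        ("instructors", "ATT-ISP", "192.168.20.5", "198.51.100.7"),   # instructor to Internet
        ("instructors", "students", "192.168.20.5", "192.168.10.5"),  # instructor to student
        ("students", "instructors", "192.168.10.5", "192.168.20.5"),  # no policy: denied
        ("students", "ATT-ISP", "192.168.20.5", "198.51.100.7"),      # wrong source: denied
    ]
    for flow in flows:
        print(flow, "->", decide(ABC_POLICIES, *flow))
    print("policy 3 with srcaddr student_net ->", decide(MISTYPED_POLICIES, *flows[2]))
```

Because the source address object is tied to the VLAN's own subnet, a host on the students VLAN cannot reach the Internet by claiming an instructor address: policy 1 does not match and nothing later in the list does either. The last line shows the cost of a mistyped address object, which produces a deny rather than an error.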
Selecting the Commercial VDOM

Before you follow the rest of the procedure for configuring the Commercial domain, you must ensure that the current domain is Commercial.

To select the Commercial VDOM - web-based manager
1 Select << Global if you are not in the root domain.
2 Go to System > VDOM.
3 Select the Commercial virtual domain, and select Switch.

To select the Commercial VDOM - CLI
    config vdom
        edit Commercial

Adding the VLAN subinterfaces

In the Commercial VDOM, you need two VLAN subinterfaces on the internal physical interface to receive VLAN 80 and VLAN 90 packets from the Sales and Development networks. You need two VLAN subinterfaces on the external interface to send packets to the XO-ISP network on VLAN 40, and to send packets to the XS-ISP network on VLAN 50.

To add the VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information for the Sales network and select OK:
    Name                Sales
    Type                VLAN
    Interface           internal
    VLAN ID             80
    Virtual Domain      Commercial
    Addressing mode     Manual
    IP/Netmask          192.168.15.1/255.255.255.0
  Configure other fields as required.
4 Select Create New.
5 Enter the following information for the Development network and select OK:
    Name                Development
    Type                VLAN
    Interface           internal
    VLAN ID             90
    Virtual Domain      Commercial
    Addressing mode     Manual
    IP/Netmask          192.168.10.1/255.255.255.0
  Configure other fields as required.
6 Select Create New.
7 Enter the following information for the XO ISP network and select OK:
    Name                XO-ISP
    Type                VLAN
    Interface           external
    VLAN ID             40
    Virtual Domain      Commercial
    Addressing mode     Manual
    IP/Netmask          40.1.1.1/255.255.255.0
  Configure other fields as required.
8 Select Create New.
9 Enter the following information for the XS ISP network and select OK:
    Name                XS-ISP
    Interface           external
    VLAN ID             50
    Virtual Domain      Commercial
    Addressing mode     Manual
    IP/Netmask          145.1.1.1/255.255.255.0
  Configure other fields as required.

Figure 32: 4 VLAN subinterfaces for Commercial VDOM

To add the VLAN subinterfaces - CLI
    config system interface
        edit Sales
            set interface internal
            set vlanid 80
            set vdom Commercial
            set mode static
            set ip 192.168.15.1 255.255.255.0
        next
        edit Development
            set interface internal
            set vlanid 90
            set vdom Commercial
            set mode static
            set ip 192.168.10.1 255.255.255.0
        next
        edit XO-ISP
            set interface external
            set vlanid 40
            set vdom Commercial
            set mode static
            set ip 40.1.1.1 255.255.255.0
        next
        edit XS-ISP
            set interface external
            set vlanid 50
            set vdom Commercial
            set mode static
            set ip 145.1.1.1 255.255.255.0
    end

Adding a default route

You need to define a default static route for packets with destinations that are not on the FortiGate unit's networks. The simplest way to do this is to set the ISP gateway address as the route for all packets leaving the VLAN subinterface connected to the ISP.

As this example includes redundant ISPs, you also define a route to the secondary ISP with a greater distance. The FortiGate unit sends packets over this route only if the default route is not available. This is the behavior we want: a main and a backup connection to the Internet. You can configure dynamic routing if you want to, but that is beyond the scope of this example. For this example we configure static routing.

To add a default route - web-based manager
1 Go to System > VDOM.
2 Select the Commercial virtual domain, and select Switch.
3 Go to Router > Static.
4 Select Create New to add a new route.
5 Enter the following information to add a default route to XO-ISP for network traffic leaving the external interface from the Commercial domain and select OK:
    Destination IP/Mask  0.0.0.0/0.0.0.0
    Gateway              40.1.1.2
    Device               XO-ISP
    Distance             10
6 Select Create New to add a new route.
7 Enter the following information to add a secondary default route to XS-ISP for network traffic leaving the external interface from the Commercial domain and select OK:
    Destination IP/Mask  0.0.0.0/0.0.0.0
    Gateway              145.1.1.2
    Device               XS-ISP
    Distance             20

To add a default route - CLI
    config router static
        edit 1
            set device XO-ISP
            set gateway 40.1.1.2
            set distance 10
        next
        edit 2
            set device XS-ISP
            set gateway 145.1.1.2
            set distance 20
    end

Adding the firewall addresses

You need to define the addresses of the Commercial VDOM subnets for use in firewall policies. In the ABCdomain VDOM, the FortiGate unit provides one default address, “all”, that you can use when a firewall policy applies to all addresses as a source or destination of a packet. In other VDOMs, you have to create this address.

To add the firewall addresses - web-based manager
1 Go to Firewall > Address.
2 Select Create New.
3 Enter the following information and select OK:
    Address Name     all
    Type             Subnet/IP Range
    IP Range/Subnet  0.0.0.0/0.0.0.0
4 Select Create New.
5 Enter the following information and select OK:
    Address Name     development_net
    Type             Subnet/IP Range
    IP Range/Subnet  192.168.10.0/255.255.255.0
6 Select Create New.
7 Enter the following information and select OK:
    Address Name     sales_net
    Type             Subnet/IP Range
    IP Range/Subnet  192.168.15.0/255.255.255.0

Figure 33: Firewall addresses for Commercial domain

To add the firewall addresses - CLI
    config firewall address
        edit all
            set subnet 0.0.0.0 0.0.0.0
        next
        edit development_net
            set subnet 192.168.10.0 255.255.255.0
        next
        edit sales_net
            set subnet 192.168.15.0 255.255.255.0
        next
    end

Adding the firewall policies

Firewall policies limit the types of traffic in one direction or between two specific networks. For example, you might allow instant messaging programs within the company for collaboration, but not allow them over the Internet due to potential time wasting and resource limitations. But you would likely allow all HTTP traffic in both directions between all the networks. Because of these different behaviors, it is common to have more than one firewall policy between the same networks.

Generally you want to allow all traffic from your ISP to your FortiGate unit. You can then establish firewall policies to prevent unwanted traffic from entering your internal network. Any traffic coming from the internal networks must pass through a firewall before leaving on the external network, so an extra layer would be redundant.

Each internal network needs a policy to permit it to access the XO-ISP and XS-ISP networks for connection to the Internet. Also, each internal network needs a policy to allow it to connect to the other internal network.

To add the firewall policies - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:
    Source
      Interface/Zone    Sales
      Address Name      sales_net
    Destination
      Interface/Zone    XO-ISP
      Address Name      all
    Schedule            Always
    Service             ANY
    Action              ACCEPT
    NAT                 Select
    Protection profile  scan
  Configure other fields as required.
4 Select Create New.
5 Enter the following information and select OK:
    Source
      Interface/Zone    Sales
      Address Name      sales_net
    Destination
      Interface/Zone    XS-ISP
      Address Name      all
    Schedule            Always
    Service             ANY
    Action              ACCEPT
    NAT                 Select
    Protection profile  scan
  Configure other fields as required.
6 Select Create New.
7 Enter the following information and select OK:
    Source
      Interface/Zone    Development
      Address Name      development_net
    Destination
      Interface/Zone    XO-ISP
      Address Name      all
    Schedule            Always
    Service             ANY
    Action              ACCEPT
    NAT                 Select
    Protection profile  scan
  Configure other fields as required.
8 Select Create New.
9 Enter the following information and select OK:
    Source
      Interface/Zone    Development
      Address Name      development_net
    Destination
      Interface/Zone    XS-ISP
      Address Name      all
    Schedule            Always
    Service             ANY
    Action              ACCEPT
    NAT                 Select
    Protection profile  scan
  Configure other fields as required.
10 Select Create New.
11 Enter the following information and select OK:
    Source
      Interface/Zone    Sales
      Address Name      sales_net
    Destination
      Interface/Zone    Development
      Address Name      development_net
    Schedule            Always
    Service             ANY
    Action              ACCEPT
    NAT                 Select
  Configure other fields as required.
12 Select Create New.
13 Enter the following information and select OK:
    Source
      Interface/Zone    Development
      Address Name      development_net
    Destination
      Interface/Zone    Sales
      Address Name      sales_net
    Schedule            Always
    Service             ANY
    Action              ACCEPT
    NAT                 Select
  Configure other fields as required.

The list of firewall policies looks like this:

Figure 34: Firewall policies for Commercial VDOM

To add the firewall policies - CLI
    config firewall policy
        edit 1
            set srcintf Sales
            set dstintf XO-ISP
            set srcaddr sales_net
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
            set profile_status enable
            set profile strict
            set nat enable
        next
        edit 2
            set srcintf Sales
            set dstintf XS-ISP
            set srcaddr sales_net
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
            set profile_status enable
            set profile strict
            set nat enable
        next
        edit 3
            set srcintf Development
            set dstintf XO-ISP
            set srcaddr development_net
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
            set profile_status enable
            set profile strict
            set nat enable
        next
        edit 4
            set srcintf Development
            set dstintf XS-ISP
            set srcaddr development_net
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
            set profile_status enable
            set profile strict
            set nat enable
        next
        edit 5
            set srcintf Sales
            set dstintf Development
            set srcaddr sales_net
            set dstaddr development_net
            set action accept
            set schedule always
            set service ANY
            set nat enable
        next
        edit 6
            set srcintf Development
            set dstintf Sales
            set srcaddr development_net
            set dstaddr sales_net
            set action accept
            set schedule always
            set service ANY
            set nat enable
    end

Note: To complete the setup, configure devices on the VLANs with default gateways. The default gateway for VLAN 10 is the FortiGate VLAN 10 subinterface. The default gateway for VLAN 20 is the FortiGate VLAN 20 subinterface, and so on.
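As an added example that is not part of the guide, the following Python script parses FortiOS-style CLI blocks like the ones above into a dictionary and then checks the points a reviewer would want verified for this VDOM: that each default route's gateway lies on its device's subnet, which ISP the unit falls back to when the primary route's interface is down (the lower distance wins), that policies only join interfaces of the same VDOM, and that every Internet-bound policy carries a protection profile. The parser, the audit functions and the condensed sample configuration (its policy 2 deliberately lacks a protection profile) are this example's own constructions, not FortiOS code.

```python
import ipaddress

# Constructed sample in FortiOS CLI syntax, condensed from the Commercial VDOM
# blocks above (interfaces, default routes, policies). Policy 2 is deliberately
# left without a protection profile so that the audit has something to report.
SAMPLE_CONFIG = """\
config system interface
    edit Sales
        set vdom Commercial
        set ip 192.168.15.1 255.255.255.0
    next
    edit XO-ISP
        set vdom Commercial
        set ip 40.1.1.1 255.255.255.0
    next
    edit XS-ISP
        set vdom Commercial
        set ip 145.1.1.1 255.255.255.0
    next
end
config router static
    edit 1
        set device XO-ISP
        set gateway 40.1.1.2
        set distance 10
    next
    edit 2
        set device XS-ISP
        set gateway 145.1.1.2
        set distance 20
    next
end
config firewall policy
    edit 1
        set srcintf Sales
        set dstintf XO-ISP
        set action accept
        set profile_status enable
        set profile strict
    next
    edit 2
        set srcintf Sales
        set dstintf XS-ISP
        set action accept
    next
end
"""

def parse_fortios(text):
    """Parse 'config <table> / edit <name> / set <key> <value> / next / end'
    blocks into {table: {name: {key: value}}} (one nesting level suffices here)."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "config":
            table = " ".join(tok[1:])
            tables.setdefault(table, {})
        elif tok[0] == "edit":
            entry = tables[table].setdefault(tok[1], {})
        elif tok[0] == "set":
            entry[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table = None
    return tables

def active_default_route(cfg, down=()):
    """Device used for 0.0.0.0/0: lowest distance among routes whose device is up."""
    live = [(int(r.get("distance", 10)), rid, r["device"])
            for rid, r in cfg.get("router static", {}).items()
            if r["device"] not in down]
    return min(live)[2] if live else None

def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    ifaces = cfg.get("system interface", {})
    findings, isp_ifaces = [], set()
    for rid, r in cfg.get("router static", {}).items():
        dev = r.get("device")
        if dev not in ifaces:
            findings.append(f"route {rid}: device {dev} is not defined")
            continue
        isp_ifaces.add(dev)  # interfaces that carry a default route face an ISP
        addr, mask = ifaces[dev]["ip"].split()
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if ipaddress.ip_address(r["gateway"]) not in net:
            findings.append(f"route {rid}: gateway {r['gateway']} is not on {net}")
    for pid, p in cfg.get("firewall policy", {}).items():
        src, dst = p.get("srcintf"), p.get("dstintf")
        if src not in ifaces or dst not in ifaces:
            findings.append(f"policy {pid}: references an undefined interface")
        elif ifaces[src].get("vdom") != ifaces[dst].get("vdom"):
            findings.append(f"policy {pid}: {src} and {dst} are in different VDOMs")
        if dst in isp_ifaces and p.get("profile_status") != "enable":
            findings.append(f"policy {pid}: Internet-bound via {dst} without a protection profile")
    return findings
```

Calling audit(parse_fortios(SAMPLE_CONFIG)) reports only policy 2, and active_default_route(cfg, down={"XO-ISP"}) returns "XS-ISP", the backup ISP.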
Configuring the Cisco switch

Now add a configuration file to each of the Cisco Catalyst 2950 Ethernet switches. The configuration file defines the VLAN subinterfaces and the 802.1Q trunk interface on the switch. If the switch is not properly configured, it will be the broken link in the network and the VLANs will not pass any traffic. For more information on configuring your Cisco switch, consult the manual for your Cisco switch.

Configuring the VLAN subinterfaces and the trunk interfaces

You want to configure different interfaces on the Cisco switches to pass specific VLAN traffic. If the switch is not properly configured, there will be no traffic on the network.

Add this file to the Cisco switch connected to the FortiGate-800 internal interface:
    !
    interface FastEthernet0/3
     switchport access vlan 10
    !
    interface FastEthernet0/4
     switchport access vlan 20
    !
    interface FastEthernet0/14
     switchport access vlan 80
    !
    interface FastEthernet0/16
     switchport access vlan 90
    !
    interface FastEthernet0/24
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !

The switch has the following configuration:
    Port 0/3    VLAN ID 10
    Port 0/4    VLAN ID 20
    Port 0/14   VLAN ID 80
    Port 0/16   VLAN ID 90
    Port 0/24   802.1Q trunk

Add this file to the Cisco switch connected to the FortiGate-800 external interface:
    !
    interface FastEthernet0/3
     switchport access vlan 30
    !
    interface FastEthernet0/9
     switchport access vlan 40
    !
    interface FastEthernet0/19
     switchport access vlan 50
    !
    interface FastEthernet0/24
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !
The switch has the following configuration:
    Port 0/3    VLAN ID 30
    Port 0/9    VLAN ID 40
    Port 0/19   VLAN ID 50
    Port 0/24   802.1Q trunk

Testing the configuration

You can use simple diagnostic commands (tracert, ping) to test traffic routed through the FortiGate unit and the Cisco switches.

Testing traffic from the instructors network to the student network

In this example, a route is traced from the instructors network to the student network. The route target is a host on the student network. From the instructors network, access an MS Windows command prompt and enter this command:

    C:\>tracert 192.168.10.2

    Tracing route to 192.168.10.2 over a maximum of 30 hops:

      1   <10 ms   <10 ms   <10 ms  192.168.20.1
      2   <10 ms   <10 ms   <10 ms  192.168.10.2

    Trace complete.

Figure 35: Example trace route from VLAN 20 to VLAN 10
[Figure: FortiGate-800 unit with VLAN 20 subinterface 192.168.20.1 and VLAN 10 subinterface 192.168.10.1; tracert from the VLAN 20 Instructors Network through the switch to host 192.168.10.2 on the VLAN 10 Student network]

Other tests

Using the preceding method, you can also test traffic from the Development network to the Sales network and vice versa, as well as traffic from each of the internal networks to locations on the Internet.

Using VLANs and VDOMs in Transparent mode

Overview

In Transparent mode, the FortiGate unit can provide services such as antivirus scanning, web filtering, spam filtering and intrusion protection to traffic on an IEEE 802.1Q VLAN trunk. You can insert the FortiGate unit operating in Transparent mode into the trunk without making changes to your network. In a typical configuration, the FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal VLANs.
The FortiGate external interface forwards tagged packets through another trunk to an external VLAN switch or router connected to external networks or the Internet. You can configure the FortiGate unit to apply different policies for traffic on each VLAN in the trunk.

To pass VLAN traffic through the FortiGate unit, you add two VLAN subinterfaces with the same VLAN ID, one to the internal interface and the other to the external interface. You then create a firewall policy to permit packets to flow from the internal VLAN interface to the external VLAN interface. If required, you create another firewall policy to permit packets to flow from the external VLAN interface to the internal VLAN interface. Network protection, such as spam filtering, web filtering and antivirus scanning, is applied through the protection profile specified in each firewall policy. For each VLAN you are protecting with the FortiGate unit, you need to define a pair of VLAN subinterfaces and the necessary firewall policies. Usually in Transparent mode you do not permit packets to move between different VLANs.

When the FortiGate unit receives a VLAN-tagged packet at a physical interface, the packet is directed to the VLAN subinterface with the matching VLAN ID. The VLAN tag is removed from the packet and the FortiGate unit then applies firewall policies in the same way as it does for non-VLAN packets. If the packet exits the FortiGate unit through a VLAN subinterface, the VLAN ID for that subinterface is added to the packet and the packet is sent to the corresponding physical interface.

VLANs and virtual domains

When you add each VLAN subinterface, you associate it with a virtual domain. By default the FortiGate configuration includes one virtual domain, named root, and you can add as many VLAN subinterfaces as you require to this virtual domain. Any virtual domain can have a maximum of 255 interfaces in NAT or TP mode. This includes VLANs, other virtual interfaces, and physical interfaces.
To have more than 255 interfaces configured you need to configure multiple VDOMs with many interfaces on each.

You can add more virtual domains if you want to separate groups of VLAN subinterfaces into virtual domains. When using a FortiGate unit to serve multiple organizations, this simplifies administration because you see only the firewall policies for the VDOM you are configuring. For information on adding and configuring virtual domains, see “Getting started with VDOMs” on page 55.

One essential application of virtual domains is to prevent problems caused when a FortiGate unit is connected to a layer-2 switch that has a global MAC table. FortiGate units normally forward ARP requests to all interfaces, including VLAN subinterfaces. It is then possible for the switch to receive duplicate ARP packets on different VLANs. Some layer-2 switches reset when this happens. As ARP requests are only forwarded to interfaces in the same virtual domain, you can solve this problem by creating a virtual domain for each VLAN. For an example of this type of configuration, see “Example configuration Transparent mode (multiple virtual domains)” on page 109.

Configuring the FortiGate unit in Transparent mode

There are two essential steps to configure your FortiGate unit to work with VLANs:
• Add VLAN subinterfaces
• Create firewall policies

You can also configure the protection profiles that govern virus scanning, web filtering and spam filtering. Protection profiles are covered in the documentation for your FortiGate unit.

In Transparent mode, you can access the FortiGate unit web-based manager by connecting to an interface configured for administrative access and using HTTPS to access the management IP address.
On the FortiGate-800 used as an example in this document, administrative access is enabled by default on the Internal interface and the default management IP address is 10.10.10.1. If you need more information, see the Quick Start Guide or Installation Guide for your unit.

The procedures in this section assume that you have not enabled VDOM configuration. If VDOM configuration is enabled, you need to navigate to the global or VDOM configuration as needed before following each procedure.

Adding VLAN subinterfaces

The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4096. You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.

To add VLAN subinterfaces in Transparent mode
1 Go to System > Network > Interface.
2 Select Create New to add a VLAN subinterface.
3 Enter a Name to identify the VLAN subinterface.
4 Select the physical interface that receives the VLAN packets intended for this VLAN subinterface.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
6 Select the virtual domain to which to add this VLAN subinterface.
7 Configure other settings as required.
8 Select OK to save your changes. The FortiGate unit adds the new subinterface to the interface that you selected.
9 Repeat Step 2 through Step 8, but choose the physical interface through which the VLAN packets exit the FortiGate unit. Use the same VLAN ID and VDOM as before.
10 For each of the VLAN subinterfaces you added, select Bring Up to start the interface.

Creating firewall policies

Firewall policies permit communication between the FortiGate unit network interfaces based on source and destination IP addresses.
Optionally, you can limit communication to particular times and services. In Transparent mode, the FortiGate unit subjects the packets on each VLAN to antivirus and antispam scanning as they pass through the unit. You need firewall policies to permit packets to pass from the VLAN interface where they enter the unit to the VLAN interface where they exit the unit. If there are no firewall policies configured, no packets will be allowed to pass from one interface to another.

To add firewall policies for VLAN subinterfaces
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets.
3 Go to Firewall > Policy.
4 Select Create New.
5 From the Source Interface/Zone list, select the VLAN interface where packets enter the unit.
6 From the Destination Interface/Zone list, select the VLAN interface where packets exit the unit.
7 Select the Source and Destination Address names.
8 Select Protection Profile and select the profile from the list.
9 Configure other settings as required.
10 Select OK.

Example configuration Transparent mode (simple)

In this example, the FortiGate-800 unit is operating in Transparent mode. The FortiGate-800 unit is configured with two VLANs, one with an ID of 100 and the other with ID 200. The Internal and External physical interfaces each have two VLAN subinterfaces, one for VLAN 100 and one for VLAN 200.

The FortiGate unit is connected to a Cisco 2900 switch on its internal network interface and to a Cisco 2620 router on its external network interface. The switch and the router add VLAN IDs to packets and then forward the packets to the FortiGate unit. When the FortiGate unit receives a tagged packet, it directs it from one VLAN subinterface to another.
For example, when the switch receives a packet from VLAN 100, it adds VLAN ID 100 and forwards the packet to VLAN subinterface 100 on the internal network interface on the FortiGate unit. The FortiGate unit directs the packet to VLAN subinterface 100 on the external network interface. From here the packet is forwarded to the router.

This section describes how to configure a FortiGate-800 unit, a Cisco switch and a Cisco router, for the example network topology shown in Figure 36.

Figure 36: Example VLAN topology (FortiGate unit in Transparent mode)
[Figure: Internet; VLAN router (10.1.1.1, 10.1.2.1) on an 802.1Q trunk to the External interface of the FortiGate-300 unit in Transparent mode; Internal interface on an 802.1Q trunk to the VLAN switch; switch port Fa0/3 on VLAN 100 (host 10.1.1.2), Fa0/9 on VLAN 200 (host 10.1.2.2), Fa0/24 trunk]

General configuration steps
1 Configure the FortiGate-800 unit.
  • Add four VLAN subinterfaces:
    • VLAN ID 100 added to internal and external network interfaces
    • VLAN ID 200 added to internal and external network interfaces
  • Add firewall policies to allow:
    • the VLAN networks to access the external network.
    • the external network to access the VLAN networks.
2 Configure the Cisco switch to support VLAN tags.
3 Configure the Cisco router to support VLAN tags.
4 Test the implementation.

Configuring the FortiGate-800 unit

Start the FortiGate web-based manager to configure the FortiGate-800 unit.

Adding VLAN subinterfaces

For each VLAN, you need to create a VLAN subinterface on the internal interface and another one on the external interface, both with the same VLAN ID.

To add VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK:
    Name       VLAN_100_int
    Interface  internal
    VLAN ID    100
  Configure other settings as required.
4 Select Create New.
5 Enter the following information and select OK:
    Name       VLAN_100_ext
    Interface  external
    VLAN ID    100
  Configure other settings as required.
6 Select Create New.
7 Enter the following information and select OK:
    Name       VLAN_200_int
    Interface  internal
    VLAN ID    200
  Configure other settings as required.
8 Select Create New.
9 Enter the following information and select OK:
    Name       VLAN_200_ext
    Interface  external
    VLAN ID    200
  Configure other settings as required.

Figure 37: VLAN subinterfaces

To add VLAN subinterfaces - CLI
    config system interface
        edit VLAN_100_int
            set status down
            set interface internal
            set vlanid 100
        next
        edit VLAN_100_ext
            set status down
            set interface external
            set vlanid 100
        next
        edit VLAN_200_int
            set status down
            set interface internal
            set vlanid 200
        next
        edit VLAN_200_ext
            set status down
            set interface external
            set vlanid 200
    end

Adding the firewall policies

Firewall policies allow packets to travel from the VLAN_100_int interface to the VLAN_100_ext interface and from the VLAN_200_int interface to the VLAN_200_ext interface.

To add the firewall policies - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:
    Source
      Interface/Zone  VLAN_100_int
      Address Name    all
    Destination
      Interface/Zone  VLAN_100_ext
      Address Name    all
    Schedule          Always
    Service           ANY
    Action            ACCEPT
  Configure other fields as required.
4 Select Create New.
5 Enter the following information and select OK:
    Source
      Interface/Zone  VLAN_100_ext
      Address Name    all
    Destination
      Interface/Zone  VLAN_100_int
      Address Name    all
    Schedule          Always
    Service           ANY
    Action            ACCEPT
  Configure other fields as required.
6 Go to Firewall > Policy.
7 Select Create New.
8 Enter the following information and select OK:
    Source
      Interface/Zone  VLAN_200_int
      Address Name    all
    Destination
      Interface/Zone  VLAN_200_ext
      Address Name    all
    Schedule          Always
    Service           ANY
    Action            ACCEPT
  Configure other fields as required.
9 Select Create New.
10 Enter the following information and select OK:
    Source
      Interface/Zone  VLAN_200_ext
      Address Name    all
    Destination
      Interface/Zone  VLAN_200_int
      Address Name    all
    Schedule          Always
    Service           ANY
    Action            ACCEPT
  Configure other fields as required.

Figure 38: Firewall policies for VLANs

To add the firewall policies - CLI
    config firewall policy
        edit 1
            set srcintf VLAN_100_int
            set dstintf VLAN_100_ext
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
        next
        edit 2
            set srcintf VLAN_100_ext
            set dstintf VLAN_100_int
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
        next
        edit 3
            set srcintf VLAN_200_int
            set dstintf VLAN_200_ext
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
        next
        edit 4
            set srcintf VLAN_200_ext
            set dstintf VLAN_200_int
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
    end

Configuring the Cisco switch

On the Cisco Catalyst 2900 ethernet switch, you need to define VLANs 100 and 200 in the VLAN database and then add a configuration file to define the VLAN subinterfaces and the 802.1Q trunk interface.
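As an added example that is not part of the guide, this Python model reproduces the Transparent mode forwarding behaviour described in the Overview for the four subinterfaces and four policies configured above: the 802.1Q tag on an incoming frame selects the subinterface on that physical interface, the tag is stripped, policies are matched on the (source subinterface, destination subinterface) pair, and an accepted frame is re-tagged with the egress subinterface's VLAN ID. The frame parser, the TransparentVdom class and the sample frame are constructed for this illustration and are not FortiOS code.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_dot1q(frame):
    """Split an Ethernet II frame into (dst, src, vid, ethertype, payload).
    vid is None for an untagged frame. Constructed for this example; it handles
    a single tag only (no QinQ)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != TPID_8021Q:
        return dst, src, None, etype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner, frame[18:]  # VID = low 12 bits of TCI


def build_frame(dst, src, vid, etype, payload):
    """Inverse of parse_dot1q; PCP and DEI in the tag are left at zero."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return dst + src + tag + struct.pack("!H", etype) + payload


class TransparentVdom:
    """Model (not FortiOS code) of one VDOM in Transparent mode: a tagged frame
    on a physical interface goes to the subinterface with the matching VLAN ID,
    the tag is stripped, policies are matched on the subinterface pair, and the
    egress subinterface's VLAN ID is re-added on the way out."""

    def __init__(self):
        self.subifs = {}    # name -> (physical interface, vlanid)
        self.policies = []  # (srcintf, dstintf, action); first match wins

    def add_subinterface(self, name, interface, vlanid):
        self.subifs[name] = (interface, vlanid)

    def add_policy(self, srcintf, dstintf, action="accept"):
        self.policies.append((srcintf, dstintf, action))

    def _subif_for(self, vid, on=None, not_on=None):
        for name, (phys, v) in self.subifs.items():
            if v == vid and (on is None or phys == on) and phys != not_on:
                return name
        return None

    def forward(self, ingress, frame):
        """Return (egress physical interface, re-tagged frame), or
        (None, reason) when the unit drops the frame."""
        dst, src, vid, etype, payload = parse_dot1q(frame)
        src_if = self._subif_for(vid, on=ingress)
        if src_if is None:
            return None, f"no subinterface on {ingress} for VLAN {vid}"
        # Transparent mode keeps traffic on its own VLAN: the only candidate
        # egress is the paired subinterface with the same ID on the other port.
        dst_if = self._subif_for(vid, not_on=ingress)
        if dst_if is None:
            return None, f"no paired subinterface for VLAN {vid}"
        for s, d, action in self.policies:
            if (s, d) == (src_if, dst_if):
                if action != "accept":
                    return None, f"denied by policy {src_if} -> {dst_if}"
                egress, egress_vid = self.subifs[dst_if]
                return egress, build_frame(dst, src, egress_vid, etype, payload)
        return None, f"no policy from {src_if} to {dst_if} (implicit deny)"


def simple_example_unit():
    """The four subinterfaces and four policies of the simple example above."""
    unit = TransparentVdom()
    for vid in (100, 200):
        unit.add_subinterface(f"VLAN_{vid}_int", "internal", vid)
        unit.add_subinterface(f"VLAN_{vid}_ext", "external", vid)
        unit.add_policy(f"VLAN_{vid}_int", f"VLAN_{vid}_ext")
        unit.add_policy(f"VLAN_{vid}_ext", f"VLAN_{vid}_int")
    return unit


# Constructed frame: a host on VLAN 100 sending a minimal IPv4 payload upstream.
SAMPLE_FRAME = build_frame(bytes.fromhex("0011223344ff"), bytes.fromhex("001122334401"),
                           100, 0x0800, b"\x45" + b"\x00" * 19)
```

Running simple_example_unit().forward("internal", SAMPLE_FRAME) yields the frame on "external" still tagged 100, while a VLAN 300 frame, an untagged frame, or a VLAN whose reverse-direction policy is missing is dropped with the reason returned.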
Configuring the VLAN subinterfaces and the trunk interfaces

Add this file to the Cisco switch:
    interface FastEthernet0/3
     switchport access vlan 100
    !
    interface FastEthernet0/9
     switchport access vlan 200
    !
    interface FastEthernet0/24
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !

The switch has the following configuration:
    Port 0/3    VLAN ID 100
    Port 0/9    VLAN ID 200
    Port 0/24   802.1Q trunk

Configuring the Cisco router

Add a configuration file to the Cisco Multiservice 2620 ethernet router. The file defines the VLAN subinterfaces and the 802.1Q trunk interface on the router. (The 802.1Q trunk is the physical interface on the router.)

Configuring the VLAN subinterfaces and the trunk interfaces

Add this file to the Cisco router:
    !
    interface FastEthernet0/0
    !
    interface FastEthernet0/0.1
     encapsulation dot1Q 100
     ip address 10.1.1.1 255.255.255.0
    !
    interface FastEthernet0/0.2
     encapsulation dot1Q 200
     ip address 10.1.2.1 255.255.255.0
    !

The router has the following configuration:
    Port 0/0.1   VLAN ID 100
    Port 0/0.2   VLAN ID 200
    Port 0/0     802.1Q trunk

Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default gateways. The default gateway for VLAN 100 is the Cisco router VLAN 100 subinterface. The default gateway for VLAN 200 is the Cisco router VLAN 200 subinterface.

Testing the configuration

Use diagnostic commands (tracert, ping) to test traffic routed through the network.

Testing traffic from VLAN 100 to VLAN 200

In this example, a route is traced between the two internal networks. The route target is a host on VLAN 200.
From VLAN 100, access a command prompt and enter this command:

    C:\>tracert 10.1.2.2

    Tracing route to 10.1.2.2 over a maximum of 30 hops:

      1   <10 ms   <10 ms   <10 ms  10.1.1.1
      2   <10 ms   <10 ms   <10 ms  10.1.2.2

    Trace complete.

Figure 39: Example trace route from VLAN 100 to VLAN 200
[Figure: Router 10.1.1.1; FortiGate-300 unit with External and Internal interfaces; switch; tracert from host 10.1.1.2 on VLAN 100 to host 10.1.2.2 on VLAN 200]

Example configuration Transparent mode (multiple virtual domains)

In this example, the FortiGate-800 unit provides network protection to three organizations that have quite different policies for incoming and outgoing traffic. This requires that they have different firewall policies and protection profiles. Although this might be achieved without using virtual domains, the administration is simpler using the virtual domains to view and configure only one organization’s policies at a time.

The procedures in this section assume that you have enabled virtual domain configuration on your FortiGate unit. For more information, see “Getting started with VDOMs” on page 55.

Figure 40: Transparent mode operation with multiple domains
[Figure: Internet; Router sending untagged packets to VLAN Switch 2 (Fa0/3, Fa0/6); VLAN trunk to the External interface of the FortiGate unit in Transparent mode, with VLAN_100_ext, VLAN_200_ext and VLAN_300_ext; Internal interface on a VLAN trunk to VLAN Switch 1 (Fa0/1, Fa0/2, Fa0/5, Fa0/8), with VLAN_100_int, VLAN_200_int and VLAN_300_int; ABC Inc VLAN ID = 100, DEF Inc VLAN ID = 200, XYZ Inc. VLAN = 300]

Configuring global items

Some components of the protection profiles that you create are global, rather than per-domain.

Creating schedules

The FortiGate-800 unit in this example serves organizations that are all businesses that vary their policies according to the time of day. For simplicity, this example assumes that they all have the same lunch hours.
It would be possible to accommodate different definitions of lunchtime by creating multiple schedules tailored to the needs of each organization.

To create a recurring schedule for lunchtime - web-based manager
1 Go to Firewall > Schedule > Recurring.
2 Select Create New.
3 Enter Lunch as the name for the schedule.
4 Select Monday, Tuesday, Wednesday, Thursday and Friday.
5 Set the Start time as 11:45 and set the Stop time as 14:00.
6 Select OK.

To create a recurring schedule for lunchtime - CLI
    config firewall schedule recurring
        edit Lunch
            set day monday tuesday wednesday thursday friday
            set start 11:45
            set end 14:00
    end

Creating protection profiles

The FortiGate-800 provides pre-configured protection profiles: strict, scan, web and unfiltered. This example also requires custom protection profiles to take advantage of the FortiGate content blocking features. Protection profiles are global, but you can create as many as you need to cover the requirements of different organizations. This example creates the following protection profiles:

    Profile name   Description                                              Used by
    BusinessOnly   Antivirus, spam filtering, banned word list, IPS.        ABC Inc., DEF Inc.
                   Web category filtering designed to prevent
                   non-business activity.
    Lunch          Antivirus, spam filtering, banned word list, IPS.        ABC Inc., DEF Inc.
                   Relaxed web category filtering to allow some
                   general-interest web browsing during lunch hour.

To create the BusinessOnly protection profile - web-based manager
1 Go to Firewall > Protection Profile.
2 Select Create New.
3 Enter BusinessOnly as the Profile Name.
4 Select Anti-Virus and enable Virus Scan for HTTP, FTP, IMAP, POP3 and SMTP.
5 Select Web Category Filtering and enable category block. Configure categories as follows:
    Potentially Liable (group)                Block
    Objectionable or Controversial (group)    Block
    Potentially Non-productive (group)        Block
    Potentially Bandwidth Consuming (group)   Block
    Potentially Security Violating (group)    Block
    General Interest (group)                  Block
    Business Oriented                         Allow
    Other                                     Block
6 Select Spam Filtering and enable RBL & ORDBL check for IMAP, POP3 and SMTP.
7 Select Banned word check for IMAP, POP3 and SMTP.
8 For Spam action, select tagged for IMAP and POP3, discard for SMTP.
9 Select IPS and enable IPS Signature and IPS Anomaly.
10 Select OK.

To create the BusinessOnly protection profile - CLI
    config firewall profile
        edit BusinessOnly
            set ftp scan
            set http scan catblock
            set imap scan fragmail spamrbl bannedword
            set pop3 scan fragmail spamrbl bannedword
            set smtp scan fragmail spamrbl bannedword
            set ips signature anomaly
            set cat_allow 49-50-51-52-53
            set cat_deny g01-g02-g03-g04-g05-g06-g08
    end

To create the Relaxed protection profile - web-based manager
1 Go to Firewall > Protection Profile.
2 Select Create New.
3 Enter Relaxed as the Profile Name.
4 Select Anti-Virus and enable Virus Scan for HTTP, FTP, IMAP, POP3 and SMTP.
5 Select Web Category Filtering and enable category block. Configure categories as follows:
    Potentially Liable (group)                Block
    Objectionable or Controversial (group)    Block
    Potentially Non-productive (group)        Monitor
    Potentially Bandwidth Consuming (group)   Monitor
    Potentially Security Violating (group)    Block
    General Interest (group)                  Allow
    Business Oriented                         Allow
    Others                                    Allow
6 Select Spam Filtering and enable RBL & ORDBL check for IMAP, POP3 and SMTP.
7 Select Banned word check for IMAP, POP3 and SMTP.
8 For Spam action, select tagged for IMAP and POP3, discard for SMTP.
9 Select IPS and enable IPS Signature and IPS Anomaly.
10 Select OK.

To create the Relaxed protection profile - CLI
config firewall profile
    edit Relaxed
        set ftp scan
        set http scan catblock
        set imap scan
        set pop3 scan
        set smtp scan spamrbl
        set ips anomaly
        set ips signature
        set cat_allow g06-g07-g08
        set cat_deny g01-g02-g05
        set cat_monitor g03-g04
    end

Creating virtual domains
The FortiGate-800 supports 10 virtual domains. The root domain is the default domain. It cannot be deleted or renamed. In this example, the root domain is not used. New virtual domains are created for company ABC, company DEF and company XYZ.

To create the virtual domains - web-based manager
1 Log in as admin.
2 Select Create New.
3 Type “ABCdomain” and select OK.
4 Select Create New.
5 Type “DEFdomain” and select OK.
6 Select Create New.
7 Type “XYZdomain” and select OK.

To create the virtual domains - CLI
config system vdom
    edit ABCdomain
    next
    edit DEFdomain
    next
    edit XYZdomain
    end

Configuring the ABCdomain
This section describes how to add VLAN subinterfaces and configure firewall policies for the ABCdomain VDOM.

Adding VLAN subinterfaces
You need to create a VLAN subinterface on the internal interface and another one on the external interface, both with the same VLAN ID.

To add VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK:
    Name             VLAN_100_int
    Interface        internal
    VLAN ID          100
    Virtual Domain   ABCdomain
  Configure other settings as required.
4 Select Create New.
5 Enter the following information and select OK:
    Name             VLAN_100_ext
    Interface        external
    VLAN ID          100
    Virtual Domain   ABCdomain
  Configure other settings as required.
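Each VDOM in this example depends on the same pairing rule: one subinterface on internal and one on external, both carrying the VDOM's VLAN ID, with a different VLAN ID per VDOM (100, 200 and 300). A reviewer can check that mechanically. The following Python example is added here and is not Fortinet's code or part of this guide: it parses the flat config system interface blocks in the form this example uses into a dictionary and reports any VDOM whose two legs are missing or carry different VLAN IDs, and any VLAN ID that appears in two VDOMs. The sample configuration is constructed from the three VDOMs of this example; nested config tables (for example IPv6 settings inside an interface) are not handled.

```python
"""Parse FortiOS-style config/edit/set/next/end text and check the VLAN
subinterface pairing used in the transparent-mode VDOM example.

Added example, not Fortinet's code. SAMPLE is constructed from the
ABCdomain, DEFdomain and XYZdomain interface blocks of the example."""

SAMPLE = """\
config system interface
    edit VLAN_100_int
        set interface internal
        set vlanid 100
        set vdom ABCdomain
    next
    edit VLAN_100_ext
        set interface external
        set vlanid 100
        set vdom ABCdomain
    next
    edit VLAN_200_int
        set interface internal
        set vlanid 200
        set vdom DEFdomain
    next
    edit VLAN_200_ext
        set interface external
        set vlanid 200
        set vdom DEFdomain
    next
    edit VLAN_300_int
        set interface internal
        set vlanid 300
        set vdom XYZdomain
    next
    edit VLAN_300_ext
        set interface external
        set vlanid 300
        set vdom XYZdomain
    next
end
"""


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} for flat config tables.

    Only one level of 'config ... end' with 'edit ... next' entries inside
    is supported, which is all the example needs."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        kw = tok[0]
        if kw == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif kw == "edit":
            entry = table.setdefault(" ".join(tok[1:]).strip('"'), {})
        elif kw == "set":
            entry[tok[1]] = tok[2:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            table = None
    return tables


def check_vlan_pairs(tables):
    """Return a list of problems in the VLAN subinterface layout.

    Rules taken from the example: every VDOM has one VLAN subinterface on
    'internal' and one on 'external' with the same VLAN ID, and no VLAN ID
    is used by two VDOMs (assumed design rule, as the example keeps them
    distinct). Physical interfaces (no vlanid) are ignored."""
    problems, by_vdom, vlan_owner = [], {}, {}
    for name, attrs in tables.get("system interface", {}).items():
        vid = attrs.get("vlanid", [None])[0]
        if vid is None:
            continue
        vdom = attrs.get("vdom", ["root"])[0]
        phys = attrs.get("interface", [None])[0]
        by_vdom.setdefault(vdom, {})[phys] = (name, vid)
        if vid in vlan_owner and vlan_owner[vid] != vdom:
            problems.append(f"VLAN {vid} used by both {vlan_owner[vid]} and {vdom}")
        vlan_owner.setdefault(vid, vdom)
    for vdom, legs in by_vdom.items():
        if "internal" not in legs or "external" not in legs:
            problems.append(f"{vdom}: missing internal or external VLAN subinterface")
        elif legs["internal"][1] != legs["external"][1]:
            problems.append(f"{vdom}: VLAN ID differs between "
                            f"{legs['internal'][0]} and {legs['external'][0]}")
    return problems


if __name__ == "__main__":
    for line in check_vlan_pairs(parse_fortios(SAMPLE)) or ["no problems found"]:
        print(line)
```

Run against a FortiGate's own backup (the config system interface section of a configuration file has exactly this shape) to catch a mistyped VLAN ID on one leg, which in transparent mode silently leaves the VDOM bridging nothing.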
Figure 41: Interfaces for ABCdomain

To add the VLAN subinterfaces - CLI
config system interface
    edit VLAN_100_int
        set interface internal
        set vlanid 100
        set vdom ABCdomain
    next
    edit VLAN_100_ext
        set interface external
        set vlanid 100
        set vdom ABCdomain
    end

Selecting the ABCdomain VDOM
Before you follow the rest of the procedure for configuring VLAN 100, you must ensure that the current domain is ABCdomain.

To select the ABCdomain VDOM - web-based manager
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the ABCdomain VDOM.

To select the ABCdomain VDOM - CLI
config vdom
    edit ABCdomain

Creating service groups
ABC Inc. does not want its employees to use online chat or gaming software. To simplify the creation of firewall policies for this purpose, you create a service group that contains all of the services you want to restrict. A firewall policy can manage only one service or one group.

To create a games and chat service group - web-based manager
1 Go to Firewall > Service > Group.
2 Select Create New.
3 Type games-chat in the Group Name field.
4 For each of AOL, IRC, NetMeeting, Quake, SIP-MSNmessenger and Talk, select the service in the Available Services list and select the right arrow to add it to the Members list.
5 Select OK.

To create a games and chat service group - CLI
config firewall service group
    edit games-chat
        set member IRC NetMeeting QUAKE SIP-MSNmessenger AOL TALK
    end

Configuring ABCdomain firewall addresses
The “all” address is present by default in the root domain. In other domains, you must create it.
To configure ABCdomain firewall addresses - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New.
3 Type “all” in the Address Name field.
4 Type 0.0.0.0/0.0.0.0 in the IP Range/Subnet field.
5 Select OK.

To configure ABCdomain firewall addresses - CLI
config firewall address
    edit all
        set type ipmask
        set subnet 0.0.0.0 0.0.0.0
    end

Configuring ABCdomain firewall policies
Firewall policies allow packets to travel from the VLAN 100 interface to the external interface subject to the restrictions of the protection profile.

To configure ABCdomain firewall policies - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New.
3 Enter the following information and select OK:
    Interface/Zone Source        VLAN_100_int
    Interface/Zone Destination   VLAN_100_ext
    Address Name Source          all
    Address Name Destination     all
    Schedule                     BusinessDay
    Service                      games-chat
    Action                       DENY
  Configure other fields as required. This policy prevents the use of network games or chat programs during business hours.
4 Enter the following information and select OK:
    Interface/Zone Source        VLAN_100_int
    Interface/Zone Destination   VLAN_100_ext
    Address Name Source          all
    Address Name Destination     all
    Schedule                     Lunch
    Service                      HTTP
    Action                       ACCEPT
    Protection Profile           Relaxed
  Configure other fields as required. This policy relaxes the web category filtering during lunch hour.
5 Enter the following information and select OK:
    Interface/Zone Source        VLAN_100_int
    Interface/Zone Destination   VLAN_100_ext
    Address Name Source          all
    Address Name Destination     all
    Schedule                     BusinessDay
    Service                      HTTP
    Action                       ACCEPT
    Protection Profile           BusinessOnly
  Configure other fields as required. This policy provides rather strict web category filtering during business hours.
Figure 42: ABCdomain firewall policies

To configure ABCdomain firewall policies - CLI
config firewall policy
    edit 1
        set srcintf VLAN_100_int
        set dstintf VLAN_100_ext
        set srcaddr all
        set dstaddr all
        set action deny
        set schedule BusinessDay
        set service games-chat
    next
    edit 2
        set srcintf VLAN_100_int
        set dstintf VLAN_100_ext
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule Lunch
        set service HTTP
        set profile_status enable
        set profile Relaxed
    next
    edit 3
        set srcintf VLAN_100_int
        set dstintf VLAN_100_ext
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule BusinessDay
        set service HTTP
        set profile_status enable
        set profile BusinessOnly
    end

Configuring the DEFdomain
This section describes how to add VLAN subinterfaces and configure firewall policies for the DEFdomain VDOM.

Adding VLAN subinterfaces
You need to create a VLAN subinterface on the internal interface and another one on the external interface, both with the same VLAN ID.

To add VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK:
    Name             VLAN_200_int
    Interface        internal
    VLAN ID          200
    Virtual Domain   DEFdomain
  Configure other settings as required.
4 Select Create New.
5 Enter the following information and select OK:
    Name             VLAN_200_ext
    Interface        external
    VLAN ID          200
    Virtual Domain   DEFdomain
  Configure other settings as required.
Figure 43: Interfaces for DEFdomain

To add the VLAN subinterfaces - CLI
config system interface
    edit VLAN_200_int
        set interface internal
        set vlanid 200
        set vdom DEFdomain
    next
    edit VLAN_200_ext
        set interface external
        set vlanid 200
        set vdom DEFdomain
    end

Selecting the DEFdomain VDOM
Before you follow the rest of the procedure for configuring VLAN 200, you must ensure that the current domain is DEFdomain.

To select the DEFdomain VDOM - web-based manager
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the DEFdomain VDOM.

To select the DEFdomain VDOM - CLI
config vdom
    edit DEFdomain

Creating service groups
DEF Inc. does not want its employees to use online gaming software or any online chat software except NetMeeting, which they use for net conferencing. To simplify the creation of a firewall policy for this purpose, you create a service group that contains all of the services you want to restrict. A firewall policy can manage only one service or one group. The administrator decided to simply name this group “Games” although it also restricts chat software.

To create a games service group - web-based manager
1 Go to Firewall > Service > Group.
2 Select Create New.
3 Type Games in the Group Name field.
4 For each of AOL, IRC, Quake, SIP-MSNmessenger and Talk, select the service in the Available Services list and select the right arrow to add it to the Members list.
5 Select OK.

To create a games service group - CLI
config firewall service group
    edit Games
        set member IRC QUAKE SIP-MSNmessenger AOL TALK
    end

Configuring DEFdomain firewall addresses
The “all” address is present by default in the root domain. In other domains, you must create it.
To configure DEFdomain firewall addresses - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New.
3 Type “all” in the Address Name field.
4 Type 0.0.0.0/0.0.0.0 in the IP Range/Subnet field.
5 Select OK.

To configure DEFdomain firewall addresses - CLI
config firewall address
    edit all
        set type ipmask
        set subnet 0.0.0.0 0.0.0.0
    end

Configuring DEFdomain firewall policies
Firewall policies allow packets to travel from the VLAN 200 interface to the external interface subject to the restrictions of the protection profile.

To configure DEFdomain firewall policies - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New.
3 Enter the following information and select OK:
    Interface/Zone Source        VLAN_200_int
    Interface/Zone Destination   VLAN_200_ext
    Address Name Source          all
    Address Name Destination     all
    Schedule                     BusinessDay
    Service                      Games
    Action                       DENY
  Configure other fields as required. This policy prevents the use of network games or chat programs (except NetMeeting) during business hours.
4 Enter the following information and select OK:
    Interface/Zone Source        VLAN_200_int
    Interface/Zone Destination   VLAN_200_ext
    Address Name Source          all
    Address Name Destination     all
    Schedule                     Lunch
    Service                      HTTP
    Action                       ACCEPT
    Protection Profile           Relaxed
  Configure other fields as required. This policy relaxes the web category filtering during lunch hour.
5 Enter the following information and select OK:
    Interface/Zone Source        VLAN_200_int
    Interface/Zone Destination   VLAN_200_ext
    Address Name Source          all
    Address Name Destination     all
    Schedule                     BusinessDay
    Service                      HTTP
    Action                       ACCEPT
    Protection Profile           BusinessOnly
  Configure other fields as required. This policy provides rather strict web category filtering during business hours.
6 Enter the following information and select OK:
    Interface/Zone Source        VLAN_200_int
    Interface/Zone Destination   VLAN_200_ext
    Address Name Source          all
    Address Name Destination     all
    Schedule                     always
    Service                      ANY
    Action                       ACCEPT
    Protection Profile           Relaxed
  Configure other fields as required. Because it is last in the list, this policy applies to the times and services not covered in preceding policies. This means that outside of regular business hours the Relaxed protection profile applies to email and web browsing and that online chat and games are permitted. DEF Inc. needs this policy because its employees sometimes work overtime. The other companies in this example maintain fixed hours and don’t want any after-hours internet access.

Figure 44: DEFdomain firewall policies

To configure DEFdomain firewall policies - CLI
config firewall policy
    edit 1
        set srcintf VLAN_200_int
        set dstintf VLAN_200_ext
        set srcaddr all
        set dstaddr all
        set schedule BusinessDay
        set service Games
        set action deny
    next
    edit 2
        set srcintf VLAN_200_int
        set dstintf VLAN_200_ext
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule Lunch
        set service HTTP
        set profile_status enable
        set profile Relaxed
    next
    edit 3
        set srcintf VLAN_200_int
        set dstintf VLAN_200_ext
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule BusinessDay
        set service HTTP
        set profile_status enable
        set profile BusinessOnly
    next
    edit 4
        set srcintf VLAN_200_int
        set dstintf VLAN_200_ext
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set profile_status enable
        set profile Relaxed
    end

Configuring the XYZdomain
This section describes how to add VLAN subinterfaces and configure firewall policies for the XYZdomain VDOM.

Adding VLAN subinterfaces
You need to create a VLAN subinterface on the internal interface and another one on the external interface, both with the same VLAN ID.

To add VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK:
    Name             VLAN_300_int
    Interface        internal
    VLAN ID          300
    Virtual Domain   XYZdomain
  Configure other settings as required.
4 Select Create New.
5 Enter the following information and select OK:
    Name             VLAN_300_ext
    Interface        external
    VLAN ID          300
    Virtual Domain   XYZdomain
  Configure other settings as required.

Figure 45: Interfaces for XYZdomain

To add the VLAN subinterfaces - CLI
config system interface
    edit VLAN_300_int
        set interface internal
        set vlanid 300
        set vdom XYZdomain
    next
    edit VLAN_300_ext
        set interface external
        set vlanid 300
        set vdom XYZdomain
    end

Selecting the XYZdomain VDOM
Before you follow the rest of the procedure for configuring VLAN 300, you must ensure that the current domain is XYZdomain.

To select the XYZdomain VDOM - web-based manager
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the XYZdomain VDOM.

To select the XYZdomain VDOM - CLI
config vdom
    edit XYZdomain

Creating service groups
XYZ Inc. wants network protection for email and web services. To simplify creation of firewall policies, you can create an email service group for POP3, IMAP and SMTP and a web service group for HTTP, HTTPS and FTP.
To create an email service group - web-based manager
1 Go to Firewall > Service > Group.
2 Select Create New.
3 Type Email in the Group Name field.
4 For each of POP3, IMAP and SMTP, select the service in the Available Services list and select the right arrow to add it to the Members list.
5 Select OK.

To create an email service group - CLI
config firewall service group
    edit Email
        set member POP3 IMAP SMTP
    end

To create a web service group - web-based manager
1 Go to Firewall > Service > Group.
2 Select Create New.
3 Type Web in the Group Name field.
4 For each of HTTP, HTTPS and FTP, select the service in the Available Services list and select the right arrow to add it to the Members list.
5 Select OK.

To create a web service group - CLI
config firewall service group
    edit Web
        set member HTTP HTTPS FTP
    end

Configuring XYZdomain firewall addresses
The “all” address is present by default in the root domain. In other domains, you must create it.

To configure XYZdomain firewall addresses - web-based manager
1 Go to Firewall > Address > Address.
2 Select Create New.
3 Type “all” in the Address Name field.
4 Type 0.0.0.0/0.0.0.0 in the IP Range/Subnet field.
5 Select OK.

To configure XYZdomain firewall addresses - CLI
config firewall address
    edit all
        set type ipmask
        set subnet 0.0.0.0 0.0.0.0
    end

Configuring XYZdomain firewall policies
Firewall policies allow packets to travel from the VLAN 300 interface to the external interface subject to the restrictions of the protection profile.

To configure XYZdomain firewall policies - web-based manager
1 Go to Firewall > Policy > Policy.
2 Select Create New.
3 Enter the following information and select OK:
    Interface/Zone Source        VLAN_300_int
    Interface/Zone Destination   VLAN_300_ext
    Address Name Source          all
    Address Name Destination     all
    Schedule                     always
    Service                      Email
    Action                       ACCEPT
    Protection Profile           strict
  Configure other fields as required. This policy provides network protection for email using the default strict protection profile. The administrator must also set up the antivirus, web filter and spam filter settings. These procedures are not described in this document.
4 Enter the following information and select OK:
    Interface/Zone Source        VLAN_300_int
    Interface/Zone Destination   VLAN_300_ext
    Address Name Source          all
    Address Name Destination     all
    Schedule                     always
    Service                      Web
    Action                       ACCEPT
    Protection Profile           web
  Configure other fields as required. This policy provides network protection for HTTP, HTTPS and FTP using the default web protection profile. The administrator must also set up the antivirus and web filter settings. These procedures are not described in this document.
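The policy lists above are evaluated top down and the first policy whose interfaces, addresses, schedule and service all match decides the outcome; anything that matches no policy is dropped by the implicit deny at the end of the list. That is why the Lunch policy must sit above the BusinessDay policy (lunch falls inside business hours) and why DEFdomain's final always/ANY policy changes after-hours behaviour while ABCdomain and XYZdomain have no such policy. The following Python example is added here and is not Fortinet's code or part of this guide: it models that first-match evaluation for the ABCdomain and DEFdomain lists with their recurring schedules. The Lunch schedule, service groups and policies mirror the objects configured above; the BusinessDay hours (Monday to Friday, 08:00 to 17:00) are an assumption, since that schedule is defined earlier in the guide and not on this page.

```python
"""First-match firewall policy evaluation with recurring schedules.

Added example, not Fortinet's code. Mirrors the ABCdomain and DEFdomain
policy lists of the transparent-mode example; BusinessDay hours are ASSUMED."""
from datetime import datetime

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")
WEEKDAYS = DAYS[:5]

# Recurring schedules as (days, start, end) with zero-padded "HH:MM" strings.
SCHEDULES = {
    "Lunch": (WEEKDAYS, "11:45", "14:00"),        # from the page
    "BusinessDay": (WEEKDAYS, "08:00", "17:00"),  # ASSUMED: defined earlier in the guide
    "always": (DAYS, "00:00", "23:59"),           # built-in schedule
}

# Service groups exactly as created for ABCdomain and DEFdomain.
SERVICE_GROUPS = {
    "games-chat": {"AOL", "IRC", "NetMeeting", "QUAKE", "SIP-MSNmessenger", "TALK"},
    "Games": {"AOL", "IRC", "QUAKE", "SIP-MSNmessenger", "TALK"},
}

# Policies in list order; interface and address fields are omitted because
# every policy in these lists uses VLAN_x_int -> VLAN_x_ext and all -> all.
ABC_POLICIES = [
    {"id": 1, "schedule": "BusinessDay", "service": "games-chat", "action": "deny"},
    {"id": 2, "schedule": "Lunch", "service": "HTTP", "action": "accept", "profile": "Relaxed"},
    {"id": 3, "schedule": "BusinessDay", "service": "HTTP", "action": "accept", "profile": "BusinessOnly"},
]
DEF_POLICIES = [
    {"id": 1, "schedule": "BusinessDay", "service": "Games", "action": "deny"},
    {"id": 2, "schedule": "Lunch", "service": "HTTP", "action": "accept", "profile": "Relaxed"},
    {"id": 3, "schedule": "BusinessDay", "service": "HTTP", "action": "accept", "profile": "BusinessOnly"},
    {"id": 4, "schedule": "always", "service": "ANY", "action": "accept", "profile": "Relaxed"},
]


def at(text):
    """Parse a constructed timestamp such as '2007-09-10 12:30'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def schedule_active(name, when):
    """True if the recurring schedule covers the day and time of 'when'."""
    days, start, end = SCHEDULES[name]
    if DAYS[when.weekday()] not in days:
        return False
    return start <= when.strftime("%H:%M") <= end  # zero-padded strings sort correctly


def service_matches(policy_service, service):
    """ANY matches everything; a group matches its members; else exact name."""
    if policy_service == "ANY":
        return True
    if policy_service in SERVICE_GROUPS:
        return service in SERVICE_GROUPS[policy_service]
    return policy_service == service


def evaluate(policies, service, when):
    """Return (policy id, action, protection profile) of the first matching
    policy, or (None, 'deny', None) for the implicit deny at the end."""
    for p in policies:
        if schedule_active(p["schedule"], when) and service_matches(p["service"], service):
            return p["id"], p["action"], p.get("profile")
    return None, "deny", None


if __name__ == "__main__":
    for label, policies in (("ABCdomain", ABC_POLICIES), ("DEFdomain", DEF_POLICIES)):
        for service, stamp in (("HTTP", "2007-09-10 12:30"), ("HTTP", "2007-09-10 19:00"),
                               ("IRC", "2007-09-10 10:00"), ("IRC", "2007-09-10 19:00")):
            print(label, service, stamp, "->", evaluate(policies, service, at(stamp)))
```

The example shows the two behaviours worth checking in any policy list of this shape: HTTP at 12:30 on a weekday gets the Relaxed profile from the Lunch policy even though BusinessDay also covers that time, and an after-hours IRC session is dropped in ABCdomain but accepted (with the Relaxed profile) in DEFdomain because of its catch-all policy 4. Note also that NetMeeting during business hours in DEFdomain does not hit policy 1 (it is not in Games) and so falls through to policy 4.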
Figure 46: XYZdomain firewall policies

To configure XYZdomain firewall policies - CLI
config firewall policy
    edit 1
        set srcintf VLAN_300_int
        set dstintf VLAN_300_ext
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service Email
        set profile_status enable
        set profile strict
    next
    edit 2
        set srcintf VLAN_300_int
        set dstintf VLAN_300_ext
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service Web
        set profile_status enable
        set profile web
    end

Configuring the Cisco switch
On the Cisco Catalyst 2900 ethernet switches, you need to define the VLANs 100, 200 and 300 in the VLAN database and then add configuration files to define the VLAN subinterfaces and the 802.1Q trunk interface.

Configuring switch 1
Add this file to Cisco VLAN switch 1:
!
interface FastEthernet0/1
 switchport access vlan 100
!
interface FastEthernet0/2
 switchport access vlan 200
!
interface FastEthernet0/5
 switchport access vlan 300
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
!

Switch 1 has the following configuration:
Port 0/1   VLAN ID 100
Port 0/2   VLAN ID 200
Port 0/3   VLAN ID 300
Port 0/6   802.1Q trunk

Configuring switch 2
Add this file to Cisco VLAN switch 2:
! access ports 0/1 to 0/3 as listed in the port summary below
interface FastEthernet0/1
 switchport access vlan 100
!
interface FastEthernet0/2
 switchport access vlan 200
!
interface FastEthernet0/3
 switchport access vlan 300
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
!

Switch 2 has the following configuration:
Port 0/1   VLAN ID 100
Port 0/2   VLAN ID 200
Port 0/3   VLAN ID 300
Port 0/6   802.1Q trunk

Testing the configuration
Use diagnostic commands (tracert, ping) to test traffic routed through the network.
Testing traffic from VLAN 100 to the Internet
In this example, a route is traced from the VLANs to a host on the Internet. The route target is www.fortinet.com.
1 From a host on VLAN 100, access a command prompt and enter this command:
    C:\>tracert www.fortinet.com
    Tracing route to www.fortinet.com [128.242.109.135]
    over a maximum of 30 hops:
      1   <10 ms   <10 ms   <10 ms  172.20.120.2
      ...
     14   172 ms   141 ms   140 ms  128.242.109.135
    Trace complete.
2 Repeat for VLAN 200 and VLAN 300.

Inter-VDOM routing

Overview
In the past, VDOMs were separate from each other. There was no internal communication between them. Any communication between VDOMs had to leave on a physical interface and re-enter the FortiGate unit on another physical interface. Inter-VDOM routing changes this. With the introduction of inter-VDOM links in FortiOS v3.0 MR1, VDOMs can communicate internally without using additional physical interfaces. FortiManager units support inter-VDOM routing on managed FortiGate units starting with FortiManager v3.0 MR1.

This chapter contains the following sections:
• Benefits of inter-VDOM routing
• Getting started with inter-VDOM routing
• Advanced inter-VDOM issues
• FortiManager and inter-VDOMs
• Inter-VDOM Configurations
• Inter-VDOM planning

Benefits of inter-VDOM routing
Inter-VDOM routing has a number of benefits over independent VDOM routing. These benefits include:
• Freeing up physical interfaces
• Faster than physical interfaces
• Continuing to use secure firewall policies
• More flexible configurations

Freeing up physical interfaces
Tying up physical interfaces on the FortiGate unit presents a problem. With a limited number of interfaces available, configuration options for the old style of communication between VDOMs are very limited.
VLANs can be an answer to this, but they have some limitations. For example, a FortiGate-800 has 8 ports. If they are assigned 2 per VDOM (one each for external and internal traffic), at most 4 VDOMs can be configured, not the 10 VDOMs the license allows. If even one additional interface per VDOM is used for inter-VDOM communication, only 2 VDOMs fit, since 3 VDOMs would require 9 interfaces. Even using one physical interface for both external traffic and inter-VDOM communication would severely lower the available bandwidth for external traffic on that interface.

With the introduction of inter-VDOM routing, traffic can travel between VDOMs internally, freeing up physical interfaces for external traffic. Using the above example, we can use the 4 VDOM configuration and all the interfaces will have their full bandwidth.

Faster than physical interfaces
Internal interfaces have the advantage over physical interfaces in that they are faster. Their speed depends on the CPU and its load. That means that an inter-VDOM link interface will be faster than an outbound physical interface connected to another inbound physical interface.

While one virtual interface with normal traffic would be considerably faster than a physical interface, the more traffic and the more internal interfaces you configure, the slower they will become, until they are slower than the physical interfaces. CPU load can come from other sources such as AV or content scanning. This produces the same effect: internal interfaces such as inter-VDOM links will be slower.

Continuing to use secure firewall policies
VDOMs help to separate traffic based on your needs. This is an important step in satisfying regulations that require proof of secure data handling. This is especially important to the health, law and accounting industries and the sensitive data they handle every day.
By keeping things separate, traffic has to leave the FortiGate unit and re-enter to change VDOMs. This forces traffic to go through the firewall when leaving and enter through another firewall, keeping traffic secure. The need for the physical interfaces is gone with inter-VDOM routing, but as with all FortiGate interfaces, firewall policies need to be in place for traffic to be allowed to pass through any interface, physical or virtual. This provides the same level of security both internally and externally. In fact you will be able to configure more VDOMs, which will allow you more flexibility. Your data will continue to have the high level of security you have come to expect.

More flexible configurations
A typical VDOM uses at least two interfaces, typically physical interfaces: one for internal and one for external traffic. Depending on the configuration, more interfaces may be required. As explained earlier, the maximum number of VDOMs configurable on a FortiGate unit is the number of physical interfaces available divided by two. VLANs can be an answer to this, but they have some limitations.

Using physical interfaces for inter-VDOM communication severely limits the number of possible configurations on your FortiGate unit, but inter-VDOM routing allows these connections to be moved inside the FortiGate unit. Using virtual interfaces for inter-VDOM communication frees up the physical interfaces for external traffic.

Using inter-VDOM routing on a FortiGate unit with 8 interfaces, you can have 4 VDOMs communicating with each other (meshed configuration) and continue to have 2 physical interfaces each for internal and external connections. This configuration would have required 20 physical interfaces without inter-VDOM routing. With inter-VDOM routing it only requires 8 physical interfaces, with the other 12 interfaces being internal virtual interfaces.

Inter-VDOM routing allows you the freedom to select the Stand alone VDOM configuration, Management VDOM configuration and Meshed VDOM configuration without being limited by the number of physical interfaces on your FortiGate unit.

Getting started with inter-VDOM routing
Once the VDOMs are configured, there are very few steps to configure inter-VDOM routing. Inter-VDOM configuration and removal can only be accomplished through the CLI.

This example assumes that your FortiGate unit is set to multiple VDOM mode and that you have 2 VDOMs called customer1 and customer2 already configured.

To configure an inter-VDOM routing connection
1 Create an internal point-to-point interface called vlink.
    config global
        config system vdom-link
            edit vlink
            next
        end
  In creating the point-to-point interface, you also created two additional interface objects by default. They are called vlink0 and vlink1: the interface name you chose with a 0 or a 1 on the end to designate the two ends of the link.
  Note: At this point you can see the two end point interface objects for the new inter-VDOM link on the GUI under System > Network. You can only view inter-VDOM interfaces in the GUI, not modify them.
2 Bind the interface objects to the VDOMs.
    config system interface
        edit vlink0
            set vdom customer1
        next
        edit vlink1
            set vdom customer2
        next
    end
3 These point-to-point interfaces are now treated like normal FortiGate interfaces and need to be configured as regular interfaces would. This includes the IP address and netmask and what types of administrative access are allowed.
4 Configure the appropriate firewalls and policies.

To remove an inter-VDOM routing connection
When you delete the inter-VDOM link, the link objects will also be deleted.
Before deleting the inter-VDOM link, make sure that all policies, firewalls and other configurations that include the link are deleted, removed or changed to no longer include the inter-VDOM link.

The following are the commands to remove an inter-VDOM routing connection called vlink. This will also remove its two link objects vlink0 and vlink1.
    config global
        config system vdom-link
            delete vlink
        end
For more information see the FortiGate CLI Reference.

Advanced inter-VDOM issues
While inter-VDOM links behave almost exactly like a physical interface, there are some situations where they have limitations or slightly different behavior. These areas include:
• Advanced routing over inter-VDOM links
• HA virtual clusters and inter-VDOM links

Advanced routing over inter-VDOM links
As of FortiOS v3.0 MR3, BGP is supported over inter-VDOM links. Before then, multiple VDOMs on one FortiGate unit could not be neighbors. Unless otherwise indicated, routing works as expected over inter-VDOM links.

HA virtual clusters and inter-VDOM links
FortiGate HA is implemented by configuring two or more FortiGate units to operate as an HA cluster. To the network, the HA cluster appears to function as a single FortiGate unit, processing network traffic and providing normal security services such as firewalling, VPN, IPS, virus scanning, web filtering, and spam filtering services.

Virtual clustering extends HA features to provide failover protection and load balancing for a FortiGate operating with virtual domains. A virtual cluster consists of a cluster of two FortiGate units operating with virtual domains. Traffic on different virtual domains can be load balanced between the cluster units.

With virtual clusters (vclusters) configured, inter-VDOM links must be entirely within one vcluster. You cannot create links between vclusters, and you cannot move a VDOM that is linked into another virtual cluster. In HA mode with multiple vclusters, when you create the vdom-link, the CLI command config system vdom-link has an option to set which vcluster the link will be in.

For more information on HA configurations, see the FortiGate HA Guide.

FortiManager and inter-VDOMs
FortiManager helps you manage FortiGate units with features such as monitoring and multiple device configuration. Starting with v3.0 MR1, FortiManager supports inter-VDOM routing.

Configuring inter-VDOMs with FortiManager
Before configuring inter-VDOM routing:
• you must have at least two virtual domains configured on the FortiGate device
• the virtual domains must all be in NAT/route mode
• each virtual domain to be linked must have at least one interface or subinterface assigned to it
• device locks are enabled on your FortiManager unit and the FortiGate device is locked by you

In Device Manager you can access the VDOM information for the selected FortiGate device by selecting the FortiGate device and going to System > Virtual Domain. Inter-VDOM link information can also be viewed on System > Status.

To create an inter-VDOM link
1 On your FortiManager unit, select Device Manager, and then select the VDOM under the FortiGate device. The FortiGate device has a plus or minus beside it indicating that the device has VDOMs configured. Selecting the plus sign expands the VDOM list for that device.
2 Select the blue arrow to expand Configure Inter-VDOM Routing. If there are no VDOMs listed for Inter-VDOM Routing, there is only one virtual domain on this device. You must create at least one more virtual domain before continuing.
3 Select the checkbox next to the VDOM to be linked to the current VDOM (the one selected in step 1).
4 Enter a name for the inter-VDOM link.
   Both virtual interfaces will use this name. For example, if the link is “my_vlink”, the virtual interfaces will be “my_vlink0” and “my_vlink1”.
5. Enter the IP address and netmask for the virtual interface for this link on the current VDOM and on the peer VDOM. For example, if the current VDOM is vdom1, root could be the peer VDOM. Once the inter-VDOM link is created, these IP addresses cannot be changed without deleting the link.
6. Select Traffic Log to log the traffic on this new interface.
7. Select Apply to save your settings.
8. Deploy the new configuration to the FortiGate device. See the FortiManager Administration Guide.

You can repeat these steps to create other inter-VDOM links if you have more than two VDOMs.

To remove an inter-VDOM link, clear the checkbox next to it and select Apply. Both ends of the link will be removed. Any change to the FortiGate device configuration requires deploying the new configuration to the device.

For more information on using FortiManager, see the FortiManager Administration Guide.

Inter-VDOM Configurations

By using fewer physical interfaces to inter-connect VDOMs, inter-VDOM links provide you with more configuration options. The inter-VDOM configurations are:

• Stand alone VDOM configuration
• Independent VDOMs configuration
• Management VDOM configuration
• Meshed VDOM configuration

Stand alone VDOM configuration

The stand alone VDOM configuration uses a single VDOM, the root VDOM that all FortiGate units have by default. This is the VDOM configuration you are likely familiar with.

Figure 47: Stand-alone VDOM

This configuration has no VDOM inter-connections and requires no special configurations or settings.
The stand alone VDOM configuration can be used for simple network configurations that have only one department or one company administering the connections, firewalls and other VDOM dependent settings.

Independent VDOMs configuration

The Independent VDOMs configuration uses multiple VDOMs that are completely separate from each other. This is likely another VDOM configuration you are familiar with.

Figure 48: Independent VDOMs

This configuration has no communication between VDOMs and, apart from initially setting up each VDOM, requires no special configurations or settings. Any communication between VDOMs is treated as if it were communication with a separate physical device.

The independent VDOMs configuration can be used where more than one department or company is sharing the FortiGate unit. Each can administer the connections, firewalls and other VDOM dependent settings of only their own VDOM. To each company or department it appears as if they have their own FortiGate unit.

Management VDOM configuration

In the Management VDOM configuration, the root VDOM is the management VDOM and the other VDOMs are connected to the management VDOM with inter-VDOM links. There are no other inter-VDOM connections.

Figure 49: Management VDOM

Only the management VDOM is connected to the Internet. The other VDOMs are connected to internal networks and possibly to very small secure external networks, such as a VPN dialup connection. All external traffic is routed through the management VDOM using the inter-VDOM links between the VDOMs.
This ensures the management VDOM has full control over access to the Internet, including what types of traffic are allowed in both directions. Security is greatly increased with only one point of entry and exit. Only the management VDOM needs to be professionally managed to ensure network security in this case.

The management VDOM configuration is ideally suited to a service provider business. The service provider is the management VDOM and the other VDOMs are customers. These customers do not require a dedicated IT person to manage their network. The service provider controls the traffic and can prevent the customers from using banned services, and prevent Internet connections from initiating those same banned services. One example of a banned service might be Instant Messaging (IM) at a company concerned about intellectual property. Another example could be to limit the bandwidth used by file sharing applications without banning them completely. Firewall policies control the traffic between a customer VDOM and the management VDOM and can be customized for each customer.

Meshed VDOM configuration

The Meshed VDOMs configuration, including partial and full mesh, has VDOMs inter-connected with other VDOMs. There is no special feature to do this; they are just complex VDOM configurations. Partial mesh means only some VDOMs are inter-connected. In a full mesh configuration, all VDOMs are inter-connected to all other VDOMs. This can be useful when you want to provide full access between VDOMs but handle traffic differently depending on which VDOM it originates from or is going to.

Figure 50: Meshed VDOMs

With full access to all VDOMs being possible, it is important to ensure proper security.
This can be accomplished by establishing extensive, proper firewall policies and ensuring secure account access for administrators and users. Meshed VDOM configurations can become complex very quickly, with full mesh VDOMs being the most complex. Ensure this is the proper solution for your situation before using this configuration.

Inter-VDOM planning

Inter-VDOM routing enables more FortiGate unit configurations than were previously possible. This additional flexibility has benefits, but also has potential difficulties.

Complexity

With more connections possible in inter-VDOM configurations, complexity quickly becomes an issue. VDOMs are not trivial to understand, and with additional settings and issues to consider, things can easily get out of hand. To prevent this, you should carefully plan your move to the inter-VDOM configuration to ensure you are aware of the differences between your new and old setups as well as how these changes affect the interaction between the VDOMs.

Making changes

Once configured, this new complex configuration means that any changes you make to the system have a greater chance of introducing problems into the system. Extra care should be taken to make sure any changes do not negatively affect your existing FortiGate unit configuration.

For example, using the old method to change communication between VDOMs, cable connections had to be physically changed. Compared with inter-VDOM links, where all the changes are internal, there is generally more checking built into the physical process than there is for simple CLI commands. This lowered level of checking may allow unintended changes in VDOM interactions to slip into the configuration undetected.
Avoiding Problems with VLANs

Overview

There are several issues that can cause problems with your VLANs:

• Asymmetric routing
• Layer 2 traffic
• NetBIOS
• STP forwarding
• Too many VLAN interfaces

Asymmetric routing

You might discover, unexpectedly, that hosts on some networks are unable to reach certain other networks. This occurs when request and response packets follow different paths. If the FortiGate unit sees the response packets but not the requests, it blocks them as invalid. Also, if the FortiGate unit sees the same packets repeated on multiple interfaces, it blocks the session as a potential attack. These are instances of asymmetric routing. By default, FortiGate units block packets or drop the session when this happens.

You can configure the FortiGate unit to permit asymmetric routing using the following Command Line Interface (CLI) command:

    config system settings
        set asymroute enable
    end

If this solves your blocked traffic problem, you know that asymmetric routing is the cause. But allowing asymmetric routing is not the best solution because it can reduce the security of your system. It is better to change routing or change how your FortiGate unit connects into your network. The Asymmetric Routing and Other FortiGate Layer-2 Installation Issues technical note provides detailed examples of asymmetric routing situations and possible solutions.

Caution: If you enable asymmetric routing, antivirus and intrusion prevention systems will not be effective. Your FortiGate unit will be unaware of connections and treat each packet individually. It will be a stateless firewall.
Layer 2 traffic

By default, FortiGate units do not pass Layer-2 traffic. If there are Layer-2 protocols such as IPX, PPTP or L2TP in use on your network, you need to configure FortiGate interfaces to pass them. You can do this using the CLI:

    config system interface
        edit <name_str>
            set l2forward enable
    end

where <name_str> is the name of an interface.

Enabling Layer 2 traffic can cause a problem if it is possible for packets to repeatedly loop through the network. This occurs when there is more than one Layer 2 path from a source to a destination. Traffic can be impeded. One method of addressing the loop that is created is to configure Spanning Tree Protocol (STP) on switches and routers on the network. Using STP with FortiGate units is covered in “STP forwarding” on page 144.

ARP traffic

Address Resolution Protocol (ARP) traffic is vital to communication on a network and is enabled on FortiGate interfaces by default. Normally you want ARP packets to pass through the FortiGate unit, especially if it is sitting between a client and a server or between a client and a router.

ARP traffic can cause problems, especially in Transparent mode, where ARP packets arriving on one interface are sent to all other interfaces, including VLAN subinterfaces. Some Layer 2 switches become unstable when they detect the same MAC address originating on more than one switch interface or from more than one VLAN. This instability can occur if the Layer 2 switch does not maintain separate MAC address tables for each VLAN. Unstable switches may reset, causing network traffic to slow down.

Multiple VDOMs solution

One solution is to configure multiple VDOMs on the FortiGate unit, one for each VLAN. This means one inbound and one outbound VLAN interface in each virtual domain. ARP packets are not forwarded between VDOMs. By default, physical interfaces are in the root domain.
Do not configure any of your VLANs in the root domain. As a result of this VDOM configuration, the switches do not receive multiple ARP packets with the same source MAC but different VLAN IDs, and the instability does not occur.

Forward-domain solution

You may run into problems using the multiple VDOMs solution to solve the same MAC address seeming to originate on multiple interfaces. It is possible that you have more VLANs than licensed VDOMs, not enough physical interfaces, or your configuration may work better by grouping some VLANs together. In these situations the separate VDOMs solution may not work for you.

In these situations, the solution is to use the forward-domain <collision_group> CLI command. This command tags VLAN traffic as belonging to a particular forward-domain collision group, and only VLANs tagged as part of that collision group receive that traffic. By default, interfaces and VLANs are part of forward-domain collision group 0. This solution has many benefits, from reduced administration, to using fewer physical interfaces, to allowing more flexible network solutions.

In the following example, forward-domain collision group 340 includes VLAN 340 traffic on Port1 and untagged traffic on Port2. Forward-domain collision group 341 includes VLAN 341 traffic on Port1 and untagged traffic on Port3. All other interfaces are part of forward-domain collision group 0 by default. These are the CLI commands to accomplish this setup.
    config system interface
        edit "port1"
        next
        edit "port2"
            set forward_domain 340
        next
        edit "port3"
            set forward_domain 341
        next
        edit "port1-340"
            set forward_domain 340
            set interface "port1"
            set vlanid 340
        next
        edit "port1-341"
            set forward_domain 341
            set interface "port1"
            set vlanid 341
        next
    end

There is a more detailed discussion of this issue in the Asymmetric Routing and Other FortiGate Layer-2 Installation Issues technical note.

NetBIOS

Networked computers running Microsoft Windows operating systems rely on a WINS server to resolve host names to IP addresses. The hosts communicate with the WINS server using the NetBIOS protocol. To support this type of network you need to enable the forwarding of NetBIOS requests to a WINS server. Enter the following CLI commands:

    config system interface
        edit <interface>
            set netbios_forward enable
            set wins-ip <wins_server_ip>
    end

where <interface> is the name of the interface and <wins_server_ip> is the IP address of the WINS server. These commands apply only in NAT/Route mode.

STP forwarding

The FortiGate unit does not participate in the Spanning Tree Protocol (STP). STP is an IEEE 802.1 protocol to ensure there are no Layer-2 loops on the network. Loops happen when there is more than one route for traffic to take and that traffic is broadcast back to the original switch, creating a loop that floods the network with never-ending traffic.

If you use the FortiGate unit in a network topology that relies on STP for network loop protection, you need to make changes to the FortiGate configuration. Otherwise, STP sees the FortiGate unit as a blocked link and forwards the data to another path. By default, the FortiGate unit blocks STP as well as other non-IP protocol traffic.
Using the CLI, you can enable forwarding of STP and other Layer 2 protocols through the interface:

    config system interface
        edit <name_str>
            set l2forward enable
            set stpforward enable
    end

where <name_str> is the name of the interface. This configuration will also allow Layer-2 protocols such as IPX, PPTP or L2TP to be used on the network. For more information see “Layer 2 traffic” on page 142.

Too many VLAN interfaces

Any virtual domain can have a maximum of 255 interfaces in NAT/Route or Transparent (TP) mode. This includes VLANs, other virtual interfaces, and physical interfaces. Your FortiGate unit may allow you to configure more interfaces than this; however, if you configure more than 255 interfaces your system will become unstable and not work properly over time. These problems are due to routing limitations. When you try to add additional interfaces you will see an error message stating the maximum limit has already been reached.

If you see the maximum limit has been reached error message, chances are you already have too many VLANs on your system and your routing has become unstable. To verify this, delete a VLAN and try to add it back. If you have too many, you will not be able to add it back on to the system. In this case you will need to remove enough interfaces (including VLANs) so the total number of interfaces is 255 or less. After doing this you should also reboot your FortiGate unit to clean up its memory and buffers.

To configure more than 255 interfaces on your FortiGate unit, you will have to configure multiple VDOMs and many interfaces within each VDOM. However, if you want to configure more than 2550 interfaces you will need to purchase additional VDOM licenses if your FortiGate model supports them.
With these extra licenses, you will be able to configure up to 250 VDOMs each with up to 255 VLANs, for a theoretical maximum of over 63 000 interfaces. However, in such a configuration you would quickly run into a lack of system resources before reaching that number.
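The checks in this chapter can be run over a saved configuration instead of by hand. The following Python script is an added example, not part of this guide or of Fortinet's software: it parses the config/edit/set/next/end shape used in the CLI snippets above and reports the forward-domain collision groups, the number of interfaces per VDOM against the 255 limit, and whether asymroute is enabled. The sample configuration inside it is constructed from the forward-domain example above; the `set vdom` key used to place an interface in a VDOM is assumed, not taken from this page.

```python
# Added example (not Fortinet code): audit a FortiGate CLI dump for pitfalls from
# this chapter. Only the config/edit/set/next/end shape of the guide's own
# snippets is parsed; the sample configuration below is constructed.
from collections import defaultdict

MAX_INTERFACES_PER_VDOM = 255  # limit stated under "Too many VLAN interfaces"
QUOTES = '"\'\u201c\u201d'    # straight and curly quotes seen in CLI dumps

# The guide's forward-domain example plus 'asymroute enable' and one VLAN in vdom1.
SAMPLE_CONFIG = """
config system settings
    set asymroute enable
end
config system interface
    edit "port1"
    next
    edit "port2"
        set forward_domain 340
    next
    edit "port3"
        set forward_domain 341
    next
    edit "port1-340"
        set forward_domain 340
        set interface "port1"
        set vlanid 340
    next
    edit "port1-341"
        set vdom "vdom1"
        set forward_domain 341
        set interface "port1"
        set vlanid 341
    next
end
"""

def parse_config(text):
    """Return {table: {entry: {key: value}}}; 'set' lines outside any 'edit'
    (as in 'config system settings') are stored under the empty entry name."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word == "config":        # nesting (e.g. 'config global') is not tracked
            tables.setdefault(table := rest.strip(), {})
        elif word == "edit":
            tables[table].setdefault(entry := rest.strip().strip(QUOTES), {})
        elif word == "set":
            key, _, value = rest.partition(" ")
            tables[table].setdefault(entry or "", {})[key] = value.strip().strip(QUOTES)
        elif word in ("next", "end"):
            entry = None
    return tables

def _ifaces(tables):
    return [(n, a) for n, a in tables.get("system interface", {}).items() if n]

def forward_domains(tables):
    """Ports and VLANs grouped by forward-domain collision group (default 0)."""
    groups = defaultdict(list)
    for name, attrs in _ifaces(tables):
        groups[int(attrs.get("forward_domain", 0))].append(name)
    return {g: sorted(names) for g, names in groups.items()}

def interfaces_per_vdom(tables):
    """Physical, VLAN and other interfaces counted per VDOM (default root)."""
    counts = defaultdict(int)
    for _, attrs in _ifaces(tables):
        counts[attrs.get("vdom", "root")] += 1
    return dict(counts)

def asymroute_enabled(tables):
    """'set asymroute enable' leaves a stateless firewall with AV/IPS ineffective."""
    return tables.get("system settings", {}).get("", {}).get("asymroute") == "enable"

def audit(text):
    tables = parse_config(text)
    per_vdom = interfaces_per_vdom(tables)
    return {"forward_domains": forward_domains(tables), "interfaces_per_vdom": per_vdom,
            "over_limit": sorted(v for v, n in per_vdom.items() if n > MAX_INTERFACES_PER_VDOM),
            "asymroute_enabled": asymroute_enabled(tables)}
```

On the sample, audit() reports group 0 holding only port1, groups 340 and 341 holding the port and VLAN pairs from the example, four interfaces in root and one in vdom1, no VDOM over the limit, and asymroute enabled.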