Scribd Logo
Upload

Welcome to Scribd!

  • 81 views

    Hosting More Than One Fortios Instance On A Single Fortigate Unit Using Vdoms and Vlans

    Uploaded by

    Ratheesh Ravindran
    This document describes configuring a FortiGate unit to host multiple virtual domains (VDOMs) to provide network services for two companies, Company A and Company B, and an ISP. It involves: 1. Creating three VDOMs - VDOM-A and VDOM-B for Company A and B respectively, each with their own interfaces and policies, and VDOM-C operating in transparent mode for the ISP. 2. Configuring VDOM-A to use VLANs to separate Company A's internal networks and set up DHCP servers for each. 3. Configuring VDOM-B to implement DHCP with reserved IP addresses, a local DNS server, traffic shaping for sensitive traffic,

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Hosting More Than One Fortios Instance On A Single Fortigate Unit Using Vdoms and Vlans

    Uploaded by

    Ratheesh Ravindran
    81 views35 pages
    This document describes configuring a FortiGate unit to host multiple virtual domains (VDOMs) to provide network services for two companies, Company A and Company B, and an ISP. It involves: 1. Creating three VDOMs - VDOM-A and VDOM-B for Company A and B respectively, each with their own interfaces and policies, and VDOM-C operating in transparent mode for the ISP. 2. Configuring VDOM-A to use VLANs to separate Company A's internal networks and set up DHCP servers for each. 3. Configuring VDOM-B to implement DHCP with reserved IP addresses, a local DNS server, traffic shaping for sensitive traffic,

    Original Description:

    Detial about Vdom and vlans

    Original Title

    VDOMs_VLANs

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document describes configuring a FortiGate unit to host multiple virtual domains (VDOMs) to provide network services for two companies, Company A and Company B, and an ISP. It involves: 1. Creating three VDOMs - VDOM-A and VDOM-B for Company A and B respectively, each with their own interfaces and policies, and VDOM-C operating in transparent mode for the ISP. 2. Configuring VDOM-A to use VLANs to separate Company A's internal networks and set up DHCP servers for each. 3. Configuring VDOM-B to implement DHCP with reserved IP addresses, a local DNS server, traffic shaping for sensitive traffic,

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    81 views35 pages

    Hosting More Than One Fortios Instance On A Single Fortigate Unit Using Vdoms and Vlans

    Uploaded by

    Ratheesh Ravindran
    This document describes configuring a FortiGate unit to host multiple virtual domains (VDOMs) to provide network services for two companies, Company A and Company B, and an ISP. It involves: 1. Creating three VDOMs - VDOM-A and VDOM-B for Company A and B respectively, each with their own interfaces and policies, and VDOM-C operating in transparent mode for the ISP. 2. Configuring VDOM-A to use VLANs to separate Company A's internal networks and set up DHCP servers for each. 3. Configuring VDOM-B to implement DHCP with reserved IP addresses, a local DNS server, traffic shaping for sensitive traffic,

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    You are on page 1of 35

    HostingmorethanoneFortiOSinstanceon

    asingleFortiGateunitusingVDOMsand
    VLANs
    1. Network topology

    UseVirtualdomains(VDOMs)todividetheFortiGateunitintotwoormorevirtualinstancesofFortiOS
    thatfunctionsimilartoindependentFortiGateunits.EachVDOMhasitsownphysicalinterfaces,routing
    configuration,andsecuritypolicies.

    ThisexamplesimulatesanISPthatprovidesCompanyAandCompanyBwithInternetservicesandoffer
    tothemdailynetworkmanagementandsecurityviaTLS(TransparentLANService)connections.Alsothe
    ISPneedstoprotectitsserverssettopublicrouteableIPaddresses.
    EachcompanywouldhaveitsownInternetIPaddressandinternalnetwork.Thisconfigurationrequires:

    TwoVDOMs:VDOMAandVDOMBoperatinginNAT/Routemode,VDOMAforcompanyAand
    VDOMBforcompanyB
    OneVDOMCoperatingintransparentmodefortheISP

    Thisscenariowillcoverthefollowingfeatures:

    VDOMA:
    o SettingupVLANStoseparateinternalnetworks
    o ConfigureDHCPserveronVLANinterface

    VDOMB:
    o ConfigurelocalDNSserverresolvinginternalwebsitesandservers
    o UseDHCPtoassignsomeIPsaccordingtodeviceMACaddresses
    o Configuretrafficshapingforsensitivetraffic
    o Configureexplicitwebproxyandwebcachingonsomenetwork

    VDOMC:
    o AllowingsecureaccesstoawebserverssettopublicIPaddress
    o ProtectingthiswebserverusingUTMsecurityprofiles

    2. Creating VDOMA, VDOMB and VDOMC

    GotoSystem>Dashboard>StatusandenableVirtualDomain


    GotoGlobal>VDOM>VDOMandaddVDOMA,VDOMB,VDOMCandamanagementIPforVDOMC
    sinceitstransparent

    Bydefault,rootisthemanagementVDOManditshouldhaveaninterfaceconnectedtotheinternetfor
    managementtrafficsuchasFortiGuardservices,NTP,SNMP,etc.themanagementVDOMcanbemoved
    toVDOMAorVDOMBorVDOMC.

    TheadminaccounthasfullcontrolofallVDOMsintheFortiGateunit.Adminaccountcanaccessthe
    FortiGateonanyinterfaceofanyVDOMasfarastheinterfacehasanIPaddressandallowinghttps
    access.

    GotoGlobal>Network>Interfaceandaddport1andport2toVDOMA

    GotoRouter>Static>StaticRoutetoaddadefaultrouteforVDOMA

    GotoGlobal>Network>Interfaceandaddport3andport4toVDOMB,andaddDHCPservertoport4

    GotoRouter>Static>StaticRoutetoaddadefaultrouteforVDOMB

    GotoGlobal>Network>Interfaceandaddport5andport6toVDOMC

    GotoSystem>Network>RoutingTabletoaddadefaultrouteforVDOMC

    GotoGlobal>Admin>AdministratorstocreateadministratorsforeachVDOM.Theadministrators
    shouldonlyhaveaccesstotheirown

    3. Configuring VDOMA using VLANs

    LogontotheFortiGateunitVDOMAonport1orport2interfaceusingaadminaccount,thiswillletyou
    manageonlyVDOMA

    CompanyAseparatestheirthreeinternalnetworks(engineering,salesandmarketing)usingVLANs
    ThissolutionusesVLANstoconnectthreenetworkstoVDOMAinternalinterfaceinthefollowingway:

    PacketsfromeachnetworkpassthroughaVLANswitchbeforereachingtheVDOMA.TheVLAN
    switchaddsdifferentVLANtagstopacketsfromeachnetwork.
    TohandleVLANsonVDOMA,addVLANinterfacestotheinternalinterfaceforeachnetwork
    AddaDHCPservertoeachVLANinterface.
    CreatesecuritypoliciestoalloweachnetworktoaccesstheInternet.

    ThissolutionassumesyouhaveconfiguredaVLANswitchtotagpacketsfromthethreenetworks

    GotoSystem>Network>Interfacetocreatethreenewvlaninterfacesforengineering,marketingand
    salesnetworks

    GotoPolicy>Policy>Policytoaddfirewallpoliciesthatallowsusersontheengineering,marketingand
    salesnetworkstoaccesstheinternetseparately

    4. Showing results

    FromengineeringnetworksetallhostsIPsinthesamesubnetastheEngineeringnetvlan
    (192.168.10.x/24)withthegateway192.168.10.1orsethoststouseDHCP

    FrommarketingnetworksetallhostsIPsinthesamesubnetastheMarketingnetvlan
    (192.168.20.x/24)withthegateway192.168.20.1orsethoststouseDHCP
    AndfromsalesnetworksetallhostsIPsinthesamesubnetastheSalesnetvlan(192.168.30.x/24)
    withthegateway192.168.30.1orsethoststouseDHCP

    ThenusersfromanyofthenetworksshouldbeabletoconnecttotheInternet

    Policy>Policy>Policytoseetrafficcountforeachfirewallpolicy

    GotoPolicy>Monitor>PolicyMonitortoseetheactivesessions


    ClickoneachbluebarfordetailsforsourceIPandpolicyId

    GotoLog&Report>TrafficLog>ForwardTraffic

    Selectanentryformoredetails

    5. Configuring VDOMB

    LogontotheFortiGateunitVDOMBonport3orport4interfaceusingbadminaccount,thiswillletyou
    manageonlyVDOMB

    CompanyBrequiresreservedIPaccordingtodeviceMACaddressusingDHCP,localDNSserver,
    guaranteedbandwidthforsensitivetrafficandfasterwebbrowsing.Consequentlythefollowing
    featureswillbecovered:

    DHCPservertoassignsomeIPaddressesaccordingtodeviceMACaddresses
    LocalDNSserverlistingforinternalwebsitesandservers
    Trafficshapingtomakesurehighpriorityservicesalwayshaveenoughbandwidth
    Explicitwebproxyandwebcachingusersonsomenetworks

    6. Configure DHCP to assign some IP addresses according to device


    MAC addresses

    GotoSystem>Network>DHCPServerandaddnewfortheinternalinterface(port4)

    MakesuretospecifytheDNSServertotheinternalIPoftheFortiGateVDOMB(10.10.1.99).Thiswillbe
    usefultoresolveinternalDNSrequests

    ExtendMACAddressAccessControlListandcreateanewthenentertheMACaddressofthedevice
    anditsdesiredreservedIPaddress.YoucanalsouseAddfromDHCPClientList

    7. Creating a local DNS server listing for internal web sites and
    servers

    GotoSystem>Network>DNSServerandcreatenewunderDNSServiceonInterface.Makesureto
    setModetoRecursive

    ThencreatenewunderDNSDatabaseandaddDNSZoneandDomainName

    ThencreatenewunderDNSEntriesandaddhostnames

    TheDNSzonewillbelookinglikefollowing:

    Fromanyhostontheinternalnetwork,setyournetworkconnectionstousetheinternalinterfaceof
    FortiGateVDOMBIPaddress(10.10.1.99)asaprimaryDNSserver,thenyouwillbeabletosurftothe
    webserverusingitsIPaddress(10.10.1.101)anditsdomainname(fortidocs.comor
    www.fortidocs.com)

    8. Configuring guaranteed bandwidth for sensitive traffic using traffic


    shaping

    Sensitivetraffic,suchasVoIP,flowingthroughtheFortigateVDOMBneedstohaveenoughguaranteed
    bandwidthtoassurethevoicequality.

    ThisscenarioinvolvestrafficshapingforVoIP/SIPtraffic.ToseehowtoconfigureSIPontheFortiGate
    unit,refertoAllowinginboundandoutboundVoIP/SIPtrafficthroughtheFortiGaterecipe.

    Usingtrafficshaping,youcanconfiguresharedshapersthatensureaconsistentamountofreserved
    bandwidthforVoIP/SIPcommunicationsandstillmaintainbandwidthforotherInternettrafficsuchas
    emailandwebbrowsing.Dependsthetotalavailablebandwidthyouhaveyoucandedicatea
    guaranteedandamaximumbandwidthforeachfirewallpolicy(youcanverifyyourtotalbandwidth
    usinghttp://speedtest.net/).Forthissolution,totalavailablebandwidthis70000Kbits/s,10000kbits/s
    isguaranteedtobeavailableforVoIPandVoIPtrafficisgivenhigherprioritythanothertraffic.Other
    trafficislimitedtoamaximumbandwidthof600000kbits/s.
    InthisconfigurationtheinternalIPphonesandinternalnetworkareconnectedtotheFortiGateVDOM
    Binternalinterface(port4).

    GotoFirewallObjects>TrafficShaper>SharedandVoIPandDaily_TrafficShapers

    GotoPolicy>Policy>PolicyandapplytheVoIPtrafficshapertothefirewallpolicycontrollingVoIP/SIP
    traffic


    ThenapplytheDaily_Trafficshapertothefirewallpolicycontrollingothertraffic


    GotoFirewallObjects>Monitor>TrafficShaperMonitor


    GotoLog&Report>TrafficLog>ForwardTraffictoseethatVoIPandDaily_Trafficshaperswere
    appliedsuccessfully

    Selectanentryforeachshapertoseedetails

    9. Adding the explicit web proxy and web caching on the internal
    network

    Forfasterwebbrowsing,internaluserswillconnecttoanexplicitwebproxyusingport8080insteadof
    surfingdirectlytotheInternetusingport80

    GotoSystem>Network>ExplicitProxyandenablehttp/httpsexplicitwebproxy

    MakesuretosettheDefaultFirewallPolicyActionheretoDeny,becausewewillcreateapolicyfor
    webproxytrafficwithwebcacheenabledonit.

    GotoSystem>Network>Interfaceandenablewebproxyonport4

    GotoPolicy>Policy>Policytocreatenewoneforwebproxytrafficandenablewebcache

    Configurewebbrowsersontheprivatenetworktoconnecttothenetworkusingaproxyserver.TheIP
    addressoftheHTTPproxyserveris10.10.1.99(theIPaddressoftheFortiGateinternalinterface)and
    theportis8080(thedefaultexplicitwebproxyport).

    WebbrowsersconfiguredtousetheproxyserverareabletoconnecttotheInternet.

    Gotopolicy>Policy>PolicytoseetheIDofthepolicyallowingwebproxytraffic(hereitsID3)

    Webproxytrafficisnotcountedbyfirewallpolicy!

    GotoLog&Report>TrafficLog>ForwardTrafficandfilterbypolicyID3

    Selectanentryfordetails

    10.

    Configuring VDOMC

    ThisVDOMCintransparentmodewillbesettoprotecttheISPsserverssettopublicIPsusingUTM
    Profiles

    LogontotheFortiGateunitVDOMConport5interface(managementIP172.20.120.23)usingcadmin
    account,thiswillletyoumanageonlyVDOMC

    GotoFirewallObjects>Address>AddresstosetwebserverIP

    GotoPolicy>Policy>PolicytocreateoneforoutboundtrafficandapplyUTMsecurityprofilesthen
    anotheroneforinboundtrafficwithsecurityUTMprofilesaswell


    Youcanusethedefaultprofilesandcustomizethemifyouwantto.

    YoucannowconnecttoyourwebserversecurelyfromtheinternetusingitspublicIPaddress
    (eventuallyusingthesameFQDN)althoughthewebserverisbehindaFortiGateunit.Alsotheweb
    serverisabletoconnecttotheinternetforupdatesandothers.

    GotoLog&Report>TrafficLog>ForwardTraffictoseeinandoutboundtraffic


    Selectanentryforoutboundandanotherentryforinboundtrafficfordetails

    GotoUTMSecurityProfiles>MonitortoseeallUTMstatus

    HereisanexampleofApplicationmonitorfromthatwebserverwithIPaddress172.20.120.226

    You might also like