www.fortinet.com
FortiGate VLANs and VDOMs User Guide
Version 3.0
18 July 2006
01-30002-0091-20060718
Copyright 2006 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-
Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS,
FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are
trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies
and products mentioned herein may be the trademarks of their respective owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS
Caution: If you install a battery that is not the correct type, it could explode. Dispose of used batteries according to local regulations.
Contents
Introduction 9
  About FortiGate VLANs and VDOMs 9
  About this document 9
    Document conventions 9
      Typographic conventions 10
    FortiGate documentation 10
    Related documentation 11
      FortiManager documentation 11
      FortiClient documentation 11
      FortiMail documentation 12
      FortiAnalyzer documentation 12
      Fortinet Knowledge Center 12
      Comments on Fortinet technical documentation 12
    Customer service and technical support 12
Index 135
Introduction
This chapter introduces you to FortiGate VLANs and VDOMs and the following
topics:
About FortiGate VLANs and VDOMs
About this document
FortiGate documentation
Related documentation
Customer service and technical support
Document conventions
The following document conventions are used in this guide:
In the examples, private IP addresses are used for both private and public IP
addresses.
Notes and Cautions are used to provide important information:
Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.
Typographic conventions
FortiGate documentation uses the following typographical conventions:
Convention and example:
Keyboard input: In the Gateway Name field, type a name for the remote VPN peer or client (for example, Central_Office_1).
Code examples:
    config sys global
        set ips-open enable
    end
CLI command syntax:
    config firewall policy
        edit id_integer
            set http_retry_count <retry_integer>
            set natip <address_ipv4mask>
        end
Document names: FortiGate Administration Guide
File content:
    <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
    <BODY><H4>You must authenticate to use this service.</H4>
Menu commands: Go to VPN > IPSEC > Phase 1 and select Create New.
Program output: Welcome!
Variables: <address_ipv4>
FortiGate documentation
Information about FortiGate products is available from the following guides:
FortiGate QuickStart Guide
Provides basic information about connecting and installing a FortiGate unit.
FortiGate Installation Guide
Describes how to install a FortiGate unit. Includes a hardware reference,
default configuration information, installation procedures, connection
procedures, and basic configuration procedures. Choose the guide for your
product model number.
FortiGate Administration Guide
Provides basic information about how to configure a FortiGate unit, including
how to define FortiGate protection profiles and firewall policies; how to apply
intrusion prevention, antivirus protection, web content filtering, and spam
filtering; and how to configure a VPN.
FortiGate online help
Provides a context-sensitive and searchable version of the Administration
Guide in HTML format. You can access online help from the web-based
manager as you work.
Related documentation
Additional information about Fortinet products is available from the following
related documentation.
FortiManager documentation
FortiManager QuickStart Guide
Explains how to install the FortiManager Console, set up the FortiManager
Server, and configure basic settings.
FortiManager System Administration Guide
Describes how to use the FortiManager System to manage FortiGate devices.
FortiManager System online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the FortiManager Console as you work.
FortiClient documentation
FortiClient Host Security User Guide
Describes how to use FortiClient Host Security software to set up a VPN
connection from your computer to remote networks, scan your computer for
viruses, and restrict access to your computer and applications by setting up
firewall policies.
FortiMail documentation
FortiMail Administration Guide
Describes how to install, configure, and manage a FortiMail unit in gateway
mode and server mode, including how to configure the unit; create profiles and
policies; configure antispam and antivirus filters; create user accounts; and set
up logging and reporting.
FortiMail online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.
FortiMail Web Mail Online Help
Describes how to use the FortiMail web-based email client, including how to
send and receive email; how to add, import, and export addresses; and how to
configure message display preferences.
FortiAnalyzer documentation
FortiLog Administration Guide
Describes how to install and configure a FortiLog unit to collect FortiGate and
FortiMail log files. It also describes how to view FortiGate and FortiMail log
files, generate and view log reports, and use the FortiLog unit as a NAS server.
FortiLog online help
Provides a searchable version of the Administration Guide in HTML format.
You can access online help from the web-based manager as you work.
Customer service and technical support
For information about our priority support hotline (live support), see
http://support.fortinet.com.
When requesting technical support, please provide the following information:
your name
your company's name and location
your email address
your telephone number
your support contract number (if applicable)
the product name and model number
the product serial number (if applicable)
the software or firmware version number
a detailed description of the problem
Virtual LANs (VLANs) use ID tags to logically separate devices on a LAN into
smaller broadcast domains. Each VLAN is its own broadcast domain. Smaller
broadcast domains reduce traffic and increase network security: a host only sees
frames belonging to its own VLAN, and traffic between VLANs must pass through a
layer-3 device, which is where firewall policies can be applied. The IEEE 802.1Q
standard defines VLANs. Layer 2 and layer 3 devices must be 802.1Q-compliant
to support VLANs. For more information see VLAN layer-2 switching on page 16
and VLAN layer-3 routing on page 18.
VLANs reduce the size of broadcast domains by forwarding frames only to ports
that are members of that VLAN, or to trunk links. Trunk links form switch-to-switch
or switch-to-router connections and carry the traffic of all VLANs. This allows a
VLAN to include devices that are on the same network but physically distant.
A good example of when to use VLANs is an accounting department within a
company. The accounting computers can be located in different buildings (main
and branch offices). However, accounting computers need to communicate with
each other frequently and require increased security. VLANs send the accounting
data only to accounting computers and connect accounting computers in different
locations as if they were on the same physical subnet.
The VLAN ID tags used to define VLANs are a 4-byte frame extension (the 802.1Q
tag, which carries a 12-bit VLAN ID field) that switches and routers add to every
frame sent and received by the devices in the VLAN. Workstations and desktop
computers are not an active part of the VLAN process: all VLAN tagging and tag
removal is done after the frame has left the computer. For more information see
Rules for VLAN IDs on page 19.
VLAN layer-2 switching
[Figure: layer-2 VLAN switching example with switches A and B joined by an 802.1Q trunk.]
Let's follow a data frame sent from a computer on subnet 1 that is part of VLAN
100.
A computer on port 1 of switch A sends a data frame over the network. Switch A
tags the data frame with a VLAN 100 ID tag upon arrival because port 1 is part of
VLAN 100. Switch A forwards the tagged data frame to the other VLAN 100 ports
- ports 2 through 4. Switch A also forwards the data frame to the 802.1Q trunk link
(port 8) so other parts of the network that may contain VLAN 100 groups will
receive VLAN 100 traffic.
This data frame is not forwarded to the other ports on switch A because they are
not part of VLAN 100. This increases security and decreases network traffic.
Switch B receives the data frame over the trunk link (port 8). There are VLAN 100
ports on switch B (ports 4 and 5) and the data frame is forwarded to those ports.
As with switch A, the data frame is not delivered to the VLAN 200 ports on switch B.
If there were no VLAN 100 ports on switch B, the switch would not forward the
data frame and it would stop there.
[Figure: the frame enters switch A untagged, crosses the trunk carrying the VLAN ID tag, and is delivered untagged on the destination switch.]
Before a switch forwards the data frame to an end destination, it removes the
VLAN 100 ID tag. The sending computer and the receiving computers are not
aware of any VLAN tagging on the data frame. When any computer receives that
data frame, it appears as a normal data frame.
VLAN layer-3 routing
This example explains how traffic originating on VLAN 100 arrives at a destination
on VLAN 300. Layer-2 switches alone cannot accomplish this, but a layer-3 router
can. Let's follow a data frame going from VLAN 100 at the Branch Office to
VLAN 300 at the Main Office.
As in the layer-2 example, the VLAN 100 computer sends the data frame to switch
A and a VLAN 100 tag is added. Switch A forwards the tagged data frame to the
FortiGate unit over the 802.1Q trunk link. The FortiGate unit removes the VLAN
100 tag and uses the content of the data frame (its source and destination
addresses and its service) to select the matching firewall policy.
In this case, the FortiGate unit's firewall policy allows the data frame to go to
VLAN 300. It goes to all VLAN 300 interfaces, but in the example there is only one:
port 1 on the FortiGate unit. Before the data frame leaves the FortiGate unit, the
VLAN subinterface adds a VLAN ID 300 tag.
The FortiGate unit then forwards the data frame to switch B. Switch B removes
the VLAN ID 300 tag because this is the last hop and forwards the data frame to
the computer on port 5.
In this example a data frame arrives at the FortiGate unit tagged as VLAN 100 and,
after checking its content against the firewall policies, the FortiGate unit retags
the data frame for VLAN 300. It is this change from VLAN 100 to VLAN 300 that
requires a layer-3 routing device, in this case the FortiGate unit. Layer-2 switches
cannot perform this change. If no firewall policy allows the traffic, the FortiGate
unit drops the frame and it never reaches VLAN 300.
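The following Python program is an added worked example; it is not part of this guide and not FortiOS code. It builds and parses the 4-byte 802.1Q tag, models switch A and switch B as described above (switch A with VLAN 100 on ports 1 to 4 and a trunk on port 8, switch B with VLAN 100 on ports 4 and 5 and a trunk on port 8), and models the FortiGate layer-3 step as strip tag, match policy, retag. The VLAN 200 and VLAN 300 port assignments, the policy table and the sample frame are assumptions made for the example.

```python
"""802.1Q tag handling and the two-switch walk-through from the text.

Added example, not part of the FortiGate guide. Switch A has VLAN 100 on
ports 1-4 and its trunk on port 8; switch B has VLAN 100 on ports 4 and 5
and its trunk on port 8, as described above. The VLAN 200 and VLAN 300 port
assignments, the policy table and the sample frame are constructed.
"""
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100  # EtherType value that announces a 4-byte 802.1Q tag


def parse_frame(frame: bytes) -> dict:
    """Split a frame into dst, src, VLAN ID (None if untagged), EtherType, payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        vid = tci & 0x0FFF  # the low 12 bits of the TCI carry the VLAN ID
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": frame[:6], "src": frame[6:12], "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the tag after the MAC addresses, as an access port does on ingress."""
    if not 1 <= vid <= 4094:  # VIDs 0 and 4095 are reserved by 802.1Q
        raise ValueError("VLAN ID must be in 1..4094")
    if parse_frame(frame)["vid"] is not None:
        raise ValueError("frame is already tagged")
    tci = ((pcp & 0x7) << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as a switch does before delivering to an access port."""
    return frame if parse_frame(frame)["vid"] is None else frame[:12] + frame[16:]


class Switch:
    """VLAN-aware switch without MAC learning: frames are flooded within their VLAN."""

    def __init__(self, access: Dict[int, int], trunks):
        self.access = access       # port -> VLAN ID of that access port
        self.trunks = set(trunks)  # ports that carry tagged frames for every VLAN

    def forward(self, in_port: int, frame: bytes) -> Dict[int, bytes]:
        """Return {egress port: frame as transmitted} for a frame arriving on in_port."""
        info = parse_frame(frame)
        if in_port in self.access:
            if info["vid"] is not None:
                return {}  # a tagged frame on an access port is dropped
            vid = self.access[in_port]
            tagged = add_tag(frame, vid)
        elif in_port in self.trunks:
            if info["vid"] is None:
                return {}  # untagged frames on the trunk are ignored (no native VLAN here)
            vid, tagged = info["vid"], frame
        else:
            raise ValueError(f"unknown port {in_port}")
        out = {}
        for port, pvid in self.access.items():
            if port != in_port and pvid == vid:
                out[port] = strip_tag(tagged)  # members of the VLAN get an untagged copy
        for port in self.trunks:
            if port != in_port:
                out[port] = tagged  # trunk links carry the tag onward
        return out


def fortigate_route(frame: bytes, policy: Dict[int, int]) -> Optional[bytes]:
    """Layer-3 step: strip the ingress tag, apply the (source VID -> destination VID) policy, retag."""
    dst_vid = policy.get(parse_frame(frame)["vid"])
    if dst_vid is None:
        return None  # no matching firewall policy: the frame does not leave the unit
    return add_tag(strip_tag(frame), dst_vid)


def walkthrough() -> dict:
    """Replay the layer-2 and layer-3 examples and report where each frame is delivered."""
    switch_a = Switch({1: 100, 2: 100, 3: 100, 4: 100, 5: 200, 6: 200, 7: 200}, trunks={8})
    switch_b = Switch({1: 200, 2: 200, 3: 200, 4: 100, 5: 100, 6: 300, 7: 300}, trunks={8})
    # constructed sample frame: broadcast from the host on switch A port 1, IPv4 EtherType
    frame = b"\xff" * 6 + bytes.fromhex("0200000000a1") + b"\x08\x00" + b"payload"
    a_out = switch_a.forward(1, frame)              # tagged on ingress, sent to VLAN 100 ports and the trunk
    b_out = switch_b.forward(8, a_out[8])           # switch B delivers only to its VLAN 100 ports
    routed = fortigate_route(a_out[8], {100: 300})  # the FortiGate policy allows VLAN 100 -> VLAN 300
    return {
        "a_ports": sorted(a_out), "b_ports": sorted(b_out),
        "trunk_vid": parse_frame(a_out[8])["vid"],
        "delivered_untagged": parse_frame(b_out[5])["vid"] is None,
        "routed_vid": parse_frame(routed)["vid"],
        "vlan300_ports": sorted(switch_b.forward(8, routed)),
        "dropped_without_policy": fortigate_route(a_out[8], {}) is None,
    }
```

Calling walkthrough() reproduces both examples: the frame leaves switch A tagged only on the trunk, switch B delivers it untagged only to its VLAN 100 ports, and the layer-3 step retags it for VLAN 300. With an empty policy table the frame is dropped, which is the decision a layer-2 switch cannot make and a missing firewall policy enforces.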
One application of this capability is to use a single FortiGate unit to provide routing
and network protection for several organizations. Each organization has its own
network interfaces (physical or virtual), routing requirements and network
protection rules. By default, communication between organizations is possible
only if both allow access to an external network such as the internet. The chapter,
Using VDOMs in NAT/Route mode on page 53 provides two examples of this
application.
When a packet enters a virtual domain, it is confined to that virtual domain. In a
given domain, you can only create firewall policies for connections between VLAN
subinterfaces or zones in the virtual domain. The packet never crosses virtual
domain borders.
Inter-VDOM routing
FortiOS v3.0 MR1 introduced a new feature called inter-VDOM routing. When
configured, this feature allows traffic to pass between VDOMs without having to
leave the FortiGate unit on a physical interface and return on a different physical
interface. This feature also allows you to determine the level of inter-VDOM
routing varying from having only 2 VDOMs with limited interaction to having all
VDOMs fully inter-connected. All traffic between VDOMs must pass through
firewall policies as it does with all external interface connections.
The command to configure this feature, called vdom-link, is only available in the
CLI. Inter-VDOM routing is not available from the web-manager GUI. This topic is
dealt with in Inter-VDOM routing on page 125 and the VDOM-admin chapter in
the FortiOS CLI Reference.
Management VDOM
All management traffic leaves the FortiGate unit through the management VDOM.
This includes all external logging, remote management and other Fortinet
services. By default the management VDOM is the root VDOM. You can change
this to another VDOM so management traffic will originate from the new VDOM.
For more information see Changing the management VDOM on page 56.
You can use the admin administration account to create regular administrator
accounts and assign them to VDOMs. Each regular administrator account can
only configure its own VDOM. Global properties affect all VDOMs. Access to
global properties is available only through the admin administration account.
Access profiles configure read-only or read/write access for all administrators.
An access profile grants an administrator access to individual parts of the
configuration (for example IM settings, statistics, and user lists and policies)
rather than to everything in the VDOM.
This makes it possible for you to have administrators for different services on
each VDOM. For example you can have one administrator responsible for logs
and reporting on a VDOM, while another administrator is responsible for security
policies on that same VDOM. For more information on access profiles, see the
FortiOS Administration Guide.
When you are configuring VDOMs using the admin administration account, the
web-based manager shows which VDOM you are editing in the center of the
status line at the bottom of the page. If you are configuring global properties, there
is no virtual domain indicator.
Overview
In NAT/Route mode the FortiGate unit functions as a layer-3 device. In this mode,
it controls the flow of packets between VLANs and can also remove VLAN tags
from incoming VLAN packets. The FortiGate unit can also forward untagged
packets to other networks, such as the Internet.
In NAT/Route mode, the FortiGate unit supports VLAN trunk links with IEEE
802.1Q-compliant switches (or routers). The trunk link transports VLAN tagged
packets between physical subnets or networks. When you add VLAN sub-
interfaces to the FortiGate physical interfaces, the VLANs have IDs that match the
VLAN IDs of packets on the trunk link. The FortiGate unit directs packets with
VLAN IDs to sub-interfaces with matching IDs.
Normally the FortiGate unit's internal interface is connected to a VLAN trunk and
the external interface connects to an untagged Internet router. In this configuration
the FortiGate unit can apply different policies for traffic on each VLAN connected
to the internal interface.
You can define VLAN sub-interfaces on all FortiGate physical interfaces. However
if multiple virtual domains are configured on the FortiGate unit, you will only have
access to the physical interfaces on your virtual domain. The FortiGate unit can
tag packets leaving on a VLAN subinterface. It can also remove VLAN tags from
incoming packets and add a different VLAN tag to outgoing packets.
Note: If you are unable to change your existing configuration to prevent IP overlap, enter
the following CLI commands to allow IP address overlap:
    config system global
        set ip-overlap enable
    end
With this setting, multiple VLAN interfaces can have an IP address that is part of a subnet
used by another interface. This setting is recommended for advanced users only, because
routing between overlapping subnets is ambiguous and the interface a packet leaves on
may not be the one you intended.
Each VLAN subinterface must be configured with its own IP address and
netmask. The subinterface VLAN ID can be any number between 1 and 4094: the
12-bit VLAN ID field of the 802.1Q tag has 4096 values, but IDs 0 and 4095 are
reserved. The VLAN ID of each VLAN subinterface must match the VLAN ID added
by the IEEE 802.1Q-compliant switch or router. If the IDs do not match, the
subinterface will not receive the VLAN tagged traffic.
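The following Python program is an added example (not from this guide) that applies the subinterface rules above to a list of VLAN subinterfaces and prints the equivalent FortiOS CLI. It checks that each VLAN ID is within 1 to 4094 and unique on its physical interface, that each subinterface has a valid IP address and netmask, and that no two subinterfaces have overlapping subnets unless ip-overlap has been enabled. The CLI keywords are those of the FortiOS 3.0 config system interface command; the names and addresses are taken from the NAT/Route example later in this guide.

```python
"""Consistency checks for VLAN subinterfaces, plus FortiOS CLI output.

Added example, not part of the guide. It applies the rules stated above to a
list of subinterfaces: VLAN ID within 1..4094, one VLAN ID per physical
interface, a valid IP address and netmask on each subinterface, and no
subnet overlap between interfaces (the condition that "set ip-overlap
enable" relaxes). The CLI text uses the FortiOS 3.0 "config system
interface" keywords; names and addresses are those of the NAT/Route example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class VlanSubinterface:
    name: str
    physical: str                    # parent interface, e.g. "internal"
    vlanid: int
    ip: str                          # "10.1.1.1/24" or "10.1.1.1/255.255.255.0"
    vdom: str = "root"
    allowaccess: List[str] = field(default_factory=lambda: ["https", "ping"])


def check_subinterfaces(subs: List[VlanSubinterface], ip_overlap: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the set is consistent."""
    problems: List[str] = []
    seen = {}   # (physical, vlanid) -> name, to catch duplicate IDs on one trunk
    nets = []   # (name, network) of every subinterface checked so far
    for s in subs:
        if not 1 <= s.vlanid <= 4094:
            problems.append(f"{s.name}: VLAN ID {s.vlanid} is outside 1..4094")
        key = (s.physical, s.vlanid)
        if key in seen:
            problems.append(f"{s.name}: VLAN ID {s.vlanid} on {s.physical} is already used by {seen[key]}")
        seen[key] = s.name
        try:
            iface = ipaddress.ip_interface(s.ip)
        except ValueError:
            problems.append(f"{s.name}: invalid IP/netmask {s.ip!r}")
            continue
        for other, net in nets:
            if iface.network.overlaps(net):
                if ip_overlap:
                    continue  # permitted once "set ip-overlap enable" is configured
                problems.append(f"{s.name}: subnet {iface.network} overlaps {other} ({net}); "
                                "renumber or enable ip-overlap")
        nets.append((s.name, iface.network))
    return problems


def render_interfaces(subs: List[VlanSubinterface]) -> str:
    """Emit the equivalent of the web-based manager settings as CLI commands."""
    lines = ["config system interface"]
    for s in subs:
        iface = ipaddress.ip_interface(s.ip)
        lines += [
            f'    edit "{s.name}"',
            f'        set vdom "{s.vdom}"',
            f"        set ip {iface.ip} {iface.network.netmask}",
            f"        set allowaccess {' '.join(s.allowaccess)}",
            f'        set interface "{s.physical}"',
            f"        set vlanid {s.vlanid}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


# The two subinterfaces of the NAT/Route example (telnet kept to match the text;
# prefer https and ssh for ongoing administration).
EXAMPLE = [
    VlanSubinterface("VLAN_100", "internal", 100, "10.1.1.1/255.255.255.0",
                     allowaccess=["https", "ping", "telnet"]),
    VlanSubinterface("VLAN_200", "internal", 200, "10.1.2.1/255.255.255.0",
                     allowaccess=["https", "ping", "telnet"]),
]

if __name__ == "__main__":
    for problem in check_subinterfaces(EXAMPLE):
        print("PROBLEM:", problem)
    print(render_interfaces(EXAMPLE))
```

Run the checks before pasting the rendered configuration into the CLI: a duplicate VLAN ID on the same physical interface or an overlapping subnet is reported by name, and the overlap report disappears only when ip_overlap=True, mirroring the global setting described in the note above.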
Configuring routing
In the simplest case, you need to configure a default route for packets with
external destinations to the gateway of an external network. In more complex
cases, you might have to configure different routes based on packet source and
destination addresses. Routing is explained in the FortiGate Administration Guide
and the CLI Reference documentation.
As with any routed interface, you need to configure routes for VLAN subinterfaces.
VLANs need routing and a gateway configured to send and receive packets outside
their local subnet. Depending on the network you are connecting to, this can be
static or dynamic routing. Dynamic routing can use routing information protocol
(RIP), border gateway protocol (BGP), open shortest path first (OSPF), or multicast
routing.
If you enable protocols like SSH, PING, TELNET and HTTP as administrative access
on the VLAN subinterface you can use them to confirm that routing is properly
configured. TELNET and HTTP send administrator credentials in clear text, so enable
them only on trusted networks and for testing, and use SSH and HTTPS for ongoing
administration. Enabling logging on the interfaces can also help locate any possible
issues.
[Figure: example VLAN topology in NAT/Route mode. The FortiGate external port (172.16.21.2) connects with untagged packets to the Internet. The internal port (192.168.110.126) connects over an 802.1Q trunk to port Fa 0/24 of the VLAN switch, which has VLAN 100 on Fa 0/3 and VLAN 200 on Fa 0/9.]
When the Cisco switch receives packets from VLAN 100 and VLAN 200, it applies
VLAN ID tags and forwards the packets to local ports and across the trunk to the
FortiGate unit. The FortiGate unit has policies that allow traffic to flow between the
VLANs and from the VLANs to the external network.
This section describes how to configure a FortiGate 800 unit and a Cisco Catalyst
2950 switch for this example network topology. Cisco configuration commands
used in this section are IOS commands. It is assumed that both the FortiGate 800
and the Cisco 2950 switch are installed, connected and basic configuration has
been completed. On the switch you will need to be able to access the CLI to enter
commands. Refer to the manuals for each unit for more information.
Name VLAN_100
Interface internal
VLAN ID 100
Addressing mode Manual
IP/Netmask 10.1.1.1/255.255.255.0
Administrative Access HTTPS, PING, TELNET
Configure other fields as required.
Name VLAN_200
Interface internal
VLAN ID 200
Addressing mode Manual
IP/Netmask 10.1.2.1/255.255.255.0
Administrative Access HTTPS, PING, TELNET
Configure other fields as required.
If you do not wish to allow all services on a VLAN, you can create a firewall policy
for each service you want to allow. This example allows all services.
Source
Interface/Zone VLAN_100
Address Name VLAN_100_Net
Destination
Interface/Zone VLAN_200
Address Name VLAN_200_Net
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
Source
Interface/Zone VLAN_200
Address Name VLAN_200_Net
Destination
Interface/Zone VLAN_100
Address Name VLAN_100_Net
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
Source
Interface/Zone VLAN_100
Address Name VLAN_100_Net
Destination
Interface/Zone external
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
Source
Interface/Zone VLAN_200
Address Name VLAN_200_Net
Destination
Interface/Zone external
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
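The following Python program is an added example (not from this guide) that checks the four policies above against the rules stated in this guide and prints the equivalent FortiOS CLI. Both interfaces must exist and belong to the same virtual domain (a packet never crosses a VDOM border, so a policy between interfaces in different VDOMs cannot be created; this is the VDOM confinement described in the introduction), both address names must be defined in that VDOM, and a policy that accepts Service ANY is reported so that allow-all rules are deliberate. The interface-to-VDOM table and the address names VLAN_100_Net and VLAN_200_Net are assumed for the example; the CLI keywords are those of the FortiOS 3.0 config firewall policy command.

```python
"""Firewall policy checks and FortiOS CLI output for the policies above.

Added example, not part of the guide. It checks each policy against the
rules stated in the text: both interfaces and both addresses must exist in
the virtual domain, both interfaces must be in the same VDOM (a packet never
crosses a VDOM border, so a cross-VDOM policy cannot be created), and a
policy that accepts Service ANY is reported so that allow-all rules are
deliberate. The CLI uses FortiOS 3.0 "config firewall policy" keywords; the
address objects VLAN_100_Net and VLAN_200_Net are assumed to be defined.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Policy:
    srcintf: str
    srcaddr: str
    dstintf: str
    dstaddr: str
    service: str = "ANY"
    action: str = "accept"
    nat: bool = True
    schedule: str = "always"


# Constructed inventory: interface -> VDOM, and the address objects per VDOM
# ("all" is predefined in every VDOM).
INTERFACES: Dict[str, str] = {"VLAN_100": "root", "VLAN_200": "root", "external": "root"}
ADDRESSES: Dict[str, Set[str]] = {"root": {"all", "VLAN_100_Net", "VLAN_200_Net"}}

# The four policies of the NAT/Route example, in list (matching) order
EXAMPLE_POLICIES = [
    Policy("VLAN_100", "VLAN_100_Net", "VLAN_200", "VLAN_200_Net"),
    Policy("VLAN_200", "VLAN_200_Net", "VLAN_100", "VLAN_100_Net"),
    Policy("VLAN_100", "VLAN_100_Net", "external", "all"),
    Policy("VLAN_200", "VLAN_200_Net", "external", "all"),
]


def check_policy(p: Policy, interfaces: Dict[str, str], addresses: Dict[str, Set[str]]) -> List[str]:
    """Return the problems found in one policy (empty list if it is acceptable)."""
    problems: List[str] = []
    label = f"{p.srcintf}->{p.dstintf}"
    missing = [n for n in (p.srcintf, p.dstintf) if n not in interfaces]
    if missing:
        return [f"{label}: interface {n} does not exist" for n in missing]
    src_vdom, dst_vdom = interfaces[p.srcintf], interfaces[p.dstintf]
    if src_vdom != dst_vdom:
        problems.append(f"{label}: {p.srcintf} is in VDOM {src_vdom} but {p.dstintf} is in "
                        f"VDOM {dst_vdom}; traffic cannot cross VDOMs without a vdom-link")
    for role, name in (("source", p.srcaddr), ("destination", p.dstaddr)):
        if name not in addresses.get(src_vdom, set()):
            problems.append(f"{label}: {role} address {name} is not defined in VDOM {src_vdom}")
    if p.action == "accept" and p.service.upper() == "ANY":
        problems.append(f"{label}: accepts Service ANY; add one policy per service "
                        "if you do not want to allow all services")
    return problems


def render_policies(policies: List[Policy]) -> str:
    """Emit the policies in list order, which is also the order they are matched in."""
    lines = ["config firewall policy"]
    for seq, p in enumerate(policies, start=1):
        lines += [
            f"    edit {seq}",
            f'        set srcintf "{p.srcintf}"',
            f'        set dstintf "{p.dstintf}"',
            f'        set srcaddr "{p.srcaddr}"',
            f'        set dstaddr "{p.dstaddr}"',
            f"        set action {p.action}",
            f'        set schedule "{p.schedule}"',
            f'        set service "{p.service}"',
            f"        set nat {'enable' if p.nat else 'disable'}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


def check_all(policies: List[Policy], interfaces=INTERFACES, addresses=ADDRESSES) -> Dict[int, List[str]]:
    """Map policy sequence number -> problems, for every policy that has any."""
    report: Dict[int, List[str]] = {}
    for seq, p in enumerate(policies, start=1):
        found = check_policy(p, interfaces, addresses)
        if found:
            report[seq] = found
    return report
```

For the four example policies check_all() reports only the Service ANY warning on each, which is what the text intends here; a policy whose interfaces sit in different VDOMs, or whose address name is not defined in the VDOM, is rejected with a message naming the interface or address.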
The switch has the following configuration:
Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default
gateways. The default gateway for VLAN 100 is the FortiGate VLAN 100 subinterface. The
default gateway for VLAN 200 is the FortiGate VLAN 200 subinterface.
[Figure: trace route from a host on the VLAN 100 network, through the switch and the FortiGate-800 unit, to the external network.]
    C:\>tracert 172.16.21.2
    Tracing route to 172.16.21.2 over a maximum of 30 hops:
      1   <10 ms   <10 ms   <10 ms   10.1.1.1
      2   <10 ms   <10 ms   <10 ms   172.16.21.2
    Trace complete.
The first hop is the FortiGate VLAN 100 subinterface (10.1.1.1); the second is the FortiGate external port (172.16.21.2).
Figure 9: Example trace route from VLAN 100 to the external network
[Figure: example network topology with two ISPs and a VPN client. The FortiGate-800 internal interface connects over an 802.1Q trunk to port Fa 0/24 of the Cisco 2950 switch, which has VLAN 10 on Fa 0/3 and VLAN 20 on Fa 0/9. The external interface carries VLAN 30 and VLAN 40 towards the Internet, from which the VPN client connects.]
Name Local-LAN
Interface internal
VLAN ID 10
Addressing mode Manual
IP/Netmask 192.168.10.1/255.255.255.0
Administrative Access HTTPS, PING, TELNET
Name Finance
Interface internal
VLAN ID 20
Addressing mode Manual
IP/Netmask 192.168.20.1/255.255.255.0
Administrative Access HTTPS, PING, TELNET
Name ATT-ISP
Interface external
VLAN ID 30
Addressing mode Manual
IP/Netmask 30.1.1.1/255.255.255.0
Administrative Access HTTPS, PING, TELNET
Name XO-ISP
Interface external
VLAN ID 40
Addressing mode Manual
IP/Netmask 40.1.1.1/255.255.255.0
Administrative Access HTTPS, PING, TELNET
Select either the web-based manager or the CLI to add a default route.
4 Enter the following information to add a secondary default route to XO-ISP for
network traffic leaving the external interface and select OK:
Source
Interface/Zone Finance
Address Name Finance_users
Destination
Interface/Zone ATT-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
Source
Interface/Zone Finance
Address Name Finance_users
Destination
Interface/Zone XO-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
Source
Interface/Zone Finance
Address Name Finance_users
Destination
Interface/Zone Local-LAN
Address Name Local_users
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
Source
Interface/Zone Local-LAN
Address Name Local_users
Destination
Interface/Zone ATT-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
Source
Interface/Zone Local-LAN
Address Name Local_users
Destination
Interface/Zone XO-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
Name Dialup_tunnel
Remote Gateway Dialup User
Local Interface ATT-ISP
Mode Aggressive
Authentication Method Preshared key
Pre-shared key The key must contain at least 6 printable characters and
should only be known by network administrators. For
optimum protection against currently known attacks, the
key should consist of a minimum of 16 randomly chosen
alphanumeric characters. In aggressive mode the identity
exchange is not encrypted, so a short or guessable key can
be recovered offline from a captured negotiation.
The client must use the same pre-shared key.
Advanced Select Advanced to configure the following options. The
values shown here are the defaults and should not need to
be changed.
P1 Proposal 1-Encryption 3DES, Authentication SHA1
2-Encryption 3DES, Authentication MD5
DH Group 5
Keylife 28800 (seconds)
Configure other fields as required.
Name Dialup-client
Phase 1 Dialup_tunnel
Advanced Select Advanced to configure the following options.
P2 Proposal 1-Encryption 3DES, Authentication SHA1
2-Encryption 3DES, Authentication MD5
Enable replay detection Select
Enable perfect forward secrecy Select
DH Group 5
Keylife 1800 seconds
Autokey Keep Alive Select
DHCP-IPsec Clear
Quick Mode Selector
Source address
Source port
Destination address
Destination port
Protocol
Configure other fields as required.
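The following Python program is an added example (not from this guide) that checks the Phase 1 and Phase 2 settings above before they are committed and prints the equivalent FortiOS CLI. It applies the pre-shared key rules from the table, and it reports the defaults a practitioner should accept deliberately rather than by omission: aggressive mode with a pre-shared key, the 3DES/MD5 proposals, and Phase 2 without perfect forward secrecy. The 64-bit strength threshold and the sample key are the example's own choices; the CLI keywords follow the FortiOS 3.0 CLI Reference vpn ipsec phase1 and phase2 commands and should be verified against your firmware.

```python
"""Checks for the dialup IPsec Phase 1 and Phase 2 settings above, plus CLI output.

Added example, not part of the guide. It checks the pre-shared key against
the guidance in the table (at least 6 printable characters; 16 random
characters for protection against currently known attacks) and reports
default choices that should be made deliberately: aggressive mode with a
pre-shared key (the identity exchange is not encrypted, so a weak key can
be guessed offline from a captured negotiation), MD5 proposals, and Phase 2
without perfect forward secrecy. The keywords in the rendered CLI follow the
FortiOS 3.0 CLI Reference "vpn ipsec phase1" and "phase2" commands; verify
them against your firmware. The sample key is constructed.
"""
import math
from dataclasses import dataclass, field
from typing import List

MIN_PSK_BITS = 64  # threshold chosen for this example: below it an offline guess is cheap


@dataclass
class Phase1:
    name: str
    interface: str
    psk: str
    mode: str = "aggressive"  # "main" or "aggressive"
    proposals: List[str] = field(default_factory=lambda: ["3des-sha1", "3des-md5"])
    dhgrp: int = 5
    keylife: int = 28800


@dataclass
class Phase2:
    name: str
    phase1: str
    proposals: List[str] = field(default_factory=lambda: ["3des-sha1", "3des-md5"])
    pfs: bool = True
    dhgrp: int = 5
    keylife: int = 1800
    replay: bool = True


def psk_entropy_bits(psk: str) -> float:
    """Upper-bound strength estimate: length times log2 of the character pool in use."""
    pool = 0
    if any(c.islower() for c in psk):
        pool += 26
    if any(c.isupper() for c in psk):
        pool += 26
    if any(c.isdigit() for c in psk):
        pool += 10
    if any(not c.isalnum() for c in psk):
        pool += 33  # printable ASCII punctuation and space
    return len(psk) * math.log2(pool) if pool else 0.0


def check_psk(psk: str) -> List[str]:
    """Apply the key rules from the table plus the strength threshold above."""
    problems = []
    if len(psk) < 6 or not psk.isprintable():
        problems.append("pre-shared key must be at least 6 printable characters")
    if len(psk) < 16:
        problems.append("pre-shared key is shorter than the recommended 16 random characters")
    bits = psk_entropy_bits(psk)
    if bits < MIN_PSK_BITS:
        problems.append(f"pre-shared key strength is about {bits:.0f} bits, below {MIN_PSK_BITS}")
    return problems


def check_tunnel(p1: Phase1, p2: Phase2) -> List[str]:
    """Return every setting of the tunnel that deserves a deliberate decision."""
    problems = check_psk(p1.psk)
    if p1.mode == "aggressive":
        problems.append("aggressive mode with a pre-shared key sends the identity unencrypted and "
                        "exposes the key to offline guessing; use main mode where the client allows it")
    for prop in p1.proposals + p2.proposals:
        if prop.endswith("-md5"):
            problems.append(f"proposal {prop} uses MD5; remove it unless a peer requires it")
    if not p2.pfs:
        problems.append("perfect forward secrecy is disabled: a recovered Phase 1 key exposes the Phase 2 keys")
    if p2.phase1 != p1.name:
        problems.append(f"Phase 2 {p2.name} refers to Phase 1 {p2.phase1}, not {p1.name}")
    return problems


def render_tunnel(p1: Phase1, p2: Phase2) -> str:
    """Emit the table settings as CLI commands (keywords per the FortiOS 3.0 CLI Reference)."""
    def flag(on: bool) -> str:
        return "enable" if on else "disable"
    lines = [
        "config vpn ipsec phase1", f'    edit "{p1.name}"',
        "        set type dynamic",  # dialup: the remote gateway address is not fixed
        f'        set interface "{p1.interface}"', f"        set mode {p1.mode}",
        f"        set proposal {' '.join(p1.proposals)}", f"        set dhgrp {p1.dhgrp}",
        f"        set keylife {p1.keylife}", f'        set psksecret "{p1.psk}"',
        "    next", "end",
        "config vpn ipsec phase2", f'    edit "{p2.name}"',
        f'        set phase1name "{p2.phase1}"', f"        set proposal {' '.join(p2.proposals)}",
        f"        set pfs {flag(p2.pfs)}", f"        set dhgrp {p2.dhgrp}",
        f"        set replay {flag(p2.replay)}", f"        set keylifeseconds {p2.keylife}",
        "    next", "end",
    ]
    return "\n".join(lines)


# The guide's tunnel with a constructed 16-character key (lower case, upper case and digits)
EXAMPLE_P1 = Phase1("Dialup_tunnel", "ATT-ISP", psk="k7Qp3zN9vR2xL8mW")
EXAMPLE_P2 = Phase2("Dialup-client", "Dialup_tunnel")
```

With the table's defaults check_tunnel() accepts the 16-character key but still lists aggressive mode and the two MD5 proposals; switching to main mode and keeping only the SHA1 proposals clears the report. Dialup clients that identify themselves by ID often require aggressive mode, in which case the key strength rule is the control that matters.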
Source
Interface/Zone Local-LAN
Address Name Local_users
Destination
Interface/Zone ATT-ISP
Address Name ATT-net
Schedule Always
Service ANY
Action IPSEC
VPN Tunnel
Allow inbound Select
Allow outbound Clear
Inbound NAT Select
Outbound NAT Clear
Configure other fields as required.
4 Place the policy in the policy list above non-encrypt policies. If there is more than
one encrypt policy in the list, place the more specific ones above the more general
ones with similar source and destination addresses.
8 Select Advanced.
IP 30.1.1.0
Subnet mask 255.255.255.0
Note: To complete the setup, configure devices on VLAN 10 and VLAN 20 with default
gateways. The default gateway for VLAN 10 is the FortiGate VLAN 10 subinterface. The
default gateway for VLAN 20 is the FortiGate VLAN 20 subinterface.
Note: To complete the setup, configure devices on VLAN 30 and VLAN 40 with default
gateways. The default gateway for VLAN 30 is the FortiGate VLAN 30 subinterface. The
default gateway for VLAN 40 is the FortiGate VLAN 40 subinterface.
[Figure: trace route from VLAN 20 to VLAN 10 through the FortiGate-800 unit, via the VLAN 20 subinterface (192.168.20.1) and the VLAN 10 subinterface (192.168.10.1).]
Figure 16: Example trace route from VLAN 10 to the external network
[Figure: the VLAN 10 network, the switch, the FortiGate-800 unit (VLAN 10 subinterface 192.168.10.1, external interface 172.16.21.1) and the Internet.]
Overview
Virtual Domains split your FortiGate unit into multiple separate units so that it can
serve multiple organizations. Each VDOM has separate routing and firewall
policies. Each interface, physical or VLAN, belongs exclusively to one virtual
domain. This simplifies administration because you can see only the interfaces,
routing tables and firewall policies for the VDOM you are configuring.
This chapter contains the following sections:
Getting started with VDOMs
Configuring virtual domains
Example VDOM configuration in NAT/Route mode (simple)
Example VDOM configuration in NAT/Route mode (complex)
Regular administrators can configure only the VDOM to which they are
assigned.
By default, there is no password for admin. To improve security, you should set a
password. Optionally, you can also rename the admin account. For more
information on this see the user sections of FortiGate Administration Guide.
2 Select the name of the virtual domain that you want to configure.
The main web-based manager page opens.
The footer of the web-based manager page displays the currently selected virtual
domain name, unless only the root domain exists.
5 Select OK.
The interface moves to the selected virtual domain. Firewall IP pools and virtual
IPs added for this interface are deleted. You should manually delete any routes
that include this interface.
4 Select Create new to add firewall policies to the current virtual domain.
Your firewall policies can involve only the interfaces, zones and firewall addresses
that are in the current virtual domain. The firewall policies that you add are only
visible when you are viewing the current virtual domain. Network traffic accepted
by the interfaces and VLAN subinterfaces in this virtual domain is controlled by
the firewall policies in this virtual domain
[Figure: the ABC Inc. network 10.1.1.0 (VLAN 100) connected to the FortiGate unit through the VLAN switch.]
When the switch receives packets from VLAN 100 and VLAN 200, it applies the
proper VLAN ID tags and forwards the packets across the trunk link to the
FortiGate unit. The FortiGate unit is a layer-3 device - it has policies that allow
traffic to flow from VLAN 100 to the external network and from VLAN 200 to the
DMZ network.
This section describes how to configure a FortiGate-800 unit and a Cisco 2950
switch for this example network topology.
Name VLAN_100
Interface internal
VLAN ID 100
Virtual Domain ABCdomain
Addressing mode Manual
IP/Netmask 10.1.1.1/255.255.255.0
Administrative Access HTTPS, PING, TELNET
Configure other fields as required.
2 Select ABCdomain.
Source
Interface/Zone VLAN_100
Address Name VLAN_100_Net
Destination
Interface/Zone External
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
Name VLAN_200
Interface internal
VLAN ID 200
Virtual Domain DEFdomain
Addressing mode Manual
IP/Netmask 10.1.2.1/255.255.255.0
Administrative Access HTTPS, PING, TELNET
Configure other fields as required.
Source
Interface/Zone VLAN_200
Address Name VLAN_200_Net
Destination
Interface/Zone dmz/ha
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default
gateways. The default gateway for VLAN 100 is the FortiGate VLAN 100 subinterface. The
default gateway for VLAN 200 is the FortiGate VLAN 200 subinterface.
Figure 28: Example trace route from VLAN 100 to the external network
[Figure: the VLAN 100 network, the switch, the FortiGate-800 unit and the Internet.]
Figure 29: Example trace route from VLAN 200 to the DMZ network
[Figure: the VLAN 200 network, the switch and the FortiGate unit, with the DMZ network on the far side.]
Name students
Interface internal
VLAN ID 10
Virtual Domain ABCdomain
Addressing mode Manual
IP/Netmask 192.168.10.1/255.255.255.0
Configure other fields as required.
Name instructors
Interface internal
VLAN ID 20
Virtual Domain ABCdomain
Addressing mode Manual
IP/Netmask 192.168.20.1/255.255.255.0
Configure other fields as required.
Name ATT-ISP
Interface external
VLAN ID 30
Virtual Domain ABCdomain
Addressing mode Manual
IP/Netmask 30.1.1.1/255.255.255.0
Configure other fields as required.
Source
Interface/Zone students
Address Name student_net
Destination
Interface/Zone ATT-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Protection profile strict
Configure other fields as required.
Source
Interface/Zone instructors
Address Name instructor_net
Destination
Interface/Zone ATT-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Protection profile scan
Configure other fields as required.
Source
Interface/Zone instructors
Address Name instructor_net
Destination
Interface/Zone students
Address Name student_net
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
Name Sales
Interface internal
VLAN ID 80
Virtual Domain Commercial
Addressing mode Manual
IP/Netmask 192.168.15.1/255.255.255.0
Configure other fields as required.
Name Development
Interface internal
VLAN ID 90
Virtual Domain Commercial
Addressing mode Manual
IP/Netmask 192.168.10.1/255.255.255.0
Configure other fields as required.
Name XO-ISP
Interface external
VLAN ID 40
Virtual Domain Commercial
Addressing mode Manual
IP/Netmask 40.1.1.1/255.255.255.0
Configure other fields as required.
9 Enter the following information for the XS ISP network and select OK:
Name XS-ISP
Interface external
VLAN ID 50
Virtual Domain Commercial
Addressing mode Manual
IP/Netmask 145.1.1.1/255.255.255.0
Configure other fields as required.
Source
Interface/Zone Sales
Address Name sales_net
Destination
Interface/Zone XO-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Protection profile scan
Configure other fields as required.
Source
Interface/Zone Sales
Address Name sales_net
Destination
Interface/Zone XS-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Protection profile scan
Configure other fields as required.
Source
Interface/Zone Development
Address Name development_net
Destination
Interface/Zone XO-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Protection profile scan
Configure other fields as required.
Source
Interface/Zone Development
Address Name development_net
Destination
Interface/Zone XS-ISP
Address Name all
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Protection profile scan
Configure other fields as required.
Source
Interface/Zone Sales
Address Name sales_net
Destination
Interface/Zone Development
Address Name development_net
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
Source
Interface/Zone Development
Address Name development_net
Destination
Interface/Zone Sales
Address Name sales_net
Schedule Always
Service ANY
Action ACCEPT
NAT Select
Configure other fields as required.
Note: To complete the setup, configure devices on the VLANs with default gateways. The
default gateway for VLAN 10 is the FortiGate VLAN 10 subinterface. The default gateway
for VLAN 20 is the FortiGate VLAN 20 subinterface and so on.
Add this file to the Cisco switch connected to the FortiGate-800 external interface:
!
interface FastEthernet0/3
switchport access vlan 30
!
interface FastEthernet0/9
switchport access vlan 40
!
interface FastEthernet0/19
switchport access vlan 50
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
The switch has the following configuration:
[Figure: trace route from VLAN 10 to VLAN 20 through the FortiGate-300 unit; VLAN 10 subinterface 192.168.10.1, VLAN 20 subinterface 192.168.20.1, with the switch carrying VLAN 10 and VLAN 20]
Other tests
Using the preceding method, you can also test traffic from the Development
network to the Sales network and vice-versa, as well as traffic from each of the
internal networks to locations on the Internet.
Overview
In Transparent mode, the FortiGate unit can provide services such as antivirus
scanning, web filtering, spam filtering and intrusion protection to traffic on an IEEE
802.1Q VLAN trunk. You can insert the FortiGate unit operating in Transparent
mode into the trunk without making changes to your network. In a typical
configuration, the FortiGate internal interface accepts VLAN packets on a VLAN
trunk from a VLAN switch or router connected to internal VLANs. The FortiGate
external interface forwards tagged packets through another trunk to an external
VLAN switch or router connected to external networks or the Internet. You can
configure the FortiGate unit to apply different policies for traffic on each VLAN in
the trunk.
To pass VLAN traffic through the FortiGate unit, you add two VLAN subinterfaces
with the same VLAN ID, one to the internal interface and the other to the external
interface. You then create a firewall policy to permit packets to flow from the
internal VLAN interface to the external VLAN interface. If required, you create
another firewall policy to permit packets to flow from the external VLAN interface
to the internal VLAN interface. Network protection, such as spam filtering, web
filtering and anti-virus scanning, are applied through the protection profile
specified in each firewall policy.
For each VLAN you are protecting with the FortiGate unit, you need to define a
pair of VLAN subinterfaces and the necessary firewall policies. Usually in
Transparent mode you do not permit packets to move between VLANs.
When the FortiGate unit receives a VLAN tagged packet at a physical interface,
the packet is directed to the VLAN subinterface with the matching VLAN ID. The
VLAN tag is removed from the packet and the FortiGate unit then applies firewall
policies in the same way as it does for non-VLAN packets. If the packet exits the
FortiGate unit through a VLAN subinterface, the VLAN ID for that subinterface is
added to the packet and the packet is sent to the corresponding physical
interface.
[Figure: FortiGate-300 unit in Transparent mode inserted in an 802.1Q trunk. Internal interface: trunk from the VLAN switch (Fa0/24 trunk; Fa0/3 and Fa0/9 access ports for hosts 10.1.1.2 and 10.1.2.2 on VLAN 1 and VLAN 2). External interface: trunk to the VLAN router (10.1.1.1, 10.1.2.1) and the Internet]
Table 1:
Name VLAN_100_int
Interface internal
VLAN ID 100
Configure other settings as required.
Table 2:
Name VLAN_100_ext
Interface external
VLAN ID 100
Configure other settings as required.
Table 3:
Name VLAN_200_int
Interface internal
VLAN ID 200
Configure other settings as required.
Table 4:
Name VLAN_200_ext
Interface external
VLAN ID 200
Configure other settings as required.
Table 5:
Source
Interface/Zone VLAN_100_int
Address Name all
Destination
Interface/Zone VLAN_100_ext
Address Name all
Schedule Always
Service ANY
Action ACCEPT
Configure other fields as required.
Table 6:
Source
Interface/Zone VLAN_100_ext
Address Name all
Destination
Interface/Zone VLAN_100_int
Address Name all
Schedule Always
Service ANY
Action ACCEPT
Configure other fields as required.
Table 7:
Source
Interface/Zone VLAN_200_int
Address Name all
Destination
Interface/Zone VLAN_200_ext
Address Name all
Schedule Always
Service ANY
Action ACCEPT
Configure other fields as required.
Table 8:
Source
Interface/Zone VLAN_200_ext
Address Name all
Destination
Interface/Zone VLAN_200_int
Address Name all
Schedule Always
Service ANY
Action ACCEPT
Configure other fields as required.
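The following is an added example, not code from the guide or from Fortinet: a small Python model of the Transparent mode behaviour described in the overview above (tag removed on ingress, policy applied as for a non-VLAN packet, tag re-added on egress), loaded with the subinterfaces of Tables 1 to 4 and the firewall policies of Tables 5 to 8. The MAC addresses and the bridge table are constructed for the example; a real unit learns them. It shows why the usual Transparent mode setup does not pass traffic between VLANs: there is simply no policy between VLAN_100_int and VLAN_200_ext, so that frame is dropped.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag

@dataclass
class Frame:
    dst_mac: bytes
    src_mac: bytes
    vlan_id: Optional[int]      # None means the frame is untagged
    ethertype: int
    payload: bytes

def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, pulling out the 802.1Q tag when one is present."""
    dst, src = raw[0:6], raw[6:12]
    tpid = struct.unpack("!H", raw[12:14])[0]
    if tpid == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        return Frame(dst, src, tci & 0x0FFF, ethertype, raw[18:])   # low 12 bits of the TCI = VLAN ID
    return Frame(dst, src, None, tpid, raw[14:])

def build_frame(f: Frame) -> bytes:
    """Serialise a Frame, inserting a tag only when vlan_id is set."""
    hdr = f.dst_mac + f.src_mac
    if f.vlan_id is None:
        return hdr + struct.pack("!H", f.ethertype) + f.payload
    return hdr + struct.pack("!HHH", TPID_8021Q, f.vlan_id, f.ethertype) + f.payload

# (physical interface, VLAN ID) -> subinterface, as added in Tables 1 to 4
SUBINTERFACES: Dict[Tuple[str, int], str] = {
    ("internal", 100): "VLAN_100_int",
    ("external", 100): "VLAN_100_ext",
    ("internal", 200): "VLAN_200_int",
    ("external", 200): "VLAN_200_ext",
}
PHYSICAL = {name: phys for (phys, _vid), name in SUBINTERFACES.items()}
VLAN_OF = {name: vid for (_phys, vid), name in SUBINTERFACES.items()}

# (source subinterface, destination subinterface) -> action, as in Tables 5 to 8.
# Any pair not listed falls to the implicit deny.
POLICIES: Dict[Tuple[str, str], str] = {
    ("VLAN_100_int", "VLAN_100_ext"): "ACCEPT",
    ("VLAN_100_ext", "VLAN_100_int"): "ACCEPT",
    ("VLAN_200_int", "VLAN_200_ext"): "ACCEPT",
    ("VLAN_200_ext", "VLAN_200_int"): "ACCEPT",
}

# Constructed MAC addresses standing in for the bridge table a unit learns in Transparent mode
HOST_100 = bytes.fromhex("02000a010102")   # host 10.1.1.2 on the internal side of VLAN 100
GW_100 = bytes.fromhex("02000a010101")     # router 10.1.1.1 on the external side of VLAN 100
HOST_200 = bytes.fromhex("02000a010202")   # host 10.1.2.2 on the internal side of VLAN 200
GW_200 = bytes.fromhex("02000a010201")     # router 10.1.2.1 on the external side of VLAN 200
MAC_TABLE: Dict[bytes, str] = {
    HOST_100: "VLAN_100_int", GW_100: "VLAN_100_ext",
    HOST_200: "VLAN_200_int", GW_200: "VLAN_200_ext",
}

def forward(ingress: str, raw: bytes) -> Optional[Tuple[str, bytes]]:
    """Return (egress physical interface, frame bytes), or None when the unit drops the frame."""
    f = parse_frame(raw)
    if f.vlan_id is None:
        return None                                       # no subinterface handles untagged frames here
    src_sub = SUBINTERFACES.get((ingress, f.vlan_id))
    if src_sub is None:
        return None                                       # no subinterface with this VLAN ID on this port
    # 1. The tag is removed; from here on the frame is handled like a non-VLAN packet.
    inner = Frame(f.dst_mac, f.src_mac, None, f.ethertype, f.payload)
    # 2. The destination subinterface comes from the bridge table.
    dst_sub = MAC_TABLE.get(inner.dst_mac)
    if dst_sub is None or dst_sub == src_sub:
        return None
    # 3. Firewall policy lookup on the (source, destination) subinterface pair.
    if POLICIES.get((src_sub, dst_sub)) != "ACCEPT":
        return None                                       # e.g. VLAN 100 -> VLAN 200: no policy, dropped
    # 4. Leaving through a VLAN subinterface re-adds that subinterface's VLAN ID.
    inner.vlan_id = VLAN_OF[dst_sub]
    return PHYSICAL[dst_sub], build_frame(inner)

def tagged_ipv4(dst_mac: bytes, src_mac: bytes, vlan_id: int) -> bytes:
    """Build a tagged frame carrying a constructed 20-byte IPv4 header as payload."""
    return build_frame(Frame(dst_mac, src_mac, vlan_id, 0x0800, b"\x45" + b"\x00" * 19))
```

A frame with VLAN ID 300, for which no subinterface exists, is dropped before any policy is consulted, which is the behaviour to expect when a new VLAN appears on the trunk before its subinterface pair and policies have been added.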
Table 9:
!
The router has the following configuration:
Table 10:
Note: To complete the setup, configure devices on VLAN 100 and VLAN 200 with default
gateways. The default gateway for VLAN 100 is the Cisco router VLAN 100 subinterface.
The default gateway for VLAN 200 is the Cisco router VLAN 200 subinterface.
Figure 41: Example trace route from VLAN 100 to VLAN 200
[Figure 41: FortiGate-300 unit between the Router (10.1.1.1, 10.1.1.2) on the External interface and the Internal interface; tracert between 10.1.1.2 and 10.1.2.2]
[Figure: FortiGate unit in Transparent mode with three VLAN pairs. External interface: VLAN trunk from VLAN Switch 2 (Fa0/6) carrying VLAN_100_ext, VLAN_200_ext and VLAN_300_ext towards the router and the Internet. Internal interface: VLAN trunk from VLAN Switch 1 (Fa0/8) carrying VLAN_100_int, VLAN_200_int and VLAN_300_int; access ports Fa0/1, Fa0/2 and Fa0/5]
Creating schedules
The FortiGate-800 unit in this example serves organizations, all of them businesses,
that vary their policies according to the time of day. For simplicity, this example
assumes that they all have the same lunch hours. Different definitions of lunchtime
could be accommodated by creating multiple schedules tailored to the needs of each
organization.
6 Select OK.
Table 11:
6 Select Spam Filtering and enable RBL & ORDBL check for IMAP, POP3 and
SMTP.
7 Select Banned word check for IMAP, POP3 and SMTP.
8 For Spam action, select tagged for IMAP and POP3, discard for SMTP.
9 Select IPS and enable IPS Signature and IPS Anomaly.
10 Select OK.
6 Select Spam Filtering and enable RBL & ORDBL check for IMAP, POP3 and
SMTP.
7 Select Banned word check for IMAP, POP3 and SMTP.
8 For Spam action, select tagged for IMAP and POP3, discard for SMTP.
9 Select IPS and enable IPS Signature and IPS Anomaly.
10 Select OK.
Table 12:
Name VLAN_100_int
Interface internal
VLAN ID 100
Virtual Domain ABCdomain
Configure other settings as required.
Table 13:
Name VLAN_100_ext
Interface external
VLAN ID 100
Virtual Domain ABCdomain
Configure other settings as required.
Table 14:
This policy prevents the use of network games or chat programs during business
hours.
Table 15:
This policy relaxes the web category filtering during lunch hour.
5 Enter the following information and select OK:
Table 16:
This policy provides rather strict web category filtering during business hours.
Table 17:
Name VLAN_200_int
Interface internal
VLAN ID 200
Virtual Domain DEFdomain
Configure other settings as required.
Table 18:
Name VLAN_200_ext
Interface external
VLAN ID 200
Virtual Domain DEFdomain
Configure other settings as required.
Table 19:
This policy prevents the use of network games or chat programs (except
NetMeeting) during business hours.
4 Enter the following information and select OK:
Table 20:
This policy relaxes the web category filtering during lunch hour.
Table 21:
This policy provides rather strict web category filtering during business hours.
6 Enter the following information and select OK:
Table 22:
Because it is last in the list, this policy applies to the times and services not
covered in preceding policies. This means that outside of regular business hours
the Relaxed protection profile applies to email and web browsing and that online
chat and games are permitted. DEF Inc. needs this policy because its employees
sometimes work overtime. The other companies in this example maintain fixed
hours and don't want any after-hours Internet access.
Name VLAN_300_int
Interface internal
VLAN ID 300
Virtual Domain XYZdomain
Configure other settings as required.
Name VLAN_300_ext
Interface external
VLAN ID 300
Virtual Domain XYZdomain
Configure other settings as required.
This policy provides network protection for email using the default strict protection
profile. The administrator must also set up the antivirus, web filter and spam filter
settings. These procedures are not described in this document.
4 Enter the following information and select OK:
Table 26:
This policy provides network protection for HTTP, HTTPS and FTP using the
default web protection profile. The administrator must also set up the antivirus and
web filter settings. These procedures are not described in this document.
Configuring switch 1
Add this file to Cisco VLAN switch 1:
!
interface FastEthernet0/1
switchport access vlan 100
!
interface FastEthernet0/2
switchport access vlan 200
!
interface FastEthernet0/5
switchport access vlan 300
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
Switch 1 has the following configuration:
Table 27:
Configuring switch 2
Add this file to Cisco VLAN switch 2:
interface FastEthernet0/3
switchport
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
Table 28:
Inter-VDOM routing
Overview
In the past VDOMs have been completely separate from each other - there has
been no internal communication between virtual domains on a FortiGate unit. Any
communication between VDOMs had to leave on a physical interface and re-enter
the FortiGate unit on another physical interface.
Inter-VDOM routing changes this. With the introduction of inter-VDOM routing in
FortiOS v3.0 MR1, VDOMs can communicate internally without using additional
physical interfaces. FortiManager units support inter-VDOM routing on managed
FortiGate units starting with FortiManager v3.0 MR1.
This chapter contains the following sections:
Benefits of inter-VDOM routing
Getting started with inter-VDOM routing
Available inter-VDOM configurations
FortiManager and inter-VDOMs
Inter-VDOM planning
With the introduction of inter-VDOM routing, traffic can travel between VDOMs
internally, freeing up physical interfaces for external traffic. Using the above
example we can use the 4 VDOM configuration and all the interfaces will have
their full bandwidth.
Stand-alone VDOM
Independent VDOMs
Management VDOM
Meshed VDOMs
Stand-alone VDOM
Stand-alone VDOM uses a single VDOM - the root VDOM that all FortiGate units
have by default. This is the VDOM configuration you are likely familiar with.
This configuration has no VDOM inter-connections and requires no special
configurations or settings.
The stand-alone VDOM configuration can be used for simple network
configurations that only have one department or one company administering the
connections, firewalls and other VDOM-dependent settings.
Independent VDOMs
Independent VDOMs use multiple VDOMs that are completely separate from each
other. This is likely another VDOM configuration you are familiar with.
This configuration has no communication between VDOMs and, apart from initially
setting up each VDOM, requires no special configurations or settings. Any
communication between VDOMs is treated as if it were with a separate physical
device.
The independent VDOMs configuration can be used where more than one
department or company is sharing the FortiGate unit. Each can administer the
connections, firewalls and other VDOM-dependent settings of only its own VDOM.
To each company or department it appears as if they have their own FortiGate
unit.
Management VDOM
In the management VDOM configuration, the root VDOM is the management
VDOM and the other VDOMs are connected to the management VDOM with inter-
VDOM links. There are no other inter-VDOM connections.
Only the management VDOM is connected to the Internet. The other VDOMs are
connected to internal networks and possibly to very small secure external
networks, say a VPN dialup connection. All external traffic is routed through the
management VDOM using inter-VDOM links between the VDOMs. This ensures
the management VDOM has full control over access to the Internet including what
types of traffic are allowed in both directions. Security is greatly increased with
only one point of entry and exit. Only the management VDOM needs to be
professionally managed to ensure network security in this case.
The management VDOM configuration is ideally suited for a service provider
business. The service provider is the management VDOM and the other VDOMs
are customers. These customers do not require a dedicated IT person to manage
their network. The service provider controls the traffic and can prevent the
customers from using banned services and prevent Internet connections from
initiating those same banned services. One example of a banned service might be
Meshed VDOMs
Meshed VDOMs, including partial and full mesh, have VDOMs inter-connected with
other VDOMs. Partial mesh means only some VDOMs are inter-connected. In a
full mesh configuration, all VDOMs are inter-connected to all other VDOMs. This
can be useful when you want to provide full access between VDOMs but handle
traffic differently depending on which VDOM it originates from or is going to.
With full access to all VDOMs being possible, it is important to ensure proper
security. This can be accomplished through proper firewall policies and secure
account access for admins and users.
Meshed VDOM configurations can become complex very quickly, with full mesh
VDOMs being the most complex. Ensure this is the proper solution for your
situation before using this configuration.
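As an added illustration of the four configurations just described (it is not part of the guide and not Fortinet code), the Python below names the configuration that a list of VDOMs and inter-VDOM links describes, and checks the property the management VDOM section relies on: that every Internet-facing interface belongs to the management VDOM, so that the only point of entry and exit is the one that is professionally managed. The VDOM and interface names in the checks are constructed; only the root VDOM name comes from the text.

```python
from itertools import combinations
from typing import Dict, List, Tuple

def classify(vdoms: List[str], links: List[Tuple[str, str]], management: str = "root") -> str:
    """Name the inter-VDOM configuration formed by the given VDOMs and inter-VDOM links.

    links are unordered pairs of VDOM names joined by an inter-VDOM link.
    """
    edges = {frozenset(pair) for pair in links}
    if len(vdoms) == 1:
        return "stand-alone VDOM"           # only the root VDOM, nothing to link
    if not edges:
        return "independent VDOMs"          # several VDOMs, no internal connections
    # Management VDOM: every link has the management VDOM at one end and there are no others.
    star = {frozenset((management, v)) for v in vdoms if v != management}
    if edges == star:
        return "management VDOM"
    full = {frozenset(pair) for pair in combinations(vdoms, 2)}
    if edges == full:
        return "full mesh VDOMs"            # every VDOM linked to every other VDOM
    return "partial mesh VDOMs"             # some, but not all, VDOMs inter-connected

def internet_outside_management(internet_ifaces: Dict[str, str], management: str = "root") -> List[str]:
    """Return Internet-facing interfaces that are not in the management VDOM.

    internet_ifaces maps interface name -> VDOM that owns it. In a management VDOM
    configuration the result should be empty: all external traffic must pass through
    the management VDOM over inter-VDOM links.
    """
    return sorted(ifc for ifc, vdom in internet_ifaces.items() if vdom != management)

def report(vdoms, links, internet_ifaces) -> str:
    """One-line summary suitable for a change review before a VDOM reconfiguration."""
    kind = classify(vdoms, links)
    stray = internet_outside_management(internet_ifaces)
    if kind == "management VDOM" and stray:
        return f"{kind}; WARNING: Internet-facing interfaces outside root: {', '.join(stray)}"
    return kind
```

Running `report` against the intended and the actual configuration before and after a change is one way to catch the "unintended changes in VDOM interactions" that the planning section warns about, since an extra inter-VDOM link silently turns a management VDOM design into a partial mesh.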
Inter-VDOM planning
Inter-VDOM routing enables more FortiGate unit configurations than were
previously possible. This additional flexibility has benefits, but also has potential
difficulties.
Complexity
With more connections possible in inter-VDOM configurations, complexity quickly
becomes an issue. VDOMs are not trivial to understand, and with additional
settings and issues to consider, things can easily get out of hand.
To prevent this, you should carefully plan your move to the inter-VDOM
configuration to ensure you are aware of the differences between your new and
old setups as well as how these changes affect the interaction between the
VDOMs.
Making changes
Once configured, this new complex configuration means that any changes you
make to the system have a greater chance of introducing problems into the
system. Extra care should be taken to make sure any changes do not negatively
affect your existing FortiGate unit configuration.
For example, with the old method, changing communication between VDOMs meant
physically changing cable connections. With inter-VDOM routing all the changes
are internal, and there is generally more checking built into a physical process
than there is for a few CLI commands. This lower level of checking may allow
unintended changes in VDOM interactions to slip into the configuration
undetected.
Overview
There are several issues that can cause problems with your VLANs:
Asymmetric routing
Layer 2 traffic
NetBIOS
STP forwarding
Asymmetric routing
You might discover, unexpectedly, that hosts on some networks are unable to
reach certain other networks. This occurs when request and response packets
follow different paths. If the FortiGate unit sees the response packets, but not the
requests, it blocks them as invalid. Also, if the FortiGate unit sees the same
packets repeated on multiple interfaces, it blocks the session as a potential attack.
These are instances of asymmetric routing. By default, FortiGate units block
packets or drop the session when this happens. Using the Command Line
Interface (CLI), you can configure the FortiGate unit to permit asymmetric routing:
config system global
set asymroute enable
end
If this solves your blocked traffic problem, you know that asymmetric routing is the
cause. But allowing asymmetric routing is not the best solution because it can
reduce the security of your system. It is better to change the routing or change
how the FortiGate unit connects into your network. The Asymmetric Routing and
Other FortiGate Layer-2 Installation Issues technical note provides detailed
examples of asymmetric routing situations and possible solutions.
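The two symptoms described above, a reply arriving for a request the unit never saw and the same session turning up on more than one interface, are easier to recognise in a trace when you know what a stateful session table does with them. The Python below is an added, simplified model of that behaviour for explanation only; it is not the guide's or Fortinet's code, and the FortiGate session table is more elaborate. The packet trace, interface names and addresses are constructed. The `asymroute` flag stands in for the `set asymroute enable` setting shown above and shows what that setting gives up: with it enabled, neither symptom is blocked.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    iface: str            # interface the unit received the packet on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # True for the first packet of a TCP connection

Key = Tuple[str, int, str, int]

DROP_NO_REQUEST = "drop: reply without a matching request"
DROP_MULTI_IFACE = "drop: same session seen on multiple interfaces"

class SessionTable:
    """Simplified stateful inspection: a SYN creates a session that remembers its ingress interface."""

    def __init__(self, asymroute: bool = False):
        self.asymroute = asymroute          # models 'config system global / set asymroute enable'
        self.sessions: Dict[Key, str] = {}  # forward 4-tuple -> interface the request arrived on

    @staticmethod
    def forward_key(p: Packet) -> Key:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_key(p: Packet) -> Key:
        return (p.dst, p.dport, p.src, p.sport)

    def handle(self, p: Packet) -> str:
        fk = self.forward_key(p)
        if fk in self.sessions:
            # Request direction of a known session, but arriving on a different
            # interface than the original request did.
            if self.sessions[fk] != p.iface and not self.asymroute:
                return DROP_MULTI_IFACE
            return "accept"
        if self.reverse_key(p) in self.sessions:
            return "accept"                  # reply to a request the unit has seen
        if p.syn:
            self.sessions[fk] = p.iface      # new session
            return "accept"
        # Neither a session start nor part of a known session: a reply whose
        # request went around the unit on another path.
        return "accept" if self.asymroute else DROP_NO_REQUEST

def run(packets: List[Packet], asymroute: bool = False) -> List[str]:
    """Evaluate a packet trace in order and return one verdict per packet."""
    table = SessionTable(asymroute)
    return [table.handle(p) for p in packets]

# Constructed trace: the first session is symmetric; the third packet is a reply
# whose request bypassed the unit; the fourth repeats the first session on a
# third interface.
TRACE = [
    Packet("vlan10", "192.168.10.5", 40000, "10.1.1.2", 80, syn=True),   # request seen
    Packet("vlan20", "10.1.1.2", 80, "192.168.10.5", 40000),              # matching reply
    Packet("vlan20", "10.1.1.9", 443, "192.168.10.7", 40001),             # reply, request never seen
    Packet("vlan30", "192.168.10.5", 40000, "10.1.1.2", 80),              # same session, other interface
]
```

If the third verdict is what you see on a real unit, fixing the routing so that both directions pass the same FortiGate interface pair is the durable solution; the `asymroute` run of the same trace shows that the global setting simply stops looking for either problem.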
Layer 2 traffic
By default, FortiGate units do not pass Layer-2 traffic. If there are Layer-2
protocols such as IPX, PPTP or L2TP in use on your network, you need to
configure FortiGate interfaces to pass them. You can do this using the CLI:
config system interface
edit <name_str>
set l2forward enable
end
where <name_str> is the name of an interface.
ARP traffic
Forward-domain solution
You may run into problems using the multiple VDOMs solution to solve the same
MAC address seeming to originate on multiple interfaces. It is possible that you
have more VLANs than licensed VDOMs, not enough physical interfaces or your
configuration may work better by grouping some VLANs together. In these
situations the separate VDOMs solution may not work for you.
In these situations, the solution is to use the forward-domain
<collision_group> CLI command. This command tags VLAN traffic as
belonging to a particular forward-domain collision group, and only VLANs tagged
as part of that collision group receive that traffic. By default, interfaces and VLANs
are part of forward-domain collision group 0.
This solution has many benefits, from reduced administration and fewer physical
interfaces to more flexible network designs.
In the following example, forward-domain collision group 340 includes VLAN 340
traffic on Port1 and untagged traffic on Port2. Forward-domain collision group 341
includes VLAN 341 traffic on Port1 and untagged traffic on Port3. All other
interfaces are part of forward-domain collision group 0 by default.
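The following is an added Python model of the example just given (not code from the guide or from Fortinet): a Layer-2 forwarder whose MAC table is scoped by forward-domain collision group, loaded with group 340 (VLAN 340 on Port1 plus untagged Port2), group 341 (VLAN 341 on Port1 plus untagged Port3) and group 0 for the remaining ports. The port names Port4 and Port5, the MAC addresses and the frames are constructed. It shows both effects the text describes: a frame is flooded only to the members of its own group, and the same MAC address seen on VLAN 340 and on VLAN 341 is learned twice, once per group, instead of appearing to flap between interfaces.

```python
from typing import Dict, List, Optional, Tuple

Iface = Tuple[str, Optional[int]]   # (port, VLAN ID); VLAN None means untagged traffic on the port
BROADCAST = "ff:ff:ff:ff:ff:ff"

# forward-domain collision group of each interface, reproducing the example in the text
FORWARD_DOMAIN: Dict[Iface, int] = {
    ("port1", 340): 340,
    ("port2", None): 340,
    ("port1", 341): 341,
    ("port3", None): 341,
    ("port4", None): 0,     # constructed: every other interface stays in group 0
    ("port5", None): 0,
}

class ForwardDomainSwitch:
    """Layer-2 forwarding in which learning and flooding are confined to a collision group."""

    def __init__(self, domains: Dict[Iface, int]):
        self.domains = domains
        # Keyed by (group, MAC): one MAC may legitimately live in several groups.
        self.mac_table: Dict[Tuple[int, str], Iface] = {}

    def members(self, group: int) -> List[Iface]:
        return [ifc for ifc, g in self.domains.items() if g == group]

    def receive(self, port: str, vlan: Optional[int], src_mac: str, dst_mac: str) -> List[Iface]:
        """Return the interfaces the frame is sent out of (empty list means dropped)."""
        ingress: Iface = (port, vlan)
        group = self.domains.get(ingress)
        if group is None:
            return []                                   # no interface for this port/VLAN combination
        self.mac_table[(group, src_mac)] = ingress      # learn, scoped to this group only
        known = self.mac_table.get((group, dst_mac))
        if dst_mac == BROADCAST or known is None:
            # Flood, but only to the other members of the same collision group.
            return [ifc for ifc in self.members(group) if ifc != ingress]
        if known == ingress:
            return []                                   # destination is on the ingress segment
        return [known]

def learned_locations(switch: ForwardDomainSwitch, mac: str) -> List[Iface]:
    """Where a MAC has been learned, across all groups: shows there is no conflict between groups."""
    return [ifc for (group, m), ifc in switch.mac_table.items() if m == mac]
```

The `members` lookup is what the forward-domain setting buys you: traffic for group 340 never reaches Port3, even though Port1 carries both VLAN 340 and VLAN 341 on the same trunk, so the two groups behave like two separate switches without the cost of two physical interfaces or two VDOMs.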
NetBIOS
Networked computers running Microsoft Windows operating systems rely on a
WINS server to resolve host names to IP addresses. The hosts communicate with
the WINS server using the NetBIOS protocol. To support this type of network you
need to enable the forwarding of NetBIOS requests to a WINS server. Enter the
following CLI commands:
config system interface
edit <interface>
set netbios_forward enable
set wins-ip <wins_server_ip>
end
where <interface> is the name of the interface and <wins_server_ip> is
the IP address of the WINS server. These commands apply only in NAT/Route
mode.
STP forwarding
The FortiGate unit does not participate in the Spanning Tree protocol (STP). STP
is an IEEE 802.1 protocol to ensure there are no Layer-2 loops on the network.
Loops happen when there is more than one path for traffic to take and that traffic
is broadcast back to the original switch, creating a loop that floods the network
with never-ending traffic.
If you use the FortiGate unit in a network topology that relies on STP for network
loop protection, you need to make changes to the FortiGate configuration.
Otherwise, STP sees the FortiGate unit as a blocked link and forwards the data to
another path. By default, the FortiGate unit blocks STP as well as other non-IP
protocol traffic.
Using the CLI, you can enable forwarding of STP and other Layer 2 protocols
through the interface:
config system interface
edit <name_str>
set l2forward enable
set stpforward enable
end
where <name_str> is the name of the interface. This configuration will also allow
Layer-2 protocols such as IPX, PPTP or L2TP to be used on the network. For
more information see Layer 2 traffic on page 131.