Multi vdom at digidraft.net

Multi vdom

2017-01-21

Recently I had the opportunity to configure a FortiGate 1200D. The main idea was to find a way to simulate the multi-context feature that Cisco ASA has, and to move customers to the new equipment.

FortiOS allows you to create virtual domains (VDOMs) that divide the main unit into many virtual units. Each virtual domain provides its own firewall policies, NAT, routing and VPN services for the networks connected to it.

The diagram below shows the main domain vdom0 and two client domains, vdom1 and vdom2.

[Diagram: vdom0 with its OUTSIDE and INSIDE LAG interfaces, and the client domains vdom1 and vdom2]

vdom0 has two LAG interfaces, each containing two physical ports. The OUTSIDE LAG carries VLAN 5 with a public IP address on it. VLANs 10 and 20 on the INSIDE LAG are intended for the private networks.

To enable virtual domains globally, use:

config system global
    set vdom-admin enable
end

Create vdom0, bind physical ports 1 to 4 to it and create the two LAG (aggregate) interfaces:

config vdom
    edit vdom0
config system interface
    edit "port1"
        set vdom "vdom0"
    next
    edit "port2"
        set vdom "vdom0"
    next
    edit "port3"
        set vdom "vdom0"
    next
    edit "port4"
        set vdom "vdom0"
    next
    edit "OUTSIDE"
        set vdom "vdom0"
        set type aggregate
        set member "port1" "port3"
    next
    edit "INSIDE"
        set vdom "vdom0"
        set type aggregate
        set member "port2" "port4"
    next

Then create a VLAN interface with the public address on it and attach it to the OUTSIDE interface:

    edit "vl5"
        set vdom "vdom0"
        set ip 1.1.1.1 255.255.255.0
        set allowaccess ping
        set interface "OUTSIDE"
        set vlanid 5
    next
end

Create the default route for vdom0:

config router static
    edit 1
        set gateway 1.1.1.254
        set device "vl5"
    next
end
end

Here the fun part begins. FortiGate models have acceleration hardware that can offload resource-intensive processing from the main CPU. It comes as three kinds of processors: CP, SP and NP. The network processor (NP) provides fastpath acceleration by offloading communication sessions from the FortiGate CPU. To accelerate inter-VDOM traffic, use the NPU inter-VDOM links named npu0_vlink and npu1_vlink; other inter-VDOM links are not accelerated.

Create the remaining VDOMs. Add VLAN interfaces on the accelerated inter-VDOM links to build the links vdom0<>vdom1 and vdom0<>vdom2. For a link to work, its two VLAN interfaces must be added to the same inter-VDOM link pair (npu0_vlink0 and npu0_vlink1), must be on the same subnet and must have the same VLAN id.

config vdom
    edit vdom1
config system interface
    edit "vl10_npu1"
        set vdom "vdom0"
        set ip 192.168.10.1 255.255.255.252
        set interface "npu0_vlink0"
        set vlanid 11
    next
    edit "vl10_npu2"
        set vdom "vdom1"
        set ip 192.168.10.2 255.255.255.252
        set interface "npu0_vlink1"
        set vlanid 11
    next
end
end
config vdom
    edit vdom2
config system interface
    edit "vl20_npu1"
        set vdom "vdom0"
        set ip 192.168.10.5 255.255.255.252
        set interface "npu0_vlink0"
        set vlanid 12
    next
    edit "vl20_npu2"
        set vdom "vdom2"
        set ip 192.168.10.6 255.255.255.252
        set interface "npu0_vlink1"
        set vlanid 12
    next
end
end
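As an added example (not code from the post), a small Python checker that parses FortiOS `config system interface` stanzas and verifies the three requirements above for every NPU vlink pair: both ends on the same npuX_vlink0/npuX_vlink1 pair, the same VLAN id, and the same subnet. The sample input is the vdom0<>vdom1 link from the post; the function names `parse_interfaces` and `check_vlinks` are my own.

```python
# Added example (not code from the post): check the inter-VDOM link rule, i.e. both VLAN
# ends of a vdom<>vdom link are on the same NPU vlink pair (npuX_vlink0 / npuX_vlink1),
# share a VLAN id and share a subnet.  SAMPLE_CONFIG is constructed from the post's link.
import ipaddress
import re
SAMPLE_CONFIG = """config system interface
    edit "vl10_npu1"
        set vdom "vdom0"
        set ip 192.168.10.1 255.255.255.252
        set interface "npu0_vlink0"
        set vlanid 11
    next
    edit "vl10_npu2"
        set vdom "vdom1"
        set ip 192.168.10.2 255.255.255.252
        set interface "npu0_vlink1"
        set vlanid 11
    next
end
"""

def parse_interfaces(text):
    ifaces, cur = {}, None  # {name: {setting: value}} for each quoted edit ... next stanza
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r'edit "(.+)"$', line):
            cur = ifaces.setdefault(m.group(1), {})
        elif cur is not None and (m := re.match(r'set (\S+) (.+)$', line)):
            cur[m.group(1)] = m.group(2).replace('"', "")
        elif line == "next":
            cur = None
    return ifaces

def check_vlinks(text):
    # Returns a list of problems; an empty list means every NPU vlink pair is consistent.
    by_vlan, problems = {}, []
    for name, cfg in parse_interfaces(text).items():
        if re.match(r"npu\d+_vlink[01]$", cfg.get("interface", "")):
            by_vlan.setdefault(cfg.get("vlanid"), []).append((name, cfg))
    for vlan, ends in by_vlan.items():
        if len(ends) != 2:
            problems.append(f"vlan {vlan}: expected 2 ends, found {len(ends)}")
            continue
        (a, ca), (b, cb) = ends
        # ends must be vlink0/vlink1 of the same NPU, and 'ip <addr> <mask>' must give one subnet
        if ca["interface"][:-1] != cb["interface"][:-1] or ca["interface"] == cb["interface"]:
            problems.append(f"vlan {vlan}: {a} and {b} are not on a matching vlink pair")
        net_a, net_b = (ipaddress.ip_network(c["ip"].replace(" ", "/"), strict=False) for c in (ca, cb))
        if net_a != net_b:
            problems.append(f"vlan {vlan}: {a} ({net_a}) and {b} ({net_b}) are on different subnets")
    return problems
```

Run `check_vlinks` over the output of `show system interface` pasted into a file to catch a mismatched mask or VLAN id before the link silently fails to pass traffic.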

Then create the VLAN interfaces for the private networks and attach them to the INSIDE interface:

config system interface
    edit "vl10"
        set vdom "vdom1"
        set ip 192.168.0.1 255.255.255.252
        set allowaccess ping
        set interface "INSIDE"
        set vlanid 10
    next
    edit "vl20"
        set vdom "vdom2"
        set ip 192.168.0.5 255.255.255.252
        set allowaccess ping
        set interface "INSIDE"
        set vlanid 20
    next
end

Add routes: in each client VDOM a default route towards vdom0 over its inter-VDOM link and a route to the client's network behind the INSIDE VLAN, and in vdom0 a /32 route for each client's NAT address back to that client's VDOM:

config vdom
    edit vdom1
config router static
    edit 1
        set gateway 192.168.10.1
        set device "vl10_npu2"
    next
    edit 2
        set dst 192.168.1.0 255.255.255.0
        set gateway 192.168.0.2
        set device "vl10"
    next
end
end
config vdom
    edit vdom2
config router static
    edit 1
        set gateway 192.168.10.5
        set device "vl20_npu2"
    next
    edit 2
        set dst 192.168.2.0 255.255.255.0
        set gateway 192.168.0.6
        set device "vl20"
    next
end
end
config vdom
    edit vdom0
config router static
    edit 2
        set dst 2.2.2.1 255.255.255.255
        set gateway 192.168.10.2
        set device "vl10_npu1"
    next
    edit 3
        set dst 2.2.2.2 255.255.255.255
        set gateway 192.168.10.6
        set device "vl20_npu1"
    next
end
end

Create the firewall policies in vdom0 that allow traffic from each inter-VDOM link out to vl5:

config vdom
    edit vdom0
config firewall policy
    edit 1
        set name "ALLOW_vl10"
        set srcintf "vl10_npu1"
        set dstintf "vl5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "ALLOW_vl20"
        set srcintf "vl20_npu1"
        set dstintf "vl5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
end

In vdom1 and vdom2, allow all traffic towards vdom0 and NAT it to 2.2.2.1 and 2.2.2.2 respectively, using an IP pool in each VDOM:

config vdom
    edit vdom1
config firewall ippool
    edit "vl10_pool"
        set startip 2.2.2.1
        set endip 2.2.2.1
    next
end
config firewall policy
    edit 1
        set name "allow_all_nat"
        set srcintf "vl10"
        set dstintf "vl10_npu2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "vl10_pool"
    next
end
end
config vdom
    edit vdom2
config firewall ippool
    edit "vl20_pool"
        set startip 2.2.2.2
        set endip 2.2.2.2
    next
end
config firewall policy
    edit 1
        set name "allow_all_nat"
        set srcintf "vl20"
        set dstintf "vl20_npu2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "vl20_pool"
    next
end
end