Monday, March 4, 2013

Using Virtual Domains to host more than one FortiOS instance on a single FortiGate unit

Scenario
Providing Internet connectivity and security for two private networks with a single FortiGate unit.
Solution
Use virtual domains (VDOMs) to divide the FortiGate unit into two or more virtual instances of FortiOS that function like independent FortiGate units. Each VDOM has its own physical interfaces, routing configuration, and security policies.
This example simulates an ISP that provides Company A and Company B with Internet services. Each company would have its own Internet IP address and internal network. This configuration requires:
Two VDOMs: VDOM-A and VDOM-B each operating in NAT/Route mode with two interfaces, one for a connection to the Internet and one for a connection to the internal network.
The routing configuration of the example is simplified to only require a default static route from each VDOM to an Internet gateway router.
Create VDOM-A and VDOM-B
Enable multiple VDOM mode, create the VDOMs, configure the interfaces, and add them to their VDOMs.
1 Connect to the FortiGate web-based manager and, from the Dashboard System Information widget, select Enable beside Virtual Domain.
2 Go to System > VDOM > VDOM and select Create New to create two VDOMs with the following configuration:
For company A:
  Name: VDOM-A
  Enable: Select
  Operation Mode: NAT
For company B:
  Name: VDOM-B
  Enable: Select
  Operation Mode: NAT
3 Go to System > Network > Interface, edit port1, and add it to VDOM-A:
  Name: port1
  Virtual Domain: VDOM-A
  Addressing Mode: Manual
  IP/Netmask: 172.20.120.10/255.255.255.0
Edit port2 and add it to VDOM-A:
  Name: port2
  Virtual Domain: VDOM-A
  Addressing Mode: Manual
  IP/Netmask: 192.168.10.1/255.255.255.0
  Administrative Access: HTTPS, PING, SSH
Edit port3 and add it to VDOM-B:
  Name: port3
  Virtual Domain: VDOM-B
  Addressing Mode: Manual
  IP/Netmask: 172.20.120.20/255.255.255.0
Edit port4 and add it to VDOM-B:
  Name: port4
  Virtual Domain: VDOM-B
  Addressing Mode: Manual
  IP/Netmask: 192.168.20.1/255.255.255.0
  Administrative Access: HTTPS, PING, SSH
4 Go to System > Admin > Administrators and select Create New to add an administrator for VDOM-A:
  Administrator: a-admin
  Type: Regular
  Password: passw0rda
  Confirm Password: passw0rda
  Admin Profile: prof_admin
  Virtual Domain: VDOM-A
5 Go to System > Admin > Administrators and select Create New to add an administrator for VDOM-B:
  Administrator: b-admin
  Type: Regular
  Password: passw0rdb
  Confirm Password: passw0rdb
  Admin Profile: prof_admin
  Virtual Domain: VDOM-B
Create a basic configuration for VDOM-A
Add a default route, a DHCP server, and a security policy so that company A users get their IP configuration from the FortiGate unit and can connect to the Internet.
1 Beside Current VDOM select VDOM-A.
2 Go to Router > Static > Static Route and select Create New to add the default route for VDOM-A:
  Destination IP/Mask: 0.0.0.0/0.0.0.0
  Device: port1
  Gateway: 172.20.120.2
3 Go to System > Network > DHCP Server and select Create New to add a DHCP server:
  Interface Name: port2
  Mode: Server
  Type: Regular
  IP: 192.168.10.100-192.168.10.200
  Network Mask: 255.255.255.0
  Default Gateway: 192.168.10.1
4 Configure the DNS Service as required for the network.
5 Select OK to save the port2 DHCP server.
6 Connect a PC to the port2 interface and configure it to get an IP address automatically using DHCP.
7 Log in to VDOM-A by browsing to https://192.168.10.1 and entering a-admin as the Name and passw0rda as the Password.
8 Go to Policy > Policy > Policy and select Create New to create a security policy that allows users on the company A internal network to connect to the Internet:
  Source Interface/Zone: port2
  Source Address: all
  Destination Interface/Zone: port1
  Destination Address: all
  Schedule: always
  Service: ANY
  Action: ACCEPT
9 Select Enable NAT and Use Destination Interface Address.
10 Select OK to save the security policy.
11 Test the configuration by connecting to the Internet from the PC.
You should be able to connect to the Internet. If not, check the configuration or use the steps described in "Troubleshooting NAT/Route mode installations" to find the problem.
12 Configure the computers on the company A network to get their IP configuration automatically using DHCP.
Create a basic configuration for VDOM-B
Add a default route, a DHCP server, and a security policy so that company B users get their IP configuration from the FortiGate unit and can connect to the Internet.
1 Log in to the FortiGate unit as the admin administrator (or any administrator with the super_admin profile).
2 Beside Current VDOM select VDOM-B.
3 Go to Router > Static > Static Route and select Create New to add the default route for VDOM-B:
  Destination IP/Mask: 0.0.0.0/0.0.0.0
  Device: port3
  Gateway: 172.20.120.2
4 Go to System > Network > DHCP Server and select Create New to add a DHCP server:
  Interface Name: port4
  Mode: Server
  Type: Regular
  IP: 192.168.20.100-192.168.20.200
  Network Mask: 255.255.255.0
  Default Gateway: 192.168.20.1
5 Configure the DNS Service as required for the network.
6 Select OK to save the port4 DHCP server.
7 Connect a PC to the port4 interface and configure it to get an IP address automatically using DHCP.
8 Log in to VDOM-B by browsing to https://192.168.20.1 and entering b-admin as the Name and passw0rdb as the Password.
9 Go to Policy > Policy > Policy and select Create New to create a security policy that allows users on the company B internal network to connect to the Internet:
  Source Interface/Zone: port4
  Source Address: all
  Destination Interface/Zone: port3
  Destination Address: all
  Schedule: always
  Service: ANY
  Action: ACCEPT
10 Select Enable NAT and Use Destination Interface Address.
11 Select OK to save the security policy.
12 Test the configuration by connecting to the Internet from the PC.
You should be able to connect to the Internet. If not, check the configuration or use the steps described in "Troubleshooting NAT/Route mode installations" to find the problem.
13 Configure the computers on the company B network to get their IP configuration automatically using DHCP.
Results
Connect to the Internet from the company A and company B networks. From either VDOM, go to Policy > Monitor > Policy Monitor and confirm that the policies that you added are allowing traffic through the individual VDOMs.
You can use the packet sniffer to verify that traffic is staying in a VDOM. For example, enter the following command from the FortiGate CLI and then ping from one of the internal networks to an address on the Internet.
diagnose sniffer packet any 'icmp' 4 10
interfaces=[any]
filters=[icmp]
10.728968 port4 in 192.168.20.100 -> 66.171.121.34: icmp: echo request
10.729158 port3 out 172.20.120.20 -> 66.171.121.34: icmp: echo request
10.821152 port3 in 66.171.121.34 -> 172.20.120.20: icmp: echo reply
10.821288 port4 out 66.171.121.34 -> 192.168.20.100: icmp: echo reply
11.729230 port4 in 192.168.20.100 -> 66.171.121.34: icmp: echo request
11.729431 port3 out 172.20.120.20 -> 66.171.121.34: icmp: echo request
11.821349 port3 in 66.171.121.34 -> 172.20.120.20: icmp: echo reply
11.821481 port4 out 66.171.121.34 -> 192.168.20.100: icmp: echo reply
The command output shows that the session uses only the port4 and port3 interfaces, both of which are in VDOM-B: the request enters on port4, is source-NATed to the port3 address, and leaves on port3.

If you log in as an administrator with the super_admin profile, you can sniff any interface. If you log in as a-admin or b-admin (an administrator for a single VDOM), you can only sniff interfaces in that administrator's VDOM. To access the packet sniffer you must log in to a VDOM; it is not available from the global configuration.
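As an added check that is not part of the original post, the following Python parses verbosity-4 sniffer lines like the ones above and confirms that every packet the unit forwarded entered and left on interfaces of the same VDOM, using the port-to-VDOM assignment from this recipe (port1/port2 in VDOM-A, port3/port4 in VDOM-B). The sample input is constructed from the output shown above; the function names are my own.

```python
import re

# Interface-to-VDOM assignment taken from the recipe: port1/port2 in VDOM-A, port3/port4 in VDOM-B.
VDOM_OF = {"port1": "VDOM-A", "port2": "VDOM-A", "port3": "VDOM-B", "port4": "VDOM-B"}

# Constructed sample input: the first ping of the sniffer output shown above, plus its two header lines.
SAMPLE = """interfaces=[any]
filters=[icmp]
10.728968 port4 in 192.168.20.100 -> 66.171.121.34: icmp: echo request
10.729158 port3 out 172.20.120.20 -> 66.171.121.34: icmp: echo request
10.821152 port3 in 66.171.121.34 -> 172.20.120.20: icmp: echo reply
10.821288 port4 out 66.171.121.34 -> 192.168.20.100: icmp: echo reply
"""

# Verbosity-4 sniffer line: <timestamp> <interface> <in|out> <src> -> <dst>: <proto>: <info>
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<intf>\S+) (?P<dir>in|out) (?P<src>[\d.]+) -> (?P<dst>[\d.]+): (?P<proto>\w+): (?P<info>.*)$")


def parse_sniffer(text):
    """Return one dict per packet line; header lines that do not match the pattern are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(m.groupdict())
    return pkts


def pair_forwarded(pkts):
    """Pair each 'in' packet with the 'out' packet the unit emits next: (in_intf, out_intf, in_src, out_src).
    Comparing in_src with out_src also shows the source NAT to the egress interface address."""
    pairs, pending = [], None
    for p in pkts:
        if p["dir"] == "in":
            pending = p
        elif pending is not None:
            pairs.append((pending["intf"], p["intf"], pending["src"], p["src"]))
            pending = None
    return pairs


def cross_vdom_pairs(pkts):
    """Forwarded pairs whose ingress and egress interfaces belong to different VDOMs (expected: none)."""
    return [pr for pr in pair_forwarded(pkts) if VDOM_OF.get(pr[0]) != VDOM_OF.get(pr[1])]


def vdoms_seen(pkts):
    """Map each VDOM to the set of its interfaces that appear in the capture."""
    seen = {}
    for p in pkts:
        seen.setdefault(VDOM_OF.get(p["intf"], "unassigned"), set()).add(p["intf"])
    return seen
```

On the capture above, vdoms_seen reports only VDOM-B with port3 and port4, and cross_vdom_pairs is empty; a non-empty result would mean traffic left a VDOM through an interface that belongs to another one, which is exactly what the VDOM split is meant to prevent.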
Thanks
R.karthikeyan