Chapter 8 – VDOM

8-2 Inter-VDOM routing

Learning Objectives

  • Configure a VDOM to pass traffic between VDOMs
  • Configure inter-VDOM routing

 

Scenario: Inter-VDOM routing is the communication between VDOMs. VDOM links are virtual interfaces that connect VDOMs. A VDOM link contains a pair of interfaces, each one connected to a VDOM and forming either end of the inter-VDOM connection. We want to create a link between the Sales and Accounting VDOMs so that traffic from WebTerm-1 can reach WebTerm-2.
Figure 8-19: main scenario
Table 8-2: Devices configuration

| Device | IP address | Access |
|---|---|---|
| WebTerm-1 | 192.168.1.2/24 | |
| WebTerm-2 | 172.16.1.2/24 | |
| FortiGate | Port 1: DHCP Client; Port 2: 172.16.1.1/24; Port 3: 192.168.1.1/24 | Port 1: https, ping |
| Cloud1 | | |

1- First, enable VDOMs in the firewall

FGVM01TM19008000 # config system global

FGVM01TM19008000 (global) # set vdom-mode multi-vdom

FGVM01TM19008000 (global) # end

2- Create two VDOMs, Sales and Accounting.

Figure 8-20: Create a VDOM sales
Figure 8-21: Create a VDOM Accounting

3- Configure IP addresses for the interfaces port2 and port3. Assign port3 to the Sales VDOM and port2 to the Accounting VDOM.

Figure 8-22: Port2 and Port3 IP Address configuration
Figure 8-23: Port2 Configuration
Figure 8-24: Port3 Configuration

4- Go to Global VDOM > Network > Interfaces, create a new VDOM link, and configure it as shown in Figure 8-25:

Figure 8-25: Create a VDOM link between Sales and Accounting

5- In the Accounting VDOM, create two static routes:

Destination: 192.168.1.0/255.255.255.0

Interface: Accounting-Sales

Gateway: 10.10.10.2

Figure 8-26: Create a static route in Accounting VDOM

Destination: 172.16.1.0/255.255.255.0

Interface: Accounting-Sales

Gateway: 10.10.10.2

Figure 8-27: Create a static route in Accounting VDOM

6- In the Accounting VDOM, create two firewall policies:

  • Incoming: Port 2
  • Outgoing: AS0
  • NAT Disable
Figure 8-28: Create a Firewall Policy in Accounting VDOM from Port2 to AS0

Incoming:

  • Incoming: AS0
  • Outgoing: Port2
  • NAT Disable
Figure 8-29: Create a Firewall Policy in Accounting VDOM from AS0 to Port2

7- In the Sales VDOM, create two static routes:

  • Destination: 192.168.1.0/255.255.255.0
  • Interface: AS1
  • Gateway: 10.10.10.1
Figure 8-30: Create a static route in sales VDOM
  • Destination: 172.16.1.0/255.255.255.0
  • Interface: AS1
  • Gateway: 10.10.10.1
Figure 8-31: Create a static route in sales VDOM

8- In the Sales VDOM, create two firewall policies:

  • Incoming: Port3
  • Outgoing: AS1
  • NAT Disable
Figure 8-32: Create a Firewall Policy in sales VDOM from Port3 to AS1
  • Incoming: AS1
  • Outgoing: Port3
  • NAT Disable
Figure 8-33: Create a Firewall Policy in sales VDOM from AS1 to Port3

9- Now verify your configuration: you should be able to ping from WebTerm1 to WebTerm2.

Figure 8-34: Verify configuration
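
The Accounting side of steps 5 and 6 as FortiOS CLI, added here as an example and not taken from the original chapter. It assumes the Accounting end of the VDOM link is the interface the policies call AS0; the address object names, policy names, entry IDs and the ping-only service scope are illustrative choices. Only the route to the remote 192.168.1.0/24 subnet is entered, because 172.16.1.0/24 is already directly connected on port2.

```fortios
# Added example (not from the chapter). Object names, policy names, IDs 1/2 and
# the PING-only scope are assumptions; AS0, port2, subnets and gateway are from the steps.
config vdom
edit Accounting
config firewall address
    edit "Accounting-LAN"
        set subnet 172.16.1.0 255.255.255.0
    next
    edit "Sales-LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config router static
    edit 1
        set dst 192.168.1.0 255.255.255.0
        set gateway 10.10.10.2
        set device "AS0"
    next
end
config firewall policy
    edit 1
        set name "Accounting-to-Sales"
        set srcintf "port2"
        set dstintf "AS0"
        set srcaddr "Accounting-LAN"
        set dstaddr "Sales-LAN"
        set action accept
        set schedule "always"
        set service "PING"
        set nat disable
        set logtraffic all
    next
    edit 2
        set name "Sales-to-Accounting"
        set srcintf "AS0"
        set dstintf "port2"
        set srcaddr "Sales-LAN"
        set dstaddr "Accounting-LAN"
        set action accept
        set schedule "always"
        set service "PING"
        set nat disable
        set logtraffic all
    next
end
end
```

Scoping the source, destination and service keeps the VDOM link from becoming an unrestricted path between the two VDOMs, and logging every session on both policies gives a record of cross-VDOM traffic.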

To delete a VDOM link in the CLI:

config system vdom-link

delete <VDOM-LINK-Name>

end

 
