USER GUIDE. FortiGate VLANs and VDOMs Version


USER GUIDE FortiGate VLANs and VDOMs Version 3.0

FortiGate VLANs and VDOMs User Guide Version July

Copyright 2006 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks

Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Regulatory compliance

FCC Class A Part 15 CSA/CUS

Caution: If you install a battery that is not the correct type, it could explode. Dispose of used batteries according to local regulations.

Contents

Introduction
  About FortiGate VLANs and VDOMs
  About this document
  Document conventions
  Typographic conventions
  FortiGate documentation
  Related documentation
  FortiManager documentation
  FortiClient documentation
  FortiMail documentation
  FortiAnalyzer documentation
  Fortinet Knowledge Center
  Comments on Fortinet technical documentation
  Customer service and technical support

Introduction to VLANs and VDOMs
  Overview of VLAN technology
  VLAN layer-2 switching
  Layer-2 VLAN example
  VLAN layer-3 routing
  Layer-3 VLAN Example
  Rules for VLAN IDs
  Overview of Virtual Domains
  Maximum number of VDOMs
  Inter-VDOM routing
  Management VDOM
  Administration of virtual domains
  Global and virtual domain settings
  For more information

Using VLANs in NAT/Route mode
  Overview
  Configuring FortiGate units in NAT/Route mode
  Adding VLAN subinterfaces
  Creating firewall policies
  Configuring routing
  Example configuration NAT/Route mode (simple)
  General configuration steps
  Configuring the FortiGate-800 unit
  Configuring the external interface
  Adding VLAN subinterfaces
  Adding the firewall addresses
  Adding the firewall policies
  Configuring the Cisco switch to support VLAN tags
  Testing the configuration
  Testing traffic from VLAN 100 to VLAN
  Testing traffic from VLAN 100 to the external network
  Example configuration NAT/Route mode (complex)
  General configuration steps
  Configuring the FortiGate-800 unit
  Adding the VLAN subinterfaces
  Adding a default route
  Adding the firewall addresses
  Adding the firewall policies
  Configuring the FortiGate-800 IPSec VPN tunnel and encrypt policy
  Configuring the VPN gateway
  Configuring the VPN tunnel
  Defining the VPN user IP address
  Adding the encrypt policy
  Configuring the VPN client
  Creating a new VPN connection
  Configuring the internal Cisco switch
  Configuring the VLAN subinterfaces and the trunk interfaces
  Configuring the external Cisco switch
  Configuring the VLAN subinterfaces and the trunk interfaces
  Testing the configuration
  Testing traffic from VLAN 20 to VLAN
  Testing traffic from VLAN 10 to the external network

Using VDOMs in NAT/Route mode
  Overview
  Getting started with VDOMs
  Enabling virtual domain configuration
  Creating virtual domains
  Creating administrators for virtual domains
  Accessing virtual domains to configure them
  Configuring virtual domains
  Changing the management VDOM
  Adding interfaces and VLAN subinterfaces to a virtual domain
  Configuring routing for a virtual domain
  Configuring firewall policies for a virtual domain
  Configuring VPNs for a virtual domain
  Example VDOM configuration in NAT/Route mode (simple)
  General configuration steps
  Creating the virtual domains
  Configuring the FortiGate-800 external and DMZ interfaces
  Start the FortiGate web-based manager to configure the FortiGate unit. Select Global Configuration. This section configures the interfaces for each company and their connections to the Internet.
  Configuring the external interface
  Configuring the DMZ interface
  Configuring the ABCdomain VDOM
  Adding the VLAN subinterface
  Selecting the ABCdomain VDOM
  Adding ABCdomain firewall addresses
  Adding the ABCdomain firewall policy
  Adding a default route
  Configuring the DEFdomain VDOM
  Adding the VLAN 200 subinterface
  Selecting the DEFdomain VDOM
  Adding the DEFdomain firewall address
  Adding the DEFdomain firewall policy
  Adding a default route
  Configuring the Cisco switch
  Configuring the VLAN subinterfaces and the trunk interfaces
  Testing the configuration
  Testing traffic from VLAN 100 to the external network
  Testing traffic from VLAN 200 to the DMZ network
  Example VDOM configuration in NAT/Route mode (complex)
  General configuration steps
  Creating the virtual domains
  Configuring the ABCdomain VDOM
  Selecting the ABCdomain virtual domain
  Adding the VLAN subinterfaces
  Adding a default route
  Adding the firewall addresses
  Adding the firewall policies
  Configuring the Commercial VDOM
  Selecting the Commercial VDOM
  Adding the VLAN subinterfaces
  Adding a default route
  Adding the firewall addresses
  Adding the firewall policies
  Configuring the Cisco switch
  Configuring the VLAN subinterfaces and the trunk interfaces
  Testing the configuration
  Testing traffic from instructors network to student network
  Other tests

Using VLANs and VDOMs in Transparent mode
  Overview
  VLANs and virtual domains
  Configuring the FortiGate unit in Transparent mode
  Adding VLAN subinterfaces
  Creating firewall policies
  Example configuration Transparent mode (simple)
  General configuration steps
  Configuring the FortiGate-800 unit
  Adding VLAN subinterfaces
  Adding the firewall policies
  Configuring the Cisco switch
  Configuring the VLAN subinterfaces and the trunk interfaces
  Configuring the Cisco router
  Configuring the VLAN subinterfaces and the trunk interfaces
  Testing the configuration
  Testing traffic from VLAN 100 to VLAN
  Example configuration Transparent mode (multiple virtual domains)
  Configuring global items
  Creating schedules
  Creating protection profiles
  Creating virtual domains
  Configuring the ABCdomain
  Adding VLAN subinterfaces
  Selecting the ABCdomain VDOM
  Creating service groups
  Configuring ABCdomain firewall addresses
  Configuring ABCdomain firewall policies
  Configuring the DEFdomain
  Adding VLAN subinterfaces
  Selecting the DEFdomain VDOM
  Creating service groups
  Configuring DEFdomain firewall addresses
  Configuring DEFdomain firewall policies
  Configuring the XYZdomain
  Adding VLAN subinterfaces
  Selecting the XYZdomain VDOM
  Creating service groups
  Configuring XYZdomain firewall addresses
  Configuring XYZdomain firewall policies
  Configuring the Cisco switch
  Configuring switch
  Configuring switch
  Testing the configuration
  Testing traffic from VLAN 100 to the Internet

Inter-VDOM routing
  Overview
  Benefits of inter-VDOM routing
  Freeing up physical interfaces
  Continuing to use secure firewall policies
  More flexible configurations
  Getting started with inter-VDOM routing
  Available inter-VDOM configurations
  Stand-alone VDOM
  Independent VDOMs
  Management VDOM
  Meshed VDOMs
  FortiManager and inter-VDOMs
  Configuring inter-VDOMs with FortiManager
  Inter-VDOM planning
  Complexity
  Making changes

Avoiding Problems with VLANs
  Overview
  Asymmetric routing
  Layer 2 traffic
  ARP traffic
  Multiple VDOMs solution
  Forward-domain solution
  NetBIOS
  STP forwarding

Index

Introduction

This chapter introduces you to FortiGate VLANs and VDOMs and the following topics:

- About FortiGate VLANs and VDOMs
- About this document
- FortiGate documentation
- Related documentation
- Customer service and technical support

About FortiGate VLANs and VDOMs

Virtual Local Area Networks (VLANs) and Virtual Domains (VDOMs) multiply the capabilities of your FortiGate unit. VLANs increase the number of network interfaces beyond the physical connections on the unit. VDOMs enable the unit to function as multiple independent units with common administration.

About this document

This document describes how to implement IEEE 802.1Q VLAN technology on FortiGate units operating in both NAT/Route and Transparent mode. It also describes how to use FortiGate VDOMs to provide separate network protection, routing and VPN configurations for multiple organizations.

This document contains the following chapters:

- Introduction to VLANs and VDOMs
- Using VLANs in NAT/Route mode
- Using VDOMs in NAT/Route mode
- Using VLANs and VDOMs in Transparent mode
- Inter-VDOM routing
- Avoiding Problems with VLANs

Each of the Using sections contains detailed example configurations.

Document conventions

The following document conventions are used in this guide:

- In the examples, private IP addresses are used for both private and public IP addresses.
- Notes and Cautions are used to provide important information:

Note: Highlights useful additional information.

Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Typographic conventions

FortiGate documentation uses the following typographical conventions (convention, followed by an example):

- Keyboard input: In the Gateway Name field, type a name for the remote VPN peer or client (for example, Central_Office_1).
- Code examples:
    config sys global
    set ips-open enable
    end
- CLI command syntax:
    config firewall policy
    edit id_integer
    set http_retry_count <retry_integer>
    set natip <address_ipv4mask>
    end
- Document names: FortiGate Administration Guide
- File content: <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD> <BODY><H4>You must authenticate to use this service.</h4>
- Menu commands: Go to VPN > IPSEC > Phase 1 and select Create New.
- Program output: Welcome!
- Variables: <address_ipv4>

FortiGate documentation

Information about FortiGate products is available from the following guides:

- FortiGate QuickStart Guide: Provides basic information about connecting and installing a FortiGate unit.
- FortiGate Installation Guide: Describes how to install a FortiGate unit. Includes a hardware reference, default configuration information, installation procedures, connection procedures, and basic configuration procedures. Choose the guide for your product model number.
- FortiGate Administration Guide: Provides basic information about how to configure a FortiGate unit, including how to define FortiGate protection profiles and firewall policies; how to apply intrusion prevention, antivirus protection, web content filtering, and spam filtering; and how to configure a VPN.
- FortiGate online help: Provides a context-sensitive and searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.

- FortiGate CLI Reference: Describes how to use the FortiGate CLI and contains a reference to all FortiGate CLI commands.
- FortiGate Log Message Reference: Describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units.
- FortiGate High Availability User Guide: Contains in-depth information about the FortiGate high availability feature and the FortiGate clustering protocol.
- FortiGate IPS User Guide: Describes how to configure the FortiGate Intrusion Prevention System settings and how the FortiGate IPS deals with some common attacks.
- FortiGate IPSec VPN User Guide: Provides step-by-step instructions for configuring IPSec VPNs using the web-based manager.
- FortiGate PPTP VPN User Guide: Explains how to configure a PPTP VPN using the web-based manager.
- FortiGate Certificate Management User Guide: Contains procedures for managing digital certificates including generating certificate requests, installing signed certificates, importing CA root certificates and certificate revocation lists, and backing up and restoring installed certificates and private keys.

Related documentation

Additional information about Fortinet products is available from the following related documentation.

FortiManager documentation

- FortiManager QuickStart Guide: Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings.
- FortiManager System Administration Guide: Describes how to use the FortiManager System to manage FortiGate devices.
- FortiManager System online help: Provides a searchable version of the Administration Guide in HTML format. You can access online help from the FortiManager Console as you work.

FortiClient documentation

- FortiClient Host Security User Guide: Describes how to use FortiClient Host Security software to set up a VPN connection from your computer to remote networks, scan your computer for viruses, and restrict access to your computer and applications by setting up firewall policies.

- FortiClient Host Security online help: Provides information and procedures for using and configuring the FortiClient software.

FortiMail documentation

- FortiMail Administration Guide: Describes how to install, configure, and manage a FortiMail unit in gateway mode and server mode, including how to configure the unit; create profiles and policies; configure antispam and antivirus filters; create user accounts; and set up logging and reporting.
- FortiMail online help: Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
- FortiMail Web Mail Online Help: Describes how to use the FortiMail web-based client, including how to send and receive email; how to add, import, and export addresses; and how to configure message display preferences.

FortiAnalyzer documentation

- FortiLog Administration Guide: Describes how to install and configure a FortiLog unit to collect FortiGate and FortiMail log files. It also describes how to view FortiGate and FortiMail log files, generate and view log reports, and use the FortiLog unit as a NAS server.
- FortiLog online help: Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.

Fortinet Knowledge Center

The most recent Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains short how-to articles, FAQs, technical notes, product and feature guides, and much more. Visit the Fortinet Knowledge Center at

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet Technical Support web site at

You can also register Fortinet products and service contracts from and change your registration information at any time.

Technical support is available through email from any of the following addresses. Choose the address for your region:

- For customers in the United States, Canada, Mexico, Latin America and South America.
- For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.
- For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.

For information about our priority support hotline (live support), see

When requesting technical support, please provide the following information:

- your name
- your company's name and location
- your email address
- your telephone number
- your support contract number (if applicable)
- the product name and model number
- the product serial number (if applicable)
- the software or firmware version number
- a detailed description of the problem


Introduction to VLANs and VDOMs

Virtual Local Area Networks (VLANs) and Virtual Domains (VDOMs) multiply the capabilities of your FortiGate unit. VLANs use ID tags added to network frames to increase the number of network interfaces beyond the physical connections on the FortiGate unit. VDOMs enable the unit to function as multiple independent units with common administration. Both can provide added network security.

Using VLANs, a single FortiGate unit can provide security services and control connections between multiple security domains. Using VDOMs, a single FortiGate unit can serve multiple organizations. It can provide separate firewall policies and, in NAT/Route mode, completely separate routing and VPN configurations for each organization.

This document describes how to implement IEEE 802.1Q Virtual LAN (VLAN) technology on FortiGate units operating in both NAT/Route and Transparent mode. Example configurations illustrate how VLANs can be implemented between FortiGate units and other 802.1Q-compliant devices, such as Cisco switches and routers. This document also describes how to implement virtual domains (VDOMs) and presents example configurations to illustrate how VDOMs can be implemented on FortiGate units.

The information in this document applies to all FortiGate units. All FortiGate models support VLANs and VDOMs.

This document contains the following sections:

- Overview of VLAN technology
- Overview of Virtual Domains
- Using VLANs in NAT/Route mode
- Using VDOMs in NAT/Route mode
- Using VLANs and VDOMs in Transparent mode
- Inter-VDOM routing
- Avoiding Problems with VLANs

Each of the Using sections contains detailed example configurations.

Overview of VLAN technology

A LAN consists of network broadcast domains. A network broadcast domain includes all the computers that receive a packet broadcast from any computer in the broadcast domain. Switches automatically forward the packets to all ports on that switch, whereas by default routers separate broadcast domains by not automatically forwarding network broadcast packets. If a network has only switches and no routers, that network is considered one broadcast domain no matter how large it is.

Virtual LANs (VLANs) use ID tags to logically separate devices on a LAN into smaller broadcast domains. Each VLAN is its own broadcast domain. Smaller broadcast domains reduce traffic and increase network security. The IEEE 802.1Q standard defines VLANs. Layer 2 and layer 3 devices must be 802.1Q-compliant to support VLANs. For more information see VLAN layer-2 switching on page 16 and VLAN layer-3 routing on page 18.

VLANs reduce the size of the broadcast domains by only forwarding packets to ports that are part of that VLAN, or part of a trunk link. Trunk links form switch-switch or switch-router connections and forward all VLAN traffic. This enables VLANs to include devices that are on the network but physically distant.

A good example of when to use VLANs is an accounting department within a company. The accounting computers can be located in different buildings (main and branch offices). However, accounting computers need to communicate with each other frequently and require increased security. VLANs allow the accounting data to be sent only to accounting computers and connect accounting computers in different locations as if they were on the same physical subnet.

The VLAN ID tags used to define VLANs are a 4-byte frame extension that is applied by switches and routers to every packet sent and received by the devices in the VLAN. Workstations and desktop computers are not an active part of the VLAN process - all the VLAN tagging and tag removal is done after the packet has left the computer. For more information see Rules for VLAN IDs on page 19.

VLAN layer-2 switching

Switches are generally 802.1Q compliant - they are layer-2 devices. Layer-2 refers to the second layer of the OSI networking model - the Data Link layer. FortiGate units act as layer-2 switches when they are in Transparent Mode. They simply tag and forward the VLAN traffic or receive and remove the tag from it.

A VLAN can have any number of physical interfaces assigned to it. Physical interfaces can be assigned to multiple VLANs. Typically two or more physical interfaces are assigned to a VLAN - at least one for incoming and one for outgoing traffic. Multiple VLANs can be configured on the FortiGate unit, including trunk links. Trunk links are connections between switches or routers that pass all VLAN traffic along so that it can reach other parts of the network. This does not flood the network with traffic because switches and routers only deliver traffic to the VLAN it is addressed to.

Layer-2 VLAN example

To better understand VLAN operation, let's look at what happens to a data frame on a network that uses VLANs. Two 8-port switches are configured to support 2 VLANs on a network. Subnet 1 is connected to switch A and subnet 2 is connected to switch B. On switch A, ports 1 through 4 are part of VLAN 100. Port 8 on both switches is connected to an 802.1Q trunk link. Switch A's other ports (ports 5 through 7) belong to VLAN 200. On switch B, ports 4 and 5 are part of VLAN 100 and port 6 is part of VLAN 200. There are unassigned ports on switch B.

Figure 1: Example VLAN layer-2 switching configuration

Let's follow a data frame sent from a computer on subnet 1 that is part of VLAN 100. A computer on port 1 of switch A sends a data frame over the network. Switch A tags the data frame with a VLAN 100 ID tag upon arrival because port 1 is part of VLAN 100. Switch A forwards the tagged data frame to the other VLAN 100 ports - ports 2 through 4. Switch A also forwards the data frame to the 802.1Q trunk link (port 8) so other parts of the network that may contain VLAN 100 groups will receive VLAN 100 traffic. This data frame is not forwarded to the other ports on switch A because they are not part of VLAN 100. This increases security and decreases network traffic.

Switch B receives the data frame over the trunk link (port 8). There are VLAN 100 ports on switch B (ports 4 and 5) and the data frame is forwarded to those ports. As with switch A, the data frame is not delivered to VLAN 200. If there were no VLAN 100 ports on switch B, the switch would not forward the data frame and it would stop there.

Figure 2: Example VLAN Layer-2 packet delivery

Before a switch forwards the data frame to an end destination, it removes the VLAN 100 ID tag. The sending computer and the receiving computers are not aware of any VLAN tagging on the data frame. When any computer receives that data frame, it appears as a normal data frame.
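
The layer-2 walk-through above, as an added Python example (not code from this guide): it encodes the 4-byte 802.1Q tag and replays the frame's path through switch A and switch B. The Switch class, the sample frame, and the choice to drop tagged frames on access ports and untagged frames on trunk ports are assumptions of this example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that identifies an 802.1Q tag


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the destination and source MACs."""
    if not 1 <= vid <= 4094:  # 12-bit field; 0 and 4095 are reserved by 802.1Q
        raise ValueError(f"invalid VLAN ID {vid}")
    if not 0 <= pcp <= 7:
        raise ValueError(f"invalid priority {pcp}")
    tci = (pcp << 13) | vid  # priority (3 bits), DEI (1 bit, left 0), VLAN ID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes):
    """Return (vid, untagged_frame); vid is None if the frame carries no tag."""
    if len(frame) >= 16:
        tpid, tci = struct.unpack("!HH", frame[12:16])
        if tpid == TPID_8021Q:
            return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


class Switch:
    """Minimal 802.1Q switch: access ports carry one VLAN, trunk ports carry all."""

    def __init__(self, name, access, trunks):
        self.name = name
        self.access = dict(access)  # port number -> VLAN ID
        self.trunks = set(trunks)   # port numbers of 802.1Q trunk links

    def receive(self, in_port, frame):
        """Return {out_port: frame bytes} for a frame forwarded within its VLAN."""
        if in_port in self.trunks:
            vid, inner = strip_tag(frame)
            if vid is None:
                return {}  # assumption: untagged frames on a trunk are dropped
        else:
            vid = self.access.get(in_port)
            if vid is None or strip_tag(frame)[0] is not None:
                return {}  # unassigned port, or tagged frame on an access port
            inner = frame
        out = {}
        for port, port_vid in self.access.items():
            if port_vid == vid and port != in_port:
                out[port] = inner  # tag removed before delivery to an end host
        for port in self.trunks - {in_port}:
            out[port] = add_tag(inner, vid)  # tag kept on the trunk link
        return out


# Port assignments from the layer-2 example in the text.
SWITCH_A = Switch("A", {1: 100, 2: 100, 3: 100, 4: 100, 5: 200, 6: 200, 7: 200}, trunks={8})
SWITCH_B = Switch("B", {4: 100, 5: 100, 6: 200}, trunks={8})

# Constructed sample frame: broadcast destination, made-up source MAC, IPv4 EtherType.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"


def walk_example():
    """Send the sample frame into port 1 of switch A and follow it to switch B."""
    a_out = SWITCH_A.receive(1, SAMPLE_FRAME)
    b_out = SWITCH_B.receive(8, a_out[8])
    return a_out, b_out


if __name__ == "__main__":
    a_out, b_out = walk_example()
    for name, out in (("A", a_out), ("B", b_out)):
        for port in sorted(out):
            vid, _ = strip_tag(out[port])
            print(f"switch {name} port {port}: {'VLAN ' + str(vid) if vid else 'untagged'}")
```
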

VLAN layer-3 routing

Routers are layer-3 devices. Layer-3 refers to the third layer of the OSI networking model - the Network layer. FortiGate units act as layer-3 devices when they are in NAT/Route mode. As with layer-2, FortiGate units acting as layer-3 devices are 802.1Q-compliant.

The main difference between layer-2 and layer-3 devices is how they process VLAN tags. Layer-2 switches just add, read and remove the tags - they do not alter the tags or do any other high level actions. Layer-3 routers not only add, read and remove tags but they analyze the data frame and its contents. This analysis allows layer-3 routers to change the VLAN tag if it is appropriate and send the data frame out on a different VLAN.

In a layer-3 environment, the 802.1Q-compliant router receives the data frame and assigns a VLAN ID. The router then forwards the data frame to other members of the same VLAN broadcast domain. The broadcast domain can include local ports, layer-2 devices and layer-3 devices such as routers and firewalls. When a layer-3 device receives the data frame, the device removes the VLAN tag and examines its contents to decide what to do with the data frame. The layer-3 device considers:

- source and destination addresses
- protocol
- port number

The data frame may be forwarded to another VLAN, sent to a regular non-VLAN-tagged network or just forwarded to the same VLAN as a layer-2 switch would do. It may be discarded if that is the proper firewall policy action.

Layer-3 VLAN Example

In the configuration for this example, subnet 1 is the same as in the previous layer-2 example. In subnet 2, VLAN 300 is on port 5 of switch B. The FortiGate unit is connected to switch B on port 1 and the trunk link connects the FortiGate unit's port 3 to switch A. The other ports on switch B are unassigned. This configuration is shown in Figure 3 on page 18.

Figure 3: Example VLAN layer-3 routing

This example explains how traffic originating on VLAN 100 arrives at a destination on VLAN 300. Layer-2 switches alone cannot accomplish this, but a layer-3 router can do it.

Let's follow a data frame going from VLAN 100 at the Branch Office to VLAN 300 at the Main Office. As in the layer-2 example, the VLAN 100 computer sends the data frame to switch A and a VLAN 100 tag is added. Switch A forwards the tagged data frame to the FortiGate unit over the 802.1Q trunk link. The FortiGate unit removes the VLAN 100 tag and uses the content of the data frame to select the correct firewall policy. In this case, the FortiGate unit's firewall policy allows the data frame to go to VLAN 300. It goes to all VLAN 300 interfaces, but in the example there is only one - port 1 on the FortiGate unit. Before the data frame leaves the FortiGate unit, the VLAN subinterface adds a VLAN ID 300 tag. The FortiGate unit then forwards the data frame to switch B. Switch B removes the VLAN ID 300 tag because this is the last hop and forwards the data frame to the computer on port 5.

In this example a data frame arrives at the FortiGate unit tagged as VLAN 100 and after checking its content, the FortiGate unit retags the data frame for VLAN 300. It is this change from VLAN 100 to VLAN 300 that requires a layer-3 routing device, in this case the FortiGate unit. Layer-2 switches cannot perform this change.

Rules for VLAN IDs

Layer-2 switches and layer-3 devices add VLAN ID tags to the traffic as it arrives and remove them before they deliver the traffic to its final destination. Devices like PCs and servers on the network do not require any special configuration for VLANs.

On a layer-2 switch, you can only have one VLAN subinterface per physical interface, unless that interface is configured as a trunk link. Trunk links can transport more than one VLAN's traffic to other parts of the network.

On a FortiGate unit, multiple VLANs can be added to the same physical interface. However, VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID or IP addresses on the same subnet. You can add VLAN subinterfaces with the same VLAN ID to different physical interfaces. Creating VLAN subinterfaces with the same VLAN ID does not create any internal connection between them. For example a VLAN ID of 300 on port1 and VLAN ID of 300 on port2 are allowed, but they are not connected. Their relationship is the same as between any two FortiGate network interfaces.

Overview of Virtual Domains

Virtual Domains provide a way to divide your FortiGate unit and operate it as multiple separate units. You can configure and manage interfaces, VLAN subinterfaces, zones, firewall policies, routing and VPN configurations separately for each virtual domain. This separation simplifies configuration because you do not have to manage as many routes or firewall policies at one time.

One application of this capability is to use a single FortiGate unit to provide routing and network protection for several organizations. Each organization has its own network interfaces (physical or virtual), routing requirements and network protection rules. By default, communication between organizations is possible only if both allow access to an external network such as the Internet. The chapter, Using VDOMs in NAT/Route mode on page 53, provides two examples of this application.

When a packet enters a virtual domain, it is confined to that virtual domain. In a given domain, you can only create firewall policies for connections between VLAN subinterfaces or zones in the virtual domain. The packet never crosses virtual domain borders.

Maximum number of VDOMs

If virtual domain configuration is enabled on your FortiGate unit and you log on as the default admin administrator, you can go to System > Status and look at Virtual Domain in the License Information section to see the maximum number of virtual domains supported on your FortiGate unit.

By default, your FortiGate unit supports a maximum of 10 VDOMs in any combination of NAT/Route and Transparent modes. For FortiGate models numbered 3000 and higher, you can purchase a license key to increase the maximum number to 25, 50, 100 or 250 VDOMs. For more information see Creating virtual domains on page 54.

Inter-VDOM routing

FortiOS v3.0 MR1 introduced a new feature called inter-VDOM routing. When configured, this feature allows traffic to pass between VDOMs without having to leave the FortiGate unit on a physical interface and return on a different physical interface. This feature also allows you to determine the level of inter-VDOM routing, varying from having only 2 VDOMs with limited interaction to having all VDOMs fully inter-connected. All traffic between VDOMs must pass through firewall policies as it does with all external interface connections.

The command to configure this feature, called vdom-link, is only available in the CLI. Inter-VDOM routing is not available from the web-manager GUI. This topic is dealt with in Inter-VDOM routing on page 125 and the VDOM-admin chapter in the FortiOS CLI Reference.

Management VDOM

All management traffic leaves the FortiGate unit through the management VDOM. This includes all external logging, remote management and other Fortinet services. By default the management VDOM is the root VDOM. You can change this to another VDOM so management traffic will originate from the new VDOM. For more information see Changing the management VDOM on page 56.

Administration of virtual domains

You can manage virtual domains using either one common administrator or multiple separate administrators for each VDOM. The FortiGate default administrator account is the admin administration account. It is a common administrator that can access all of the virtual domains on the FortiGate unit. You cannot delete the admin administration account.

21 Introduction to VLANs and VDOMs Overview of Virtual Domains You can use the admin administration account to create regular administrator accounts and assign them to VDOMs. Each regular administrator account can only configure its own VDOM. Global properties affect all VDOMs. Access to global properties is available only through the admin administration account. Access profiles configure read-only or read/write access for all administrators. Administrators can have access to: system configuration logs and reporting security policy user authorization administrator configuration FortiGuard Update configuration backup/restore This makes it possible for you to have administrators for different services on each VDOM. For example you can have one administrator responsible for logs and reporting on a VDOM, while another administrator is responsible for security policies on that same VDOM. For more information on access profiles, see the FortiOS Administration Guide. When you are configuring VDOMs using the admin administration account, the web-based manager shows which VDOM you are editing in the center of the status line at the bottom of the page. If you are configuring global properties, there is no virtual domain indicator. Figure 4: Status line virtual domain indicator Global and virtual domain settings When working with virtual domains, it is important to remember which settings belong exclusively to the virtual domain and which apply to the entire FortiGate unit. The following list of items are in the order they appear in the web-manager interface. Settings exclusive to virtual domains The following configuration settings are exclusively part of a virtual domain and are not shared between virtual domains: System settings Zones DHCP services Operation mode (NAT/Route or Transparent) Management IP (Transparent mode) Router configuration all

Firewall settings
  Policies
  Addresses
  Service groups and custom services
  Schedules
  Virtual IPs
  IP pools
User settings
  Users
  User groups
  RADIUS and LDAP servers
VPN settings
  IPSec
  PPTP
  SSL
  L2TP
  Policy Download
IM settings
  Statistics
  User lists and policies

Settings shared by all virtual domains

Virtual domains share the following global settings with other processes on the FortiGate unit:

System settings
  Physical interfaces and VLAN subinterfaces (Each physical interface or VLAN subinterface belongs to only one VDOM. Each VDOM can use or configure only its own interfaces.)
  DNS settings
  Host name
  System time
  Firmware version
  Idle and authentication timeout
  Web-based manager language
  LCD panel PIN, where applicable
  Dead gateway detection
  HA configuration
  SNMP configuration
  Replacement messages
  Administrators
  Access profiles
  FortiManager configuration
  Configuration backup and restore
  FDN update configuration
  Bug reporting
Firewall settings
  Predefined services
  Protection Profiles
IPS settings
  all
Antivirus settings
  all
Web filter configuration
  all
Spam filter configuration
  all
Logging configuration and log reports
  all

For more information

Detailed information and procedures involving virtual domains are provided in the Using VDOMs in NAT/Route mode and Using VLANs and VDOMs in Transparent mode chapters.

Using VLANs in NAT/Route mode

Overview

In NAT/Route mode the FortiGate unit functions as a layer-3 device. In this mode, it controls the flow of packets between VLANs and can also remove VLAN tags from incoming VLAN packets. The FortiGate unit can also forward untagged packets to other networks, such as the Internet.

In NAT/Route mode, the FortiGate unit supports VLAN trunk links with IEEE 802.1Q-compliant switches (or routers). The trunk link transports VLAN-tagged packets between physical subnets or networks. When you add VLAN subinterfaces to the FortiGate physical interfaces, the VLANs have IDs that match the VLAN IDs of packets on the trunk link. The FortiGate unit directs packets with VLAN IDs to subinterfaces with matching IDs.

Normally the FortiGate unit's internal interface is connected to a VLAN trunk and the external interface connects to an untagged Internet router. In this configuration the FortiGate unit can apply different policies for traffic on each VLAN connected to the internal interface.

You can define VLAN subinterfaces on all FortiGate physical interfaces. However, if multiple virtual domains are configured on the FortiGate unit, you will only have access to the physical interfaces on your virtual domain. The FortiGate unit can tag packets leaving on a VLAN subinterface. It can also remove VLAN tags from incoming packets and add a different VLAN tag to outgoing packets.

Configuring FortiGate units in NAT/Route mode

You can access the FortiGate unit's web-based manager (GUI) with a supported web browser that connects to a FortiGate interface. The interface must be configured for administrative access. Use HTTPS to access the address of the interface. All FortiGate units have administrative access enabled by default on the default interface. On the FortiGate 800 the default interface is the Internal interface.
For the examples presented in this chapter, the default interface has an address of If you need more information, refer to the Quick Start Guide or Installation Guide that came with your FortiGate unit.

In this chapter, we assume you have not enabled VDOM configuration on your FortiGate unit. If you have enabled it, you will need to navigate to the global or VDOM configuration as needed before following each procedure.

This document does not explain how to configure the protection profiles for virus scanning, web filtering and spam filtering. Your FortiGate unit documentation explains protection profiles.

There are several essential steps to configuring your FortiGate unit for VLANs:
  Adding VLAN subinterfaces
  Creating firewall policies
  Configuring routing

Adding VLAN subinterfaces

You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.

FortiGate interfaces cannot have overlapping IP addresses. That is, the IP addresses of all interfaces must be on different subnets. This rule applies to both physical interfaces and to VLAN subinterfaces.

Note: If you are unable to change your existing configurations to prevent IP overlap, enter the CLI command config system global and set ip-overlap enable to allow IP address overlap. If you enter this command, multiple VLAN interfaces can have an IP address that is part of a subnet used by another interface. This command is recommended for advanced users only.

Each VLAN subinterface must be configured with its own IP address and netmask. The subinterface VLAN ID can be any number between 1 and The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. If the IDs do not match, the subinterface will not receive the VLAN-tagged traffic.

To add a VLAN subinterface in NAT/Route mode
1 Go to System > Network > Interface.
2 Select Create New to add a VLAN subinterface.
3 Enter a Name to identify the VLAN subinterface.
4 From the Interface list, select the physical interface that receives the VLAN packets intended for this VLAN subinterface.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
6 Configure the VLAN subinterface settings as you would for any FortiGate interface.
7 Select OK to save your changes.

The FortiGate unit adds the new VLAN subinterface to the interface that you selected in step 4.

To view the new VLAN subinterface, select the blue arrow next to the parent physical interface. This will expand to display all VLAN subinterfaces on this physical interface. If there is no blue arrow displayed, there are no subinterfaces on this physical interface.

Creating firewall policies

Firewall policies permit communication between the FortiGate unit's network interfaces based on source and destination IP addresses. Optionally, you can limit communication to particular times and services.

You need firewall policies to permit packets to pass from the VLAN interface where they enter the FortiGate unit to the interface where they exit. For each VLAN, you must create a firewall policy for each of the following permitted connections the VLAN will be using:
  from the VLAN to an external network
  to the VLAN from an external network
  from the VLAN to another VLAN in the same virtual domain on the FortiGate unit
  to the VLAN from another VLAN in the same virtual domain on the FortiGate unit

The packets on each VLAN are subject to antivirus and antispam scans as they pass through the FortiGate unit.

To add firewall policies for VLAN subinterfaces
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets.
3 Go to Firewall > Policy.
4 Add firewall policies as required.

Configuring routing

In the simplest case, you need to configure a default route for packets with external destinations to the gateway of an external network. In more complex cases, you might have to configure different routes based on packet source and destination addresses. Routing is explained in the FortiGate Administration Guide and the CLI Reference documentation.

As with firewalls, you need to configure routes for VLANs. VLANs need routing and a gateway configured to send and receive packets outside their local subnet. Depending on the network you are connecting to, routing can be static or dynamic. Dynamic routing can be routing information protocol (RIP), border gateway protocol (BGP), open shortest path first (OSPF), or multicast.

If you enable protocols like SSH, PING, TELNET and HTTP on the VLAN you can use them to confirm that routing is properly configured. Enabling logging on the interfaces can also help locate any possible issues.

Example configuration NAT/Route mode (simple)

Figure 5 shows a simplified NAT/Route mode VLAN configuration. In this example, the FortiGate internal interface connects to a Cisco 2950 VLAN switch using an 802.1Q trunk and is configured with two VLAN subinterfaces (VLAN 100 and VLAN 200). The external interface connects to the Internet and is not configured with VLAN subinterfaces.
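The tag handling this chapter describes for the 802.1Q trunk, as an added example that is not part of the original guide: it parses IEEE 802.1Q tags and hands each frame to the subinterface whose VLAN ID matches (VLAN 100 and VLAN 200 on the internal interface), and it strips or rewrites tags. The function names are hypothetical and do not describe FortiOS internals; the MAC addresses and payload are constructed.

```python
"""Added example: IEEE 802.1Q tag parsing and VLAN-ID-to-subinterface dispatch."""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Subinterfaces of the guide's example: (physical port, VLAN ID) -> subinterface.
SUBINTERFACES = {("internal", 100): "VLAN_100", ("internal", 200): "VLAN_200"}

# Constructed sample values (locally administered MAC addresses, dummy payload).
DST = bytes.fromhex("020000000001")
SRC = bytes.fromhex("020000000002")
PAYLOAD = b"constructed payload"


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Build an Ethernet II frame; add an 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        if not 0 <= vlan_id <= 0x0FFF or not 0 <= priority <= 7:
            raise ValueError("VLAN ID is a 12-bit field, priority a 3-bit field")
        tci = (priority << 13) | vlan_id  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id or None, priority, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (first_type,) = struct.unpack_from("!H", frame, 12)
    if first_type != TPID_8021Q:
        return None, 0, first_type, frame[14:]  # untagged frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, ethertype, frame[18:]


def classify(port, frame):
    """Name the interface that receives the frame, or None when no VLAN ID matches."""
    vlan_id = parse_frame(frame)[0]
    if vlan_id is None:
        return port  # untagged traffic belongs to the physical interface
    return SUBINTERFACES.get((port, vlan_id))  # no match: no subinterface receives it


def untag(frame):
    """Remove the VLAN tag, as for traffic leaving on an untagged interface."""
    _vid, _prio, ethertype, payload = parse_frame(frame)
    return build_frame(frame[0:6], frame[6:12], ethertype, payload)


def retag(frame, new_vlan_id):
    """Replace the incoming tag with a different VLAN ID, keeping the priority."""
    _vid, prio, ethertype, payload = parse_frame(frame)
    return build_frame(frame[0:6], frame[6:12], ethertype, payload, new_vlan_id, prio)


if __name__ == "__main__":
    for vid in (100, 200, 300, None):
        frame = build_frame(DST, SRC, 0x0800, PAYLOAD, vlan_id=vid)
        print(vid, "->", classify("internal", frame))
```

A frame tagged with an ID that has no subinterface (300 here) is classified as None, which is the mismatch case the guide warns about.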

Figure 5: FortiGate unit in NAT/Route mode [diagram labels: Internet; External port; Internal port; Untagged packets; FortiGate unit; 802.1Q trunk; VLAN Switch with ports Fa 0/24, Fa 0/3 and Fa 0/9; VLAN 100; VLAN 200; VLAN 100 Network; VLAN 200 Network]

General configuration steps

When the Cisco switch receives packets from VLAN 100 and VLAN 200, it applies VLAN ID tags and forwards the packets to local ports and across the trunk to the FortiGate unit. The FortiGate unit has policies that allow traffic to flow between the VLANs and from the VLANs to the external network.

This section describes how to configure a FortiGate 800 unit and a Cisco Catalyst 2950 switch for this example network topology. Cisco configuration commands used in this section are IOS commands. It is assumed that both the FortiGate 800 and the Cisco 2950 switch are installed, connected and basic configuration has been completed. On the switch you will need to be able to access the CLI to enter commands. Refer to the manuals for each unit for more information.

The following steps provide an overview of configuring and testing the hardware used in this example. The steps are explained in detail later in this section.

1 Configuring the FortiGate-800 unit
    Configuring the external interface
    Add two VLAN subinterfaces to the Internal network interface.
    Add Firewall addresses and address ranges for the internal and external networks.
    Add firewall policies to allow:
      the VLAN networks to access each other.
      the VLAN networks to access the external network.
2 Configuring the Cisco switch to support VLAN tags
3 Testing the configuration.

Configuring the FortiGate-800 unit

Use the FortiGate web-based manager to configure the FortiGate-800 unit. Alternately the CLI can be used. Configuring the FortiGate unit includes:
  Configuring the external interface
  Adding VLAN subinterfaces
  Adding the firewall addresses
  Adding firewall policies

Configuring the external interface

The FortiGate unit's external interface will be the path to the Internet for our network. Configuring the external interface can be completed through the web-based manager or the CLI.

To configure the external interface - web-based manager
1 Go to System > Network > Interface.
2 Select the Edit icon for the external interface.
3 Enter the following information for the external interface and select OK:

  Addressing mode        Manual
  IP/Netmask             /

  Configure other fields as required.

To configure the external interface - CLI

  config system interface
      edit external
          set mode static
          set ip
  end

Adding VLAN subinterfaces

This step creates the VLANs on the FortiGate physical interfaces. The rest of this example is configuring the VLAN behavior on the FortiGate unit, configuring the switches to treat the VLANs the same way as the FortiGate unit and testing that all of the settings are correct. Adding VLAN subinterfaces can be completed through the web-based manager, or the CLI.

To add VLAN subinterfaces - web-based manager
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information for VLAN_100 and select OK:

  Name                   VLAN_100
  Interface              internal
  VLAN ID                100
  Addressing mode        Manual
  IP/Netmask             /
  Administrative Access  HTTPS, PING, TELNET

  Configure other fields as required.

4 Select Create New.
5 Enter the following information for VLAN_200 and select OK:

  Name                   VLAN_200
  Interface              internal
  VLAN ID                200
  Addressing mode        Manual
  IP/Netmask             /
  Administrative Access  HTTPS, PING, TELNET

  Configure other fields as required.

Figure 6: VLAN subinterfaces

To add VLAN subinterfaces - CLI

  config system interface
      edit VLAN_100
          set interface internal
          set vlanid 100
          set mode static
          set ip
          set allowaccess https ping telnet
      next
      edit VLAN_200
          set interface internal
          set vlanid 200
          set mode static
          set ip
          set allowaccess https ping telnet
  end
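One way to check an interface configuration like the one above before applying it, as an added example that is not part of the original guide: it parses the config/edit/set/next/end syntax shown in the CLI listings and reports interfaces that allow cleartext administrative access (telnet, http), subnets that break the no-overlap rule stated earlier, and whether ip-overlap has been enabled. The IP addresses in the sample and the VLAN_300 entry are constructed; the parser is a simplification that does not handle nested config blocks.

```python
"""Added example: offline audit of a FortiOS-style interface configuration."""
import ipaddress
from itertools import combinations

CLEARTEXT_ADMIN = {"telnet", "http"}  # administrative access without encryption

# Constructed sample. Interface names, VLAN IDs and allowaccess values follow the
# guide's example; every IP address is made up and VLAN_300 is a hypothetical entry.
SAMPLE_CONFIG = """\
config system interface
    edit external
        set mode static
        set ip 192.0.2.2 255.255.255.0
    next
    edit VLAN_100
        set interface internal
        set vlanid 100
        set mode static
        set ip 10.1.1.1 255.255.255.0
        set allowaccess https ping telnet
    next
    edit VLAN_200
        set interface internal
        set vlanid 200
        set mode static
        set ip 10.1.2.1 255.255.255.0
        set allowaccess https ping telnet
    next
    edit VLAN_300
        set interface internal
        set vlanid 300
        set mode static
        set ip 10.1.1.129 255.255.255.128
        set allowaccess https ping
    next
end
"""
# The global setting the guide's note mentions (constructed fragment).
GLOBAL_OVERLAP = "config system global\n    set ip-overlap enable\nend\n"


def parse_config(text):
    """Parse config/edit/set/next/end into {section: {entry: {key: [values]}}}."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        cmd = words[0]
        if cmd == "config":
            section = sections.setdefault(" ".join(words[1:]), {})
            entry = section.setdefault("", {})  # settings given without an 'edit'
        elif cmd == "edit" and section is not None and len(words) == 2:
            entry = section.setdefault(words[1], {})
        elif cmd == "set" and entry is not None and len(words) >= 2:
            entry[words[1]] = words[2:]
        elif cmd == "next" and section is not None:
            entry = section[""]
        elif cmd == "end":
            section = entry = None
    return sections


def audit(text):
    """Return a sorted list of (check, subject, detail) findings."""
    sections = parse_config(text)
    interfaces = {n: c for n, c in sections.get("system interface", {}).items() if n}
    findings, networks = [], {}
    for name, cfg in interfaces.items():
        weak = sorted(CLEARTEXT_ADMIN & set(cfg.get("allowaccess", [])))
        if weak:
            findings.append(("cleartext-admin", name, ",".join(weak)))
        addr = cfg.get("ip", [])
        if len(addr) == 2:  # "set ip <address> <netmask>"; skipped when values are absent
            networks[name] = ipaddress.ip_interface("/".join(addr)).network
    for (a, net_a), (b, net_b) in combinations(sorted(networks.items()), 2):
        if net_a.overlaps(net_b):
            findings.append(("ip-overlap", f"{a}+{b}", f"{net_a} vs {net_b}"))
    if sections.get("system global", {}).get("", {}).get("ip-overlap") == ["enable"]:
        findings.append(("ip-overlap-allowed", "system global", "set ip-overlap enable"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG + GLOBAL_OVERLAP):
        print(*finding, sep="\t")
```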

Adding the firewall addresses

You need to define the addresses of the VLAN subnets for use in firewall policies. The FortiGate unit provides one default address, all, that you can use when a firewall policy applies to all addresses as a source or destination of a packet.

In this example, the _Net part of the address name indicates a range of addresses instead of a unique address. When choosing firewall address names keep them informative and unique, but short. You can select the web-based manager or the CLI to add firewall addresses.

To add the firewall addresses - web-based manager
1 Go to Firewall > Address.
2 Select Create New.
3 Enter the following information and select OK:

  Address Name           VLAN_100_Net
  Type                   Subnet/IP Range
  Subnet / IP Range      /

4 Select Create New.
5 Enter the following information and select OK:

  Address Name           VLAN_200_Net
  Type                   Subnet/IP Range
  Subnet / IP Range      /

Figure 7: Firewall addresses

To add the firewall addresses - CLI

  config firewall address
      edit VLAN_100_Net
          set type ipmask
          set subnet
      next
      edit VLAN_200_Net
          set type ipmask
          set subnet
  end

Adding the firewall policies

Once you have assigned addresses to the VLANs, you need to configure firewall policies for them using either the web-based manager or the CLI. This will allow packets to pass from one VLAN to another and to the Internet.

If you do not wish to allow all services on a VLAN, you can create a firewall policy for each service you want to allow. This example allows all services.

To add the firewall policies - web-based manager
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:

  Source
    Interface/Zone       VLAN_100
    Address Name         VLAN_100_Net
  Destination
    Interface/Zone       VLAN_200
    Address Name         VLAN_200_Net
  Schedule               Always
  Service                ANY
  Action                 ACCEPT
  NAT                    Select

  Configure other fields as required.

4 Select Create New.
5 Enter the following information and select OK:

  Source
    Interface/Zone       VLAN_200
    Address Name         VLAN_200_Net
  Destination
    Interface/Zone       VLAN_100
    Address Name         VLAN_100_Net
  Schedule               Always
  Service                ANY
  Action                 ACCEPT
  NAT                    Select

  Configure other fields as required.

6 Select Create New.
7 Enter the following information and select OK:


How To Authenticate An Ssl Vpn With Libap On A Safeprocess On A Libp Server On A Fortigate On A Pc Or Ipad On A Ipad Or Ipa On A Macbook Or Ipod On A Network Authenticating SSL VPN users using LDAP This example illustrates how to configure a FortiGate to use LDAP authentication to authenticate remote SSL VPN users. With a properly configured LDAP server, user

More information

FortiOS Handbook WAN Optimization, Web Cache, Explicit Proxy, and WCCP for FortiOS 5.0

FortiOS Handbook WAN Optimization, Web Cache, Explicit Proxy, and WCCP for FortiOS 5.0 FortiOS Handbook WAN Optimization, Web Cache, Explicit Proxy, and WCCP for FortiOS 5.0 FortiOS Handbook WAN Optimization, Web Cache, Explicit Proxy, and WCCP for FortiOS 5.0 June 10, 2014 01-500-96996-20140610

More information

Configuring Trend Micro Content Security

Configuring Trend Micro Content Security 9 CHAPTER This chapter describes how to configure the CSC SSM using the CSC Setup Wizard in ASDM and the CSC SSM GUI, and includes the following sections: Information About the CSC SSM, page 9-1 Licensing

More information

CCT vs. CCENT Skill Set Comparison

CCT vs. CCENT Skill Set Comparison Operation of IP Data Networks Recognize the purpose and functions of various network devices such as Routers, Switches, Bridges and Hubs Select the components required to meet a given network specification

More information

Apple Airport Extreme Base Station V4.0.8 Firmware: Version 5.4

Apple Airport Extreme Base Station V4.0.8 Firmware: Version 5.4 1. APPLE AIRPORT EXTREME 1.1 Product Description The following are device specific configuration settings for the Apple Airport Extreme. Navigation through the management screens will be similar but may

More information

Cisco - Configure the 1721 Router for VLANs Using a Switch Module (WIC-4ESW)

Cisco - Configure the 1721 Router for VLANs Using a Switch Module (WIC-4ESW) Page 1 of 20 Configure the 1721 Router for VLANs Using a Switch Module (WIC-4ESW) Document ID: 50036 Contents Introduction Prerequisites Requirements Components Used Network Diagram The Role of Switched

More information

Lab 5.5.3 Developing ACLs to Implement Firewall Rule Sets

Lab 5.5.3 Developing ACLs to Implement Firewall Rule Sets Lab 5.5.3 Developing ACLs to Implement Firewall Rule Sets All contents are Copyright 1992 2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 8 Device Interface

More information

HP IMC Firewall Manager

HP IMC Firewall Manager HP IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW102-20120420 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this

More information

SonicOS Enhanced 5.7.0.2 Release Notes

SonicOS Enhanced 5.7.0.2 Release Notes SonicOS Contents Platform Compatibility... 1 Key Features... 2 Known Issues... 3 Resolved Issues... 4 Upgrading SonicOS Enhanced Image Procedures... 6 Related Technical Documentation... 11 Platform Compatibility

More information

Deployment Guide: Transparent Mode

Deployment Guide: Transparent Mode Deployment Guide: Transparent Mode March 15, 2007 Deployment and Task Overview Description Follow the tasks in this guide to deploy the appliance as a transparent-firewall device on your network. This

More information

SonicWALL Global Management System Configuration Guide Standard Edition

SonicWALL Global Management System Configuration Guide Standard Edition SonicWALL Global Management System Configuration Guide Standard Edition Version 2.3 Copyright Information 2002 SonicWALL, Inc. All rights reserved. Under copyright laws, this manual or the software described

More information

Load Balancing. FortiOS Handbook v3 for FortiOS 4.0 MR3

Load Balancing. FortiOS Handbook v3 for FortiOS 4.0 MR3 Load Balancing FortiOS Handbook v3 for FortiOS 4.0 MR3 FortiOS Handbook Load Balancing v3 8 February 2012 01-431-99686-20120208 Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and

More information

Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel

Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel This document describes the procedures required to configure an IPSec VPN tunnel between a WatchGuard SOHO or SOHO tc and a Check Point FireWall-1.

More information

Install Guide. FortiMail Version 3.0 MR4. www.fortinet.com

Install Guide. FortiMail Version 3.0 MR4. www.fortinet.com Install Guide FortiMail Version 3.0 MR4 www.fortinet.com FortiMail Install Guide Version 3.0 MR4 January 9, 2009 06-343-88550-20090109 Copyright 2009 Fortinet, Inc. All rights reserved. No part of this

More information

Chapter 10 Troubleshooting

Chapter 10 Troubleshooting Chapter 10 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. After each problem description, instructions are provided

More information

USER GUIDE. FortiGate IPS User Guide Version 3.0 MR5. www.fortinet.com

USER GUIDE. FortiGate IPS User Guide Version 3.0 MR5. www.fortinet.com USER GUIDE FortiGate IPS User Guide Version 3.0 MR5 www.fortinet.com FortiGate IPS User Guide Version 3.0 MR5 July 24, 2007 01-30005-0080-20070724 Copyright 2007 Fortinet, Inc. All rights reserved. No

More information

Magnum Network Software DX

Magnum Network Software DX Magnum Network Software DX Software Release Notes Software Revision 3.0.1 RC5, Inc. www..com www..com/techsupport email: support@.com This document contains Confidential information or Trade Secrets, or

More information

FortiOS Handbook - Load Balancing VERSION 5.2.2

FortiOS Handbook - Load Balancing VERSION 5.2.2 FortiOS Handbook - Load Balancing VERSION 5.2.2 FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE

More information

HP A-IMC Firewall Manager

HP A-IMC Firewall Manager HP A-IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW101-20110805 Legal and notice information Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this

More information

Configuration Example

Configuration Example Configuration Example Use a Branch Office VPN for Failover From a Private Network Link Example configuration files created with WSM v11.10.1 Revised 7/22/2015 Use Case In this configuration example, an

More information

UIP1868P User Interface Guide

UIP1868P User Interface Guide UIP1868P User Interface Guide (Firmware version 0.13.4 and later) V1.1 Monday, July 8, 2005 Table of Contents Opening the UIP1868P's Configuration Utility... 3 Connecting to Your Broadband Modem... 4 Setting

More information

FSM73xx GSM73xx GMS72xxR Shared access to the Internet across Multiple routing VLANs using a Prosafe Firewall

FSM73xx GSM73xx GMS72xxR Shared access to the Internet across Multiple routing VLANs using a Prosafe Firewall FSM73xx GSM73xx GMS72xxR Shared access to the Internet across Multiple routing VLANs using a Prosafe Firewall This document describes how to: - Create multiple routing VLANs - Obtain Internet access on

More information

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above. Lab 1.2.2 Capturing and Analyzing Network Traffic Host Name IP Address Fa0/0 Subnet Mask IP Address S0/0/0 Subnet Mask Default Gateway RouterA 172.17.0.1 255.255.0.0 192.168.1.1 (DCE) 255.255.255.0 N/A

More information

I. What is VPN? II. Types of VPN connection. There are two types of VPN connection:

I. What is VPN? II. Types of VPN connection. There are two types of VPN connection: Table of Content I. What is VPN?... 2 II. Types of VPN connection... 2 III. Types of VPN Protocol... 3 IV. Remote Access VPN configuration... 4 a. PPTP protocol configuration... 4 Network Topology... 4

More information

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Sonicwall Firewall.

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Sonicwall Firewall. Configuration Guide How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Sonicwall Firewall Overview This document describes how to implement IPSec with pre-shared secrets

More information

How To Configure InterVLAN Routing on Layer 3 Switches

How To Configure InterVLAN Routing on Layer 3 Switches How To Configure InterVLAN Routing on Layer 3 Switches Document ID: 41860 Contents Introduction Prerequisites Requirements Components Used Conventions Configure InterVLAN Routing Task Step by Step Instructions

More information

Quick Start Guide. WRV210 Wireless-G VPN Router with RangeBooster. Cisco Small Business

Quick Start Guide. WRV210 Wireless-G VPN Router with RangeBooster. Cisco Small Business Quick Start Guide Cisco Small Business WRV210 Wireless-G VPN Router with RangeBooster Package Contents WRV210 Router Ethernet Cable Power Adapter Product CD-ROM Quick Start Guide Welcome Thank you for

More information

QUICK START GUIDE. Cisco C170 Email Security Appliance

QUICK START GUIDE. Cisco C170 Email Security Appliance 1 0 0 1 QUICK START GUIDE Email Security Appliance Cisco C170 303357 Cisco C170 Email Security Appliance 1 Welcome 2 Before You Begin 3 Document Network Settings 4 Plan the Installation 5 Install the Appliance

More information

Application Note Startup Tool - Getting Started Guide

Application Note Startup Tool - Getting Started Guide Application Note Startup Tool - Getting Started Guide 1 April 2012 Startup Tool Table of Contents 1 INGATE STARTUP TOOL... 1 2 STARTUP TOOL INSTALLATION... 2 3 CONNECTING THE INGATE FIREWALL/SIPARATOR...

More information

Creating Cacti FortiGate SNMP Graphs

Creating Cacti FortiGate SNMP Graphs Creating Cacti FortiGate SNMP Graphs Cacti 0.8.7.b Release 1.0 High Performance Multi-Threat Security Solutions Corporate Headquarters 1090 Kifer Road, Sunnyvale, Ca 94086 USA http://www.fortinet.com Tel:

More information

Starting a Management Session

Starting a Management Session Management Software AT-S63 Starting a Management Session AT-S63 Version 2.2.0 for the AT-9400 Layer 2+ Switches AT-S63 Version 3.0.0 for the AT-9400 Basic Layer 3 Switches 613-000817 Rev. A Copyright 2007

More information

User Authentication. FortiOS Handbook v3 for FortiOS 4.0 MR3

User Authentication. FortiOS Handbook v3 for FortiOS 4.0 MR3 User Authentication FortiOS Handbook v3 for FortiOS 4.0 MR3 FortiOS Handbook User Authentication v3 16 December 2011 01-433-122870-20111216 Copyright 2011 Fortinet, Inc. All rights reserved. Contents and

More information

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding This chapter describes the configuration for the SSL VPN Tunnel Client and for Port Forwarding. When a remote user accesses the SSL VPN

More information

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials. Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials. CHAPTER 5 OBJECTIVES Configure a router with an initial configuration. Use the

More information

Reference to common tasks

Reference to common tasks APPENDIXA This section provides how-to information for common tasks that you need to know how to do before you can effectively work with the vcom Command Center. Creating and editing domains Working with

More information

Configuring the PIX Firewall with PDM

Configuring the PIX Firewall with PDM Configuring the PIX Firewall with PDM Objectives In this lab exercise you will complete the following tasks: Install PDM Configure inside to outside access through your PIX Firewall using PDM Configure

More information

FortiOS Handbook - WAN Optimization, Web Cache, Explicit Proxy, and WCCP VERSION 5.2.4

FortiOS Handbook - WAN Optimization, Web Cache, Explicit Proxy, and WCCP VERSION 5.2.4 FortiOS Handbook - WAN Optimization, Web Cache, Explicit Proxy, and WCCP VERSION 5.2.4 FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com

More information

Course Syllabus. Fundamentals of Windows Server 2008 Network and Applications Infrastructure. Key Data. Audience. Prerequisites. At Course Completion

Course Syllabus. Fundamentals of Windows Server 2008 Network and Applications Infrastructure. Key Data. Audience. Prerequisites. At Course Completion Key Data Product #: 3380 Course #: 6420A Number of Days: 5 Format: Certification Exams: Instructor-Led None This course syllabus should be used to determine whether the course is appropriate for the students,

More information

Cisco Certified Network Associate Exam. Operation of IP Data Networks. LAN Switching Technologies. IP addressing (IPv4 / IPv6)

Cisco Certified Network Associate Exam. Operation of IP Data Networks. LAN Switching Technologies. IP addressing (IPv4 / IPv6) Cisco Certified Network Associate Exam Exam Number 200-120 CCNA Associated Certifications CCNA Routing and Switching Operation of IP Data Networks Operation of IP Data Networks Recognize the purpose and

More information

ProSafe Plus Switch Utility

ProSafe Plus Switch Utility ProSafe Plus Switch Utility User Guide 350 East Plumeria Drive San Jose, CA 95134 USA September 2010 202-10524-03 v1.0 ProSafe Plus Switch Utility User Guide 2010 NETGEAR, Inc. All rights reserved. No

More information

Barracuda Link Balancer

Barracuda Link Balancer Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator s Guide Version 2.2 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.2-110503-01-0503

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

Clustering. Configuration Guide IPSO 6.2

Clustering. Configuration Guide IPSO 6.2 Clustering Configuration Guide IPSO 6.2 August 13, 2009 Contents Chapter 1 Chapter 2 Chapter 3 Overview of IP Clustering Example Cluster... 9 Cluster Management... 11 Cluster Terminology... 12 Clustering

More information

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations Instructor Version Topology Diagram Addressing Table Device Interface IP Address Subnet Mask Default Gateway Switch Port R1 FA0/1

More information

Funkwerk UTM Release Notes (english)

Funkwerk UTM Release Notes (english) Funkwerk UTM Release Notes (english) General Hints Please create a backup of your UTM system's configuration (Maintenance > Configuration > Manual Backup) before you start to install the software update.

More information

Basic Network Configuration

Basic Network Configuration Basic Network Configuration 2 Table of Contents Basic Network Configuration... 25 LAN (local area network) vs WAN (wide area network)... 25 Local Area Network... 25 Wide Area Network... 26 Accessing the

More information

Intel Active Management Technology with System Defense Feature Quick Start Guide

Intel Active Management Technology with System Defense Feature Quick Start Guide Intel Active Management Technology with System Defense Feature Quick Start Guide Introduction...3 Basic Functions... 3 System Requirements... 3 Configuring the Client System...4 Intel Management Engine

More information

Configuring SSL VPN on the Cisco ISA500 Security Appliance

Configuring SSL VPN on the Cisco ISA500 Security Appliance Application Note Configuring SSL VPN on the Cisco ISA500 Security Appliance This application note describes how to configure SSL VPN on the Cisco ISA500 security appliance. This document includes these

More information