Fortigate VLAN and VDOM Configuration examples

 

VDOM Segregation 

VLAN (Virtual LAN) uses tag IDs to network frames, reason is to increase the networks (virtual networks) beyond the physical network, whereas VDOM (Virtual Domain) splits the physical domain into virtual by configuring VDOM enabled device as multiple independent devices with common administration.

Although it is assumed that VLAN are not suitable for security measure perspective, and we should not use this with external (untrusted) physical interfaces as VLAN tags can be altered by attackers.

Using Fortigate , there is no requirement of separate hardware switches or routers with Fortigate appliances. However, switches such as FortiADC which can restrict broadcast traffic may be used to connect physically distant broadcast domains.

To configure a VLAN subinterface in Fortigate

  1. Go to System > Network > Interface.
  2. Select Create New VLAN subinterface.
  3. Enter a Name
  4. Select Physical interface (associated with newly created subinterface) from the Interface list,
  5. Enter the VLAN ID
  6. Configure the VLAN subinterface settings
  7. Select OK to save your changes.

Firewall policies to work with VLAN subinterfaces

  1. Go to Firewall > Address.
  2. Select Create New to add firewall addresses that matches source and destination IP addresses.
  3. Go to Firewall > Policy.
  4. Add firewall policies as required.

VDOM

configure a VLAN subinterface in Fortigate

THE MAIN REASON FOR CREATING VDOM IS TO Separate Networks (vlan) which can behave and  functions separately  (like New Domain with it’s all new policies) and for Virtual Clustering ( Virtual Machines ).

As it works on split technology,VDOM delivers a method to split FortiGate unit into multiple separate units. Every VDOM can have its own configuration and management of interfaces, VLANs, zones, firewall policies, routing and VPNs. This can make easy to manage multiple subnets as we don’t need to manage as many routes or firewall policies. Inter-VDOM routing also can be configured.

To enable virtual domain configuration

  1. Log in to the web-based manager as admin.
  2. Go to System > Admin > Settings.
  3. Select Enable; under Virtual Domain Configuration.
  4. Select Apply.

Configuring routing for VDOM

VDOM-specific routing, every VDOM should have at least the default route configured.to configure routing for a virtual domain

  1. Log in as admin.
  2. Select the VDOM.
  3. Go to Router.
  4. Configure routing for the current VDOM.

Configuring firewall policies for VDOM

VDOM-specific firewall policy,to add firewall addresses to a VDOM

  1. Log in as admin.
  2. Select the VDOM.
  3. Go to Firewall > Address.
  4. Add new firewall addresses.

To configure firewall policies for a virtual domain

  1. Log in as admin.
  2. Choose the VDOM for which to configure firewall policies.
  3. Go to Firewall > Policy.
  4. Select Create new

TECHEXE.

Leave a Reply

Your email address will not be published. Required fields are marked *

Latest Posts By ahson

Category

Network Virtualization

Tags

, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,