Creating Multiple VDOMs to match security zones

Author: Jones6565 (New Member, joined 2019/06/18)
2019/06/18 17:24:22


Hi guys,
Today I have a topology with a Nexus 7K, where there are multiple VRFs that terminate on 500-Es in active/standby.
One or more VRFs are part of a zone on the FortiGate; the FortiGate doesn't have any VRFs. Policies are used to control access to the different zones.
I have zones like these, to name a few:
Engineering
Corporate
Dev
Requirements from the security consultants want us to have multiple VDOMs, one for each of these zones. The VRFs will still terminate on those different VDOMs.
I am a bit confused about how to go about creating those VDOMs. Today I have, for example, port 1 in zone Engineering, port 2 for Dev, port 3 for Corporate, etc., and I have port 5 for external traffic that talks to an external firewall.
How would I go about creating those VDOMs to match what I have currently?
Any help would be highly appreciated.
Thanks,
Jones
 
#1

3 Replies

    hubertzw (Gold Member, joined 2018/04/16)
    Re: Creating Multiple VDOMs to match security zones 2019/06/19 06:20:10
    1) Create the VDOMs
    2) Create the VLANs
    3) Allocate the VLANs to the particular VDOMs
    4) Create policies, routing, etc.
    #2
    Jones6565
    Re: Creating Multiple VDOMs to match security zones 2019/06/19 16:21:46
    That was not my question. I know how to create VDOMs.
    My question was: I have different zones on the FortiGate that talk to each other.
    Now I will create VDOMs, and each zone will be under one VDOM.
    I will have one interface connected to the core switch, where a VRF will drop into one VDOM.
    What other interface should I have on this VDOM, since I will have another VDOM hosting another zone?
    The question is more about design here, not how to create VDOMs.
    Thanks,
    Jones
     
    #3
    hubertzw
    Re: Creating Multiple VDOMs to match security zones 2019/06/19 22:20:07
    If you need to send traffic between VDOMs/VRFs, you should use an inter-VDOM link:
     
    Engineering VRF -> VDOM Engineering ->inter-vdom link->VDOM Corporate -> Corporate VRF
     
    You treat the inter-VDOM link as a normal interface, with routing, firewall policies, security profiles, etc. in place.
     
    https://cookbook.fortinet.com/inter-vdom-communication-with-static-routing-56/
     
    Usually you don't need SNAT in policies between VDOMs; it simplifies routing. A packet from the Engineering VRF will appear with its real source IP, not the IP of the link between VDOMs. Hosts in all VRFs don't need to know the IP between VDOMs.
    #4
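The following FortiOS CLI fragment is an added example and is not part of the thread or of any Fortinet document. It puts replies #2 and #4 together: two of the original post's zones as VDOMs, the physical ports the VRFs land on, an inter-VDOM link routed and policed on both ends, and no SNAT on the inter-VDOM policies. All names and addresses are assumptions: VDOMs "Engineering" and "Corporate", port1 and port3 as in the original post, link name "eng-corp", Engineering VRF 10.10.0.0/16 behind port1, Corporate VRF 10.20.0.0/16 behind port3, link subnet 10.255.0.0/30, and HTTPS as the one permitted service. The VRF subnets are treated as directly connected to simplify the routing; in the poster's topology the routes toward the Nexus VRFs would point at the 500-E hand-off instead.

```fortios
# Added example, not from the thread. All names/addresses are assumed (see lead-in).

# 1) Enable multi-VDOM mode and create the VDOMs (global scope).
#    FortiOS 6.2+ syntax is shown; 5.6/6.0 used "set vdom-admin enable".
config system global
    set vdom-mode multi-vdom
end
config vdom
    edit Engineering
    next
    edit Corporate
    next
end

# 2) Assign the ports that carry each VRF, and create the inter-VDOM link.
#    "edit eng-corp" creates two interfaces, eng-corp0 and eng-corp1,
#    one for each end of the link; each end is placed in its own VDOM.
config global
    config system vdom-link
        edit eng-corp
        next
    end
    config system interface
        edit port1
            set vdom Engineering
            set ip 10.10.0.1 255.255.0.0
        next
        edit port3
            set vdom Corporate
            set ip 10.20.0.1 255.255.0.0
        next
        edit eng-corp0
            set vdom Engineering
            set ip 10.255.0.1 255.255.255.252
        next
        edit eng-corp1
            set vdom Corporate
            set ip 10.255.0.2 255.255.255.252
        next
    end
end

# 3) Engineering VDOM: route to the Corporate prefix over the link, and an
#    egress policy with NAT disabled so Corporate sees real source IPs.
config vdom
    edit Engineering
        config firewall address
            edit ENG_NET
                set subnet 10.10.0.0 255.255.0.0
            next
            edit CORP_NET
                set subnet 10.20.0.0 255.255.0.0
            next
        end
        config router static
            edit 1
                set dst 10.20.0.0 255.255.0.0
                set gateway 10.255.0.2
                set device eng-corp0
            next
        end
        config firewall policy
            edit 1
                set name eng-to-corp
                set srcintf port1
                set dstintf eng-corp0
                set srcaddr ENG_NET
                set dstaddr CORP_NET
                set action accept
                set schedule always
                set service HTTPS
                set nat disable
            next
        end
    next
end

# 4) Corporate VDOM: return route plus the matching ingress policy. Each VDOM
#    enforces its own policy, so the flow must be allowed on both ends.
config vdom
    edit Corporate
        config firewall address
            edit ENG_NET
                set subnet 10.10.0.0 255.255.0.0
            next
            edit CORP_NET
                set subnet 10.20.0.0 255.255.0.0
            next
        end
        config router static
            edit 1
                set dst 10.10.0.0 255.255.0.0
                set gateway 10.255.0.1
                set device eng-corp1
            next
        end
        config firewall policy
            edit 1
                set name eng-to-corp-in
                set srcintf eng-corp1
                set dstintf port3
                set srcaddr ENG_NET
                set dstaddr CORP_NET
                set action accept
                set schedule always
                set service HTTPS
                set nat disable
            next
        end
    next
end
```

Two points worth checking after applying something like this: the link is a routed hop, so a missing route on either VDOM shows up as a policy hit with no return traffic, and because both policies have NAT disabled the logs in the Corporate VDOM record the Engineering host's real address rather than 10.255.0.1, which is what makes the inter-VDOM design easier to audit than a NATed one. Each additional zone (Dev, the external VDOM on port 5) gets its own vdom-link pair and its own pair of policies, which is exactly the point: a zone-to-zone flow has to be explicitly permitted at both VDOM boundaries.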