Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mo1982
New Contributor

Fortigate 1100VDOM Internet Access

Hi

 

I am new to Fortigates and currently looking to swap out our Cisco ASA HA Pair with a Fortigate Cluster. I am having a look at how best to design this. Currently we have a /29 point to point with the ISP. Then we also have a /26 public address block used for natting services. currently we only use a single context on the ASA.

 

I am looking to create 3 VDOMs all of which need internet access. What would be the best ways of achieveing this. Would you recommend the best solution to be to go hierarchical by having a 4th internet facing VDOM (root vdom) terminating the point to point to the ISP. Then for the 3 VDOMs to use the internet VDOM as their gateway. Or is there any other way of achieveing this. 

 

The other thing I am trying to figure is our connection to the DMZ. We will have an interface on each firewall in the cluster connecting to the DMZ host via a switch. The DMZ is segregated into multiple VLANs, and the VLANs need to terminate on the different VDOMs. Can this be achieved so multiple VDOMs share the same physical interface using VLANs.

 

Thanks

2 REPLIES 2
Toshi_Esumi
Esteemed Contributor III

I don't know if that's widely a common practice to use root vdom as GW to the internet for other vdoms, but at least that's what we do for our FG1Ks/1.5Ks.

FGT's VLANs are similar to Cisco's subinterfaces but can belong one/any VDOM as well as physical interfaces. So yes, you can terminate each VLAN on the DMZ interface at at each individual VDOM.

Yurisk
Valued Contributor

Regarding DMZ, yes, no problem to allocate different VLANs to different VDOMs over the same physical link, here is reference for that https://kb.fortinet.com/kb/documentLink.do?externalID=FD31639 

 

 Regarding multiple VDOMs it   heavily depends on the organization and its policy. Usually, in places where different firewalls (in your case VDOMs/contexts) are required for the same company, it is done because of some legal regulation/security policy obligation. Then you have no say in this. In my opinion, if it is the same company and same VDOMs admin(s), then it is more hassle than better security - you have to change multiple policies to do one thing, and finally it ends up the internal VDOMs having rulebase "Permit Any Any" and all work is being down on Root Vdom.  Fortigate, after all, works by looking at interface of a policy as well, so allocating each department/unit its own L3 VLAN interface and rule section will do the same work.  

 

 When I do advise clients, for easy management purposes, to have multiple VDOMs, is when they have (if migrating) or plan on having large rulebase, then managing this mess of hundreds of rules would be a nightmare. 

 

In other words, like any other firewall, VDOMs in Fortigate is more management separation decision, rather than security based. 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Labels
Top Kudoed Authors