Fortigate 1100VDOM Internet Access | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB
Fuse
- Fuse Fortinet User Community

Mark Thread UnreadFlat Reading Mode ❐

Hot!Fortigate 1100VDOM Internet Access

Author Post Essentials Only Full Version
Mo1982 New Member Total Posts : 2 Scores: 0 Reward points: 0 Joined: 2020/11/30 06:10:18 Status: offline 2020/12/21 09:36:42 (permalink) 0 Fortigate 1100VDOM Internet Access Hi I am new to Fortigates and currently looking to swap out our Cisco ASA HA Pair with a Fortigate Cluster. I am having a look at how best to design this. Currently we have a /29 point to point with the ISP. Then we also have a /26 public address block used for natting services. currently we only use a single context on the ASA. I am looking to create 3 VDOMs all of which need internet access. What would be the best ways of achieveing this. Would you recommend the best solution to be to go hierarchical by having a 4th internet facing VDOM (root vdom) terminating the point to point to the ISP. Then for the 3 VDOMs to use the internet VDOM as their gateway. Or is there any other way of achieveing this. The other thing I am trying to figure is our connection to the DMZ. We will have an interface on each firewall in the cluster connecting to the DMZ host via a switch. The DMZ is segregated into multiple VLANs, and the VLANs need to terminate on the different VDOMs. Can this be achieved so multiple VDOMs share the same physical interface using VLANs. Thanks #1 VDOM 2 Replies Related Threads
Toshi Esumi Expert Member Total Posts : 2403 Scores: 233 Reward points: 0 Joined: 2014/11/06 09:56:42 Status: offline Re: Fortigate 1100VDOM Internet Access 2020/12/21 11:11:08 (permalink) 5 (1) I don't know if that's widely a common practice to use root vdom as GW to the internet for other vdoms, but at least that's what we do for our FG1Ks/1.5Ks. FGT's VLANs are similar to Cisco's subinterfaces but can belong one/any VDOM as well as physical interfaces. So yes, you can terminate each VLAN on the DMZ interface at at each individual VDOM. #2
Yurisk Gold Member Total Posts : 157 Scores: 32 Reward points: 0 Joined: 2011/12/04 03:30:01 Status: offline Re: Fortigate 1100VDOM Internet Access 2020/12/21 13:59:41 (permalink) 5 (2) Regarding DMZ, yes, no problem to allocate different VLANs to different VDOMs over the same physical link, here is reference for that https://kb.fortinet.com/kb/documentLink.do?externalID=FD31639 Regarding multiple VDOMs it heavily depends on the organization and its policy. Usually, in places where different firewalls (in your case VDOMs/contexts) are required for the same company, it is done because of some legal regulation/security policy obligation. Then you have no say in this. In my opinion, if it is the same company and same VDOMs admin(s), then it is more hassle than better security - you have to change multiple policies to do one thing, and finally it ends up the internal VDOMs having rulebase "Permit Any Any" and all work is being down on Root Vdom. Fortigate, after all, works by looking at interface of a policy as well, so allocating each department/unit its own L3 VLAN interface and rule section will do the same work. When I do advise clients, for easy management purposes, to have multiple VDOMs, is when they have (if migrating) or plan on having large rulebase, then managing this mess of hundreds of rules would be a nightmare. In other words, like any other firewall, VDOMs in Fortigate is more management separation decision, rather than security based. Yuri https://yurisk.info/ #3

Jump to:

© 2021 APG vNext Commercial Version 5.5