Chapter 32 - Virtual Domains > Virtual Domains in NAT/Route mode

Example configuration: VDOM in NAT/Route mode

Company A and Company B each have their own internal networks and their own ISPs. They share a FortiGate unit that is configured with two separate VDOMs, with each VDOM running in NAT/Route mode enabling separate configuration of network protection profiles. Each ISP is connected to a different interface on the FortiGate unit.

This network example was chosen to illustrate one of the most typical VDOM configurations.

This example has the following sections:

  • Network topology and assumptions
  • General configuration steps
  • Creating the VDOMs
  • Configuring the FortiGate interfaces
  • Configuring the vdomA VDOM
  • Configuring the vdomB VDOM
  • Testing the configuration

Network topology and assumptions

Both companies have their own ISPs and their own internal interface, external interface, and VDOM on the FortiGate unit.

For easier configuration, the following IP addressing is used:

  • all IP addresses on the FortiGate unit end in “.2” such as 10.11.101.2.
  • all IP addresses for ISPs end in “.7”, such as 172.20.201.7.
  • all internal networks are 10.*.*.* networks, and sample internal addresses end in “.55”.

The IP address matrix for this example is as follows.

Address            Company A               Company B
ISP                172.20.201.7            192.168.201.7
Internal network   10.11.101.0             10.12.101.0
FortiGate / VDOM   172.20.201.2 (port1)    192.168.201.2 (port3)
                   10.11.101.2 (port4)     10.12.101.2 (port2)

The Company A internal network is on the 10.11.101.0/255.255.255.0 subnet. The Company B internal network is on the 10.12.101.0/255.255.255.0 subnet.

There are no switches or routers required for this configuration.

There are no VLANs in this network topology.

The interfaces used in this example are port1 through port4. Different FortiGate models may have different interface labels. port1 and port3 are used as external interfaces. port2 and port4 are internal interfaces.

The administrator is a super_admin account. If you are using a non-super_admin account, refer to "Global and per-VDOM settings" to see which parts a non-super_admin account can also configure.

When configuring security policies in the CLI always choose a policy number that is higher than any existing policy numbers, select services before profile-status, and profile-status before profile. If these commands are not entered in that order, they may not be available to enter.

General configuration steps

For best results in this configuration, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

  1. Creating the VDOMs
  2. Configuring the FortiGate interfaces
  3. Configuring the vdomA VDOM, and Configuring the vdomB VDOM
  4. Testing the configuration

Creating the VDOMs

In this example, two new VDOMs are created — vdomA for Company A and vdomB for Company B. These VDOMs will keep the traffic for these two companies separate while enabling each company to access its own ISP.

To create two VDOMs - web-based manager:
  1. Log in with a super_admin account.
  2. Go to Global > System > VDOM, and select Create New.
  3. Enter vdomA and select OK.
  4. Select OK again to return to the VDOM list.
  5. Select Create New.
  6. Enter vdomB and select OK.

To create two VDOMs - CLI:

  config vdom
    edit vdomA
    next
    edit vdomB
  end

Configuring the FortiGate interfaces

This section configures the interfaces that connect to the companies’ internal networks, and to the companies’ ISPs.

All interfaces on the FortiGate unit will be configured with an IP address ending in “.2” such as 10.11.101.2. This will simplify network administration both for the companies, and for the FortiGate unit global administrator. Also the internal addresses for each company differ in the second octet of their IP address - Company A is 10.11.*, and Company B is 10.12.*.

This section includes the following topics:

  • Configuring the vdomA interfaces
  • Configuring the vdomB interfaces

Note: If you cannot change the VDOM of a network interface, it is because something that refers to that interface still needs to be deleted. Once all the references are deleted, the interface becomes available to move to a different VDOM. A common reference to the external interface, for example, is the default static route entry. See Example configuration: VDOM in NAT/Route mode.

Configuring the vdomA interfaces

The vdomA VDOM includes two FortiGate unit interfaces: port1 and port4.

The port4 interface connects the Company A internal network to the FortiGate unit, and shares the internal network subnet of 10.11.101.0/255.255.255.0.

The port1 interface connects the FortiGate unit to ISP A and the Internet. It shares the ISP A subnet of 172.20.201.0/255.255.255.0.

To configure the vdomA interfaces - web-based manager:
  1. Go to Global > Network > Interfaces.
  2. Select Edit on the port1 interface.
  3. Enter the following information and select OK:
       Virtual Domain    vdomA
       Addressing mode   Manual
       IP/Netmask        172.20.201.2/255.255.255.0
  4. Select Edit on the port4 interface.
  5. Enter the following information and select OK:
       Virtual Domain    vdomA
       Addressing mode   Manual
       IP/Netmask        10.11.101.2/255.255.255.0

To configure the vdomA interfaces - CLI:

  config global
    config system interface
      edit port1
        set vdom vdomA
        set mode static
        set ip 172.20.201.2 255.255.255.0
      next
      edit port4
        set vdom vdomA
        set mode static
        set ip 10.11.101.2 255.255.255.0
      end
  end

Configuring the vdomB interfaces

The vdomB VDOM uses two FortiGate unit interfaces: port2 and port3.

The port2 interface connects the Company B internal network to the FortiGate unit, and shares the internal network subnet of 10.12.101.0/255.255.255.0.

The port3 interface connects the FortiGate unit to ISP B and the Internet. It shares the ISP B subnet of 192.168.201.0/255.255.255.0.

To configure the vdomB interfaces - web-based manager:
  1. Go to Global > Network > Interfaces.
  2. Select Edit on the port3 interface.
  3. Enter the following information and select OK:
       Virtual Domain    vdomB
       Addressing mode   Manual
       IP/Netmask        192.168.201.2/255.255.255.0
  4. Select Edit on the port2 interface.
  5. Enter the following information and select OK:
       Virtual Domain    vdomB
       Addressing mode   Manual
       IP/Netmask        10.12.101.2/255.255.255.0

To configure the vdomB interfaces - CLI:

  config global
    config system interface
      edit port3
        set vdom vdomB
        set mode static
        set ip 192.168.201.2 255.255.255.0
      next
      edit port2
        set vdom vdomB
        set mode static
        set ip 10.12.101.2 255.255.255.0
      end
  end

Configuring the vdomA VDOM

With the VDOMs created and the ISPs connected, the next step is to configure the vdomA VDOM.

Configuring vdomA includes the following:

  • Adding vdomA firewall addresses
  • Adding the vdomA security policy
  • Adding the vdomA default route

Adding vdomA firewall addresses

You need to define the addresses used by Company A’s internal network for use in security policies. This internal network is the 10.11.101.0/255.255.255.0 subnet.

The FortiGate unit provides one default address, “all”, that you can use when a security policy applies to all addresses as the source or destination of a packet.

To add the vdomA firewall addresses - web-based manager:
  1. In Virtual Domains, select vdomA.
  2. Go to Policy & Objects > Addresses.
  3. Select Create New.
  4. Enter the following information and select OK:
       Address Name        Ainternal
       Type                Subnet / IP Range
       Subnet / IP Range   10.11.101.0/255.255.255.0
       Interface           port4

To add the vdomA firewall addresses - CLI:

  config vdom
    edit vdomA
      config firewall address
        edit Ainternal
          set type ipmask
          set subnet 10.11.101.0 255.255.255.0
        end
      end

Adding the vdomA security policy

You need to add the vdomA security policy to allow traffic from the internal network to reach the external network, and from the external network to internal as well. You need two policies for this domain.

To add the vdomA security policy - web-based manager:
  1. In Virtual Domains, select vdomA.
  2. Go to Policy & Objects > IPv4 Policy.
  3. Select Create New.
  4. Enter the following information and select OK:
       Name                  VDOMA-internal-to-external
       Incoming Interface    port4
       Outgoing Interface    port1
       Source Address        Ainternal
       Destination Address   all
       Schedule              Always
       Service               ANY
       Action                ACCEPT
  5. Select Create New.
  6. Enter the following information and select OK:
       Name                  VDOMA-external-to-internal
       Incoming Interface    port1
       Outgoing Interface    port4
       Source Address        all
       Destination Address   Ainternal
       Schedule              Always
       Service               ANY
       Action                ACCEPT

To add the vdomA security policy - CLI:

  config vdom
    edit vdomA
      config firewall policy
        edit 1
          set srcintf port4
          set srcaddr Ainternal
          set dstintf port1
          set dstaddr all
          set schedule always
          set service ANY
          set action accept
          set status enable
        next
        edit 2
          set srcintf port1
          set srcaddr all
          set dstintf port4
          set dstaddr Ainternal
          set schedule always
          set service ANY
          set action accept
          set status enable
        end
      end

Adding the vdomA default route

You also need to define a default route to direct packets from the Company A internal network to ISP A. Every VDOM needs a default static route, as a minimum, to handle traffic addressed to external networks such as the Internet.

The administrative distance should be set slightly higher than that of other routes. Routes with a lower administrative distance are checked first, so this default route is used only as a last resort.

To add a default route to the vdomA - web-based manager:
  1. In Virtual Domains, select vdomA.
  2. Go to Network > Static Routes.
  3. Select Create New.
  4. Enter the following information and select OK:
       Destination IP/Mask   0.0.0.0/0.0.0.0
       Device                port1
       Gateway               172.20.201.7
       Distance              20

To add a default route to the vdomA - CLI:

  config vdom
    edit vdomA
      config router static
        edit 1
          set dst 0.0.0.0/0
          set device port1
          set gateway 172.20.201.7
          set distance 20
        end
      end

Configuring the vdomB VDOM

In this example, the vdomB VDOM is used for Company B. Firewall and routing settings are specific to a single VDOM.

vdomB includes the FortiGate port2 interface to connect to the Company B internal network, and the FortiGate port3 interface to connect to ISP B. Security policies are needed to allow traffic from port2 to port3 (the external interface) and from port3 to port2.

This section includes the following topics:

  • Adding the vdomB firewall address
  • Adding the vdomB security policy
  • Adding a default route to the vdomB VDOM

Adding the vdomB firewall address

You need to define addresses for use in security policies. In this example, the vdomB VDOM needs an address for the port2 interface and the “all” address.

To add the vdomB firewall address - web-based manager:
  1. In Virtual Domains, select vdomB.
  2. Go to Policy & Objects > Addresses.
  3. Select Create New.
  4. Enter the following information and select OK:
       Address Name        Binternal
       Type                Subnet / IP Range
       Subnet / IP Range   10.12.101.0/255.255.255.0
       Interface           port2

To add the vdomB firewall address - CLI:

  config vdom
    edit vdomB
      config firewall address
        edit Binternal
          set type ipmask
          set subnet 10.12.101.0 255.255.255.0
        end
      end

Adding the vdomB security policy

You also need a security policy for the Company B domain. In this example, the security policy allows all traffic.

To add the vdomB security policy - web-based manager:
  1. Log in with a super_admin account.
  2. In Virtual Domains, select vdomB.
  3. Go to Policy & Objects > IPv4 Policy.
  4. Select Create New.
  5. Enter the following information and select OK:
       Name                  VDOMB-internal-to-external
       Incoming Interface    port2
       Outgoing Interface    port3
       Source Address        Binternal
       Destination Address   all
       Schedule              Always
       Service               ANY
       Action                ACCEPT
  6. Select Create New.
  7. Enter the following information and select OK:
       Name                  VDOMB-external-to-internal
       Incoming Interface    port3
       Outgoing Interface    port2
       Source Address        all
       Destination Address   Binternal
       Schedule              Always
       Service               ANY
       Action                ACCEPT

To add the vdomB security policy - CLI:

  config vdom
    edit vdomB
      config firewall policy
        edit 1
          set srcintf port2
          set dstintf port3
          set srcaddr Binternal
          set dstaddr all
          set schedule always
          set service ANY
          set action accept
          set status enable
        next
        edit 2
          set srcintf port3
          set dstintf port2
          set srcaddr all
          set dstaddr Binternal
          set schedule always
          set service ANY
          set action accept
          set status enable
        end
      end

Adding a default route to the vdomB VDOM

You need to define a default route to direct packets to ISP B.

To add a default route to the vdomB VDOM - web-based manager:
  1. Log in as the super_admin administrator.
  2. In Virtual Domains, select vdomB.
  3. Go to Network > Static Routes.
  4. Select Create New.
  5. Enter the following information and select OK:
       Destination IP/Mask   0.0.0.0/0.0.0.0
       Device                port3
       Gateway               192.168.201.7
       Distance              20

To add a default route to the vdomB VDOM - CLI:

  config vdom
    edit vdomB
      config router static
        edit 1
          set dst 0.0.0.0/0
          set device port3
          set gateway 192.168.201.7
          set distance 20
        end
      end

Testing the configuration

Once you have completed the configuration for both company VDOMs, you can use diagnostic commands, such as tracert in Windows, to test traffic routed through the FortiGate unit. Alternatively, you can use the traceroute command on a Linux system, which gives similar output.

Possible errors during the traceroute test are:

  • “* * * Request timed out” - the trace was not able to make the next connection towards the destination fast enough
  • “Destination host unreachable” - after a number of timed-out responses the trace gives up

Possible reasons for these errors are bad connections or configuration errors.

For additional troubleshooting, see Troubleshooting Virtual Domains.

Testing traffic from the internal network to the ISP

In this example, a route is traced from the Company A internal network to ISP A. The test was run on a Windows PC with an IP address of 10.11.101.55.

The output here indicates three hops between the source and destination, the IP address of each hop, and that the trace was successful.

From the Company A internal network, access a command prompt and enter this command:

  C:\>tracert 172.20.201.7

  Tracing route to 172.20.201.7 over a maximum of 30 hops:

    1   <10 ms   <10 ms   <10 ms  10.11.101.2
    2   <10 ms   <10 ms   <10 ms  172.20.201.2
    3   <10 ms   <10 ms   <10 ms  172.20.201.7

  Trace complete.
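A traceroute shows whether one path works; it does not show whether the two VDOMs are still separated. A cheaper check, before the commands reach the unit or on a backup taken afterwards, is to lint the CLI text for the properties the split depends on: every interface is assigned to a VDOM that exists, every policy and static route inside a VDOM references only that VDOM's own interfaces, and every VDOM has a default route. The Python script below is an added example written for this page; it is not Fortinet code and not part of the original help text. Its parser handles only the config / edit / set / next / end syntax shown above, its sample configuration is constructed from this example (abbreviated, with two deliberate slips of the kind a typist makes), and it assumes two FortiOS defaults: an omitted "set dst" means 0.0.0.0/0, and an interface with no "set vdom" belongs to the root VDOM.

```python
"""Consistency checker for a two-VDOM FortiOS configuration (added example, not Fortinet code).
It parses the config / edit / set / next / end syntax used on this page and checks what the
NAT/Route split relies on: every interface sits in a VDOM that exists, every policy and static
route uses only its own VDOM's interfaces, and every VDOM has a default route."""
from collections import defaultdict

# Constructed from this example (abbreviated: no addresses or gateways, policies reduced to their
# interfaces) with two deliberate slips a typist could make: 'set vdom ABCDomain', 'set device external'.
SAMPLE_CONFIG = """\
config vdom
    edit vdomA
    next
    edit vdomB
end
config global
    config system interface
        edit port1
            set vdom vdomA
        next
        edit port4
            set vdom ABCDomain
        next
        edit port3
            set vdom vdomB
        next
    end
end
config vdom
    edit vdomA
        config firewall policy
            edit 1
                set srcintf port4
                set dstintf port1
            next
        end
        config router static
            edit 1
                set device port1
            next
        end
    next
    edit vdomB
        config router static
            edit 1
                set dst 0.0.0.0/0
                set device external
            next
        end
    next
end
"""
# The same text with both slips corrected.
FIXED_CONFIG = (SAMPLE_CONFIG.replace("set vdom ABCDomain", "set vdom vdomA")
                .replace("set device external", "set device port3"))


def parse(text):
    """Flatten CLI text into {(scope, table, entry): {key: value}}; scope is 'global' or a VDOM name."""
    cfg, stack, scope = {}, [], "global"  # stack frames: [table name, open entry or None]
    for parts in map(str.split, text.splitlines()):
        if not parts:
            continue
        kw, arg = parts[0], " ".join(parts[1:]).strip('"')  # 'show' output quotes names and values
        if kw == "config":
            stack.append([arg, None])
        elif kw == "edit":
            stack[-1][1] = arg
            if stack[-1][0] == "vdom":  # everything nested under 'config vdom' / 'edit X' belongs to X
                scope = arg
            cfg.setdefault((scope, stack[-1][0], arg), {})
        elif kw == "set":
            cfg.setdefault((scope, stack[-1][0], stack[-1][1]), {})[parts[1]] = " ".join(parts[2:]).strip('"')
        elif kw == "next":
            stack[-1][1] = None
        elif kw == "end" and stack.pop()[0] == "vdom":
            scope = "global"
    return cfg


def check(text):
    """Return the list of findings; an empty list means the configuration is consistent."""
    cfg, findings = parse(text), []
    vdoms = {entry for _, table, entry in cfg if table == "vdom"}
    members = defaultdict(set)  # VDOM name -> interfaces assigned to it
    for (_, table, name), attrs in cfg.items():
        if table == "system interface":
            vd = attrs.get("vdom", "root")  # an interface without 'set vdom' stays in the root VDOM
            if vd != "root" and vd not in vdoms:
                findings.append(f"interface {name}: VDOM '{vd}' does not exist")
            members[vd].add(name)
    with_default = set()
    for (vd, table, entry), attrs in cfg.items():
        if table == "firewall policy":
            for key in ("srcintf", "dstintf"):
                if attrs.get(key) not in members[vd]:
                    findings.append(f"{vd} policy {entry}: {key} '{attrs.get(key)}' is not an interface of {vd}")
        elif table == "router static":
            if attrs.get("device") not in members[vd]:
                findings.append(f"{vd} route {entry}: device '{attrs.get('device')}' is not an interface of {vd}")
            if attrs.get("dst", "0.0.0.0/0") in ("0.0.0.0/0", "0.0.0.0 0.0.0.0"):  # omitted dst = default
                with_default.add(vd)
    findings += [f"{vd}: no default route" for vd in sorted(vdoms - with_default)]
    return findings
```

check(SAMPLE_CONFIG) returns three findings: the nonexistent VDOM on port4, the vdomA policy that consequently references an interface from outside vdomA, and the vdomB route whose device is not an interface of vdomB. check(FIXED_CONFIG) returns an empty list. To run the same checks on a real unit, feed parse() the text of a "show" dump or a backup file; the parser strips the double quotes that such output puts around names and values.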