
Example configuration: VDOM in Transparent mode

In this example, the FortiGate unit provides network protection to two organizations — Company A and Company B. Each company has different policies for incoming and outgoing traffic, requiring three different security policies and protection profiles.

VDOMs are not required for this configuration, but by using VDOMs the profiles and policies can be managed more easily on a per-VDOM basis, either by one central administrator or by separate administrators for each company. Future expansion is also simply a matter of adding VDOMs, without disrupting the existing ones.

For this example, security policies are only included to deal with web traffic, so that the configuration does not become unnecessarily complicated.


Network topology and assumptions

Each organization’s internal network consists of a different range of IP addresses:

  • 10.11.0.0/255.255.0.0 for Company A.
  • 10.12.0.0/255.255.0.0 for Company B.

For the procedures in this section, it is assumed that you have enabled VDOM configuration on your FortiGate unit. For more information, see Virtual Domains Overview.

The VDOM names are similar to the company names for easy recognition. The root VDOM cannot be renamed and is not used in this example.

Interfaces used in this example are port1 and port2. Some FortiGate models may not have interfaces with these names. port1 is an external interface. port2 is an internal interface.

General configuration steps

The following steps summarize the configuration for this example. For best results, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

  1. Configuring common items
  2. Creating virtual domains
  3. Configuring the Company_A VDOM
  4. Configuring the Company_B VDOM
  5. Configuring the VLAN switch and router
  6. Testing the configuration

Configuring common items

Both VDOMs require you to configure security profiles. These are configured the same way, but must be created in each VDOM.

The relaxed profile allows users to visit websites they are not allowed to visit during normal business hours. A quota is also in place that limits users to one hour of access to these websites, so that employees do not take long and unproductive lunches.

To create a strict web filtering profile - web-based manager:
  1. Go to the proper VDOM, and select Security Profiles > Web Filter.
  2. Select Create New.
  3. Enter strict for the Name.
  4. Expand FortiGuard Web Filtering, and select block for all Categories except Business Oriented, and Other.
  5. Block all Classifications except Cached Content, and Image Search.
  6. Ensure FortiGuard Quota for all Categories and Classifications is Disabled.
  7. Select OK.
To create a strict web filtering profile - CLI:

config vdom
  edit <vdom_name>
    config webfilter profile
      edit strict
        config ftgd-wf
          set allow g07 g08 g21 g22 c01 c03
          set deny g01 g02 g03 g04 g05 g06 c02 c04 c05 c06 c07
        end
        set web-ftgd-err-log enable
      end

To create a relaxed web filtering profile - web-based manager:
  1. Go to the proper VDOM, and select Security Profiles > Web Filter.
  2. Select Create New.
  3. Enter relaxed for the Name.
  4. Expand FortiGuard Web Filtering, and select block for Potentially Security Violating Category, and Spam URL Classification.
  5. Enable FortiGuard Quotas to allow 1 hour for all allowed Categories and Classifications.

Creating virtual domains

The FortiGate unit supports 10 virtual domains. root is the default VDOM; it cannot be deleted or renamed, and it is not used in this example. New VDOMs are created for Company A and Company B.

To create the virtual domains - web-based manager:
  1. With VDOMs enabled, select Global > System > VDOM.
  2. Select Create New.
  3. Enter Company_A for Name, and select OK.
  4. Select Create New.
  5. Enter Company_B for Name, and select OK.
To create the virtual domains - CLI:

config system vdom
  edit Company_A
  next
  edit Company_B
end

Configuring the Company_A VDOM

This section describes how to add VLAN subinterfaces and configure security policies for the Company_A VDOM.


Adding VLAN subinterfaces

You need to create a VLAN subinterface on the port2 interface and another one on the port1 interface, both with the same VLAN ID.

To add VLAN subinterfaces - web-based manager:
  1. Go to Global > Network > Interfaces.
  2. Select Create New.
  3. Enter the following information and select OK:
     Name            VLAN_100_int
     Interface       port2
     VLAN ID         100
     Virtual Domain  Company_A
  4. Select Create New.
  5. Enter the following information and select OK:
     Name            VLAN_100_ext
     Interface       port1
     VLAN ID         100
     Virtual Domain  Company_A
To add the VLAN subinterfaces - CLI:

config system interface
  edit VLAN_100_int
    set interface port2
    set vlanid 100
    set vdom Company_A
  next
  edit VLAN_100_ext
    set interface port1
    set vlanid 100
    set vdom Company_A
end

Creating the Lunch schedule

Both organizations have the same lunch schedule, but only Company A has relaxed its security policy to allow employees more freedom in accessing the Internet during lunch. The Lunch schedule is Monday to Friday from 11:45am to 2:00pm (14:00).

To create a recurring schedule for lunchtime - web-based manager:
  1. In Company_A VDOM, go to Policy & Objects > Schedules.
  2. Select Create New.
  3. Enter Lunch as the name for the schedule.
  4. Select Mon, Tues, Wed, Thu, and Fri.
  5. Set the Start time as 11:45 and set the Stop time as 14:00.
  6. Select OK.
To create a recurring schedule for lunchtime - CLI:

config vdom
  edit Company_A
    config firewall schedule recurring
      edit Lunch
        set day monday tuesday wednesday thursday friday
        set start 11:45
        set end 14:00
      end

Configuring Company_A firewall addresses

Company A's networks are all in the 10.11.0.0 network, so restricting the source address to that range provides added security.

To configure Company_A firewall addresses - web-based manager:
  1. In the Company_A VDOM, go to Policy & Objects > Addresses.
  2. Select Create New.
  3. Enter CompanyA in the Address Name field.
  4. Type 10.11.0.0/255.255.0.0 in the Subnet / IP Range field.
  5. Select OK.
To configure Company_A firewall addresses - CLI:

config firewall address
  edit CompanyA
    set type ipmask
    set subnet 10.11.0.0 255.255.0.0
  end

Creating Company_A security policies

A security policy can include varying levels of security feature protection. This example only deals with web filtering. The following security policies use the custom strict and relaxed web filter profiles configured earlier.

For these security policies, we assume that all protocols will be on their standard ports, such as port 80 for http traffic. If the ports are changed, such as using port 8080 for http traffic, you will have to create custom services for protocols with non-standard ports, and assign them different names.

The security policies configured in this section are:

  • internal to external, schedule always, allow all, security features - web filtering: strict
  • internal to external, schedule Lunch, allow all, security features - web filtering: relaxed

Security policies allow packets to travel from the internal VLAN_100 interface to the external interface, subject to the restrictions of the protection profile. Entering the policies in this order means the last one configured is at the top of the policy list and is checked first. This matters because policies are evaluated from the top: if one does not apply, the next is checked, until the end of the list.

To configure Company_A security policies - web-based manager:
  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. Enter the following information and select OK:
     Name                 CompanyA-lunch
     Incoming Interface   VLAN_100_int
     Outgoing Interface   VLAN_100_ext
     Source Address       CompanyA
     Destination Address  all
     Schedule             Lunch
     Service              ALL
     Action               ACCEPT
     Security Features    enable
       Web Filtering      relaxed

This policy provides relaxed protection during lunch hours, going from strict down to scan for protocol options and web filtering. AntiVirus and Email Filtering remain at strict for security: relaxing them would not give employees any additional access to the Internet, and it would make the company vulnerable.

  4. Select Create New.
  5. Enter the following information and select OK:
     Name                 CompanyA-strict
     Incoming Interface   VLAN_100_int
     Outgoing Interface   VLAN_100_ext
     Source Address       CompanyA
     Destination Address  all
     Schedule             always
     Service              ALL
     Action               ACCEPT
     Security Features    enable
       Web Filtering      strict

This policy enforces strict scanning at all times, while allowing all traffic. It ensures company policies are met for network security.

  6. Verify that the policy list is arranged By Sequence and that the CompanyA-lunch policy is located above the CompanyA-strict policy. If necessary, rearrange the policies so that the appropriate policy is applied to outgoing traffic.
To configure Company_A security policies - CLI:

config vdom
  edit Company_A
    config firewall policy
      edit 1
        set name "CompanyA-lunch"
        set srcintf VLAN_100_int
        set dstintf VLAN_100_ext
        set srcaddr CompanyA
        set dstaddr all
        set action accept
        set schedule Lunch
        set service ALL
        set utm-status enable
        set webfilter-profile relaxed
      next
      edit 2
        set name "CompanyA-strict"
        set srcintf VLAN_100_int
        set dstintf VLAN_100_ext
        set srcaddr CompanyA
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set utm-status enable
        set webfilter-profile strict
      end

Configuring the Company_B VDOM

This section describes how to add VLAN subinterfaces and configure security policies for the Company_B VDOM.


Adding VLAN subinterfaces

You need to create a VLAN subinterface on the internal interface (port2) and another one on the external interface (port1), both with the same VLAN ID.

To add VLAN subinterfaces - web-based manager:
  1. Go to Network > Interfaces.
  2. Select Create New.
  3. Enter the following information and select OK:
     Name            VLAN_200_int
     Interface       port2
     VLAN ID         200
     Virtual Domain  Company_B
  4. Select Create New.
  5. Enter the following information and select OK:
     Name            VLAN_200_ext
     Interface       port1
     VLAN ID         200
     Virtual Domain  Company_B
To add the VLAN subinterfaces - CLI:

config system interface
  edit VLAN_200_int
    set interface port2
    set vlanid 200
    set vdom Company_B
  next
  edit VLAN_200_ext
    set interface port1
    set vlanid 200
    set vdom Company_B
end

Creating Company_B service groups

Company_B does not want its employees to use any online chat software except NetMeeting, which the company uses for net conferencing. To simplify the creation of a security policy for this purpose, you create a service group that contains all of the services you want to restrict. A security policy can manage only one service or one group.

To create a chat service group - web-based manager:
  1. Go to Policy & Objects > Services and select Create New > Service Group.
  2. Enter Chat in the Group Name field.
  3. For each of IRC, AOL, SIP-MSNmessenger and TALK, select the service in the Available Services list and select the right arrow to add it to the Members list.

If a particular service does not appear in the Available Services list, see the list in Policy & Objects > Services. Some services do not appear by default unless edited.

  4. Select OK.
To create a chat service group - CLI:

config firewall service group
  edit Chat
    set member IRC SIP-MSNmessenger AOL TALK
  end

Configuring Company_B firewall addresses

Company B’s network is all in the 10.12.0.0 network. Security can be improved by only allowing traffic from IP addresses on that network.

To configure Company_B firewall address - web-based manager:
  1. In the Company_B VDOM, go to Policy & Objects > Addresses.
  2. Select Create New.
  3. Enter CompanyB in the Address Name field.
  4. Type 10.12.0.0/255.255.0.0 in the Subnet / IP Range field.
  5. Select OK.
To configure Company_B firewall addresses - CLI:

config vdom
  edit Company_B
    config firewall address
      edit CompanyB
        set type ipmask
        set subnet 10.12.0.0 255.255.0.0
      end

Configuring Company_B security policies

Security policies allow packets to travel between the internal and external VLAN_200 interfaces subject to the restrictions of the protection profile.

To configure Company_B security policies - web-based manager:
  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. Enter the following information and select OK:
     Name                 CompanyB-deny-games-chat
     Incoming Interface   VLAN_200_int
     Outgoing Interface   VLAN_200_ext
     Source Address       all
     Destination Address  all
     Schedule             BusinessDay
     Service              Chat
     Action               DENY

This policy prevents the use of network games or chat programs (except NetMeeting) during business hours.

  4. Enter the following information and select OK:
     Name                 CompanyB-lunch
     Incoming Interface   VLAN_200_int
     Outgoing Interface   VLAN_200_ext
     Source Address       all
     Destination Address  all
     Schedule             Lunch
     Service              HTTP, DNS
     Action               ACCEPT
     Security Features    enable
       Web Filter         relaxed

This policy relaxes the web category filtering during lunch hour.

  5. Select Create New.
  6. Enter the following information and select OK:
     Name                 CompanyB-strict
     Incoming Interface   VLAN_200_int
     Outgoing Interface   VLAN_200_ext
     Source Address       all
     Destination Address  all
     Schedule             BusinessDay
     Service              HTTP, DNS
     Action               ACCEPT
     Security Profiles    enabled
       Web Filter         strict

This policy provides strict web category filtering during business hours.

  7. Select Create New.
  8. Enter the following information and select OK:
     Name                 CompanyB-after-hours
     Incoming Interface   VLAN_200_int
     Outgoing Interface   VLAN_200_ext
     Source Address       all
     Destination Address  all
     Schedule             always
     Service              ALL
     Action               ACCEPT
     Security Profiles    enabled
       Web Filter         relaxed

Because it is last in the list, this policy applies to the times and services not covered in preceding policies. This means that outside of regular business hours, the Relaxed protection profile applies to email and web browsing, and online chat and games are permitted. Company B needs this policy because its employees sometimes work overtime. The other companies in this example maintain fixed hours and do not want any after-hours Internet access.

To configure Company_B security policies - CLI:

config vdom
  edit Company_B
    config firewall policy
      edit 1
        set name "CompanyB-deny-games-chat"
        set srcintf VLAN_200_int
        set srcaddr all
        set dstintf VLAN_200_ext
        set dstaddr all
        set schedule BusinessDay
        set service Chat
        set action deny
      next
      edit 2
        set name "CompanyB-lunch"
        set srcintf VLAN_200_int
        set srcaddr all
        set dstintf VLAN_200_ext
        set dstaddr all
        set action accept
        set schedule Lunch
        set service HTTP DNS
        set utm-status enable
        set webfilter-profile relaxed
      next
      edit 3
        set name "CompanyB-strict"
        set srcintf VLAN_200_int
        set srcaddr all
        set dstintf VLAN_200_ext
        set dstaddr all
        set action accept
        set schedule BusinessDay
        set service HTTP DNS
        set utm-status enable
        set webfilter-profile strict
      next
      edit 4
        set name "CompanyB-after-hours"
        set srcintf VLAN_200_int
        set srcaddr all
        set dstintf VLAN_200_ext
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set utm-status enable
        set webfilter-profile relaxed
      end
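
As an added example (not from the FortiOS documentation or Fortinet code), the following Python script models first-match evaluation of the Company_A and Company_B policy lists above, so the effect of policy order described in both sections can be checked before the policies go live. The BusinessDay window and the CompanyA source address object are assumptions noted in the code.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Schedules named on the page. BusinessDay is used there but never defined,
# so its 09:00-17:00 window is an assumption of this example.
SCHEDULES = {
    "always": (time.min, time.max),
    "Lunch": (time(11, 45), time(14, 0)),
    "BusinessDay": (time(9, 0), time(17, 0)),
}
# Firewall addresses: the built-in "all" and the page's CompanyA object.
ADDRESSES = {"all": ip_network("0.0.0.0/0"), "CompanyA": ip_network("10.11.0.0/16")}
# Services: None means "match any service"; Chat is the page's service group.
SERVICES = {
    "ALL": None,
    "HTTP": {"HTTP"},
    "DNS": {"DNS"},
    "Chat": {"IRC", "AOL", "SIP-MSNmessenger", "TALK"},
}

@dataclass
class Policy:
    name: str
    srcaddr: str          # key into ADDRESSES
    schedule: str         # key into SCHEDULES
    services: tuple       # keys into SERVICES
    action: str           # "accept" or "deny"
    webfilter: str = ""   # web filter profile applied when accepted

def service_matches(policy, service):
    return any(SERVICES[s] is None or service in SERVICES[s] for s in policy.services)

def in_schedule(name, t):
    start, end = SCHEDULES[name]
    return start <= t <= end

def evaluate(policies, src_ip, service, t):
    """First match from the top of the list wins; no match is the implicit deny."""
    ip = ip_address(src_ip)
    for p in policies:
        if ip in ADDRESSES[p.srcaddr] and in_schedule(p.schedule, t) and service_matches(p, service):
            return p.name, p.action, p.webfilter
    return "implicit-deny", "deny", ""

# The two policy lists in the order the page says they must appear.
COMPANY_A = [
    Policy("CompanyA-lunch", "CompanyA", "Lunch", ("ALL",), "accept", "relaxed"),
    Policy("CompanyA-strict", "CompanyA", "always", ("ALL",), "accept", "strict"),
]
COMPANY_B = [
    Policy("CompanyB-deny-games-chat", "all", "BusinessDay", ("Chat",), "deny"),
    Policy("CompanyB-lunch", "all", "Lunch", ("HTTP", "DNS"), "accept", "relaxed"),
    Policy("CompanyB-strict", "all", "BusinessDay", ("HTTP", "DNS"), "accept", "strict"),
    Policy("CompanyB-after-hours", "all", "always", ("ALL",), "accept", "relaxed"),
]
```

Evaluating COMPANY_A[::-1] at lunchtime shows why CompanyA-lunch must sit above CompanyA-strict: with the order reversed, the always schedule matches first and the relaxed profile is never applied.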

Configuring the VLAN switch and router

The Cisco switch is the first VLAN device that internal traffic passes through, and the Cisco router is the last device before the Internet or ISP.


Configuring the Cisco switch

On the Cisco Catalyst 2900 ethernet switch, you need to define the VLANs 100, 200 and 300 in the VLAN database, and then add configuration files to define the VLAN subinterfaces and the 802.1Q trunk interface.

Add this configuration to the Cisco VLAN switch:

!
interface FastEthernet0/1
 switchport access vlan 100
!
interface FastEthernet0/5
 switchport access vlan 300
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
!

Switch 1 has the following configuration:

Port 0/1 VLAN ID 100
Port 0/3 VLAN ID 200
Port 0/6 802.1Q trunk

Configuring the Cisco router

The configuration for the Cisco router in this example is the same as in the basic example, except we add VLAN_300. Each of the three companies has its own subnet assigned to it.

The IP addresses assigned to each VLAN on the router are the gateway addresses for the VLANs. For example, devices on VLAN_100 would have their gateway set to 10.11.0.1/255.255.0.0.

!
interface FastEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/0.1
 encapsulation dot1Q 100
 ip address 10.11.0.1 255.255.0.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 200
 ip address 10.12.0.1 255.255.0.0
!

The router has the following configuration:

Port 0/0.1 VLAN ID 100
Port 0/0.3 VLAN ID 200
Port 0/0 802.1Q trunk

Testing the configuration

Use diagnostic commands, such as tracert, to test traffic routed through the network.

You should test traffic between the internal VLANs as well as from the internal VLANs to the Internet to ensure connectivity.

For additional troubleshooting, see Troubleshooting Virtual Domains.


Testing traffic from VLAN_100 to the Internet

In this example, a route is traced from VLANs to a host on the Internet. The route target is www.example.com.

From a host on VLAN_100, access a command prompt and enter this command:

C:\>tracert www.example.com

Tracing route to www.example.com [208.77.188.166]
over a maximum of 30 hops:

  1    <10 ms   <10 ms   <10 ms  10.100.0.1
...
 14   172 ms   141 ms   140 ms  208.77.188.166

Trace complete.

The number of steps between the first and the last hop, as well as their IP addresses, will vary depending on your location and ISP. However, all successful tracerts to www.example.com will start and end with these lines.

Repeat the tracert for VLAN_200.

The tracert for each VLAN will include the gateway for that VLAN as the first step. Otherwise, the tracert should be the same for each VLAN.

Testing traffic from VLAN_100 to VLAN_200

In this example, a route is traced between two internal networks. The route target is a host on VLAN_200. The Windows traceroute command tracert is used.

From VLAN_100, access a Windows command prompt and enter this command:

C:\>tracert 10.12.0.2

Tracing route to 10.12.0.2 over a maximum of 30 hops:

  1    <10 ms   <10 ms   <10 ms  10.100.0.1
  2    <10 ms   <10 ms   <10 ms  10.12.0.2

Trace complete.

You can repeat this for different routes in the topology. In each case the IP addresses will be the gateway for the starting VLAN, and the end point at the ending VLAN.
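
As an added example (not part of the FortiOS documentation), the following Python script parses Windows tracert output like the traces above and applies the two checks just described: the first hop must be the gateway of the starting VLAN and the last hop must be the target. The sample trace is constructed, its first hop is the VLAN_100 gateway from the router section, and the intermediate hop address is a placeholder.

```python
import re

# Constructed sample modelled on the VLAN_100 trace above (the page elides the
# middle hops with "..."); the first hop is the VLAN_100 gateway from the router
# section, and one hop times out, which real traces often do.
SAMPLE_TRACE = """\
Tracing route to www.example.com [208.77.188.166]
over a maximum of 30 hops:

  1    <10 ms   <10 ms   <10 ms  10.11.0.1
  2     *        *        *     Request timed out.
  3    14 ms    12 ms    13 ms  203.0.113.1
  4   172 ms   141 ms   140 ms  208.77.188.166

Trace complete.
"""

# One hop line: number, three RTT columns (or stars), then an IPv4 address or
# the Windows timeout message.
HOP_RE = re.compile(
    r"^\s*(\d+)\s+(.*?)\s+(\d{1,3}(?:\.\d{1,3}){3}|Request timed out\.)\s*$"
)

def parse_tracert(text):
    """Return [(hop number, ip or None for a timed-out hop), ...]."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            dest = m.group(3)
            hops.append((int(m.group(1)), None if dest.startswith("Request") else dest))
    return hops

def check_trace(text, expected_gateway, target_ip):
    """Check that the first hop is the VLAN gateway and the last hop is the target."""
    hops = parse_tracert(text)
    if not hops:
        return False, "no hops parsed"
    first = hops[0][1]
    if first != expected_gateway:
        return False, f"first hop {first} is not the VLAN gateway {expected_gateway}"
    if hops[-1][1] != target_ip:
        return False, f"trace did not reach {target_ip}"
    return True, "ok"
```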