FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 32 - Virtual Domains > Inter-VDOM routing > Example configuration: Inter-VDOM routing

Example configuration: Inter-VDOM routing

This example shows how to configure a FortiGate unit to use inter-VDOM routing.

This section contains the follow topics:

Network topology and assumptions

Two departments of a company, Accounting and Sales, are connected to one FortiGate 800 unit. To do its work, the Sales department receives a lot of email from advertising companies that would appear to be spam if the Accounting department received it. For this reason, each department has its own VDOM to keep firewall policies and other configurations separate. A management VDOM makes sense to ensure company policies are followed for traffic content.

The traffic between Accounting and Sales will be email and HTTPS only. It could use a VDOM link for a meshed configuration, but we will keep from getting too complex. With the configuration, inter-VDOM traffic will have a slightly longer path to follow than normal—from one department VDOM, through the management VDOM, and back to the other department VDOM. Since inter-VDOM links are faster than physical interfaces, this longer path should not be noticed.

Firewall policies will be in place. For added security, firewall policies will allow only valid office services such as email, web browsing, and FTP between either department and the Internet. Any additional services that are required can be added in the future.

The company uses a single ISP to connect to the Internet. The ISP uses DHCP to provide an IP address to the FortiGate unit. Both departments use the same ISP to reach the Internet.

Other assumptions for this example are as follows:

  • Your FortiGate unit has interfaces labelled port1 through port4 and VDOMs are not enabled.
  • You are using the super_admin account.
  • You have the FortiClient application installed.
  • You are familiar with configuring interfaces, firewalls, and other common features on your FortiGate unit.

General configuration steps

This example includes the following general steps. For best results, follow the steps in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

  1. Creating the VDOMs
  2. Configuring the physical interfaces
  3. Configuring the VDOM links
  4. Configuring the firewall and Security Profile settings
  5. Testing the configuration

Creating the VDOMs

This procedure enables VDOMs and creates the Sales and Accounting VDOMs.

To create the VDOMs - web-based manager:
  1. Log in as the super_admin administrator.
  2. Go to the Dashboard and locate the System Information widget. Enable Virtual Domain.
  3. Log in again.
  4. Go to Global > System > VDOM.
  5. Select Create New, enter Accounting for the VDOM Name, and select OK.
  6. Select Create New, enter Sales for the VDOM Name, and select OK.
To create the VDOMs - CLI:

config system global

set vdom enable

end

config system vdom

edit Accounting

next

edit Sales

next

end

Configuring the physical interfaces

Next, the physical interfaces must be configured. This example uses three interfaces on the FortiGate unit - port2 (internal), port3(dmz), and port1(external). port2 and port3 interfaces each have a department’s network connected. port1 is for all traffic to or from the Internet and will use DHCP to configure its IP address, which is common with many ISPs.

To configure the physical interfaces - web-based manager:
  1. Go to Global > Network > Interfaces.
  2. Select Edit for the port2 interface, enter the following information, and select OK.
Alias AccountingLocal
Virtual Domain Accounting
Addressing mode Manual
IP/Netmask 172.100.1.1/255.255.0.0
Administrative Access HTTPS, PING, SSH
Description This is the accounting department internal interface.
  1. Select Edit for the port3 interface, enter the following information, and select OK.
Alias SalesLocal
Virtual Domain Sales
Addressing mode Manual
IP/Netmask 192.168.1.1/255.255.0.0
Administrative Access HTTPS, PING, SSH
Description This is the sales department internal interface.
  1. Select Edit for the port1 interface, enter the following information, and select OK.
Alias ManagementExternal
Virtual Domain root
Addressing Mode DHCP
Distance 5
Retrieve default gateway from server Enable
Override internal DNS Enable
Administrative Access HTTPS, SSH, SNMP
Description This is the accounting department internal interface.
note icon When the mode is set to DHCP or PPoE on an interface you can set the distance field. This is the administrative distance for any routes learned through the gateway for this interface. The gateway is added to the static route table with these values. A lower distance indicates a preferred route.
To configure the physical interfaces - CLI:

config global

config system interface

edit port2

set alias AccountingLocal

set vdom Accounting

set mode static

set ip 172.100.1.1 255.255.0.0

set allowaccess https ping ssh

set description "The accounting dept internal interface"

next

edit port3

set alias SalesLocal

set vdom Sales

set mode static

set ip 192.168.1.1 255.255.0.0

set allowaccess https ping ssh

set description "The sales dept. internal interface"

next

edit port1

set alias ManagementExternal

set vdom root

set mode DHCP

set distance 5

set gwdetect enable

set dns-server-override enable

set allowaccess https ssh snmp

set description “The systemwide management interface.”

end

Configuring the VDOM links

To complete the connection between each VDOM and the management VDOM, you need to add the two VDOM links; one pair is the Accounting - management link and the other is for Sales - management link.

When configuring inter-VDOM links, you do not have to assign IP addresses to the links unless you are using advanced features such as dynamic routing that require them. Not assigning IP addresses results in faster configuration, and more available IP addresses on your networks.

If you require them, or if you simply want to assign IP addresses for clarity can do so.

To configure the Accounting and management VDOM link - web-based manager:
  1. Go to Global > Network > Interfaces.
  2. Select the expand arrow to select Create New > VDOM link.
  3. Enter the following information, and select OK.
Name   AccountVlnk
Interface #0
  Virtual Domain Accounting
IP/Netmask 0.0.0.0/0.0.0.0
Administrative Access HTTPS, PING, SSH
Description The Accounting VDOM side of the link.
Interface #1
  Virtual Domain root
IP/Netmask 0.0.0.0/0.0.0.0
Administrative Access HTTPS, PING, SSH
Description The Management VDOM side of the link.
To configure the Accounting and management VDOM link - CLI:

config global

config system vdom-link

edit AccountVlnk

next

end

config system interface

edit AccountVlnk0

set vdom Accounting

set ip 0.0.0.0 0.0.0.0

set allowaccess https ping ssh

set description “Accounting side of the VDOM link“

next

edit AccountVlnk1

set vdom root

set ip 0.0.0.0 0.0.0.0

set allowaccess https ping ssh

set description “Management side of the VDOM link“

end

To configure the Sales and management VDOM link - web-based manager:
  1. Go to Global > Network > Interfaces.
  2. Select the expand arrow and select Create New > VDOM link.
  3. Enter the following information, and select OK.
Name   SalesVlnk
Interface #0
  Virtual Domain Sales
IP/Netmask 0.0.0.0/0.0.0.0
Administrative Access HTTPS, PING, SSH
Description The Sales VDOM side of the link.
Interface #1
  Virtual Domain root
IP/Netmask 0.0.0.0/0.0.0.0
Administrative Access HTTPS, PING, SSH
Description The Management VDOM side of the link.
To configure the Sales and management VDOM link - CLI:

config global

config system vdom-link

edit SalesVlnk

end

config system interface

edit SalesVlnk0

set vdom Accounting

set ip 0.0.0.0 0.0.0.0

set allowaccess https ping ssh

set description "Sales side of the VDOM link"

next

edit SalesVlnk1

set vdom root

set ip 0.0.0.0 0.0.0.0

set allowaccess https ping ssh

set description "Management side of the VDOM link"

end

end

Configuring the firewall and Security Profile settings

With the VDOMs, physical interfaces, and VDOM links configured the firewall must now be configured to allow the proper traffic. Firewalls are configured per-VDOM, and firewall objects must be created for each VDOM separately.

For this example, the firewall group of services allowed between the internal networks and the Internet are the basic services for web browsing, file transfer, and email. These include: HTTP, HTTPS, SSL, FTP, DNS, NTP, POP3, and SMTP.

The only services allowed between Sales and Accounting are secure web browsing (HTTPS) and email (POP3 and SMTP).

note icon The limited number of services ensures security between departments. The list of services can be expanded in the future if needed.

Security profile settings will block all non-essential business websites while logging all web traffic, scan and file filter all web and email protocols, and block game and peer-to-peer applications using application control.

For added security, FortiClient is required on internal computers with AntiVirus scanning configured. This is enforced by Endpoint NAC in firewall policies.

Using firewall addresses makes the firewall policies easier to read. Also if any changes need to be made in the future, you can simply update the addresses without changing the firewall policies. The addresses required are:

  • AccountingLocal - all traffic from the internal accounting network
  • AccountingVlnk - all traffic from the VDOM link between accounting and management VDOMs
  • SalesLocal - all traffic from the internal sales network
  • SalesVlnk - all traffic from the VDOM link between sales and management VDOM.

The Accounting VDOM requires AccountingLocal, AccountingVlnk, and SalesLocal. The Sales VDOM requires SalesLocal, SalesVlnk, and AccountingLocal.

This section includes the following topics:

Configuring firewall service groups

Service groups are an easy way to manage multiple services, especially if the same services are used on different networks.

The two service groups used here are intended for normal office traffic to the Internet, and for restricted traffic between departments. In both cases network traffic will be limited to the services listed to prevent any potential security risks or bandwidth-robbing applications.

These service groups can be changed as needed to either include additional valid services that are being used on the network, or to exclude services that are not required. Also, custom services can be created as needed for applications that are not listed.

To configure two firewall service groups - web-based manager:
  1. Open the Accounting VDOM.
  2. Go to Policy & Objects > Services and select Create New > Service Group.
  3. Select Create New, enter the following information, and select OK.
Group Name OfficeServices
Members HTTP, HTTPS, SSL, FTP, DNS, NTP, POP3, PING, SMTP
  1. Select Create New, enter the following information, and select OK.
Group Name AccountingSalesServices
Members HTTPS, POP3, PING, SMTP
To configure two firewall service groups - CLI:

config vdom

edit Accounting

config firewall service group

edit OfficeServices

set member HTTP HTTPS SSH FTP DNS NTP POP3 PING SMTP

next

edit AccountingSalesServices

set member HTTPS POP3 PING SMTP

end

end

Configuring Security Profile settings for the Accounting VDOM

Security Profile settings include web filtering, antivirus, application control, and other features. This example just uses those three features to ensure that

  • the business environment is free from viruses
  • employees do not surf grossly inappropriate websites, and
  • employees do not use games or peer-to-peer applications at work.
To configure web filtering for the Accounting VDOM - web-based manager:
  1. Open the Accounting VDOM.
  2. Go to Security Profiles > Web Filter.
  3. Select Create New.
  4. Enter webStrict for the Name.
  5. Select the arrow to expand the FortiGuard Web Filtering section.
  6. Block all Categories except Business Oriented, Other, and Unrated.
  7. Block all Classifications except Image Search..
  8. Log all Categories and Classifications.
  9. Select OK.
To configure AntiVirus for the Accounting VDOM - web-based manager:
  1. Open the Accounting VDOM.
  2. Go to Security Profiles > AntiVirus.
  3. Select Create New.
  4. Enter avStrict for the Name.
  5. Set Detect Virues to Block and enable all Inspected Protocols.
  6. Select OK.
To configure application control for the Accounting VDOM - web-based manager:
  1. Open the Accounting VDOM.
  2. Go to Security Profiles > Application Control.
  3. Select Create New (+ button at top right of page).
  4. Enter appStrict for Name and select OK.
  5. Select Create New.
  6. In Filters, set Category to game.
  7. In Applications/Settings, enter the following, and select OK.
Action Block
Packet Logging Enable
  1. Select Create New.
  2. In Filters, set Category to p2p.
  3. In Applications/Settings, enter the following, and select OK.
Action Block
Packet Logging Enable
  1. Select Apply.
To configure application control for the Accounting VDOM - CLI:

config vdom

edit Accounting

config application list

edit appStrict

config entries

edit 1

set category 2

next

edit 2

set category 8

end

end

end

Configuring firewall settings for the Accounting VDOM

This configuration includes two firewall addresses and two firewall policies for the Accounting VDOM - one for the internal network, and one for the VDOM link with the management VDOM (root).

For added security, all traffic allowed will be scanned. Only valid office traffic will be allowed using the service group OfficeServices.

Note the spelling of AccountVlnk which is due to the eleven character limit on VDOM link names.

To configure firewall addresses - web-based manager:
  1. Open the Accounting VDOM.
  2. Select Policy & Objects > Addresses.
  3. Select Create New, enter the following information, and select OK.
Address Name AccountingLocal
Type Subnet/ IP Range
Subnet / IP Range 172.100.0.0
Interface port1
  1. Select Create New, enter the following information, and select OK.
Address Name AccountManagement
Type Subnet/ IP Range
Subnet / IP Range 10.0.1.0
Interface AccountVlnk
To configure firewall addresses - CLI:

config vdom

edit Accounting

config firewall address

edit AccountingLocal

set type iprange

set subnet 172.100.0.0

set associated-interface port1

next

edit AccountManagement

set type iprange

set subnet 10.0.1.0

set associated-interface AccountVlnk

end

end

To configure the firewall policies from AccountingLocal to the Internet - web-based manager:
  1. Open the Accounting VDOM.
  2. Go to Policy & Objects > IPv4 Policy.
  3. Select Create New, enter the following information, and then select OK.
Name Accounting-Local-to-Management
Incoming Interface port2
Outgoing Interface AccountVlnk
Source Address AccountingLocal
Destination Address AccountManagement
Schedule always
Service OfficeServices
Action ACCEPT
Enable NAT enable
Security Features enabled
  Web Filtering webStrict
  AntiVirus Filtering avStrict
  Application Control appStrict
  1. Open the root VDOM.
  2. Go to Policy & Objects > IPv4 Policy.
  3. Select Create New, enter the following information, and then select OK.
Name Accounting-VDOM-to-Internet
Incoming Interface AccountVlnk
Outgoing Interface ManagementExternal
Source Address AccountManagement
Destination Address all
Schedule always
Service OfficeServices
Action ACCEPT
Enable NAT enable
Security Features enabled
  Web Filtering webStrict
  AntiVirus Filtering avStrict
  Application Control appStrict
To configure the firewall policies from AccountingLocal to Internet - CLI:

config vdom

edit Accounting

config firewall policy

edit 1

set name "Accounting-Local-to-Management"

set srcintf port2

set dstintf AccountVlnk

set srcaddr AccountingLocal

set dstaddr AccountManagement

set action accept

set schedule always

set service OfficeServices

set nat enable

set av-profile avStrict

set webfilter-profile webStrict

set application-list appStrict

end

end

config vdom

edit root

config firewall policy

edit 2

set name "Accounting-VDOM-to-Internet"

set srcintf AccountVlnk

set dstintf port1

set srcaddr AccountManagement

set dstaddr all

set action accept

set schedule always

set service OfficeServices

set nat enable

set av-profile scan

set webfilter-profile scan

set application-list AppControlList

end

end

To configure the firewall policies from Internet to AccountingLocal - web-based manager:
  1. Open the root VDOM.
  2. Go to Policy & Objects > IPv4 Policy.
  3. Select Create New, enter the following information, and select OK.
Name Internet-access-to-Accounting-VDOM
Incoming Interface port1
Outgoing Interface AccountVlnk
Source Address all
Destination Address AccountManagement
Schedule always
Service OfficeServices
Action ACCEPT
Enable NAT enable
Security Features enabled
  Web Filtering webStrict
  AntiVirus Filtering avStrict
  Application Control appStrict
  1. Open the Accounting VDOM.
  2. Go to Policy & Objects > IPv4 Policy.
  3. Select Create New, enter the following information, and select OK.
Name Management-access-to-Accounting-local
Incoming Interface AccountVlnk
Outgoing Interface port2
Source Address AccountManagement
Destination Address AccountingLocal
Schedule always
Service OfficeServices
Action ACCEPT
Enable NAT enable
Security Features enabled
  Web Filtering webStrict
  AntiVirus Filtering avStrict
  Application Control appStrict
To configure the firewall policies from Internet to AccountingLocal - CLI:

config vdom

edit root

config firewall policy

edit 3

set name "Internet-access-to-Accounting-VDOM"

set srcintf port1

set dstintf AccountVlnk

set srcaddr all

set dstaddr AccountManagement

set action accept

set schedule always

set service OfficeServices

set nat enable

set av-profile avStrict

set webfilter-profile webStrict

set application-list appstrict

end

end

config vdom

edit Accounting

config firewall policy

edit 4

set name "Management-access-to-Accounting-local"

set srcintf AccountVlnk

set dstintf port2

set srcaddr AccountManagement

set dstaddr AccountingLocal

set action accept

set schedule always

set service OfficeServices

set nat enable

set av-profile avStrict

set webfilter-profile webStrict

set application-list appstrict

end

end

Configuring Security Profile settings for the Sales VDOM

Security profile settings include web filtering, antivirus, application control, and other features. This example just uses those three features to ensure that

  • the business environment is free from viruses
  • employees do not surf grossly inappropriate websites, and
  • employees do not use games or peer-to-peer applications at work.

Note that Sales web traffic is different from Accounting, and web filtering is different to account for this.

To configure web filtering for the Sales VDOM - web-based manager:
  1. Open the Sales VDOM.
  2. Go to Security Profiles > Web Filter.
  3. Select Create New.
  4. Enter webStrict for the Name.
  5. In FortiGuard Categories, select all of the categories except Bandwidth Consuming, General Interest - Business and Unrated.
  6. In Change Action for Selected Categories select Block.
  7. Select Apply.
To configure web filtering for the Sales VDOM - CLI:

config vdom

edit Sales

config webfilter profile

edit webStrict

config ftgd-wf

set allow g07 g08 g21 g22 c01 c03

set deny g01 g02 g03 g04 g05 g06 c02 c04 c05 c06 c07

end

set web-ftgd-err-log enable

end

end

To configure AntiVirus for the Sales VDOM - web-based manager:
  1. Open the Sales VDOM.
  2. Go to Security Profiles > AntiVirus.
  3. Select Create New.
  4. Enter avStrict for the Name.
  5. Set Detect Virues to Block and enable all Inspected Protocols.
  6. Select Apply.
To configure AntiVirus for the Sales VDOM - CLI:

config vdom

edit Sales

config antivirus profile

edit "avStrict"

config http

set options scan file-filter

end

config ftp

set options scan file-filter

end

config imap

set options scan file-filter

end

config pop3

set options scan file-filter

end

config smtp

set options scan file-filter

end

config nntp

set options scan file-filter

end

config im

set options scan file-filter

end

set filepattable 1

set av-virus-log enable

set av-block-log enable

end

end

To configure application control for the Sales VDOM - web-based manager:
  1. Open the Accounting VDOM.
  2. Go to Security Profiles > Application Control.
  3. Select Create New (+ button at top right of page).
  4. Enter appStrict for Name and select OK.
  5. Select Create New.
  6. In Filters, set Category to game.
  7. In Applications/Settings, enter the following, and select OK.
Action Block
Packet Logging Enable
  1. Select Create New.
  2. In Filters, set Category to p2p.
  3. In Applications/Settings, enter the following, and select OK.
Action Block
Packet Logging Enable
  1. Select Apply.

 

To configure application control for the Sales VDOM - CLI:

config vdom

edit Sales

config application list

edit "appStrict"

config entries

edit 1

set category 2

next

edit 2

set category 8

end

end

end

Configuring firewall settings for the Sales VDOM

Like the Accounting firewall settings, this configuration includes two firewall addresses and two firewall policies for the sales VDOM: one for the internal network, and one for the VDOM link with the management VDOM.

When entering the CLI commands, the number of the firewall policies must be high enough to be a new policy. Depending on the number of firewall policies on your FortiGate unit, this may require starting at a higher number than the 6 required for the default configuration. This number is added automatically when you configure firewall policies using the web manager interface.

The FortiClient application must be used on Sales network computers to ensure additional protection for the sensitive information and for protection against spam.

To configure firewall addresses - web-based manager:
  1. Open the Sales VDOM.
  2. Go to Policy & Objects > Addresses.
  3. Select Create New, enter the following information, and select OK.
Address Name SalesLocal
Type Subnet / IP Range
Subnet / IP Range 172.100.0.0
Interface port3
  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information, and select OK.
Address Name SalesManagement
Type Subnet / IP Range
Subnet / IP Range 10.0.1.0
Interface SalesVlnk
To configure the firewall addresses - CLI:

config vdom

edit Sales

config fireall address

edit SalesLocal

set type iprange

set subnet 172.100.0.0

set associated-interface port2

next

edit SalesManagement

set type iprange

set subnet 10.0.1.0

set associated-interface SalesVlnk

end

end

To configure the firewall policies from SalesLocal to the Internet - web-based manager:
  1. Open the Sales VDOM.
  2. Go to Policy & Objects > IPv4 Policy.
  3. Select Create New, enter the following information, and select OK.
Name Sales-local-to-Management
Incoming Interface port3
Outgoing Interface SalesVlnk
Source Address SalesLocal
Destination Address SalesManagement
Schedule always
Service OfficeServices
Action ACCEPT
Log Allowed Traffic enabled
  1. Open the root VDOM.
  2. Go to Policy & Objects > IPv4 Policy.
  3. Select Create New, enter the following information, and select OK.
Name Sales-VDOM-to-Internet
Incoming Interface SalesVlnk
Outgoing Interface ManagementExternal
Source Address SalesManagement
Destination Address all
Schedule always
Service OfficeServices
Action ACCEPT
Log Allowed Traffic enabled
To configure the firewall policies from SalesLocal to the Internet - CLI:

config vdom

edit root

config firewall policy

edit 6

set name "Sales-local-to-Management"

set srcintf port2

set srcaddr SalesLocal

set dstintf SalesVlnk

set dstaddr SalesManagement

set schedule always

set service OfficeServices

set action accept

set logtraffic enable

end

end

config vdom

edit Sales

config firewall policy

edit 7

set name "Sales-VDOM-to-Internet"

set srcintf SalesVlnk

set srcaddr SalesManagement

set dstintf external

set dstaddr all

set schedule always

set service OfficeServices

set action accept

set logtraffic enable

end

end

To configure the firewall policies from the Internet to SalesLocal - web-based manager:
  1. Open the root VDOM.
  2. Go to Policy & Objects > IPv4 Policy.
  3. Select Create New, enter the following information, and select OK.
Name Internet-access-to-Sales-VDOM
Incoming Interface ManagementExternal
Outgoing Interface SalesVlnk
Source Address all
Destination Address SalesManagement
Schedule always
Service OfficeServices
Action ACCEPT
Protection Profile scan
Log Allowed Traffic enabled
  1. Open the Sales VDOM.
  2. Go to Policy & Objects > IPv4 Policy.
  3. Select Create New, enter the following information, and select OK.
Name Management-access-to-Sales-local
Incoming Interface SalesVlnk
Outgoing Interface port2
Source Address SalesManagement
Destination Address SalesLocal
Schedule always
Service OfficeServices
Action ACCEPT
Log Allowed Traffic enabled
To configure the firewall policies from the Internet to SalesLocal - CLI:

config vdom

edit root

config firewall policy

edit 8

set name "Internet-access-to-Sales-VDOM"

set srcintf external

set srcaddr all

set dstintf SalesVlnk

set dstaddr SalesManagement

set schedule always

set service OfficeServices

set action accept

set logtraffic enable

end

end

config vdom

edit Sales

config firewall policy

edit 9

set name "Management-access-to-Sales-local"

set srcintf SalesVlnk

set srcaddr SalesManagement

set dstintf port2

set dstaddr SalesLocal

set schedule always

set service OfficeServices

set action accept

set logtraffic enable

end

end

Configuring firewall settings between the Accounting and Sales VDOMs

Firewall policies are required for any communication between each internal network and the Internet. Policies are also required for the two internal networks to communicate with each other through the management VDOM.

The more limited AccountingSalesServices group of services will be used between Sales and Accounting to ensure the traffic is necessary business traffic only. These policies will result in a partially meshed VDOM configuration. The FortiClient application must be used to ensure additional protection for the sensitive accounting information.

Two firewall policies are required to allow traffic in both directions between Sales and Accounting.

To configure the firewall policy between Sales and Accounting on the management VDOM - web-based manager:
  1. Open the root VDOM.
  2. Go to Policy & Objects > IPv4 Policy.
  3. Select Create New, enter the following information, and select OK.
Name Sales-VDOM-to-Accounting-VDOM
Incoming Interface SalesVlnk
Outgoing Interface AccountVlnk
Source Address SalesManagement
Destination Address AccountingManagement
Schedule always
Service AccountingSalesServices
Action ACCEPT
Protection Profile scan
Log Allowed Traffic enabled
  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New, enter the following information, and select OK.
Name Accounting-VDOM-to-Sales-VDOM
Incoming Interface AccountVlnk
Outgoing Interface SalesVlnk
Source Address AccountingManagement
Destination Address SalesManagement
Schedule always
Service AccountingSalesServices
Action ACCEPT
Log Allowed Traffic enabled
To configure the firewall policy between Sales and Accounting on the management VDOM - CLI:

config vdom

edit root

config system firewall policy

edit 9

set name "Sales-VDOM-to-Accounting-VDOM"

set srcintf SalesVlnk

set srcaddr SalesManagement

set dstintf AccountVlnk

set dstaddr AccountManagement

set schedule always

set service AccountingSalesServices

set action accept

set logtraffic enable

next

edit 10

set name "Accounting-VDOM-to-Sales-VDOM"

set srcintf AccountVlnk

set srcaddr AccountManagement

set dstintf SalesVlnk

set dstaddr SalesManagement

set schedule always

set service AccountingSalesServices

set action accept

set logtraffic enable

end

end

Testing the configuration

Once the inter-VDOM routing has been configured, tests must be conducted to confirm proper operation. If there are any problems, use the troubleshooting tips to resolve them.

This section includes the following topics:

Testing connectivity

Testing connectivity ensures that physical networking connections as well as FortiGate unit interface configurations, including firewall policies, are properly configured.

The easiest way to test connectivity is to use the ping and traceroute commands to confirm the connectivity of different routes on the network. Include testing:

  • from AccountingLocal to Internet
  • from Internet to AccountingLocal
  • from SalesLocal to Internet
  • from Internet to SalesLocal
  • from AccountingLocal to SalesLocal.

When using the commands on a Windows computer, go to a command line prompt and enter either ping <IP address> or tracert <IP address>.

When using the commands on a FortiGate unit, go to the CLI and enter either exec ping <IP address> or exec traceroute <IP address>.

Troubleshooting Tips

When there are problems with connectivity, the following troubleshooting tips will help resolve the issues.

  • If a multiple hop test, such as traceroute, is not successful then reduce it to a single hop to simplify the test. Test each link of the path to see which hop is down. If all hops are up, check the FortiGate unit policies to ensure they allow basic traffic to flow as expected.
  • If ping does not work, confirm that the FortiGate unit interfaces have Ping enabled and also ensure Ping is enabled in the firewall policies. Otherwise the Ping traffic will be blocked.
  • If one protocol does not work but others do work, check the FortiGate unit firewall policies for that one protocol to ensure it is allowed.
  • If there are unexplained connectivity problems, check the local computer to ensure it does not have a software firewall running that may be blocking traffic. MS Windows computers have a firewall running by default that can cause problems.

For additional troubleshooting, see Troubleshooting Virtual Domains.