Você está na página 1de 35

HostingmorethanoneFortiOSinstanceon

asingleFortiGateunitusingVDOMsand
VLANs
1. Network topology

UseVirtualdomains(VDOMs)todividetheFortiGateunitintotwoormorevirtualinstancesofFortiOS
thatfunctionsimilartoindependentFortiGateunits.EachVDOMhasitsownphysicalinterfaces,routing
configuration,andsecuritypolicies.

ThisexamplesimulatesanISPthatprovidesCompanyAandCompanyBwithInternetservicesandoffer
tothemdailynetworkmanagementandsecurityviaTLS(TransparentLANService)connections.Alsothe
ISPneedstoprotectitsserverssettopublicrouteableIPaddresses.
EachcompanywouldhaveitsownInternetIPaddressandinternalnetwork.Thisconfigurationrequires:

TwoVDOMs:VDOMAandVDOMBoperatinginNAT/Routemode,VDOMAforcompanyAand
VDOMBforcompanyB
OneVDOMCoperatingintransparentmodefortheISP

Thisscenariowillcoverthefollowingfeatures:

VDOMA:
o SettingupVLANStoseparateinternalnetworks
o ConfigureDHCPserveronVLANinterface

VDOMB:
o ConfigurelocalDNSserverresolvinginternalwebsitesandservers
o UseDHCPtoassignsomeIPsaccordingtodeviceMACaddresses
o Configuretrafficshapingforsensitivetraffic
o Configureexplicitwebproxyandwebcachingonsomenetwork

VDOMC:
o AllowingsecureaccesstoawebserverssettopublicIPaddress
o ProtectingthiswebserverusingUTMsecurityprofiles

2. Creating VDOMA, VDOMB and VDOMC

GotoSystem>Dashboard>StatusandenableVirtualDomain


GotoGlobal>VDOM>VDOMandaddVDOMA,VDOMB,VDOMCandamanagementIPforVDOMC
sinceitstransparent

Bydefault,rootisthemanagementVDOManditshouldhaveaninterfaceconnectedtotheinternetfor
managementtrafficsuchasFortiGuardservices,NTP,SNMP,etc.themanagementVDOMcanbemoved
toVDOMAorVDOMBorVDOMC.

TheadminaccounthasfullcontrolofallVDOMsintheFortiGateunit.Adminaccountcanaccessthe
FortiGateonanyinterfaceofanyVDOMasfarastheinterfacehasanIPaddressandallowinghttps
access.

GotoGlobal>Network>Interfaceandaddport1andport2toVDOMA

GotoRouter>Static>StaticRoutetoaddadefaultrouteforVDOMA

GotoGlobal>Network>Interfaceandaddport3andport4toVDOMB,andaddDHCPservertoport4

GotoRouter>Static>StaticRoutetoaddadefaultrouteforVDOMB

GotoGlobal>Network>Interfaceandaddport5andport6toVDOMC

GotoSystem>Network>RoutingTabletoaddadefaultrouteforVDOMC

GotoGlobal>Admin>AdministratorstocreateadministratorsforeachVDOM.Theadministrators
shouldonlyhaveaccesstotheirown

3. Configuring VDOMA using VLANs

LogontotheFortiGateunitVDOMAonport1orport2interfaceusingaadminaccount,thiswillletyou
manageonlyVDOMA

CompanyAseparatestheirthreeinternalnetworks(engineering,salesandmarketing)usingVLANs
ThissolutionusesVLANstoconnectthreenetworkstoVDOMAinternalinterfaceinthefollowingway:

PacketsfromeachnetworkpassthroughaVLANswitchbeforereachingtheVDOMA.TheVLAN
switchaddsdifferentVLANtagstopacketsfromeachnetwork.
TohandleVLANsonVDOMA,addVLANinterfacestotheinternalinterfaceforeachnetwork
AddaDHCPservertoeachVLANinterface.
CreatesecuritypoliciestoalloweachnetworktoaccesstheInternet.

ThissolutionassumesyouhaveconfiguredaVLANswitchtotagpacketsfromthethreenetworks

GotoSystem>Network>Interfacetocreatethreenewvlaninterfacesforengineering,marketingand
salesnetworks

GotoPolicy>Policy>Policytoaddfirewallpoliciesthatallowsusersontheengineering,marketingand
salesnetworkstoaccesstheinternetseparately

4. Showing results

FromengineeringnetworksetallhostsIPsinthesamesubnetastheEngineeringnetvlan
(192.168.10.x/24)withthegateway192.168.10.1orsethoststouseDHCP

FrommarketingnetworksetallhostsIPsinthesamesubnetastheMarketingnetvlan
(192.168.20.x/24)withthegateway192.168.20.1orsethoststouseDHCP
AndfromsalesnetworksetallhostsIPsinthesamesubnetastheSalesnetvlan(192.168.30.x/24)
withthegateway192.168.30.1orsethoststouseDHCP

ThenusersfromanyofthenetworksshouldbeabletoconnecttotheInternet

Policy>Policy>Policytoseetrafficcountforeachfirewallpolicy

GotoPolicy>Monitor>PolicyMonitortoseetheactivesessions


ClickoneachbluebarfordetailsforsourceIPandpolicyId

GotoLog&Report>TrafficLog>ForwardTraffic

Selectanentryformoredetails

5. Configuring VDOMB

LogontotheFortiGateunitVDOMBonport3orport4interfaceusingbadminaccount,thiswillletyou
manageonlyVDOMB

CompanyBrequiresreservedIPaccordingtodeviceMACaddressusingDHCP,localDNSserver,
guaranteedbandwidthforsensitivetrafficandfasterwebbrowsing.Consequentlythefollowing
featureswillbecovered:

DHCPservertoassignsomeIPaddressesaccordingtodeviceMACaddresses
LocalDNSserverlistingforinternalwebsitesandservers
Trafficshapingtomakesurehighpriorityservicesalwayshaveenoughbandwidth
Explicitwebproxyandwebcachingusersonsomenetworks

6. Configure DHCP to assign some IP addresses according to device


MAC addresses

GotoSystem>Network>DHCPServerandaddnewfortheinternalinterface(port4)

MakesuretospecifytheDNSServertotheinternalIPoftheFortiGateVDOMB(10.10.1.99).Thiswillbe
usefultoresolveinternalDNSrequests

ExtendMACAddressAccessControlListandcreateanewthenentertheMACaddressofthedevice
anditsdesiredreservedIPaddress.YoucanalsouseAddfromDHCPClientList

7. Creating a local DNS server listing for internal web sites and
servers

GotoSystem>Network>DNSServerandcreatenewunderDNSServiceonInterface.Makesureto
setModetoRecursive

ThencreatenewunderDNSDatabaseandaddDNSZoneandDomainName

ThencreatenewunderDNSEntriesandaddhostnames

TheDNSzonewillbelookinglikefollowing:

Fromanyhostontheinternalnetwork,setyournetworkconnectionstousetheinternalinterfaceof
FortiGateVDOMBIPaddress(10.10.1.99)asaprimaryDNSserver,thenyouwillbeabletosurftothe
webserverusingitsIPaddress(10.10.1.101)anditsdomainname(fortidocs.comor
www.fortidocs.com)

8. Configuring guaranteed bandwidth for sensitive traffic using traffic


shaping

Sensitivetraffic,suchasVoIP,flowingthroughtheFortigateVDOMBneedstohaveenoughguaranteed
bandwidthtoassurethevoicequality.

ThisscenarioinvolvestrafficshapingforVoIP/SIPtraffic.ToseehowtoconfigureSIPontheFortiGate
unit,refertoAllowinginboundandoutboundVoIP/SIPtrafficthroughtheFortiGaterecipe.

Usingtrafficshaping,youcanconfiguresharedshapersthatensureaconsistentamountofreserved
bandwidthforVoIP/SIPcommunicationsandstillmaintainbandwidthforotherInternettrafficsuchas
emailandwebbrowsing.Dependsthetotalavailablebandwidthyouhaveyoucandedicatea
guaranteedandamaximumbandwidthforeachfirewallpolicy(youcanverifyyourtotalbandwidth
usinghttp://speedtest.net/).Forthissolution,totalavailablebandwidthis70000Kbits/s,10000kbits/s
isguaranteedtobeavailableforVoIPandVoIPtrafficisgivenhigherprioritythanothertraffic.Other
trafficislimitedtoamaximumbandwidthof600000kbits/s.
InthisconfigurationtheinternalIPphonesandinternalnetworkareconnectedtotheFortiGateVDOM
Binternalinterface(port4).

GotoFirewallObjects>TrafficShaper>SharedandVoIPandDaily_TrafficShapers

GotoPolicy>Policy>PolicyandapplytheVoIPtrafficshapertothefirewallpolicycontrollingVoIP/SIP
traffic


ThenapplytheDaily_Trafficshapertothefirewallpolicycontrollingothertraffic


GotoFirewallObjects>Monitor>TrafficShaperMonitor


GotoLog&Report>TrafficLog>ForwardTraffictoseethatVoIPandDaily_Trafficshaperswere
appliedsuccessfully

Selectanentryforeachshapertoseedetails

9. Adding the explicit web proxy and web caching on the internal
network

Forfasterwebbrowsing,internaluserswillconnecttoanexplicitwebproxyusingport8080insteadof
surfingdirectlytotheInternetusingport80

GotoSystem>Network>ExplicitProxyandenablehttp/httpsexplicitwebproxy

MakesuretosettheDefaultFirewallPolicyActionheretoDeny,becausewewillcreateapolicyfor
webproxytrafficwithwebcacheenabledonit.

GotoSystem>Network>Interfaceandenablewebproxyonport4

GotoPolicy>Policy>Policytocreatenewoneforwebproxytrafficandenablewebcache

Configurewebbrowsersontheprivatenetworktoconnecttothenetworkusingaproxyserver.TheIP
addressoftheHTTPproxyserveris10.10.1.99(theIPaddressoftheFortiGateinternalinterface)and
theportis8080(thedefaultexplicitwebproxyport).

WebbrowsersconfiguredtousetheproxyserverareabletoconnecttotheInternet.

Gotopolicy>Policy>PolicytoseetheIDofthepolicyallowingwebproxytraffic(hereitsID3)

Webproxytrafficisnotcountedbyfirewallpolicy!

GotoLog&Report>TrafficLog>ForwardTrafficandfilterbypolicyID3

Selectanentryfordetails

10.

Configuring VDOMC

ThisVDOMCintransparentmodewillbesettoprotecttheISPsserverssettopublicIPsusingUTM
Profiles

LogontotheFortiGateunitVDOMConport5interface(managementIP172.20.120.23)usingcadmin
account,thiswillletyoumanageonlyVDOMC

GotoFirewallObjects>Address>AddresstosetwebserverIP

GotoPolicy>Policy>PolicytocreateoneforoutboundtrafficandapplyUTMsecurityprofilesthen
anotheroneforinboundtrafficwithsecurityUTMprofilesaswell


Youcanusethedefaultprofilesandcustomizethemifyouwantto.

YoucannowconnecttoyourwebserversecurelyfromtheinternetusingitspublicIPaddress
(eventuallyusingthesameFQDN)althoughthewebserverisbehindaFortiGateunit.Alsotheweb
serverisabletoconnecttotheinternetforupdatesandothers.

GotoLog&Report>TrafficLog>ForwardTraffictoseeinandoutboundtraffic


Selectanentryforoutboundandanotherentryforinboundtrafficfordetails

GotoUTMSecurityProfiles>MonitortoseeallUTMstatus

HereisanexampleofApplicationmonitorfromthatwebserverwithIPaddress172.20.120.226