Friday, February 23, 2018

Inter-VDOM routing



In this example we will be setting up inter-VDOM links between a VDOM named "root" and another VDOM named "untrust". This will allow bidirectional traffic to traverse the 2 VDOMs without any additional cabling.

Prerequisites:

  • Tested on FortiOS 6
  • VDOMs created
  • Links up


Process:

  • Configure interfaces
  • Configure policies
  • Configure static routes





### Interfaces
config global
config system interface
    edit "internal1"
        set vdom "root"
        set ip 10.0.0.254 255.255.255.0
  set allowaccess ping https #This is your choice
        set type physical
    next
    edit "internal2"
        set vdom "untrust"
        set ip 192.168.1.254 255.255.255.0
        set allowaccess ping https  #This is your choice
        set type physical
    next
    edit "root-to-un0"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.252
        set allowaccess ping
        set type vdom-link
    next
    edit "root-to-un1"
        set vdom "untrust"
        set ip 10.10.10.2 255.255.255.252
        set allowaccess ping
        set type vdom-link
    next
end
end

config vdom
edit root
### Policies
config firewall policy
    edit 1                         
        set name "int1-to-root-to-un0"
  set srcintf "internal1"     #this is your WAN intf
        set dstintf "root-to-un0"
        set srcaddr "all"           #Do not leave as all. Lock down.
        set dstaddr "all"           #Do not leave as all. Lock down.
        set action accept
        set schedule "always"
        set service "ALL"           #Do not leave as all. Lock down.
        set logtraffic disable
    next
    edit 2                         
        set name "root-to-un0-to-int1"
  set srcintf "root-to-un0"
        set dstintf "internal1"     #this is your WAN intf
        set srcaddr "all"           #Do not leave as all. Lock down.
        set dstaddr "all"           #Do not leave as all. Lock down.
        set action accept
        set schedule "always"
        set service "ALL"           #Do not leave as all. Lock down.
        set logtraffic disable
    next
    end
    ### Static Routes
    config router static
    edit 1
        set dst 192.168.1.0 255.255.255.0
        set gateway 10.10.10.2      #This is the OPPOSITE side of the VLink
        set device "root-to-un0"
    next
    end
    end

config vdom
edit untrust
### Policies
config firewall policy
    edit 1                         
        set name "int1-to-root-to-un0"
  set srcintf "internal2"     #this is your WAN intf
        set dstintf "root-to-un1"
        set srcaddr "all"           #Do not leave as all. Lock down.
        set dstaddr "all"           #Do not leave as all. Lock down.
        set action accept
        set schedule "always"
        set service "ALL"           #Do not leave as all. Lock down.
        set logtraffic disable
    next
    edit 2                         
        set name "root-to-un0-to-int1"
  set srcintf "root-to-un1"
        set dstintf "internal2"     #this is your WAN intf
        set srcaddr "all"           #Do not leave as all. Lock down.
        set dstaddr "all"           #Do not leave as all. Lock down.
        set action accept
        set schedule "always"
        set service "ALL"           #Do not leave as all. Lock down.
        set logtraffic disable
    next
    end
    ### Static Routes
    config router static
    edit 1
        set dst 10.0.0.0 255.255.255.0
        set gateway 10.10.10.1      #This is the OPPOSITE side of the VLink
        set device "root-to-un1"
    next
    end
-->
    end

Saturday, July 1, 2017

FGT VM in transparent mode on ESXi 6.0



Purpose:
Our goal with this config is to inspect/restrict traffic sourced/destined from servers on our LAN without causing much impact to the existing network.

Caution:
Failing to specify VLAN, Forwarding-domain and strict src/dst addresses may result in a Layer2 loop/broadcast storm. Please make sure to follow the directions carefully.

Topology:





1.     Deploy OVF Template
b.     I prefer to thin provision everything but that is your choice
c.     Do not power on the Virtual machine after deploying.
2.     Shut off your VM servers that you would like to add to the port group so that we may edit their port assignments.
3.     Create a Port Group in ESXi


Make sure that you assign a unique vlan id here.

Edit your server VM and assign the network adapter to your new port group.
Edit your FGTVM.
Disconnect all ports that will not be used.
You will need 3 ports: In/Out/mgmt.
In this case, we are using:
Port1 for out to our network.
Port2 for management.
Port8 for connection the VM port group.
Your port group should now look something like this if you had 2 servers in it. The only exception is that your ports are not green as we have not powered anything on yet.


4.     Power on your FGT VM  and console into FortiOS CLI.
5.     As a precaution, we should shut all ports.
config sys interface
edit port1
set status down
next
#repeat for all ports
6.     Set the box transparent mode.
config system settings
set opmode transparent
set manageip
            end
            #this will log you out so log back in.
7.     Set DNS and static route if needed.
config system dns
set primary x.x.x.x
set secondary x.x.x.x
            end
            config router static
                        edit 0
                                    set dst x.x.x.x x.x.x.x
                                    set gateway x.x.x.x
            end
           
8.     Set the forward-domain for your interfaces that are not used for management.
config system interface
edit port1
            set forward-domain 100
next
edit port8
            set forward-domain 100
end
9.     Set the allowaccess for your mgmt. interface.
config system interface
edit port2
            set allowaccess ping https
end
10.  Setup the in/out firewall policies for your Server communications.
It is very important that you set specify srcaddr/dstaddr to avoid layer2 issues on your network .
config firewall policy
edit 0
            set name “p1-p8”
            set srcintf port1
            set dstintf port8
            set srcaddr all
            set dstaddr "/32 srvIP"
            set service any
            set schedule always
            set action accept
next
edit 0
            set name “p8-p1”
            set srcintf port8
            set dstintf port1
            set dstaddr  all
            set srcaddr "/32 srvIP"
            set service any
            set schedule always
            set action accept
next     




11.  Enable your 3 interfaces on the FGTVM and power on your VM servers. Traffic towards your servers should now be routed through your FGTVM and the FGT should be accessible via the management IP.


12.  Go back and apply any UTM policies, restrict services, etc in your policies that you may require.