Virtual Networking


Page 1

Virtual Networking

Page 2

Module Objectives

• By the end of this module participants will be able to:

• Understand the use of virtual LANs

• Create VLAN subinterfaces on the FortiGate unit

• Understand the use of virtual domains

• Create virtual domains

• Create administrators specific to virtual domains

• Create inter-VDOM links

Page 4

Virtual Local Area Networks (VLAN)


[Figure: VLANs layered on top of the physical interfaces of the FortiGate unit]

• VLANs increase the number of network interfaces beyond the physical connections on the FortiGate unit

• VLANs can be used to logically distribute devices on a LAN into smaller broadcast domains

• Uses VLAN tags

Page 6

VLAN tags

Ethernet frame:

  Destination MAC | Source MAC | Type    | Data          | CRC 32
  6 bytes         | 6 bytes    | 2 bytes | 46-1500 bytes | 4 bytes

Ethernet frame using VLAN tags:

  Destination MAC | Source MAC | Type 8100 | Tag Control Info | Type | Data | CRC 32
                                 2 bytes     2 bytes

Tag Control Info contains:

• User Priority Field

• Canonical Format Indicator

• VLAN Identifier

• A four-byte extension to the Ethernet frame is used to define VLANs

• Applied by switches and routers to every packet sent and received by the devices

• Workstations and desktop computers are not an active part of the VLAN process

• VLAN tagging and removal is done after the packet has left the computer


Page 8

VLAN Scenario

[Figure: an Accounting computer at each of Headquarters, Branch office and Retail office]

• In this scenario, computers located in different buildings need to communicate with each other frequently with high security

• VLANs allow data to be sent between specific computers in different locations as if they were on the same physical subnet

Page 10

VLANs on a FortiGate Unit

[Figure: a tagged Ethernet frame (Type 8100, Tag Control Info) carried on VLAN A and VLAN B]

• The FortiGate unit acts as a layer-3 device when in default NAT/Route mode

• Can add, read, remove or modify VLAN tags

• Device can change the VLAN tag if appropriate and send the data frame out on a different VLAN

Page 11

VLANs on a FortiGate Unit

[Figure: VLAN 100 (Branch office), VLAN 200 (Headquarters) and VLAN 300; frames tagged VLAN 100 and VLAN 300 pass through Router A and Router B between Subnet 1 and Subnet 2]
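The following FortiOS CLI fragment is an added example and not part of the original slides: it creates the VLAN 100 and VLAN 300 subinterfaces from the scenario above on a single physical port, then adds the firewall policy the unit needs before it will take a frame in on VLAN 100, re-tag it and send it out on VLAN 300. The port name port1, the interface names and the IP addresses are constructed, and the command syntax follows the FortiOS CLI; check it against the firmware release in use.

```text
# Added example (constructed names and addresses). VDOMs are not enabled
# yet, so "config system interface" sits at the top level.
config system interface
    # VLAN 100 subinterface riding on physical port1 (Branch office side)
    edit "vlan100"
        set vdom "root"
        set type vlan
        set interface "port1"
        set vlanid 100
        set ip 10.1.100.1 255.255.255.0
        # Management access on a user VLAN kept to ping only
        set allowaccess ping
    next
    # VLAN 300 subinterface on the same physical port
    edit "vlan300"
        set vdom "root"
        set type vlan
        set interface "port1"
        set vlanid 300
        set ip 10.1.30.1 255.255.255.0
        set allowaccess ping
    next
end

# The implicit deny drops inter-VLAN traffic until a policy exists; this one
# lets the VLAN 100 subnet reach VLAN 300 and logs every session.
config firewall policy
    edit 0
        set name "vlan100-to-vlan300"
        set srcintf "vlan100"
        set dstintf "vlan300"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        # Narrow this to the services actually required in production
        set service "ALL"
        set logtraffic all
    next
end
```

Because both subinterfaces hang off port1, the upstream switch port must be a trunk carrying VLANs 100 and 300; untagged frames on port1 stay on the physical interface and never reach either policy.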

Page 12

Virtual Domains


[Figure: one physical FortiGate device hosting multiple virtual FortiGate devices: Domain A, Domain B and Domain C]

Page 14

Virtual Domains

[Figure: three virtual domains, one each for Acme Co., ABC Inc. and XYZ Ltd.]

• Own network interfaces

• Own routing requirements

• Own firewall policies

• Own protection rules

• Packets confined to this VDOM

• Logically, virtual domains behave like separate FortiGate units

• By default, a FortiGate unit can support a maximum of 10 virtual domains

• Certain models allow the purchase of additional VDOM licenses to increase this number

Page 15

VDOM Settings

[Figure: Domain A with the global settings shared by all domains]

Settings affect all configured domains:

• Hostname

• DNS settings

• System time

• Firmware versions

• …

Page 16

VDOM Settings

[Figure: Domain A with its global settings and its own VDOM settings]

Settings affect specific VDOM only:

• Operating mode

• Router settings

• Firewall settings

• UTM settings

• …

Page 18

Enabling Virtual Domains

• When VDOMs are enabled:

• Global and per-VDOM configurations are separated

• Only the admin account can view or configure global options

• Only the admin account can access all VDOM configurations

• Regular administrators can only configure the VDOM to which they are assigned

Page 20

Switching Between Virtual Domains

• Admin can switch between VDOMs configured on the FortiGate unit in addition to accessing the Global Configuration

• Regular administrators are confined to their own VDOMs

Page 22

VDOM Resource Limits

[Figure: the Accounting VDOM with its VDOM resource limits]

• Global resource limits affect resources available to the FortiGate device

• VDOM resource limits affect resources available for each VDOM

• Resource limits vary by device model

Page 24

Per-VDOM Configurations

[Figure: the Accounting VDOM: full device configuration versus VDOM configuration]

• Administrators can back up and restore the entire device configuration or VDOM-specific configurations

• VDOM configurations are stored as separate configuration files

• VDOM configurations can be synched between HA devices

Page 27

Virtual Domains Administrators

[Figure: Domain A, Domain B and Domain C managed by an administrator with the super_admin profile]

• Virtual domains can be managed using either one common administrator or multiple separate administrators for each VDOM

• Administrators assigned the super_admin profile can manage all VDOMs on the FortiGate device

• Can also create other administrator accounts and assign them to VDOMs

Page 29

Inter-VDOM Links

[Figure: inter-VDOM links between Domain A, Domain B and Domain C]


• Inter-VDOM links allow VDOMs to communicate internally without using additional physical interfaces

• Communication no longer has to leave on a physical interface and re-enter the FortiGate device on another physical interface

• Firewall policies need to be in place for traffic to be allowed to pass through any interface, whether it be physical or virtual
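The following FortiOS CLI fragment is an added example, not part of the original slides: it creates an Accounting VDOM, an administrator who can configure only that VDOM, an inter-VDOM link to the root VDOM, and the policy the Accounting side needs before anything crosses the link. All names and addresses are constructed, vlan100 is assumed to have been moved into the Accounting VDOM already, and the syntax follows the FortiOS CLI; check it against the firmware release in use.

```text
# Added example (constructed names and addresses); FortiOS CLI, VDOMs enabled
config vdom
    edit "Accounting"
    next
end
config global
    # Admin confined to Accounting: prof_admin is full rights inside that VDOM
    # only, and trusthost1 restricts the source addresses allowed to log in
    config system admin
        edit "acct-admin"
            set vdom "Accounting"
            set accprofile "prof_admin"
            set trusthost1 10.9.0.0 255.255.255.0
            set password <REPLACE-WITH-STRONG-PASSWORD>
        next
    end
    # One vdom-link entry yields two endpoint interfaces, acct-root0 and acct-root1
    config system vdom-link
        edit "acct-root"
        next
    end
    # Each endpoint goes into one VDOM, like a patch cable between two units
    config system interface
        edit "acct-root0"
            set vdom "Accounting"
            set ip 10.255.0.1 255.255.255.252
        next
        edit "acct-root1"
            set vdom "root"
            set ip 10.255.0.2 255.255.255.252
        next
    end
end
# Implicit deny applies on the link too: each VDOM needs its own policy and route
config vdom
    edit "Accounting"
        config firewall policy
            edit 0
                set name "acct-to-root"
                set srcintf "vlan100"
                set dstintf "acct-root0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

The root VDOM needs a matching policy from acct-root1 and a static route back to the Accounting subnet, otherwise replies are dropped at the link even though the Accounting side allows the session.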

Page 30

Inter-VDOM Links