Virtual Firewalls with Fortigate

Posted on June 18, 2012

It is fairly easy to configure several virtual firewalls on one FortiGate box, and unlike the Cisco ASA, the virtual firewalls can terminate VPNs as well.
The virtual firewalls can also run in transparent or routed (NAT) mode independently of each other, which is not possible with Cisco.
What is missing, and what Cisco already has, is resource management: one virtual firewall can consume the whole CPU of the box, and the only way to control that is the QoS feature. Maybe QoS alone is enough, though.
What is new with FortiGate is that you can configure virtual interfaces between the virtual firewalls as well (inter-VDOM links).

1. Enable virtual firewall mode (VDOM mode).

firewall # config system global
firewall (global) # set vdom-admin enable
firewall (global) # end
The change only takes effect for your session after you log out and back in. Afterwards the top-level config menu offers just the global and vdom contexts (this example creates a vdom called testvdom; the remaining steps use a vdom called vfirewall1 created the same way):
firewall # config
global    config global
vdom      config vdom
firewall # config vdom
firewall (vdom) # edit testvdom
current vf=testvdom:5
firewall (testvdom) # show system interface
config system interface
...

2. Administrator configuration.

– admin is the global administrator (super_admin profile, assigned to the root vdom)
– service-admin is a vdom administrator for the vfirewall1 vdom only (prof_admin profile, so no access to global settings or to other vdoms)

firewall # config global
firewall (global) # show system admin
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
...
    edit "service-admin"
        set accprofile "prof_admin"
        set vdom "vfirewall1"
...

3. Allocate an interface to a vdom.

Interfaces are global objects, so this is done from the global context (config global, not config system global, which is a settings table and cannot contain config system interface). Allocate port3 to the root vdom:

firewall # config global
firewall (global) # config system interface
firewall (interface) # edit port3
firewall (port3) # set vdom root
firewall (port3) # end

4. SSH to the IP address of the vdom.

Logging in as the vdom administrator (here over the inter-VDOM link address 10.10.100.2) shows only the interfaces allocated to that vdom. Note that the vlink1 interface has https, ssh and fgfm enabled in allowaccess: the management plane of vfirewall1 is reachable from whatever the root vdom routes to 10.10.100.2, which is what makes this login possible, so the vdom admin account should be limited with a trusthost as well.

Login as: service-admin
service-admin@10.10.100.2's password:
firewall $
firewall $ show system interface
config system interface
    edit "port8"
        set vdom "vfirewall1"
        set type physical
        set macaddr 00:0c:29:00:7c:bc
    next
    edit "ssl.vfirewall1"
        set vdom "vfirewall1"
        set type tunnel
    next
    edit "vlink1"
        set vdom "vfirewall1"
        set ip 10.10.100.2 255.255.255.252
        set allowaccess https ssh fgfm
        set type vdom-link
    next
end